Wireguard: Difference between revisions
No edit summary |
No edit summary |
||
| Line 2: | Line 2: | ||
This init.d script creates a linux namespace (vpn) and builds a point to point interface between global namespace to (vpn) namespace for monitoring/polling.<br> | This init.d script creates a linux namespace (vpn) and builds a point to point interface between global namespace to (vpn) namespace for monitoring/polling.<br> | ||
This script then can fire up a specific process to be isolated to the namespace for security purposes. | This script then can fire up a specific process to be isolated to the namespace for security purposes. | ||
* /usr/local/sbin/netns | |||
<pre> | <pre> | ||
#!/bin/sh | #!/bin/sh | ||
| Line 7: | Line 8: | ||
DEV_NAME="wg2" | DEV_NAME="wg2" | ||
case "$1" in | case "$1" in | ||
start) | |||
NETNS_FILE=/var/run/netns/$NETNS_NAME | NETNS_FILE=/var/run/netns/$NETNS_NAME | ||
# Create a new network namespace. | # Create a new network namespace. | ||
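Review bot: The `start)` arm label added here does not match the usage text further down the script, which still prints `{up|down}` in the `*)` arm (outside this hunk); if this revision renamed the arms from up/down (the old labels are not visible here), the usage message was missed. Change it to `echo "Usage: $0 {start|stop}" >&2` and exit non-zero there, because the script currently ends with an unconditional `exit 0` and a mistyped argument reports success to the systemd unit that calls it. The case statement continues past the end of this hunk.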
| Line 73: | Line 74: | ||
#service deluged restart | #service deluged restart | ||
;; | ;; | ||
stop) | |||
FOUND=$(grep $DEV_NAME /proc/net/dev) | FOUND=$(grep $DEV_NAME /proc/net/dev) | ||
# Down NETNS wireguard interface | # Down NETNS wireguard interface | ||
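Review bot: The check that opens the new `stop)` arm, `FOUND=$(grep $DEV_NAME /proc/net/dev)`, reads the interface list of the global namespace, but `start` moves `wg2` into the `vpn` namespace, so in the normal case it finds nothing and the explicit delete is skipped; teardown then only works because `ip netns delete` destroys the interfaces left inside. It is also a substring match, so `wg2` would match a `wg20`. Replace it with `if ip -n "$NETNS_NAME" link show "$DEV_NAME" >/dev/null 2>&1; then`, which asks the right namespace for the exact name. The arm continues past the end of this hunk.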
| Line 98: | Line 99: | ||
exit 0 | exit 0 | ||
</pre> | </pre> | ||
* /etc/systemd/system/netns.service | |||
<pre> | |||
[Unit] | |||
Description=Namespace VPN Manager | |||
After=network-online.target | |||
[Service] | |||
Type=oneshot | |||
RemainAfterExit=true | |||
ExecStart=/usr/local/sbin/netns start | |||
ExecStop=/usr/local/sbin/netns stop | |||
# Time to wait before forcefully stopped. | |||
TimeoutStopSec=300 | |||
[Install] | |||
WantedBy=multi-user.target | |||
</pre> | |||
[[Category:Linux]] | [[Category:Linux]] | ||
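Review bot: `After=network-online.target` on its own only orders the unit; it does not pull the target in, so on a host where nothing else wants it the script can run before the uplink is configured (systemd.unit(5) recommends using Wants= together with After=). Add `Wants=network-online.target` next to it. Separately, the script this unit runs ends with an unconditional `exit 0`, so with `Type=oneshot` a failed `ip` or `wg` call still leaves the unit active and `RemainAfterExit=true` keeps it that way; a `set -e` in the script would let systemd see the failure.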
Revision as of 20:47, 13 January 2021
- init.d script
This script (started by the systemd unit below) creates a Linux network namespace named vpn and a veth point-to-point link (10.1.1.1/30 in the global namespace, 10.1.1.2/30 inside vpn) between the global namespace and vpn, which is used for monitoring/polling the isolated side.
A specific process can then be started inside the namespace (for example with `ip netns exec vpn ...`) so that its only default route is the WireGuard tunnel. Note that only the network stack is isolated: PID, mount, user and filesystem views are still shared with the host, and the veth link plus the 192.168.0.0/24 route remain reachable from inside the namespace.
- /usr/local/sbin/netns
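#!/bin/sh
# netns - build or tear down the "vpn" network namespace.
#
# Usage: netns {start|stop}
#   start  create the namespace, a veth link to the global namespace, the
#          WireGuard interface, its routes and a namespace-private resolv.conf
#   stop   remove all of the above (best effort, so a half-built namespace
#          left by a failed start can still be cleaned up)
#
# Must run as root (CAP_NET_ADMIN). Reads /etc/wireguard/$DEV_NAME.conf, a
# wg-quick style config that contains the private key: keep it 0600, root-owned.
#
# The WireGuard interface is created in the global namespace and then moved:
# WireGuard keeps its UDP socket in the namespace the interface was created in,
# so the encrypted outer packets leave through the global namespace while the
# only default route inside "vpn" is the tunnel. A process started with
# `ip netns exec vpn ...` can therefore not bypass the tunnel, except via the
# veth link (10.1.1.1) and the LAN route below, which exist for monitoring.
# Only the network stack is isolated; PID, mount and user views stay shared.

set -eu

NETNS_NAME="vpn"
DEV_NAME="wg2"
WG_CONF="/etc/wireguard/$DEV_NAME.conf"
NETNS_FILE="/var/run/netns/$NETNS_NAME"

# veth pair joining the namespaces: $VETH_MAIN stays global, $VETH_NS moves in.
VETH_MAIN="veth0"
VETH_NS="veth1"
VETH_MAIN_ADDR="10.1.1.1/30"
VETH_NS_ADDR="10.1.1.2/30"
VETH_MAIN_IP="10.1.1.1"
# The one prefix reachable from the namespace without going through the
# tunnel (monitoring/polling hosts). Narrow it if a single host is enough.
LAN_NET="192.168.0.0/24"

# Print the value of "Key = value" from the wg-quick config (first match,
# comments and surrounding whitespace ignored). Prints nothing if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$WG_CONF" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Echo the command that was just run, as the original script did.
log() {
    printf '%s\n' "$*"
}

case "${1:-}" in
start)
    if [ ! -r "$WG_CONF" ]; then
        printf 'netns: %s is missing or unreadable\n' "$WG_CONF" >&2
        exit 1
    fi

    # `ip netns add` fails if the namespace already exists.
    if [ ! -e "$NETNS_FILE" ]; then
        ip netns add "$NETNS_NAME"
    fi
    ip -n "$NETNS_NAME" link set dev lo up

    # veth pair: address and bring up the global end, move the peer inside.
    ip link add "$VETH_MAIN" type veth peer name "$VETH_NS"
    ip addr add "$VETH_MAIN_ADDR" dev "$VETH_MAIN"
    ip link set "$VETH_MAIN" up
    ip link set "$VETH_NS" netns "$NETNS_NAME"
    ip -n "$NETNS_NAME" addr add "$VETH_NS_ADDR" dev "$VETH_NS"
    ip -n "$NETNS_NAME" link set "$VETH_NS" up
    # Only the LAN is routed over veth; everything else must use the tunnel.
    ip -n "$NETNS_NAME" route add "$LAN_NET" via "$VETH_MAIN_IP" dev "$VETH_NS"

    # WireGuard: create globally (the socket stays here), then move inside.
    ip link add "$DEV_NAME" type wireguard
    ip link set "$DEV_NAME" netns "$NETNS_NAME"

    # `wg setconf` only understands the core keys and rejects the wg-quick
    # extensions (Address, DNS, MTU, ...), so strip them first. The stripped
    # config is captured so a failing wg-quick aborts under set -e instead of
    # feeding setconf an empty stream; it is passed on stdin, never on argv,
    # so the private key does not show up in `ps`.
    stripped=$(wg-quick strip "$DEV_NAME")
    printf '%s\n' "$stripped" \
        | ip netns exec "$NETNS_NAME" wg setconf "$DEV_NAME" /dev/stdin
    ip -n "$NETNS_NAME" link set "$DEV_NAME" up
    log "ip -n $NETNS_NAME link set $DEV_NAME up"

    # Inner address(es) come from the "Address =" line; a comma-separated list
    # (for example IPv4 plus IPv6) is applied entry by entry.
    addrs=$(conf_value Address)
    if [ -z "$addrs" ]; then
        printf 'netns: no "Address =" line in %s\n' "$WG_CONF" >&2
        exit 1
    fi
    printf '%s\n' "$addrs" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d' \
        | while IFS= read -r addr; do
            ip -n "$NETNS_NAME" addr add "$addr" dev "$DEV_NAME"
            log "ip -n $NETNS_NAME addr add $addr dev $DEV_NAME"
        done

    # Make the tunnel the default route inside the namespace.
    ip -n "$NETNS_NAME" route add default dev "$DEV_NAME"

    # `ip netns exec` bind-mounts /etc/netns/<ns>/resolv.conf over
    # /etc/resolv.conf for processes in the namespace. Without it they would
    # use the host's resolvers, i.e. DNS would travel over the veth/LAN path
    # instead of the tunnel. The directory does not exist by default.
    dns=$(conf_value DNS)
    mkdir -p "/etc/netns/$NETNS_NAME"
    if [ -n "$dns" ]; then
        printf '%s\n' "$dns" | tr ',' '\n' \
            | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d;s/^/nameserver /' \
            > "/etc/netns/$NETNS_NAME/resolv.conf"
    else
        printf 'netns: no "DNS =" line in %s; namespace keeps the host resolv.conf\n' \
            "$WG_CONF" >&2
    fi
    # Restart DELUGED
    #service deluged restart
    ;;
stop)
    # Best-effort teardown: every step may fail without aborting so that a
    # partially built namespace is still removed.
    if ip -n "$NETNS_NAME" link show "$DEV_NAME" >/dev/null 2>&1; then
        ip -n "$NETNS_NAME" link delete dev "$DEV_NAME" || true
        log "ip -n $NETNS_NAME link delete dev $DEV_NAME"
    fi
    # Deleting either end of a veth pair removes both ends.
    ip -n "$NETNS_NAME" link delete "$VETH_NS" 2>/dev/null || true
    log "ip -n $NETNS_NAME link delete $VETH_NS"
    # A $VETH_MAIN left behind (start failed before the move) is removed too.
    ip link delete "$VETH_MAIN" 2>/dev/null || true
    # Deleting the namespace destroys any interface still inside it.
    if [ -e "$NETNS_FILE" ]; then
        ip netns delete "$NETNS_NAME"
        log "ip netns delete $NETNS_NAME"
    fi
    # /etc/netns/$NETNS_NAME/resolv.conf is kept; it is rewritten on start.
    ;;
*)
    printf 'Usage: %s {start|stop}\n' "$0" >&2
    exit 2
    ;;
esac
exit 0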
- /etc/systemd/system/netns.service
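# /etc/systemd/system/netns.service
# Runs "netns start" once the network is up and "netns stop" at shutdown.
[Unit]
Description=Namespace VPN Manager
# After= only orders the unit; Wants= is what pulls network-online.target in.
# systemd.unit(5) recommends using both. network-online.target is only
# meaningful if a *-wait-online service for the installed network manager is
# enabled.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
# Keep the unit "active" after the script exits so that ExecStop runs on
# systemctl stop and at shutdown.
RemainAfterExit=true
ExecStart=/usr/local/sbin/netns start
ExecStop=/usr/local/sbin/netns stop
# Time to wait before forcefully stopped.
TimeoutStopSec=300

[Install]
WantedBy=multi-user.target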