dataswamp.org/1/~solene/article-linux-vpn-netns

  URI:

       Title: WireGuard and Linux network namespaces
       Author: Solène
       Date: 02 July 2024
       Tags: security vpn network linux
       Description: In this article, you will learn how to establish a VPN in
       a dedicated network namespace on Linux
       
       # Introduction
       
       This guide explains how to setup a WireGuard tunnel on Linux using a
       dedicated network namespace so you can choose to run a program on the
       VPN or over clearnet.
       
       I have been able to figure the setup thanks to the following blog post,
       I enhanced it a bit using scripts and sudo rules.
       
  HTML Mo Ismailzai's blog: Creating WireGuard jails with Linux network namespaces
       
       # Explanations
       
       By default, if you connect WireGuard tunnel, its "allowedIps" field
       will be used as a route with a higher priority than your current
       default route.  It is not always ideal to have everything routed
       through a VPN, so you will create a dedicated network namespace that
       uses the VPN as a default route, without affecting all other software.
       
       Unfortunately, compared to OpenBSD rdomain (which provide the same
       features in this situation), network namespaces are much more
       complicated to deal with and requires root to run a program under a
       namespace.
       
       You will create a SAFE sudo rule to allow your user to run commands
       under the new namespace, making it more practical for daily use.
       
       # Setup
       
       ## VPN tunnel and namespace
       
       You need a wg-quick compatible WireGuard configuration file, but do not
       make it automatically used at boot.
       
       Create a script (for root use only) with the following content, then
       make it executable:
       
       ```shell
       #!/bin/sh
       
       # your VPN configuration file
       CONFIG=/etc/wireguard/my-vpn.conf
       
       # this directory is used to have a per netns resolver file
       mkdir -p /etc/netns/vpn/
       
       # cleanup any previous VPN in case you want to restart it
       ip netns exec vpn ip l del tun0
       ip netns del vpn
       
       # information to reuse later
       DNS=$(awk '/^DNS/ { print $3 }' $CONFIG)
       IP=$(awk '/^Address/ { print $3 }' $CONFIG)
       
       # the namespace will use the DNS defined in the VPN configuration file
       echo "nameserver $DNS" > /etc/netns/vpn/resolv.conf
       
       # now, it creates the namespace and configure it
       ip netns add vpn
       ip -n vpn link set lo up
       ip link add tun0 type wireguard
       ip link set tun0 netns vpn
       ip netns exec vpn wg setconf tun0 <(wg-quick strip "$CONFIG")
       ip -n vpn a add "$IP" dev tun0
       ip -n vpn link set tun0 up
       ip -n vpn route add default dev tun0
       ip -n vpn add
       
       # extra check if you want to verify the DNS used and the public IP assigned
       #ip netns exec vpn dig ifconfig.me
       #ip netns exec vpn curl https://ifconfig.me
       ```
       
       This script autoconfigure the network namespace and the VPN interface +
       the DNS server to use.  There are extra checks at the end of the script
       that you can uncomment if you want to take a look at the public IP and
       DNS resolver used just after connection.
       
       Running this script will make the netns "vpn" available for use.
       
       The command to run a program under the namespace is `ip netns exec vpn
       your command`, it can only be run as root.
       
       ## Sudo rule
       
       Now you need a specific rule so you can use sudo to run a command in
       vpn netns as your own user without having to log in as root.
       
       Add this to your sudo configuration file, in my example I allow the
       user `solene` to run commands as `solene` for the netns vpn:
       
       ```sudoers
       solene ALL=(root) NOPASSWD: /usr/sbin/ip netns exec vpn /usr/bin/sudo -u solene -- *
       ```
       
       When using this command line, you MUST use full paths exactly as in the
       sudo configuration file, this is important otherwise it would allow you
       to create a script called `ip` with whatever commands and run it as
       root, while `/usr/sbin/ip` can not be spoofed by a local script in
       $PATH.
       
       If I want a shell session with the VPN, I can run the following
       command:
       
       ```
       sudo /usr/sbin/ip netns exec vpn /usr/bin/sudo -u solene -- bash
       ```
       
       This runs bash under the netns vpn, so any command I'm running from it
       will be using the VPN.
       
       # Limitations
       
       It is not a real limitation, but you may be caught by it, if you make a
       program listening on localhost in the netns vpn, you can only connect
       to it from another program in the same namespace.  There are methods to
       connect two namespaces, but I do not plan to cover it, if you need to
       search about this setup, it can be done using socat (this is explained
       in the blog post linked earlier) or a local bridge interface.
       
       # Conclusion
       
       Network namespaces are a cool feature on Linux, but it is overly
       complicated in my opinion, unfortunately I have to deal with it, but at
       least it is working fine in practice.