尝试在网络命名空间中运行 OpenVPN

Question 1

在网络命名空间内启动 openvpn 更安全。我使用以下脚本（Schnouki 的分支）来创建命名空间、配置防火墙、DNS、测试连接、启动 openvpn，最后启动 torrent 客户端。我将 TODO 放在脚本中，您必须根据需要进行调整。

#!/bin/sh
# start openvpn tunnel and torrent client inside Linux network namespace
#
# this is a fork of schnouki's script, see original blog post
# https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/
#
# original script can be found here
# https://gist.github.com/Schnouki/fd171bcb2d8c556e8fdf

# ------------ adjust values below ------------
# network namespace
NS_NAME=myVPN
NS_EXEC="ip netns exec $NS_NAME"
# user for starting the torrent client
REGULAR_USER=heinzwurst
# ---------------------------------------------

# exit on unbound variable
set -u

# exit on error
set -e
set -o pipefail

# trace option
#set -x

if [ $USER != "root" ]; then
    echo "This must be run as root."
    exit 1
fi

start_vpn() {
    echo "Add network interface"

    # Create the network namespace
    ip netns add $NS_NAME

    # Start the loopback interface in the namespace
    $NS_EXEC ip addr add 127.0.0.1/8 dev lo
    $NS_EXEC ip link set lo up

    # Create virtual network interfaces that will let OpenVPN (in the
    # namespace) access the real network, and configure the interface in the
    # namespace (vpn1) to use the interface out of the namespace (vpn0) as its
    # default gateway
    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns $NS_NAME up

    ip addr add 10.200.200.1/24 dev vpn0
    $NS_EXEC ip addr add 10.200.200.2/24 dev vpn1
    $NS_EXEC ip link set dev vpn1 mtu 1492
    $NS_EXEC ip route add default via 10.200.200.1 dev vpn1

    # Configure the nameserver to use inside the namespace
    # TODO use VPN-provided DNS servers in order to prevent leaks
    mkdir -p /etc/netns/$NS_NAME
    cat >/etc/netns/$NS_NAME/resolv.conf <<EOF || exit 1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

    # IPv4 NAT, you may need to adjust the interface name prefixes 'eth' 'wlan'
    iptables -t nat -A POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -A POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -A PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    # TODO create firewall rules for your specific application (torrent)
    # or just comment the line below
    $NS_EXEC iptables-restore < /etc/iptables/iptables-$NS_NAME.rules

    # we should have full network access in the namespace
    $NS_EXEC ping -c 3 www.google.com

    # start OpenVPN in the namespace
    echo "Starting VPN"
    cd /etc/openvpn
    # TODO create openvpn configuration in /etc/openvpn/$NS_NAME.conf
    $NS_EXEC openvpn --config $NS_NAME.conf &

    # wait for the tunnel interface to come up
    while ! $NS_EXEC ip link show dev tun0 >/dev/null 2>&1 ; do sleep .5 ; done
}

stop_vpn() {
    echo "Stopping VPN"
    ip netns pids $NS_NAME | xargs -rd'\n' kill
    # TODO wait for terminate

    # clear NAT
    iptables -t nat -D POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -D POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -D PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    echo "Delete network interface"
    rm -rf /etc/netns/$NS_NAME

    ip netns delete $NS_NAME
    ip link delete vpn0
}

# stop VPN on exit (even when error occured)
trap stop_vpn EXIT

start_vpn

# TODO start your favorite torrent client
$NS_EXEC sudo -u $REGULAR_USER transmission-gtk

Answer

在网络命名空间内启动 openvpn 更安全。我使用以下脚本（Schnouki 的分支）来创建命名空间、配置防火墙、DNS、测试连接、启动 openvpn，最后启动 torrent 客户端。我将 TODO 放在脚本中，您必须根据需要进行调整。

#!/bin/sh
# start openvpn tunnel and torrent client inside Linux network namespace
#
# this is a fork of schnouki's script, see original blog post
# https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/
#
# original script can be found here
# https://gist.github.com/Schnouki/fd171bcb2d8c556e8fdf

# ------------ adjust values below ------------
# network namespace
NS_NAME=myVPN
NS_EXEC="ip netns exec $NS_NAME"
# user for starting the torrent client
REGULAR_USER=heinzwurst
# ---------------------------------------------

# exit on unbound variable
set -u

# exit on error
set -e
set -o pipefail

# trace option
#set -x

if [ $USER != "root" ]; then
    echo "This must be run as root."
    exit 1
fi

start_vpn() {
    echo "Add network interface"

    # Create the network namespace
    ip netns add $NS_NAME

    # Start the loopback interface in the namespace
    $NS_EXEC ip addr add 127.0.0.1/8 dev lo
    $NS_EXEC ip link set lo up

    # Create virtual network interfaces that will let OpenVPN (in the
    # namespace) access the real network, and configure the interface in the
    # namespace (vpn1) to use the interface out of the namespace (vpn0) as its
    # default gateway
    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns $NS_NAME up

    ip addr add 10.200.200.1/24 dev vpn0
    $NS_EXEC ip addr add 10.200.200.2/24 dev vpn1
    $NS_EXEC ip link set dev vpn1 mtu 1492
    $NS_EXEC ip route add default via 10.200.200.1 dev vpn1

    # Configure the nameserver to use inside the namespace
    # TODO use VPN-provided DNS servers in order to prevent leaks
    mkdir -p /etc/netns/$NS_NAME
    cat >/etc/netns/$NS_NAME/resolv.conf <<EOF || exit 1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

    # IPv4 NAT, you may need to adjust the interface name prefixes 'eth' 'wlan'
    iptables -t nat -A POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -A POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -A PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    # TODO create firewall rules for your specific application (torrent)
    # or just comment the line below
    $NS_EXEC iptables-restore < /etc/iptables/iptables-$NS_NAME.rules

    # we should have full network access in the namespace
    $NS_EXEC ping -c 3 www.google.com

    # start OpenVPN in the namespace
    echo "Starting VPN"
    cd /etc/openvpn
    # TODO create openvpn configuration in /etc/openvpn/$NS_NAME.conf
    $NS_EXEC openvpn --config $NS_NAME.conf &

    # wait for the tunnel interface to come up
    while ! $NS_EXEC ip link show dev tun0 >/dev/null 2>&1 ; do sleep .5 ; done
}

stop_vpn() {
    echo "Stopping VPN"
    ip netns pids $NS_NAME | xargs -rd'\n' kill
    # TODO wait for terminate

    # clear NAT
    iptables -t nat -D POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -D POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -D PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    echo "Delete network interface"
    rm -rf /etc/netns/$NS_NAME

    ip netns delete $NS_NAME
    ip link delete vpn0
}

# stop VPN on exit (even when error occured)
trap stop_vpn EXIT

start_vpn

# TODO start your favorite torrent client
$NS_EXEC sudo -u $REGULAR_USER transmission-gtk

Question 2

我已经使用 Felix 提供的分叉脚本大约六个月了，直到上周它一直工作得很好（一旦我添加了 Nehal J Wani 建议的 sysctl -w net.ipv4.ip_forward=1 行并注释掉管道故障 - 否则它会崩溃）。

然而我注意到在过去的一周里它已经完全停止工作了（Debian 9.4）。我花了很多时间尝试调试出了什么问题，因为该脚本非常有用 - 但无论我尝试什么，我都无法让它再次工作。

由于这是一个非常有用的功能，我想提供 Schnouki 工作的替代分支，它可以很好地防止任何人遇到同样的问题。

https://github.com/crasm/vpnshift.sh

#!/bin/bash
#
# Copyright (c) 2016, crasm <[email protected]>
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


usage="usage: vpnshift -c <config> [<command> [<arg>...]]
optional:
    -u <user>      Execute <command> as <user>
    -d             Toggle namespace debug shell

if not otherwise specified:
    - The command defaults to the user's shell (${SHELL}).
    - The user must be inferred from sudo.
"

quick_die() {
    format="$1"; shift
    >&2 printf "${format}\n" "$@"
    exit 1
}

die() {
    format="$1"; shift
    >&2 printf "${format}\n" "$@"
    clean_exit 1
}

hush() {
    eval "$@" > /dev/null 2> /dev/null
}

must() {
    eval "$@" || die "failed: %s" "$*"
}

is_running() {
    local pid="$1"
    hush kill -s 0 "${pid}"
}

sig_kill() {
    local pid="$1"
    hush kill -s KILL "${pid}"
}

sig_term() {
    local pid="$1"
    hush kill -s TERM "${pid}"
}

clean_exit() {
    local exit_code="$1"

    if is_running "${openvpn_pid}"; then
        # Kill openvpn.
        sig_term "${openvpn_pid}"
        >&2 printf "stopping openvpn (pid = %d)." "${openvpn_pid}"
        for i in {1..100}; do
            if is_running "${openvpn_pid}"; then
                sleep 0.1
                printf "."
            else
                break
            fi
        done
        printf "\n"

        if is_running "${openvpn_pid}"; then
            >&2 echo "forced to kill openvpn"
            sig_kill "${openvpn_pid}"
        fi
    else
        >&2 echo "openvpn exited"
    fi

    # don't start cleaning up until openvpn is gone
    hush ip netns delete "${namespace}"
    hush rm --recursive --force "${namespace_dir}"
    hush sysctl --quiet net.ipv4.ip_forward="${forward}"
    if hush ps -C 'firewalld'; then
        echo "[firewalld] clearing firewalld state"
        hush systemctl restart firewalld
    else
        echo "${rules}" | hush iptables-restore
    fi

    # Sometimes there's a lag for the veths to be deleted by linux, so we
    # delete it manually.
    hush ip link delete "${veth_default}"
    hush ip link delete "${veth_vpn}"

    exit "${exit_code}"
}

nsdo() {
    ip netns exec "${namespace}" "$@"
}

_debug=0

main() {
    local config=
    local user="${SUDO_USER}"
    while getopts "hdc:u:" opt; do
        case "${opt}" in
            h) quick_die "${usage}" ;;
            d) _debug=1 ;;
            c) config="$(realpath "${OPTARG}")" ;;
            u) user="${OPTARG}" ;;
            *) quick_die "unknown option: %s" "${opt}" ;;
        esac
    done
    shift $(( OPTIND - 1 ))

    if [[ -z "${config}" ]]; then
        quick_die "openvpn config is required"
    fi

    if [[ -z "${user}" ]]; then
        quick_die "user must be provided explicitly via '-u' or implicitly via SUDO_USER"
    fi

    local cmd="$1"; shift

    if [[ -z "${cmd}" ]]; then
        cmd="${SHELL}"
    fi

    must ip netns add vpnshift
    must mkdir --parents "${namespace_dir}"

    # Set up loopback interface

    must nsdo ip address add '127.0.0.1/8' dev lo
    must nsdo ip address add '::1/128' dev lo
    must nsdo ip link set lo up

    # Set up veth tunnel

    must ip link add "${veth_vpn}" type veth peer name "${veth_default}"
    must ip link set "${veth_vpn}" netns "${namespace}"

    must ip link set "${veth_default}" up
    must nsdo ip link set "${veth_vpn}" up

    must ip address add "10.10.10.10/31" dev "${veth_default}"
    must nsdo ip \
        address add "10.10.10.11/31" dev "${veth_vpn}"

    must nsdo ip \
        route add default via "10.10.10.10" dev "${veth_vpn}"

    # Set up NAT and IP forwarding
    must sysctl --quiet net.ipv4.ip_forward=1

    # check if we need to enable masquerading via firewalld for veth_default
    if hush ps -C 'firewalld'; then
        echo "[firewalld] enabling firewalld based masquerading for ${veth_default}"

        if [[ $(firewall-cmd --get-zones | grep "${namespace}") != *"${namespace}"* ]]
        then
            echo "[firewalld] creating permanent new zone ${namespace} with target default"
            must firewall-cmd -q --permanent --new-zone="${namespace}"
            must firewall-cmd -q --permanent --zone="${namespace}" --set-target="default"
            must firewall-cmd -q --reload
        fi

        # add interface to our zone
        echo "[firewalld] adding ${veth_default} and ${veth_vpn} to zone ${namespace}"
        must firewall-cmd -q --zone="${namespace}" --change-interface="${veth_default}"

        # apply our source range to our zone
        echo "[firewalld] adding 10.10.10.10/31 as source for ${namespace}"
        must firewall-cmd -q --zone="${namespace}" --add-source=10.10.10.10/31

        # enable masquerading from our new source range on the default zone
        default_zone=$(firewall-cmd --get-default-zone)
        echo "[firewalld] enabling masquerading on default zone: ${default_zone}"
        must firewall-cmd -q --zone="${default_zone}" --add-masquerade
        must firewall-cmd -q --zone="${default_zone}"  --add-rich-rule=\'rule family="ipv4" source address="10.10.10.10/31" masquerade\'

        # optionally allow ports, services, etc. on our zone

        # enabling desired ports
        #echo "enabling all port traffic on zone ${namespace}"
        #must firewall-cmd -q --zone="${namespace}" --add-port=1025-65535/udp
        #must firewall-cmd -q --zone="${namespace}" --add-port=1025-65535/tcp

        # enable services
        #echo "enabling dns on zone ${namespace}"
        #must firewall-cmd -q --zone="${namespace}" --add-service=dns

    else
        must iptables --table "nat" --append "POSTROUTING" --jump "MASQUERADE" --source "10.10.10.10/31"
    fi

    # Set up DNS inside the new namespace
    printf > "${namespace_dir}/resolv.conf" \
        "nameserver %s\nnameserver %s\n" \
        "108.62.19.131" \
        "104.238.194.235"

    # drop in a shell to debug namespace connectivity ... the exit trap will catch exit from this and clean up
    if [[ "$_debug" == 1 ]]; then
        nsdo "${SHELL}"
    fi

    # Launch openvpn
    local tun="tunvpn"
    nsdo openvpn \
        --cd "$(dirname "${config}")" \
        --config "${config}" \
        --dev "${tun}" \
        --errors-to-stderr &

    openvpn_pid=$(ps --ppid "$!" \
        --format "pid" \
        --no-headers
    )

    >&2 printf "waiting for openvpn (pid = %d)\n" "${openvpn_pid}"

    while ! hush nsdo ip link show "${tun}"; do
        if ! is_running "${openvpn_pid}"; then
            clean_exit 1
        fi
        sleep 0.2
    done

    # Removing the default route protects from exposure if openvpn exits
    # prematurely.
    must nsdo ip \
        route delete default via "10.10.10.10" dev "${veth_vpn}"

    nsdo sudo -u "${user}" "${cmd}" "$@"
}

if [[ $# == 0 ]]; then
    quick_die "${usage}"
elif [[ "$(id -u)" != 0 ]]; then
    sudo "$0" "$@"
    exit "$?"
fi

# Stuff needed by clean_exit() to restore previous state.
namespace="vpnshift"
namespace_dir="/etc/netns/${namespace}"
forward="$(sysctl --values "net.ipv4.ip_forward")"
rules="$(iptables-save -t nat)"
veth_default="veth_default"
veth_vpn="veth_vpn"

openvpn_pid= # This is set later.

# Enable cleanup routine.
trap 'clean_exit 1' INT TERM
trap 'clean_exit $?' EXIT

main "$@"

Answer

我已经使用 Felix 提供的分叉脚本大约六个月了，直到上周它一直工作得很好（一旦我添加了 Nehal J Wani 建议的 sysctl -w net.ipv4.ip_forward=1 行并注释掉管道故障 - 否则它会崩溃）。

然而我注意到在过去的一周里它已经完全停止工作了（Debian 9.4）。我花了很多时间尝试调试出了什么问题，因为该脚本非常有用 - 但无论我尝试什么，我都无法让它再次工作。

由于这是一个非常有用的功能，我想提供 Schnouki 工作的替代分支，它可以很好地防止任何人遇到同样的问题。

https://github.com/crasm/vpnshift.sh

#!/bin/bash
#
# Copyright (c) 2016, crasm <[email protected]>
#
# Permission to use, copy, modify, and/or distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


usage="usage: vpnshift -c <config> [<command> [<arg>...]]
optional:
    -u <user>      Execute <command> as <user>
    -d             Toggle namespace debug shell

if not otherwise specified:
    - The command defaults to the user's shell (${SHELL}).
    - The user must be inferred from sudo.
"

quick_die() {
    format="$1"; shift
    >&2 printf "${format}\n" "$@"
    exit 1
}

die() {
    format="$1"; shift
    >&2 printf "${format}\n" "$@"
    clean_exit 1
}

hush() {
    eval "$@" > /dev/null 2> /dev/null
}

must() {
    eval "$@" || die "failed: %s" "$*"
}

is_running() {
    local pid="$1"
    hush kill -s 0 "${pid}"
}

sig_kill() {
    local pid="$1"
    hush kill -s KILL "${pid}"
}

sig_term() {
    local pid="$1"
    hush kill -s TERM "${pid}"
}

clean_exit() {
    local exit_code="$1"

    if is_running "${openvpn_pid}"; then
        # Kill openvpn.
        sig_term "${openvpn_pid}"
        >&2 printf "stopping openvpn (pid = %d)." "${openvpn_pid}"
        for i in {1..100}; do
            if is_running "${openvpn_pid}"; then
                sleep 0.1
                printf "."
            else
                break
            fi
        done
        printf "\n"

        if is_running "${openvpn_pid}"; then
            >&2 echo "forced to kill openvpn"
            sig_kill "${openvpn_pid}"
        fi
    else
        >&2 echo "openvpn exited"
    fi

    # don't start cleaning up until openvpn is gone
    hush ip netns delete "${namespace}"
    hush rm --recursive --force "${namespace_dir}"
    hush sysctl --quiet net.ipv4.ip_forward="${forward}"
    if hush ps -C 'firewalld'; then
        echo "[firewalld] clearing firewalld state"
        hush systemctl restart firewalld
    else
        echo "${rules}" | hush iptables-restore
    fi

    # Sometimes there's a lag for the veths to be deleted by linux, so we
    # delete it manually.
    hush ip link delete "${veth_default}"
    hush ip link delete "${veth_vpn}"

    exit "${exit_code}"
}

nsdo() {
    ip netns exec "${namespace}" "$@"
}

_debug=0

main() {
    local config=
    local user="${SUDO_USER}"
    while getopts "hdc:u:" opt; do
        case "${opt}" in
            h) quick_die "${usage}" ;;
            d) _debug=1 ;;
            c) config="$(realpath "${OPTARG}")" ;;
            u) user="${OPTARG}" ;;
            *) quick_die "unknown option: %s" "${opt}" ;;
        esac
    done
    shift $(( OPTIND - 1 ))

    if [[ -z "${config}" ]]; then
        quick_die "openvpn config is required"
    fi

    if [[ -z "${user}" ]]; then
        quick_die "user must be provided explicitly via '-u' or implicitly via SUDO_USER"
    fi

    local cmd="$1"; shift

    if [[ -z "${cmd}" ]]; then
        cmd="${SHELL}"
    fi

    must ip netns add vpnshift
    must mkdir --parents "${namespace_dir}"

    # Set up loopback interface

    must nsdo ip address add '127.0.0.1/8' dev lo
    must nsdo ip address add '::1/128' dev lo
    must nsdo ip link set lo up

    # Set up veth tunnel

    must ip link add "${veth_vpn}" type veth peer name "${veth_default}"
    must ip link set "${veth_vpn}" netns "${namespace}"

    must ip link set "${veth_default}" up
    must nsdo ip link set "${veth_vpn}" up

    must ip address add "10.10.10.10/31" dev "${veth_default}"
    must nsdo ip \
        address add "10.10.10.11/31" dev "${veth_vpn}"

    must nsdo ip \
        route add default via "10.10.10.10" dev "${veth_vpn}"

    # Set up NAT and IP forwarding
    must sysctl --quiet net.ipv4.ip_forward=1

    # check if we need to enable masquerading via firewalld for veth_default
    if hush ps -C 'firewalld'; then
        echo "[firewalld] enabling firewalld based masquerading for ${veth_default}"

        if [[ $(firewall-cmd --get-zones | grep "${namespace}") != *"${namespace}"* ]]
        then
            echo "[firewalld] creating permanent new zone ${namespace} with target default"
            must firewall-cmd -q --permanent --new-zone="${namespace}"
            must firewall-cmd -q --permanent --zone="${namespace}" --set-target="default"
            must firewall-cmd -q --reload
        fi

        # add interface to our zone
        echo "[firewalld] adding ${veth_default} and ${veth_vpn} to zone ${namespace}"
        must firewall-cmd -q --zone="${namespace}" --change-interface="${veth_default}"

        # apply our source range to our zone
        echo "[firewalld] adding 10.10.10.10/31 as source for ${namespace}"
        must firewall-cmd -q --zone="${namespace}" --add-source=10.10.10.10/31

        # enable masquerading from our new source range on the default zone
        default_zone=$(firewall-cmd --get-default-zone)
        echo "[firewalld] enabling masquerading on default zone: ${default_zone}"
        must firewall-cmd -q --zone="${default_zone}" --add-masquerade
        must firewall-cmd -q --zone="${default_zone}"  --add-rich-rule=\'rule family="ipv4" source address="10.10.10.10/31" masquerade\'

        # optionally allow ports, services, etc. on our zone

        # enabling desired ports
        #echo "enabling all port traffic on zone ${namespace}"
        #must firewall-cmd -q --zone="${namespace}" --add-port=1025-65535/udp
        #must firewall-cmd -q --zone="${namespace}" --add-port=1025-65535/tcp

        # enable services
        #echo "enabling dns on zone ${namespace}"
        #must firewall-cmd -q --zone="${namespace}" --add-service=dns

    else
        must iptables --table "nat" --append "POSTROUTING" --jump "MASQUERADE" --source "10.10.10.10/31"
    fi

    # Set up DNS inside the new namespace
    printf > "${namespace_dir}/resolv.conf" \
        "nameserver %s\nnameserver %s\n" \
        "108.62.19.131" \
        "104.238.194.235"

    # drop in a shell to debug namespace connectivity ... the exit trap will catch exit from this and clean up
    if [[ "$_debug" == 1 ]]; then
        nsdo "${SHELL}"
    fi

    # Launch openvpn
    local tun="tunvpn"
    nsdo openvpn \
        --cd "$(dirname "${config}")" \
        --config "${config}" \
        --dev "${tun}" \
        --errors-to-stderr &

    openvpn_pid=$(ps --ppid "$!" \
        --format "pid" \
        --no-headers
    )

    >&2 printf "waiting for openvpn (pid = %d)\n" "${openvpn_pid}"

    while ! hush nsdo ip link show "${tun}"; do
        if ! is_running "${openvpn_pid}"; then
            clean_exit 1
        fi
        sleep 0.2
    done

    # Removing the default route protects from exposure if openvpn exits
    # prematurely.
    must nsdo ip \
        route delete default via "10.10.10.10" dev "${veth_vpn}"

    nsdo sudo -u "${user}" "${cmd}" "$@"
}

if [[ $# == 0 ]]; then
    quick_die "${usage}"
elif [[ "$(id -u)" != 0 ]]; then
    sudo "$0" "$@"
    exit "$?"
fi

# Stuff needed by clean_exit() to restore previous state.
namespace="vpnshift"
namespace_dir="/etc/netns/${namespace}"
forward="$(sysctl --values "net.ipv4.ip_forward")"
rules="$(iptables-save -t nat)"
veth_default="veth_default"
veth_vpn="veth_vpn"

openvpn_pid= # This is set later.

# Enable cleanup routine.
trap 'clean_exit 1' INT TERM
trap 'clean_exit $?' EXIT

main "$@"

Question 3

我有一台计算机通过有线以太网连接到 LAN，这使我能够采取一些不同的策略：桥接！它允许 LAN 的 DHCP 服务器向主机和 vpn 命名空间授予单独的地址，并授予 vpn 命名空间直接访问互联网！无需修改 iptables 或手动指定 IP 地址！这是我在命令中的整个解决方案。

# Make the netns.
ip netns add vpn

ip link add br0 type bridge
ip link set br0 up

# Make the inter-namespace pipe and bridge the host end.
ip link add veth.host type veth peer veth.vpn
ip link set veth.host master br0 up
ip link set veth.vpn netns vpn up

# Bridge the wired ethernet.
ip link set eth0 master br0 up

# Start dhcpcd on the bridge for the host to use and on veth.vpn
# for the vpn netns to use. The router will grant separate IP
# addresses to both! (They have different MAC addresses.)
dhcpcd br0
ip netns exec vpn dhcpcd veth.vpn

# OK, now start the VPN.
ip netns exec vpn openvpn --config etc etc etc

设置相当简单。

Answer

我有一台计算机通过有线以太网连接到 LAN，这使我能够采取一些不同的策略：桥接！它允许 LAN 的 DHCP 服务器向主机和 vpn 命名空间授予单独的地址，并授予 vpn 命名空间直接访问互联网！无需修改 iptables 或手动指定 IP 地址！这是我在命令中的整个解决方案。

# Make the netns.
ip netns add vpn

ip link add br0 type bridge
ip link set br0 up

# Make the inter-namespace pipe and bridge the host end.
ip link add veth.host type veth peer veth.vpn
ip link set veth.host master br0 up
ip link set veth.vpn netns vpn up

# Bridge the wired ethernet.
ip link set eth0 master br0 up

# Start dhcpcd on the bridge for the host to use and on veth.vpn
# for the vpn netns to use. The router will grant separate IP
# addresses to both! (They have different MAC addresses.)
dhcpcd br0
ip netns exec vpn dhcpcd veth.vpn

# OK, now start the VPN.
ip netns exec vpn openvpn --config etc etc etc

设置相当简单。

尝试在网络命名空间中运行 OpenVPN

我引用那篇文章，我遇到的问题在底部说明：

我的问题：

答案1

答案2

答案3

相关内容