Executable files for executing arbitrary commands in a seperate OpenVPN namespace.
This project contains files for executing arbitrary commands in OpenVPN namespaces. VPNs established in a namespace do not affect the global network stack, so that the main network connection of the running machine can remain unaffected.
It does not use veth pairs, but instead moves the tun device into the new namespace. It is possible to run multiple VPN namespaces seperatly (in seperate terminals), without polluting the local network configuration.
It is even possible to nest VPN connections (Your PC -> VPN 1 -> VPN 2 -> public internet).
./vpn-exec <VPN conf> <command>
eg
./vpn-exec /etc/openvpn/France.conf sudo -u johndoe firefox
This will create a vpn connection to France and execute firefox in the new vpn-France namespace. It ensures that any traffic generated by this instance of firefox is tunnelled over VPN, but it does not affect the networking configuration of the running system.
(Note: In the example above, it is necessary to close other running instances of firefox, to ensure our firefox process does not bind to another in the global network namespace)
The vpn-exec script can be executed multiple times in different terminals, effectively putting each terminal in a different VPN.
To nest VPN connections, simply execute the vpn-exec script again, while in a vpn-exec /bin/bash session.
The VPN scripts are implemented as systemd units.
The example daily-backup.timer and daily-backup.service show how to leverage this to implement a timed backup script through VPN without affecting the global network namespace. Given an openvpn configuration file /etc/openvpn/office.conf
systemctl start openvpn-ns@office.service
Using the new network namespaces from above:
sudo ip netns exec vpn-office <command>
eg.
sudo ip netns exec vpn-office /bin/bash
su - <user>
firefox
systemctl stop openvpn-ns@<VPN>.service
or to stop all:
systemctl stop 'openvpn-ns@*'