First of all, I'm very bad at explaining things in text, so I advise you to check out the scripts on my gist here:
#We call this Variant A from now on:
https://gist.github.com/DeadSix27/9c1a896b9f12c4d99e43df2932e2715a
#Variant B:
https://gist.github.com/DeadSix27/5d4aec84a46e8fcd58eae377237ba36c
Issue description:
I'm running a network namespace (Variant A) on my home server (running ArchLinux) to run programs inside a separate namespace on the same machine which goes through a VPN, while keeping the rest of the system operating normally.
It works surprisingly well, but the initial startup is very tedious and my connection can still leak if ovpn dies. So I'm usually running a while loop that constantly checks if ovpn is still running, and if not I just kill all the processes that use it, because once it dies, the namespace wouldn't go through my VPN anymore, but use my actual IP.
So, I found Variant B online, a script executed directly by ovpn's up/down thing. This seemed very handy, as it would just shut down the namespace if the VPN ever goes down, saving me trouble.
However, unlike Variant A, this one doesn't create a local address like the other one (e.g. 10.200.200.2/24), so I only have the external VPN IP to bind my programs to and won't be able to access it locally.
Below are the IP routes for Variant A in and outside the namespace, showing vpn0/1, which is absent on Variant B (which is my issue).
I can easily add that range though by adding the below lines to the netns script:

```
ip link add veth0 type veth peer name veth1
ip link set veth0 up
ip link set veth1 netns vpn up
ip addr add 10.200.200.1/24 dev veth0
```

However, I can't add it as default because that is already taken by the ovpn connection, so where would I need to add it?

```
ip netns exec vpn ip addr add >>>default<<< dev veth1
```
Details:

Variant A: ip routes inside the namespace

```
$ ip route
0.0.0.0/1 via 193.183.116.193 dev tun0
default via 10.200.200.1 dev vpn1
10.200.200.0/24 dev vpn1 proto kernel scope link src 10.200.200.2
128.0.0.0/1 via 193.183.116.193 dev tun0
193.180.164.53 via 10.200.200.1 dev vpn1
193.183.116.192/26 dev tun0 proto kernel scope link src 193.183.116.212
```

Variant A: ip routes outside the namespace

```
$ ip route
default via 192.168.178.1 dev enp0s31f6 proto dhcp src 192.168.178.21 metric 203
10.200.200.0/24 dev vpn0 proto kernel scope link src 10.200.200.1
192.168.178.0/24 dev enp0s31f6 proto dhcp scope link src 192.168.178.21 metric 203
```

Variant B's routes are pretty much the same, but without vpn0/1.
I'm not that good with networking, so I'm not sure what to do here. If it's impossible to have a local net in Variant B, is there a way to have Variant A never connect to the internet without the VPN running? (e.g. get rid of my while-loop process killer)
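An added example (not from the post or the gists) that makes the leak in the Variant A route table visible: it parses the in-namespace `ip route` output quoted above, simulates `tun0` disappearing, and reports every remaining route that could still carry traffic out of the namespace. The allowed list (the veth subnet and the host route to the VPN server) and the second, fail-closed table are my assumptions; the fail-closed table is the same one minus the `default via 10.200.200.1` entry.

```python
"""Route-table leak check for a VPN network namespace (added example)."""
import ipaddress

# Constructed sample: the Variant A in-namespace table from the post.
VARIANT_A_ROUTES = """\
0.0.0.0/1 via 193.183.116.193 dev tun0
default via 10.200.200.1 dev vpn1
10.200.200.0/24 dev vpn1 proto kernel scope link src 10.200.200.2
128.0.0.0/1 via 193.183.116.193 dev tun0
193.180.164.53 via 10.200.200.1 dev vpn1
193.183.116.192/26 dev tun0 proto kernel scope link src 193.183.116.212
"""
# Assumed fail-closed table: identical, but with no default route via the veth.
FAIL_CLOSED_ROUTES = "\n".join(
    l for l in VARIANT_A_ROUTES.splitlines() if not l.startswith("default")
)
# Assumed allow-list: the veth subnet and the host route to the VPN server.
ALLOWED_NETS = ("10.200.200.0/24", "193.180.164.53/32")


def parse_routes(text):
    """Parse `ip route` lines into (network, dev, via) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dst = "0.0.0.0/0" if f[0] == "default" else f[0]
        dev = f[f.index("dev") + 1] if "dev" in f else None
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((ipaddress.ip_network(dst, strict=False), dev, via))
    return routes


def leak_paths(routes, vpn_dev, allowed_nets=ALLOWED_NETS):
    """Drop every route on vpn_dev (the tunnel is gone) and return the routes
    that remain and are not inside an explicitly allowed local network."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    return [
        (str(net), dev, via)
        for net, dev, via in routes
        if dev != vpn_dev and not any(net.subnet_of(a) for a in allowed)
    ]


if __name__ == "__main__":
    for name, table in (("Variant A", VARIANT_A_ROUTES),
                        ("fail-closed", FAIL_CLOSED_ROUTES)):
        print(name, "leaks after tun0 dies:", leak_paths(parse_routes(table), "tun0"))
```

For the Variant A table the only surviving exit is `default via 10.200.200.1 dev vpn1`, which is exactly the path the while loop guards against; without that default route the namespace keeps its veth subnet and the route to the VPN server but has nowhere else to send traffic.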