Run VPN and Transmission daemon inside network namespace

Requirements:

  • no bridging, I’m using a cloud VM and a bridge is likely to make me accidentally lose access to it
  • only use 1 IP, getting another IP in a cloud environment is not an option

I used the script from https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/ ; remember to change wl+ to the name of your outgoing interface.

To use it, first run ./1.bash up, then ./1.bash start_vpn.

I can run transmission-daemon inside the netns:

ip netns exec frootvpn service transmission-daemon restart

Now all transmission-daemon traffic goes through VPN. But I want to be able to control transmission-daemon using its web UI.

First punch a hole with an iptables DNAT rule (transmission-daemon listens on port 9091 by default; I typed 9001 at the beginning and never bothered to change it):

iptables -t nat -A PREROUTING -i eth0 -p tcp \
--dport 9001 -j DNAT --to-destination 10.200.200.2:9001

Inside the netns there are two default routes: the original one via the NATed veth interface, vpn1, and the one via tun0 that appears once the VPN connection is established. After the VPN comes up, the tun0 route has the higher priority and all traffic goes through it, so I need to select the transmission-daemon web UI’s traffic and send it via the vpn1 route instead.

From this ServerFault answer I found a way:

ip netns exec frootvpn ip rule add fwmark 2 table 3
ip netns exec frootvpn ip route add default via 10.200.200.1 table 3
ip netns exec frootvpn ip route flush cache
ip netns exec frootvpn iptables -t mangle -A OUTPUT -p tcp --sport 9001 -j MARK --set-mark 2
ip netns exec frootvpn sysctl -w net.ipv4.conf.vpn1.rp_filter=2

Start transmission-daemon inside the netns:

ip netns exec frootvpn service transmission-daemon start

Now you can connect to the transmission-daemon web interface at your-server.com:9001 while all transmission-daemon download/upload traffic goes through the VPN!
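A leak check I would add after the steps above (my own script, not from the post or the linked answers): it asks the namespace’s routing tables where unmarked traffic and fwmark 2 traffic would go, using ip route get with the mark option, and confirms that torrent traffic lands on tun0 and only the web UI path lands on vpn1. It assumes the names from the post (frootvpn, tun0, vpn1, mark 2); the probe address 1.1.1.1 is just a constructed public address for the lookup, no packets are sent.

```shell
#!/bin/sh
# Added example, not part of the original post. Names match the post; the
# probe address is constructed and only used for a route lookup.
NS="${NS:-frootvpn}"
MARK="${MARK:-2}"
VPN_DEV="${VPN_DEV:-tun0}"
NAT_DEV="${NAT_DEV:-vpn1}"
PROBE="${PROBE:-1.1.1.1}"

# Pull the output interface out of one line of `ip route get` output, e.g.
# "1.1.1.1 via 10.200.200.1 dev vpn1 table 3 src 10.200.200.2" -> "vpn1".
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# $1: route lookup for unmarked traffic, $2: lookup with the web UI fwmark.
# Succeeds only when torrent traffic uses the tunnel and marked traffic uses
# the NAT veth; anything else is either a VPN leak or a broken web UI path.
routes_ok() {
    [ "$(route_dev "$1")" = "$VPN_DEV" ] && [ "$(route_dev "$2")" = "$NAT_DEV" ]
}

# Live check inside the namespace (needs root). `ip route get ADDR mark N`
# runs the same fwmark policy lookup the kernel does for packets marked by
# the mangle rule, so this tests the rule/table setup without sending data.
check_live() {
    plain=$(ip netns exec "$NS" ip route get "$PROBE")
    marked=$(ip netns exec "$NS" ip route get "$PROBE" mark "$MARK")
    if routes_ok "$plain" "$marked"; then
        echo "OK: unmarked -> $(route_dev "$plain"), fwmark $MARK -> $(route_dev "$marked")"
    else
        echo "FAIL: unmarked -> $(route_dev "$plain"), fwmark $MARK -> $(route_dev "$marked")" >&2
        return 1
    fi
}

# Only touch the live namespace when explicitly asked: ./check.sh live
case "${1:-}" in
    live) check_live ;;
esac
```

Run it as root with the argument live after bringing the VPN up; a FAIL line with unmarked traffic on vpn1 means the tunnel is down and downloads would leave over the plain interface.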
