Run VPN and Transmission daemon inside network namespace

Requirements:

  • no bridging, I'm using a cloud VM and a bridge is likely to make me accidentally lose access to it
  • only use 1 IP, getting another IP in a cloud environment is not an option

I used the script from https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/ , remember to change wl+ to your outgoing interface name.

To use it, first run ./1.bash up, then ./1.bash start_vpn.

I can run transmission-daemon inside the netns:

ip netns exec frootvpn service transmission-daemon restart

Now all transmission-daemon traffic goes through VPN. But I want to be able to control transmission-daemon using its web UI.

First punch a hole with an iptables DNAT rule (transmission-daemon listens on port 9091 by default; I put in 9001 at the beginning and never bothered to change it):

iptables -t nat -A PREROUTING -i eth0 -p tcp \
--dport 9001 -j DNAT --to-destination 10.200.200.2:9001

Inside the netns there are two routes: the original default route via the NATed veth interface, vpn1, and the route via tun0 once the VPN connection is established. After the VPN comes up, tun0 has the higher priority and all traffic goes that way, so I need to select the transmission-daemon web UI's traffic and send it via the vpn1 route instead.

From this ServerFault answer I found a way:

ip netns exec frootvpn ip rule add fwmark 2 table 3
ip netns exec frootvpn ip route add default via 10.200.200.1 table 3
ip netns exec frootvpn ip route flush cache
ip netns exec frootvpn iptables -t mangle -A OUTPUT -p tcp --sport 9001 -j MARK --set-mark 2
ip netns exec frootvpn sysctl -w net.ipv4.conf.vpn1.rp_filter=2

Start transmission-daemon inside the netns:

ip netns exec frootvpn service transmission-daemon start

Now you can connect to the transmission-daemon web interface at your-server.com:9001 while all of transmission-daemon's download/upload traffic goes through the VPN!
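The steps above collected into one script, as an added example (not from the original post or the linked 1.bash): it parameterizes the DNAT hole and the fwmark policy route, adds a teardown that removes the rules again when the web UI should no longer be reachable, and a check that uses ip route get with the mark to confirm marked traffic leaves via the veth while everything else uses tun0. Namespace, interface and address names are the post's values used as placeholders; the port defaults to 9091, and DRY_RUN=1 prints the commands instead of executing them.

```bash
#!/bin/bash
# Added example, not the post's own script. All names/addresses below are
# placeholders taken from the post: netns "frootvpn", veth 10.200.200.1 (host)
# and 10.200.200.2 (netns side, interface vpn1), outgoing interface eth0.
NS=${NS:-frootvpn}
WAN_IF=${WAN_IF:-eth0}
NS_IP=${NS_IP:-10.200.200.2}
HOST_VETH_IP=${HOST_VETH_IP:-10.200.200.1}
NS_VETH_IF=${NS_VETH_IF:-vpn1}
PORT=${PORT:-9091}        # transmission-daemon RPC/web UI port (post used 9001)
MARK=2; TABLE=3

# Print instead of execute when DRY_RUN=1, so the rules can be reviewed first.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }
ns()  { run ip netns exec "$NS" "$@"; }

expose_webui() {
  # Host side: forward inbound TCP $PORT arriving on $WAN_IF into the namespace.
  run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" -j DNAT --to-destination "$NS_IP:$PORT"
  # Namespace side: mark replies from the web UI and route them via the veth, not tun0.
  ns iptables -t mangle -A OUTPUT -p tcp --sport "$PORT" -j MARK --set-mark "$MARK"
  ns ip rule add fwmark "$MARK" table "$TABLE"
  ns ip route add default via "$HOST_VETH_IP" table "$TABLE"
  ns ip route flush cache
  # Loose reverse-path filtering on the veth, since replies leave via a different route.
  ns sysctl -w "net.ipv4.conf.$NS_VETH_IF.rp_filter=2"
}

unexpose_webui() {
  # Teardown in reverse order: closes the DNAT hole when the web UI is not needed.
  ns ip rule del fwmark "$MARK" table "$TABLE"
  ns ip route del default via "$HOST_VETH_IP" table "$TABLE"
  ns iptables -t mangle -D OUTPUT -p tcp --sport "$PORT" -j MARK --set-mark "$MARK"
  run iptables -t nat -D PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" -j DNAT --to-destination "$NS_IP:$PORT"
}

# Check that marked packets leave via the veth while unmarked ones use tun0.
# 192.0.2.1 is a documentation address used only as a route lookup target.
verify_routing() {
  ns ip route get 192.0.2.1 mark "$MARK"   # expect "dev $NS_VETH_IF"
  ns ip route get 192.0.2.1                # expect "dev tun0" once the VPN is up
}

case "${1:-}" in
  up)    expose_webui ;;
  down)  unexpose_webui ;;
  check) verify_routing ;;
esac
```

Run it as ./webui.bash up after ./1.bash start_vpn, and ./webui.bash check to confirm the split before relying on it.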
