Puszczanie tylko jednej aplikacji przez VPN

https://qasimk.io/2018/single-application-vpn/

Ustaw VPN za pomocą OpenVPN (tu: jednostka openvpn-client@nordvpn.service) — po połączeniu powinien powstać interfejs, np. tun0. Poniższy skrypt odczytuje adres i bramę z tun0, więc musi być uruchamiany dopiero po zestawieniu tunelu; jeśli tun0 nie istnieje, skrypt powinien zakończyć się błędem, a nie zostawić połowicznie skonfigurowaną przestrzeń nazw.

Utwórz plik /root/netns.sh (musi być wykonywalny, np. chmod 700, bo systemd uruchamia go bezpośrednio przez ExecStart):

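#!/usr/bin/env bash
# Move the OpenVPN interface (tun0) into a dedicated network namespace so that
# only processes started inside it (see namespaced-transmission.service) use
# the VPN, while the host keeps its normal routing.  Must run as root, once,
# after openvpn has brought tun0 up.
#
# Resulting traffic policy:
#   * inside the namespace the only default route is tun0 -> if the tunnel
#     disappears, namespace traffic fails instead of leaking through the host;
#   * the LAN (LAN_NET) is reachable from the namespace through a veth pair
#     (vpn0 on the host, vpn1 in the namespace) plus host-side NAT;
#   * TCP RPC_PORT on the host is DNAT'ed to transmission in the namespace.
#
# Re-running is not supported: the namespace, veth pair and tun0 placement are
# one-shot.  To start over, stop transmission, `ip netns delete` the namespace
# (this destroys the tun device inside it) and restart openvpn.
#
# NOTE(review): the namespace has no resolv.conf of its own, so processes in it
# use the host's /etc/resolv.conf unless /etc/netns/<NS>/resolv.conf exists
# (`ip netns exec` bind-mounts it).  If the host's resolver is on the LAN, DNS
# from the namespace reaches it via vpn1, i.e. outside the tunnel -- create
# /etc/netns/<NS>/resolv.conf pointing at the VPN provider's resolver if that
# matters.
set -euo pipefail

NS=nordvpn
VPN_DEV=tun0
LAN_NET=192.168.0.0/24          # local network that must stay reachable
LAN_TEST_HOST=192.168.0.13      # only used by the connectivity check at the end
VETH_NET=10.200.200.0/24
VETH_HOST_IP=10.200.200.1
VETH_NS_IP=10.200.200.2
RPC_PORT=9091                   # transmission web/RPC port forwarded into the namespace
WAN_IF='wl+'                    # iptables wildcard for the host's wireless interfaces

die() { printf 'netns.sh: %s\n' "$*" >&2; exit 1; }

# ipt_add TABLE CHAIN RULE...  -- append an iptables rule only when an
# identical one is not already present, so partial re-runs do not pile up
# duplicate rules.
ipt_add() {
  local table=$1 chain=$2
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null \
    || iptables -t "$table" -A "$chain" "$@"
}

# --- preconditions ---------------------------------------------------------
if [[ -e "/run/netns/$NS" ]]; then
  die "namespace '$NS' already exists; see the header comment on re-running"
fi
ip link show dev "$VPN_DEV" >/dev/null 2>&1 \
  || die "'$VPN_DEV' does not exist -- is openvpn up?"

# Address and gateway must be read BEFORE the device is moved: moving an
# interface to another namespace drops its addresses and routes.
# `-o` prints one line per address: idx name family address ...
vpn_addr=$(ip -4 -o addr show dev "$VPN_DEV" | awk 'NR == 1 {print $4}')
# First route on the device that has a gateway (for OpenVPN this is usually
# the 0.0.0.0/1 or default route); the prose uses it as the p2p peer.
vpn_gw=$(ip -4 route show dev "$VPN_DEV" | awk '/via/ {print $3; exit}')
[[ -n "$vpn_addr" ]] || die "no IPv4 address on '$VPN_DEV'"
[[ -n "$vpn_gw" ]]   || die "no IPv4 gateway route on '$VPN_DEV'"

# --- namespace with the VPN device inside ----------------------------------
ip netns add "$NS"
in_ns=(ip netns exec "$NS")

"${in_ns[@]}" ip link set lo up

ip link set "$VPN_DEV" netns "$NS"
"${in_ns[@]}" ip link set "$VPN_DEV" up
# Restore the address the device had on the host, with the VPN gateway as peer.
"${in_ns[@]}" ip addr add "$vpn_addr" peer "$vpn_gw/32" dev "$VPN_DEV"
# Deliberately the ONLY default route in the namespace (kill-switch property).
"${in_ns[@]}" ip route add default dev "$VPN_DEV"

# --- veth link to the host so the LAN can reach transmission ---------------
ip link add vpn0 type veth peer name vpn1
ip link set vpn0 up
ip link set vpn1 netns "$NS" up

ip addr add "$VETH_HOST_IP/24" dev vpn0
"${in_ns[@]}" ip addr add "$VETH_NS_IP/24" dev vpn1
# Only the LAN is routed via the host; everything else still goes through tun0.
"${in_ns[@]}" ip route add "$LAN_NET" via "$VETH_HOST_IP" dev vpn1

# Anti-spoofing: packets claiming a veth-subnet source may only enter via vpn0.
ipt_add filter INPUT '!' -i vpn0 -s "$VETH_NET" -j DROP
# Let the namespace reach the LAN using the host's address.
ipt_add nat POSTROUTING -s "$VETH_NET" -o "$WAN_IF" -j MASQUERADE

# --- expose the transmission RPC/web panel ---------------------------------
# Restricted to LAN sources; widen `-s` only if the panel must be reachable
# from elsewhere (it is an admin interface).
ipt_add nat PREROUTING -p tcp -s "$LAN_NET" --dport "$RPC_PORT" \
  -j DNAT --to-destination "$VETH_NS_IP:$RPC_PORT"
# Replies must come back through the host even for clients the namespace
# would otherwise route via tun0, hence masquerade -- but note this makes
# every RPC client look like $VETH_HOST_IP to transmission, so its
# source-based rpc-whitelist cannot distinguish clients; restrict access
# with the DNAT rule above instead.
ipt_add nat POSTROUTING -p tcp -d "$VETH_NS_IP" --dport "$RPC_PORT" -j MASQUERADE

# System-wide: the host becomes a router for ALL its interfaces.  The FORWARD
# chain policy is not changed here -- lock it down separately if the host
# has other networks attached.
sysctl -q -w net.ipv4.ip_forward=1

# --- diagnostics (non-fatal, bounded) --------------------------------------
"${in_ns[@]}" ip route
"${in_ns[@]}" curl -s --max-time 10 ifconfig.co \
  || printf 'netns.sh: warning: no connectivity through the VPN yet\n' >&2
# `-c 1` is essential: an unbounded ping would block the oneshot unit forever.
"${in_ns[@]}" ping -c 1 -W 2 "$LAN_TEST_HOST" \
  || printf 'netns.sh: warning: LAN host %s not reachable from the namespace\n' "$LAN_TEST_HOST" >&2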

Utwórz plik /etc/systemd/system/netns-nordvpn.service:

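[Unit]
Description=Create a nordvpn ip namespace
# /root/netns.sh reads tun0's address and moves the device into the
# namespace, so openvpn must not only be pulled in (Requires=) but also be
# fully started first.  Requires= alone gives no ordering -- without After=
# both units start in parallel and the script may run before tun0 exists.
Requires=openvpn-client@nordvpn.service
After=openvpn-client@nordvpn.service

[Service]
# One-shot setup; RemainAfterExit keeps the unit "active" so that units
# which Require it (namespaced-transmission) are not pulled down.
Type=oneshot
RemainAfterExit=yes
# systemd exec()s this path directly: the file needs a shebang and the
# executable bit (chmod 700 /root/netns.sh).
ExecStart=/root/netns.sh

[Install]
WantedBy=multi-user.target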

Utwórz plik /etc/systemd/system/namespaced-transmission.service (transmission nasłuchuje wewnątrz przestrzeni nazw, więc jego panel RPC jest też widoczny od strony tun0, jeśli nie ustawisz rpc-bind-address na 10.200.200.2):

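[Unit]
Description=Transmission BitTorrent Daemon
# Requires= pulls netns-nordvpn in but does not order it; it must also be in
# After=, otherwise `ip netns exec nordvpn` can run before the namespace
# exists and fail.  The openvpn unit name must match the one used by
# netns-nordvpn.service (openvpn-client@..., not openvpn@...).
Requires=netns-nordvpn.service
After=network.target openvpn-client@nordvpn.service netns-nordvpn.service
Alias=transmission.service

[Service]
Type=simple
# NetworkNamespacePath= (systemd >= 242) would avoid `ip netns exec`, but
# `ip netns exec` additionally bind-mounts /etc/netns/nordvpn/resolv.conf over
# /etc/resolv.conf when it exists -- the simplest way to give the daemon a
# resolver that goes through the tunnel instead of the host's (LAN) one.
#NetworkNamespacePath=/var/run/netns/nordvpn
# Enter the namespace as root, then drop to the service user.
# NOTE(review): transmission binds inside the namespace, so its RPC port is
# reachable via tun0 as well unless rpc-bind-address is set to 10.200.200.2
# -- verify in settings.json.
ExecStart=ip netns exec nordvpn sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error
# SIGSTOP only suspends the process: systemd would then wait for
# TimeoutStopSec and SIGKILL it, losing unsaved resume state.  SIGTERM lets
# transmission shut down cleanly (sudo relays the signal to its child).
ExecStop=/bin/kill -s TERM $MAINPID
ExecReload=/bin/kill -s HUP $MAINPID

[Install]
WantedBy=multi-user.target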

Następnie nadaj skryptowi prawo wykonywania, przeładuj systemd (żeby zobaczył nowe pliki jednostek) i włącz obie jednostki:

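# ExecStart= exec()s the script directly, so it needs the executable bit.
sudo chmod 700 /root/netns.sh
# Newly created unit files are not seen until systemd re-reads them.
sudo systemctl daemon-reload
# Unit name must match the file created above (netns-nordvpn.service).
sudo systemctl enable netns-nordvpn.service
sudo systemctl enable namespaced-transmission.service
# NOTE(review): CAP_NET_ADMIN lets the daemon change routes/interfaces in its
# own namespace, i.e. weaken its VPN-only confinement, and nothing in the unit
# above obviously needs it (the namespace is entered as root before dropping
# to debian-transmission).  Confirm something actually fails without it
# before granting it.  File capabilities are also lost whenever the package
# replaces the binary on upgrade, so this step must be repeated then.
sudo setcap 'cap_net_admin,cap_net_raw+ep' "$(command -v transmission-daemon)"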