How to run OpenVPN tunnel inside a network namespace
Linux network namespaces can be used to control which processes should be tunneled by OpenVPN.
First create an –up and –down script for OpenVPN. This script will create the VPN tunnel interface inside a network namespace called vpn, instead of the default namespace.
cat > netns-up << EOF
#!/bin/sh
case $script_type in
up)
ip netns add vpn
ip netns exec vpn ip link set dev lo up
mkdir -p /etc/netns/vpn
echo "nameserver 8.8.8.8" > /etc/netns/vpn/resolv.conf
ip link set dev "$1" up netns vpn mtu "$2"
ip netns exec vpn ip addr add dev "$1" \
"$4/${ifconfig_netmask:-30}" \
${ifconfig_broadcast:+broadcast "$ifconfig_broadcast"}
test -n "$ifconfig_ipv6_local" && \
ip netns exec vpn ip addr add dev "$1" \
"$ifconfig_ipv6_local"/112
;;
route-up)
ip netns exec vpn ip route add default via "$route_vpn_gateway"
test -n "$ifconfig_ipv6_remote" && \
ip netns exec vpn ip route add default via \
"$ifconfig_ipv6_remote"
;;
down)
ip netns delete vpn
;;
esac
EOF
Then start OpenVPN and tell it to use our –up script instead of executing ifconfig and route.
Linux namespaces are a relatively new kernel feature which is essential for implementation of containers. A namespace wraps a global system resource into an abstraction which will be bound only to processes within the namespace, providing resource isolation. In this article I discuss network namespace and show a practical example.
What is namespace?
A namespace is a way of scoping a particular set of identifiers. Using a namespace, you can use the same identifier multiple times in different namespaces. You can also restrict an identifier set visible to particular processes.
For example, Linux provides namespaces for networking and processes, among other things. If a process is running within a process namespace, it can only see and communicate with other processes in the same namespace. So, if a shell in a particular process namespace ran ps waux, it would only show the other processes in the same namespace.
Linux network namespaces
In a network namespace, the scoped ‘identifiers’ are network devices; so a given network device, such as eth0, exists in a particular namespace. Linux starts up with a default network namespace, so if your operating system does not do anything special, that is where all the network devices will be located. But it is also possible to create further non-default namespaces, and create new devices in those namespaces, or to move an existing device from one namespace to another.
Each network namespace also has its own routing table, and in fact this is the main reason for namespaces to exist. A routing table is keyed by destination IP address, so network namespaces are what you need if you want the same destination IP address to mean different things at different times – which is something that OpenStack Networking requires for its feature of providing overlapping IP addresses in different virtual networks.
Each network namespace also has its own set of iptables (for both IPv4 and IPv6). So, you can apply different security to flows with the same IP addressing in different namespaces, as well as different routing.
Any given Linux process runs in a particular network namespace. By default this is inherited from its parent process, but a process with the right capabilities can switch itself into a different namespace; in practice this is mostly done using the ip netns exec NETNS COMMAND… invocation, which starts COMMAND running in the namespace named NETNS. Suppose such a process sends out a message to IP address A.B.C.D, the effect of the namespace is that A.B.C.D will be looked up in that namespace’s routing table, and that will determine the network device that the message is transmitted through.
Lets play with ip namespaces
By convention a named network namespace is an object at /var/run/netns/NAME that can be opened. The file descriptor resulting from opening /var/run/netns/NAME refers to the specified network namespace.
create a namespace
power up loopback device
open up a namespace shell
now we can use this shell like user shell where it uses ns1 namespace only
In part-2 , I will explain how to connect to internet from ns1 namespace and adding custom routes.
This article objective is provide you the way to assign the IP address to the network interface from the command line.
You can see the available network interfaces on your machine by using the simple command ifconfig
ifconfig
You can find the interfaces and their names and you can identify the name which is preceded by colon(:) in the left side. Something like eth0, lo and wlan0 etc. The network interface lo interface is the special interface where we called it as localhost and special IP assigned to it 127.0.0.1 also called loopback IP.
Do you know? you can assign multiple IPs to single network interface. This is pretty useful when you need multiple IP addresses but you have only one network card.
ifconfig eht0:1 192.168.2.9 up
We created new interface alias with IP assigned. We can do it simply by giving colon(:) and alias number.
Assign IP using ifconfig
ifconfig eth0 down
ifconfig eth0 192.168.2.3 up
This command will assign the specified IP to the give network interface. It is not a persistent change. The would change after reboot.
ifconfig eth0 192.168.2.14 netmask 255.255.255.0 up
Get IP using dhclient
The program dhclient will get you the IP to the given interface using the Dynamic Host Configuration Protocol (DHCP). The IP which will be assigned to the given network interface which will be provided by gateway or router. If you won’t have any preference of having specific IP assigned to the network card, this can be used
dhclient eth0
Assign static IP
The IP we assigned above is not a persistent or static IP. Means you will lose that IP and will get an other different IP assigned after reboot. To make this IP permanent we have to edit the configuration files.
Ubuntu /etc/network/interfaces
# Your primary public IP address.
iface eth0 inet static
address 198.51.100.5/24
gateway 198.51.100.1
# To add a second public IP address:
iface eth0 inet static
address 198.51.100.10/24
# To add a private IP address:
iface eth0 inet static
address 192.0.2.6/17
CentOS /etc/sysconfig/network-scripts/ifcfg-eth0
Unlike the distribution Debian, CentOS maintains the configuration in a separate file for each interface. The file path would be something like /etc/sysconfig/network-scripts/ifcfg-<interface_name>.
# eth0
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
# Your primary public IP address.
IPADDR=198.51.2.5
NETMASK=255.255.255.0
GATEWAY=198.51.2.1
The route is nothing but a path or way to the specific or range of destination IP addresses. Linux kernel maintains these routes called as kernel routing table and will route the traffic accordingly.
You can use any one of them to display the routing table
route netstat ip
Command route
The command route is used to modify and check the existing routes. To check the routing table using route command,
$ route
This will display the list of routes currently configured
Command:route -n
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 wlan0
192.168.0.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
This will give the output with out resolving the names
Command netstat
This command gives the statistics about the network. With this command you can do more than just printing routing table,
If you want to list valid connected IPs in your local network, you can do it by logging into your router if you have a password, else you can check connected client IPs command line using either of the following two commands.
namp arp
Let’s see, how you can list connected systems IPs in your netowrk using these commands
List IPs using command namp
Basically this command namp is used to scan networks. It is most widely used as port scanner. You can do many things with this command.
Auditing the security of a device or firewall by identifying the network
Identifying open ports on a target host
Network i maintenance and asset management.
Generating traffic to hosts on a network, response analysis and response time measurement.
Find and exploit vulnerabilities in a network
Ok, lets come to main thing listing IPs of connected systems in network
nmap -sP 192.168.1.*
Where, you have to specify the IP range or subnet to scan to get the list of connected hosts. Options -sP no port scan based on your version you can also use option -sn.
Warning: Do not performs scans on a network without proper authorization.
List IPs using command arp
Basically arp is the protocol which stands for Address Resolution Protocol. Many linux boxes are loaded with command arp
Ping your network using a broadcast address i.e. “ping 192.168.2.255” if your IP is 192.168.2.8 or something in same network. After that, perform “arp -a” to determine all the computing devices connected to the network
Note: You can find your broadcast IP in ifconfig output for corresponding network interface
You can use the following command to list connected clients after you ping your broadcast IP,
arp -a
This command will list most of the IPs found but it’s not that much accurate. Some times routers hide machines which are connected via wire to the machines which are connected via wifi network.