nnss/README.md

# Network Namespace setup using SSH SOCKS proxy

Create network namespace where all¹ network requests go via socks proxy.

## Dependency

Depends on [tun2socks][4]. Install from [AUR][5] or compile from [source][6].

## Installing

1. Install from [AUR][2].
2. Manual installation:

This will install under `/usr`

```sh
sudo make install
```

Change install directory using `PREFIX`

```sh
sudo make PREFIX=/usr/local install
```

For uninstall, run `make uninstall` or `make PREFIX=<prefix> uninstall`

## Type A: Use ssh to create socks proxy

1. Create a simple ssh config at `/etc/nnss/<namespace_name>/config`. This will
   be included with [other settings][0].
2. Copy your ssh private key to `/etc/nnss/<namespace_name>/privatekey`
3. [Edit][1] your application's service file to include below properties

```systemd
[Unit]
Requires=nnssA@<namespace_name>.service
After=nnssA@<namespace_name>.service
[Service]
NetworkNamespacePath=/run/netns/<namespace_name>ns
```

### Example

```bash
❯ sudo mkdir /etc/nnss/vps1

❯ sudo tee /etc/nnss/vps1/config > /dev/null
Hostname xx.xx.xx.xx
User vps_user_name_here
Port 8822 # If the ssh server is not on default port 22

❯ cp ~/.ssh/id_ed25519_for_vps1 /etc/nnss/vps1/privatekey
```


### Testing namespace

```bash
❯ sudo systemd-run \
    --property=NetworkNamespacePath=/run/netns/vps1ns \
    --property=User=$USER \
    --property=Requires=nnssA@vps1.service \
    --property=After=nnssA@vps1.service \
    --shell
[sudo] password for balki:
Running as unit: run-p233279-i233579.service
Press ^] three times within 1s to disconnect TTY.

❯ curl https://ip.balki.me/ip
xx.xx.xx.xx

❯ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
18: tunvps1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 198.19.1.1/30 scope global tunvps1
       valid_lft forever preferred_lft forever
    inet6 fe80::fd64:c3f3:ce6:650c/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
```

## Type B: Use existing socks proxy

1. Create an environment file at `/etc/nnss/env_<namespace_name>`. This file
   should contain one environment variable `SOCKS_PROXY`. See example below
2. [Edit][1] your application's service file to include below properties

```systemd
[Unit]
Requires=nnssB@<namespace_name>.service
After=nnssB@<namespace_name>.service
[Service]
NetworkNamespacePath=/run/netns/<namespace_name>ns
```
### Example

Assuming tor daemon is running configured to listen on socks proxy on port 9050.

```bash
❯ sudo tee /etc/nnss/env_tor > /dev/null
SOCKS_PROXY=socks5://127.0.0.1:9050
```

Create a shell inside tor namespace

```bash
❯ sudo systemd-run \
    --property=NetworkNamespacePath=/run/netns/torns \
    --property=User=$USER \
    --property=Requires=nnssB@tor.service \
    --property=After=nnssB@tor.service \
    --shell
```

Quick check:
```bash
❯ curl --silent https://check.torproject.org | grep -E "Sorry|Congratulations"
      Congratulations. This browser is configured to use Tor.
```

### Comparison with torsocks

[torsocks][7] can be used to run a program to connect via tor. This works by
replacing network function calls in libc using `LD_PRELOAD`.

This does not work with programs not using libc functions for networking. E.g.
go programs. Or when a sub-process is created wihtout passing down
`LD_PRELOAD`. Network namespaces are more secure and works for any program.


## ¹DNS

DNS by default still goes via host.

[0]: ./ssh_config
[1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units
[2]: https://aur.archlinux.org/packages/nnss
[4]: https://github.com/xjasonlyu/tun2socks
[5]: https://aur.archlinux.org/packages/tun2socks-git
[6]: https://github.com/xjasonlyu/tun2socks/wiki/Install-from-Source
[7]: https://gitlab.torproject.org/tpo/core/torsocks
-												initial commit

											
										
										
											2025-01-30 15:43:45 -05:00
+								# Network Namespace setup using SSH SOCKS proxy
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								Create network namespace where all¹ network requests go via socks proxy.
 								## Dependency
 								Depends on [tun2socks][4]. Install from [AUR][5] or compile from [source][6].
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
-												Add install instructions to README

											
										
										
											2025-01-31 00:27:18 -05:00
+								## Installing
 . Install from [AUR][2].
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+. Manual installation:
 								This will install under `/usr`
 								```sh
 								sudo make install
 								```
 								Change install directory using `PREFIX`
 								```sh
 								sudo make PREFIX=/usr/local install
 								```
 								For uninstall, run `make uninstall` or `make PREFIX=<prefix> uninstall`
-												Add install instructions to README

											
										
										
											2025-01-31 00:27:18 -05:00
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								## Type A: Use ssh to create socks proxy
-												initial commit

											
										
										
											2025-01-30 15:43:45 -05:00
-												Add install instructions to README

											
										
										
											2025-01-31 00:27:18 -05:00
+. Create a simple ssh config at `/etc/nnss/<namespace_name>/config`. This will
 								   be included with [other settings][0].
 . Copy your ssh private key to `/etc/nnss/<namespace_name>/privatekey`
-												Support direct socks proxy without ssh

											
										
										
											2025-02-27 11:05:11 -05:00
+. [Edit][1] your application's service file to include below properties
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
 								```systemd
 								[Unit]
-												Support direct socks proxy without ssh

											
										
										
											2025-02-27 11:05:11 -05:00
+								Requires=nnssA@<namespace_name>.service
 								After=nnssA@<namespace_name>.service
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
+								[Service]
-												fix namespace path in README.md

											
										
										
											2025-01-31 22:21:40 -05:00
+								NetworkNamespacePath=/run/netns/<namespace_name>ns
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
+								```
 								### Example
-												initial commit

											
										
										
											2025-01-30 15:43:45 -05:00
+								```bash
 								❯ sudo mkdir /etc/nnss/vps1
 								❯ sudo tee /etc/nnss/vps1/config > /dev/null
 								Hostname xx.xx.xx.xx
 								User vps_user_name_here
 								Port 8822 # If the ssh server is not on default port 22
 								❯ cp ~/.ssh/id_ed25519_for_vps1 /etc/nnss/vps1/privatekey
 								```
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								### Testing namespace
-												initial commit

											
										
										
											2025-01-30 15:43:45 -05:00
 								```bash
-												Add install instructions to README

											
										
										
											2025-01-31 00:27:18 -05:00
+								❯ sudo systemd-run \
 								    --property=NetworkNamespacePath=/run/netns/vps1ns \
 								    --property=User=$USER \
-												Support direct socks proxy without ssh

											
										
										
											2025-02-27 11:05:11 -05:00
+								    --property=Requires=nnssA@vps1.service \
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								    --property=After=nnssA@vps1.service \
-												Add install instructions to README

											
										
										
											2025-01-31 00:27:18 -05:00
+								    --shell
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
+								[sudo] password for balki:
 								Running as unit: run-p233279-i233579.service
 								Press ^] three times within 1s to disconnect TTY.
 								❯ curl https://ip.balki.me/ip
 								xx.xx.xx.xx
 								❯ ip a
 : lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
 								    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 								    inet 127.0.0.1/8 scope host lo
 								       valid_lft forever preferred_lft forever
 								    inet6 ::1/128 scope host proto kernel_lo
 								       valid_lft forever preferred_lft forever
 : tunvps1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 500
 								    link/none
 								    inet 198.19.1.1/30 scope global tunvps1
 								       valid_lft forever preferred_lft forever
 								    inet6 fe80::fd64:c3f3:ce6:650c/64 scope link stable-privacy proto kernel_ll
 								       valid_lft forever preferred_lft forever
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								```
 								## Type B: Use existing socks proxy
 . Create an environment file at `/etc/nnss/env_<namespace_name>`. This file
 								   should contain one environment variable `SOCKS_PROXY`. See example below
 . [Edit][1] your application's service file to include below properties
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								```systemd
 								[Unit]
 								Requires=nnssB@<namespace_name>.service
 								After=nnssB@<namespace_name>.service
 								[Service]
 								NetworkNamespacePath=/run/netns/<namespace_name>ns
-												initial commit

											
										
										
											2025-01-30 15:43:45 -05:00
+								```
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								### Example
 								Assuming tor daemon is running configured to listen on socks proxy on port 9050.
 								```bash
 								❯ sudo tee /etc/nnss/env_tor > /dev/null
 								SOCKS_PROXY=socks5://127.0.0.1:9050
 								```
 								Create a shell inside tor namespace
 								```bash
 								❯ sudo systemd-run \
 								    --property=NetworkNamespacePath=/run/netns/torns \
 								    --property=User=$USER \
 								    --property=Requires=nnssB@tor.service \
 								    --property=After=nnssB@tor.service \
 								    --shell
 								```
 								Quick check:
 								```bash
 								❯ curl --silent https://check.torproject.org | grep -E "Sorry|Congratulations"
 								      Congratulations. This browser is configured to use Tor.
 								```
 								### Comparison with torsocks
 								[torsocks][7] can be used to run a program to connect via tor. This works by
 								replacing network function calls in libc using `LD_PRELOAD`.
 								This does not work with programs not using libc functions for networking. E.g.
 								go programs. Or when a sub-process is created wihtout passing down
 								`LD_PRELOAD`. Network namespaces are more secure and works for any program.
-												update README

											
										
										
											2025-01-30 23:27:46 -05:00
 								## ¹DNS
 								DNS by default still goes via host.
 								[0]: ./ssh_config
 								[1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units
-												Add install instructions to README

											
										
										
											2025-01-31 00:27:18 -05:00
+								[2]: https://aur.archlinux.org/packages/nnss
-												Update README.md

											
										
										
											2025-03-01 19:00:11 -05:00
+								[4]: https://github.com/xjasonlyu/tun2socks
 								[5]: https://aur.archlinux.org/packages/tun2socks-git
 								[6]: https://github.com/xjasonlyu/tun2socks/wiki/Install-from-Source
 								[7]: https://gitlab.torproject.org/tpo/core/torsocks