diff --git a/README.md b/README.md index 9be36f3..4d4c2d1 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,31 @@ # Network Namespace setup using SSH SOCKS proxy -Create network namespace where all¹ network requests go via ssh connection. +Create network namespace where all¹ network requests go via socks proxy. + +## Dependency + +Depends on [tun2socks][4]. Install from [AUR][5] or compile from [source][6]. ## Installing 1. Install from [AUR][2]. -2. Download and install pre-built archlinux package: [link][3]. -3. For other linux, copy the files to appropriate path as done [here][4]. +2. Manual installation: -## Creating new namespace +This will install under `/usr` + +```sh +sudo make install +``` + +Change install directory using `PREFIX` + +```sh +sudo make PREFIX=/usr/local install +``` + +For uninstall, run `make uninstall` or `make PREFIX= uninstall` + +## Type A: Use ssh to create socks proxy 1. Create a simple ssh config at `/etc/nnss//config`. This will be included with [other settings][0]. @@ -37,14 +54,14 @@ Port 8822 # If the ssh server is not on default port 22 ``` -## Testing namespace +### Testing namespace ```bash ❯ sudo systemd-run \ --property=NetworkNamespacePath=/run/netns/vps1ns \ --property=User=$USER \ --property=Requires=nnssA@vps1.service \ - --property=After=nnssA@vps1.service \ + --property=After=nnssA@vps1.service \ --shell [sudo] password for balki: Running as unit: run-p233279-i233579.service 
@@ -66,17 +83,57 @@ xx.xx.xx.xx valid_lft forever preferred_lft forever inet6 fe80::fd64:c3f3:ce6:650c/64 scope link stable-privacy proto kernel_ll valid_lft forever preferred_lft forever - -❯ -Finished with result: success -Main processes terminated with: code=exited, status=0/SUCCESS -Service runtime: 1min 4.383s -CPU time consumed: 201ms -Memory peak: 5.7M (swap: 0B) -IP traffic received: 3.2K sent: 1.3K -IO bytes written: 304K ``` +## Type B: Use existing socks proxy + +1. Create an environment file at `/etc/nnss/env_`. This file + should contain one environment variable `SOCKS_PROXY`. See example below +2. [Edit][1] your application's service file to include below properties + +```systemd +[Unit] +Requires=nnssB@.service +After=nnssB@.service +[Service] +NetworkNamespacePath=/run/netns/ns +``` +### Example + +Assuming tor daemon is running configured to listen on socks proxy on port 9050. + +```bash +❯ sudo tee /etc/nnss/env_tor > /dev/null +SOCKS_PROXY=socks5://127.0.0.1:9050 +``` + +Create a shell inside tor namespace + +```bash +❯ sudo systemd-run \ + --property=NetworkNamespacePath=/run/netns/torns \ + --property=User=$USER \ + --property=Requires=nnssB@tor.service \ + --property=After=nnssB@tor.service \ + --shell +``` + +Quick check: +```bash +❯ curl --silent https://check.torproject.org | grep -E "Sorry|Congratulations" + Congratulations. This browser is configured to use Tor. +``` + +### Comparison with torsocks + +[torsocks][7] can be used to run a program to connect via tor. This works by +replacing network function calls in libc using `LD_PRELOAD`. + +This does not work with programs not using libc functions for networking. E.g. +go programs. Or when a sub-process is created wihtout passing down +`LD_PRELOAD`. Network namespaces are more secure and works for any program. + + ## ¹DNS DNS by default still goes via host. 
@@ -84,5 +141,7 @@ DNS by default still goes via host. [0]: ./ssh_config [1]: https://wiki.archlinux.org/title/Systemd#Editing_provided_units [2]: https://aur.archlinux.org/packages/nnss -[3]: https://gitea.balki.me/balki-aur/-/packages/arch/nnss/0.1.0-1 -[4]: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=nnss#n14 +[4]: https://github.com/xjasonlyu/tun2socks +[5]: https://aur.archlinux.org/packages/tun2socks-git +[6]: https://github.com/xjasonlyu/tun2socks/wiki/Install-from-Source +[7]: https://gitlab.torproject.org/tpo/core/torsocks diff --git a/tunsocks.sh b/tunsocks.sh index a21aa69..2dda7d6 100755 --- a/tunsocks.sh +++ b/tunsocks.sh @@ -30,7 +30,7 @@ setup() { done_cmd="sh -c 'echo DONE > \"$chan\"'" - /usr/bin/tun2socks -device "$device" -proxy "$proxy" -tun-post-up "$done_cmd" & + tun2socks -device "$device" -proxy "$proxy" -tun-post-up "$done_cmd" & echo "$!" >"$pidfile" read -r status <"$chan"
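Review bot: in the README hunk `@@ -1,14 +1,31 @@`, the uninstall line `make PREFIX= uninstall` passes an empty PREFIX, so it will not remove what `sudo make PREFIX=/usr/local install` put under `/usr/local`; either a placeholder was lost from the text or it should read `sudo make PREFIX=/usr/local uninstall`, and uninstall needs the same `sudo` as install in both forms. The instance-name placeholder looks lost in the same way in `/etc/nnss//config` (double slash), so a reader cannot tell which directory name is expected; spell it out, e.g. `/etc/nnss/NAME/config`, with a sentence saying NAME is the instance used in `nnssA@NAME.service` (the testing section uses `nnssA@vps1.service`).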
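Review bot: in `@@ -37,14 +54,14 @@` the line `--property=After=nnssA@vps1.service \` is replaced by a visually identical line, so this part of the hunk is a whitespace-only change (presumably trailing space); either mention the cleanup in the commit message or drop it so the hunk carries only the heading demotion to `### Testing namespace`.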
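Review bot: in `@@ -66,17 +83,57 @@`, the tor example and the sentence `Network namespaces are more secure and works for any program` need the caveat this same file states under `## ¹DNS` (`DNS by default still goes via host.`): inside `torns`, name resolution still leaves through the host resolver rather than through Tor, so hostnames leak even though the quick check prints `Congratulations` (check.torproject.org only sees the exit IP of the TCP connection). Say so next to the example, or show how to send resolution through Tor. Smaller points in the same hunk: `SOCKS_PROXY=socks5://127.0.0.1:9050` is shown as if it were output of `sudo tee /etc/nnss/env_tor > /dev/null` rather than its stdin; `printf 'SOCKS_PROXY=socks5://127.0.0.1:9050\n' | sudo tee /etc/nnss/env_tor` is unambiguous. A socks5 URL can embed a username and password, so state that the env file should be readable by root only (mode 0600). The instance-name placeholder is missing from `/etc/nnss/env_`, `nnssB@.service` and `/run/netns/ns`. Typo `wihtout`, and `works for any program` should be `work for any program`.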
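Review bot: in `@@ -84,5 +141,7 @@`, `[5]` points at `tun2socks-git`, a VCS package that builds whatever the upstream branch head is at install time; since this binary terminates all of the namespace's traffic, prefer pointing at a release build (the `[6]` source instructions allow checking out a tag) or say explicitly that the -git package tracks an unpinned head. Also `[3]` is removed, leaving a gap in the numbering, and `[4]` silently changes meaning from the PKGBUILD to the tun2socks repo; renumbering avoids a stale `[4]` reference pointing somewhere unintended if one survives elsewhere.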
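Review bot: in the tunsocks.sh hunk `@@ -30,7 +30,7 @@`, replacing `/usr/bin/tun2socks` with a bare `tun2socks` makes startup depend on the service's PATH, and when the binary is not found the backgrounded command exits with 127 before anything writes `DONE` to `$chan`, so the following `read -r status <"$chan"` either hangs (fifo) or sees an empty status while `$pidfile` already holds the pid of the dead job. Add `command -v tun2socks >/dev/null || { echo "tun2socks not found in PATH" >&2; exit 1; }` before the launch (or have `make install` substitute `$(PREFIX)` into the path so the script stays absolute), and since this runs as root, make sure the unit's PATH contains no user-writable directories.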