From c76d512806a45a8242ba113bec960a4f8ca5a8cc Mon Sep 17 00:00:00 2001
From: Balakrishnan Balasubramanian
Date: Thu, 30 Jan 2025 15:43:45 -0500
Subject: [PATCH] initial commit
---
 .gitignore | 3 +++
 PKGBUILD | 32 ++++++++++++++++++++++++++++++++
 README.md | 22 ++++++++++++++++++++++
 nnss-ssh@.service | 20 ++++++++++++++++++++
 nnss-tunsocks@.service | 18 ++++++++++++++++++
 ssh_config | 17 +++++++++++++++++
 tmpfiles.conf | 1 +
 tunsocks.sh | 39 +++++++++++++++++++++++++++++++++++++++
 8 files changed, 152 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 PKGBUILD
 create mode 100644 README.md
 create mode 100644 nnss-ssh@.service
 create mode 100644 nnss-tunsocks@.service
 create mode 100644 ssh_config
 create mode 100644 tmpfiles.conf
 create mode 100755 tunsocks.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b190303
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+nnss*pkg.tar.zst
+src/
+pkg/
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 0000000..b542d7b
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,32 @@
+pkgname=nnss
+pkgver=0.1.0
+pkgrel=1
+pkgdesc='Network Namespace setup using SSH SOCKS proxy'
+arch=('any')
+license=('MIT')
+depends=('tun2socks')
+url="https://gitea.balki.me/balki/$pkgname"
+source=(
+ nnss-ssh@.service
+ nnss-tunsocks@.service
+ ssh_config
+ tunsocks.sh
+ README.md
+ tmpfiles.conf
+)
+sha256sums=('e67d279bbb82fdd5325ba2aae0e71e5ac74ce0d2e5d0c52672bf6bf7b967c1e4'
+ 'a3feff1f18bcff7aec4a18c724111e9ac5b761e0601df36b53e33db17db38430'
+ '07db0f63afa5798501b1a85522be0840a27f291f26bc972585bc753a91f07b8c'
+ 'e7ea1b14390befffae07ae9fbf7ecafd41b75a740a791408949500cf16166870'
+ '64fd74de73b0b6ee3a209495fb16867a4d8689380bf04550eb8228b18202247b'
+ '654a3615be4eb635957a4ab33e733a1c6655225f6ff34ec8a58f6dabc9ac0d70')
+
+package() {
+ install -Dm 644 "${srcdir}/nnss-ssh@.service" -t "${pkgdir}/usr/lib/systemd/system"
+ install -Dm 644 "${srcdir}/nnss-tunsocks@.service" -t "${pkgdir}/usr/lib/systemd/system"
+ install -Dm 644 "${srcdir}/ssh_config" -t "${pkgdir}/usr/lib/nnss"
+ install -Dm 755 "${srcdir}/tunsocks.sh" -t "${pkgdir}/usr/lib/nnss"
+ install -Dm 644 "${srcdir}/README.md" -t "${pkgdir}/usr/share/doc/nnss"
+
+ install -Dm 644 "${srcdir}/tmpfiles.conf" "${pkgdir}/usr/lib/tmpfiles.d/nnss.conf"
+}
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7dea6ba
--- /dev/null
+++ b/README.md
@@ -0,0 +1,22 @@
+
+# Network Namespace setup using SSH SOCKS proxy
+
+## Creating new namespace
+
+```bash
+❯ sudo mkdir /etc/nnss/vps1
+
+❯ sudo tee /etc/nnss/vps1/config > /dev/null
+Hostname xx.xx.xx.xx
+User vps_user_name_here
+Port 8822 # If the ssh server is not on default port 22
+
+❯ cp ~/.ssh/id_ed25519_for_vps1 /etc/nnss/vps1/privatekey
+```
+
+
+## Entering namespace
+
+```bash
+❯ sudo systemd-run --property=NetworkNamespacePath=/run/netns/vps1ns --property=User=$USER --shell
+```
diff --git a/nnss-ssh@.service b/nnss-ssh@.service
new file mode 100644
index 0000000..f324746
--- /dev/null
+++ b/nnss-ssh@.service
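Review bot: `depends=('tun2socks')` understates the runtime requirements: `nnss-ssh@.service` executes `ssh` and `tunsocks.sh` drives `ip`, neither of which this package pulls in, so `depends=('tun2socks' 'openssh' 'iproute2')` would make a fresh install actually work (iproute2 is normally present on Arch, openssh is not guaranteed). The `sha256sums=` array pins local files that will change with every edit; a short comment above it such as `# regenerate with updpkgsums after editing any file in source=()` saves the next contributor a failed build.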
@@ -0,0 +1,20 @@
+[Unit]
+Description=Create SSH connection to %I
+After=network.target
+StopWhenUnneeded=yes
+
+[Service]
+Type=notify
+NotifyAccess=all
+DynamicUser=yes
+
+LoadCredential=ssh:/etc/nnss/%i
+
+RuntimeDirectory=nnss-%i
+StateDirectory=nnss-%i
+ExecStart=ssh -F /usr/lib/nnss/ssh_config default
+
+NoNewPrivileges=yes
+CapabilityBoundingSet=
+RestrictNamespaces=true
+SystemCallFilter=@system-service
diff --git a/nnss-tunsocks@.service b/nnss-tunsocks@.service
new file mode 100644
index 0000000..f467663
--- /dev/null
+++ b/nnss-tunsocks@.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Create network namespace and tun device to %I
+After=nnss-ssh@%i.service
+Requires=nnss-ssh@%i.service
+StopWhenUnneeded=yes
+
+[Service]
+
+Type=notify
+NotifyAccess=all
+
+RuntimeDirectory=nnss-tunsocks%i
+
+ExecStart=/usr/lib/nnss/tunsocks.sh "%i" setup
+ExecStop=/usr/lib/nnss/tunsocks.sh "%i" cleanup
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ssh_config b/ssh_config
new file mode 100644
index 0000000..e99d486
--- /dev/null
+++ b/ssh_config
@@ -0,0 +1,17 @@
+Include ${CREDENTIALS_DIRECTORY}/ssh_config
+Host default
+ IdentitiesOnly yes
+ StreamLocalBindMask 0111
+ StreamLocalBindUnlink yes
+ DynamicForward ${RUNTIME_DIRECTORY}/sock
+ SessionType none
+ ExitOnForwardFailure yes
+ ServerAliveInterval 60
+ IdentityFile ${CREDENTIALS_DIRECTORY}/ssh_privatekey
+ StrictHostKeyChecking accept-new
+ UserKnownHostsFile ${STATE_DIRECTORY}/known_hosts
+ PermitLocalCommand yes
+ LocalCommand systemd-notify --ready
+ LogLevel VERBOSE
+
+# vim:filetype=sshconfig
diff --git a/tmpfiles.conf b/tmpfiles.conf
new file mode 100644
index 0000000..66dc4bd
--- /dev/null
+++ b/tmpfiles.conf
@@ -0,0 +1 @@
+d /etc/nnss 0700 root root -
diff --git a/tunsocks.sh b/tunsocks.sh
new file mode 100755
index 0000000..80011b4
--- /dev/null
+++ b/tunsocks.sh
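Review bot: `RuntimeDirectory=nnss-%i` is created with systemd's default `RuntimeDirectoryMode` of 0755, and the companion `ssh_config` binds the SOCKS socket inside it with `StreamLocalBindMask 0111`, so `/run/nnss-<name>/sock` ends up connectable by every local user — an unauthenticated tunnel through the VPS account. Adding `RuntimeDirectoryMode=0700` next to `RuntimeDirectory=` confines the directory to the dynamic user; the only intended client, `tun2socks` in `nnss-tunsocks@.service`, runs as root (that unit sets no `User=`) and is unaffected. For an outbound connection `Wants=network-online.target` plus `After=network-online.target` is the documented ordering rather than `network.target`, and with no `Restart=` a dropped session stays down while the dependent tunsocks unit keeps a tun device pointed at a dead socket.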
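Review bot: This unit runs `tunsocks.sh` as unconfined root while its sibling `nnss-ssh@.service` is tightly sandboxed, yet the script only needs network-admin privileges: `CAP_NET_ADMIN` for the tun device and `ip link set ... netns`, and — as far as I can tell — `CAP_SYS_ADMIN` for the bind mount that `ip netns add` performs under `/run/netns`. `CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN`, `NoNewPrivileges=yes` and `ProtectHome=yes` would bound the blast radius of a bug in the script without changing what it does; `ProtectSystem=strict` is worth trying too but would need `ReadWritePaths=/run/netns` and a test run. Separately, `ExecStop=` only runs after a successful start, so if `ExecStart` fails part-way (tun device created, namespace not yet) nothing tears the half-built state down; `ExecStopPost=/usr/lib/nnss/tunsocks.sh "%i" cleanup` runs on failure as well and is the safer hook, provided the script's cleanup tolerates missing pieces.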
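Review bot: `StrictHostKeyChecking accept-new` with an initially empty `${STATE_DIRECTORY}/known_hosts` means the first connection of every instance trusts whatever key answers, and that key is then persisted — a one-time MITM on first connect becomes permanent. Since `LoadCredential=ssh:/etc/nnss/%i` loads the whole directory and systemd flattens its files as `ssh_<name>`, an operator can pin the server by dropping a `known_hosts` file next to `config` and `privatekey`; listing it as a second, read-only source, `UserKnownHostsFile ${STATE_DIRECTORY}/known_hosts ${CREDENTIALS_DIRECTORY}/ssh_known_hosts`, keeps the writable file first for TOFU writes and should tolerate instances where the pinned file is absent. Also `StreamLocalBindMask 0111` leaves the forwarded SOCKS socket mode 0666, open to every local user; `StreamLocalBindMask 0177` makes it owner-only, which still works because the intended consumer, `tun2socks`, runs as root in `nnss-tunsocks@.service` and is not subject to the socket's mode bits.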
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -xeuo pipefail
+
+pidfile=${RUNTIME_DIRECTORY:-/tmp}/tunsocks.pid
+
+nsname="$1"
+device="tun${nsname}"
+ns="${nsname}ns"
+socketpath="/run/nnss-${nsname}/sock"
+
+setup()
+{
+ ip tuntap add mode tun dev "$device"
+
+ /usr/bin/tun2socks -device "$device" -proxy "socks5://$socketpath" &
+ echo "$!" > "$pidfile"
+ sleep 5
+
+ ip netns add "$ns"
+ ip link set "$device" netns "$ns"
+
+ ip -n "$ns" addr add 198.19.1.1/30 dev "$device"
+ ip -n "$ns" link set dev "$device" up
+ ip -n "$ns" route add default via 198.19.1.1 dev "$device" metric 100
+ ip -n "$ns" link set lo up
+ systemd-notify --ready
+ wait
+}
+
+cleanup()
+{
+ ip tuntap del mode tun dev "$device" || true
+ kill $(cat "$pidfile")
+ ip -n "$ns" tuntap del mode tun dev "$device"
+ ip netns del "$ns"
+}
+
+$2
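Review bot: `pidfile=${RUNTIME_DIRECTORY:-/tmp}/tunsocks.pid` falls back to a fixed, world-writable path whenever the script is run outside systemd, and `cleanup` later executes `kill $(cat "$pidfile")` as root — whoever pre-creates `/tmp/tunsocks.pid` chooses which process gets killed. Requiring the variable with `: "${RUNTIME_DIRECTORY:?}"` removes that path entirely, and the pid expansion should be quoted. `cleanup` also stops at its first failure under `set -e`: if `setup` died before writing the pid file or before moving the device into the namespace, the `kill` or the namespaced `tuntap del` aborts and `ip netns del "$ns"` never runs, leaving the namespace (and a tun device) behind, so every teardown step should be best-effort. Finally, `$2` is executed as a bare command name, so any second argument is run as-is; the unit file only ever passes `setup` or `cleanup`, but a `case` over those two names both documents and enforces that contract.
```shell
# RUNTIME_DIRECTORY is set by nnss-tunsocks@.service; refuse the predictable /tmp fallback.
: "${RUNTIME_DIRECTORY:?run via nnss-tunsocks@.service}"
pidfile="${RUNTIME_DIRECTORY}/tunsocks.pid"

# … unchanged: nsname/device/ns/socketpath assignments and setup() …

cleanup()
{
    # Best-effort teardown: each step tolerates a setup that stopped part-way.
    ip tuntap del mode tun dev "$device" 2>/dev/null || true
    if [[ -s "$pidfile" ]]; then
        kill "$(cat "$pidfile")" || true
    fi
    ip -n "$ns" tuntap del mode tun dev "$device" 2>/dev/null || true
    ip netns del "$ns" || true
}

case "${2:-}" in
    setup|cleanup) "$2" ;;
    *) printf 'usage: %s <instance> setup|cleanup\n' "$0" >&2; exit 2 ;;
esac
```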