nnss/README.md


Network Namespace setup using SSH SOCKS proxy

Create a network namespace in which all¹ network requests go via a SOCKS proxy.

Dependency

Depends on tun2socks. Install it from the AUR or compile it from source.

Installing

  1. Install from AUR.
  2. Manual installation:

This installs under /usr:

sudo make install

Change the install directory with PREFIX:

sudo make PREFIX=/usr/local install

To uninstall, run make uninstall (or make PREFIX=<prefix> uninstall if you installed with a custom prefix).

Type A: Use ssh to create socks proxy

  1. Create a minimal ssh config at /etc/nnss/<namespace_name>/config (Hostname, User and, if needed, Port). nnss includes this file alongside its own settings.
  2. Copy your ssh private key to /etc/nnss/<namespace_name>/privatekey. Keep it owned by root with mode 0600; ssh refuses to use a private key with looser permissions.
  3. Edit your application's service file to include the properties below:
[Unit]
Requires=nnssA@<namespace_name>.service
After=nnssA@<namespace_name>.service
[Service]
NetworkNamespacePath=/run/netns/<namespace_name>ns

Example

 sudo mkdir /etc/nnss/vps1

 sudo tee /etc/nnss/vps1/config > /dev/null
Hostname xx.xx.xx.xx
User vps_user_name_here
# Port is only needed if the ssh server is not on the default port 22
Port 8822

 sudo cp ~/.ssh/id_ed25519_for_vps1 /etc/nnss/vps1/privatekey

Testing the namespace

 sudo systemd-run \
    --property=NetworkNamespacePath=/run/netns/vps1ns \
    --property=User=$USER \
    --property=Requires=nnssA@vps1.service \
    --property=After=nnssA@vps1.service \
    --shell
[sudo] password for balki:
Running as unit: run-p233279-i233579.service
Press ^] three times within 1s to disconnect TTY.

 curl https://ip.balki.me/ip
xx.xx.xx.xx

 ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
18: tunvps1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 500
    link/none
    inet 198.19.1.1/30 scope global tunvps1
       valid_lft forever preferred_lft forever
    inet6 fe80::fd64:c3f3:ce6:650c/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever
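The listing above is the property that makes the namespace trustworthy: apart from lo, the only interface is the tun device that tun2socks serves, so there is no path out except through the proxy. The script below is an added example, not part of nnss or its README, that turns that observation plus the routing table into a repeatable check. It parses `ip -o link show` and `ip route show` output, so it can run on captured text as well as on a live namespace; the sample output embedded in it is constructed from the README's `ip a` listing, and the veth interface and 10.0.0.1 route are made up to model a leak. The file name `nnss-leakcheck.sh` is an assumption.

```shell
#!/bin/sh
# Added leak check for an nnss namespace (example code, not part of nnss).
# It only reads standard `ip` output, so the parsers run on captured text as
# well as on a live namespace.
#
# Inside the namespace exactly two things should exist: lo and the tun device
# that tun2socks serves. Any other interface, or a default route that does not
# leave through the tun, is a path around the proxy.

# Succeed only if every interface in `ip -o link show` output (stdin) is "lo"
# or a tun device; anything else is reported on stderr.
ifaces_only_tun() {
    _bad=0
    while read -r _idx _name _rest; do
        _name=${_name%%:*}           # "tunvps1:" -> "tunvps1"
        _name=${_name%%@*}           # "veth0@if3" -> "veth0" (veth shows its peer)
        [ -n "$_name" ] || continue  # skip blank lines
        case "$_name" in
            lo|tun*) ;;
            *) echo "unexpected interface: $_name" >&2; _bad=1 ;;
        esac
    done
    return "$_bad"
}

# Succeed only if every default route in `ip route show` output (stdin) leaves
# via a tun device ("default dev tunvps1 ..." or "default via A.B.C.D dev tunX ...").
# No default route at all also fails: nothing could leave, so something is wrong.
default_via_tun() {
    _found=0
    while read -r _dst _rest; do
        [ "$_dst" = default ] || continue
        _found=1
        _dev=
        set -- $_rest                # word-split the remainder of the route line
        while [ $# -gt 1 ]; do       # find the word after "dev"
            if [ "$1" = dev ]; then _dev=$2; break; fi
            shift
        done
        case "$_dev" in
            tun*) ;;
            *) echo "default route leaves via '${_dev:-?}'" >&2; return 1 ;;
        esac
    done
    [ "$_found" -eq 1 ] || { echo "no default route" >&2; return 1; }
}

# Live check (needs root). nnss creates /run/netns/<name>ns; `ip netns` looks in
# /var/run/netns, assumed here to be the usual symlink to /run/netns.
check_ns() {
    _ns="${1}ns"
    sudo ip netns exec "$_ns" ip -o link show | ifaces_only_tun || return 1
    sudo ip netns exec "$_ns" ip route show   | default_via_tun || return 1
    echo "$_ns: only lo and tun present, default route via tun"
}

# Constructed samples. The first two link lines are the README's `ip a` listing
# in `ip -o` form; the veth and the 10.0.0.1 route are made up to model a leak.
SAMPLE_LINK_OK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
18: tunvps1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 500\    link/none'
SAMPLE_LINK_LEAK="$SAMPLE_LINK_OK
19: veth0@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff"
SAMPLE_ROUTE_OK='default dev tunvps1 scope link
198.19.1.0/30 dev tunvps1 proto kernel scope link src 198.19.1.1'
SAMPLE_ROUTE_LEAK='default via 10.0.0.1 dev veth0
198.19.1.0/30 dev tunvps1 proto kernel scope link src 198.19.1.1'

if [ $# -gt 0 ]; then
    check_ns "$1"                    # e.g.  ./nnss-leakcheck.sh vps1
else
    # No namespace given: exercise the parsers on the constructed samples.
    printf '%s\n' "$SAMPLE_LINK_OK"    | ifaces_only_tun && echo "sample links: ok"
    printf '%s\n' "$SAMPLE_LINK_LEAK"  | ifaces_only_tun || echo "sample links: leak caught"
    printf '%s\n' "$SAMPLE_ROUTE_OK"   | default_via_tun && echo "sample route: ok"
    printf '%s\n' "$SAMPLE_ROUTE_LEAK" | default_via_tun || echo "sample route: leak caught"
fi
```

The curl from inside the namespace remains the end-to-end test; this check complements it by catching configuration drift the curl cannot show, such as an extra interface or a second default route added to the namespace later.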

Type B: Use existing socks proxy

  1. Create an environment file at /etc/nnss/env_<namespace_name>. It should contain a single variable, SOCKS_PROXY, holding the proxy URL (see the example below).
  2. Edit your application's service file to include the properties below:
[Unit]
Requires=nnssB@<namespace_name>.service
After=nnssB@<namespace_name>.service
[Service]
NetworkNamespacePath=/run/netns/<namespace_name>ns

Example

Assuming a tor daemon is running with its SOCKS listener on port 9050 (Tor's default SocksPort):

 sudo tee /etc/nnss/env_tor > /dev/null
SOCKS_PROXY=socks5://127.0.0.1:9050

Create a shell inside the tor namespace:

 sudo systemd-run \
    --property=NetworkNamespacePath=/run/netns/torns \
    --property=User=$USER \
    --property=Requires=nnssB@tor.service \
    --property=After=nnssB@tor.service \
    --shell

Quick check:

 curl --silent https://check.torproject.org | grep -E "Sorry|Congratulations"
      Congratulations. This browser is configured to use Tor.
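Wiring an application unit to the namespace, as an added example that is not from the README, covering step 3 of Type A and step 2 of Type B: instead of editing the unit under /usr/lib, put the three properties in a drop-in. `myapp.service` and the namespace name `vps1` are placeholders; for a Type B namespace substitute nnssB@<namespace_name> for nnssA@vps1.

```ini
# /etc/systemd/system/myapp.service.d/nnss.conf
# (create it with: sudo systemctl edit myapp.service)

[Unit]
# The namespace must exist before the application starts, and the application
# must be stopped when the namespace unit stops; Requires= plus After= gives
# exactly that: the unit fails to start if nnssA@vps1 does, and is ordered after it.
Requires=nnssA@vps1.service
After=nnssA@vps1.service

[Service]
# Join the namespace nnssA@vps1 created. Every socket the application opens
# now lives inside it and can only leave through the tun device tun2socks serves.
NetworkNamespacePath=/run/netns/vps1ns
```

After saving, run `sudo systemctl daemon-reload` and restart the application; `systemctl cat myapp.service` shows the unit together with the drop-in so you can confirm the three lines took effect.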

Comparison with torsocks

torsocks can be used to run a program so that it connects via tor. It works by interposing on the libc networking functions using LD_PRELOAD.

That does not work for programs that do not use libc for networking (e.g. Go programs, which issue system calls directly), for statically linked or setuid binaries (there is no dynamic loader in the first case, and it ignores LD_PRELOAD in the second), or when a sub-process is created without LD_PRELOAD being passed down. A network namespace is enforced by the kernel rather than inside the process, so it cannot be bypassed in those ways and works for any program.

¹ DNS

By default DNS lookups are still resolved via the host, so they do not go through the proxy; only the connections made afterwards do. Keep this in mind wherever the names being looked up are themselves sensitive.