I would like a Linux system using OpenVPN client to support:

1) running applications that have network access via OpenVPN tun/tap interface,
   but no network access via the underlying interface (when OpenVPN interface
   goes down for any reason and brings down its routes);
2) running applications that have network access only via the underlying
   interface, even when OpenVPN tun/tap interface is up;
3) chaining OpenVPN clients (tunnel in tunnel).

All this is easily achievable with the help of Linux network namespaces: one
just needs to run OpenVPN in the namespace with the underlying interface, but
configure tun/tap in another namespace.  Then applications in the first
namespace will not see OpenVPN at all, and applications in the second namespace
will not see the underlying interface; and to chain OpenVPN clients, one just
runs the second client in the second namespace with its tun/tap in the third
one, and so on.

An almost complete implementation of this idea is available at my fork:
https://github.com/OpenVPN/openvpn/compare/dea8917a...orivej:netns .  The only
thing missing is that redirect_default_route_to_vpn() fails because it "Cannot
read current default gateway from system" and I am not sure about the proper
fix.  (It should just set the new gateway as the default.)

To use OpenVPN with namespaces, just add some and specify the --dev-netns option.
Assuming the VPN server provides internet access:

ip netns add abc
openvpn --config CONFIG --dev-netns /run/netns/abc
# List routes.
ip -n abc route
# Add default, as long as redirect_default_route_to_vpn() cannot do it.
ip -n abc route add default via XXX
ip netns exec abc ping 8.8.8.8

* * *

I am aware of http://www.naju.se/articles/openvpn-netns and
http://www.naju.se/articles/openvpn-netns, but these scripts are very ad-hoc and
fragile, e.g. they do not support both tun and tap devices, and their only
purpose is to reimplement what do_open_tun() does after the kernel wipes all its
work when the interface is moved into another namespace.
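As an added example (not code from this post, nor from the orivej:netns fork), the following --route-up hook performs the default-route step that the post says redirect_default_route_to_vpn() cannot yet do, inside the namespace holding the tun/tap device, and then checks that the namespace contains no interface other than lo and the VPN device, which is the property that makes point 1 a kill switch rather than a leak. It assumes the fork still runs --route-up in the outer namespace with OpenVPN's standard script environment (script_type, dev, route_vpn_gateway), and that NETNS is set to the namespace name given to --dev-netns; the gateway is validated before it is handed to ip(8) because it arrives from the server-controlled environment.

```shell
#!/bin/sh
# Added example, not from the post or the orivej:netns fork. OpenVPN --route-up
# hook: set the namespace default route via the VPN gateway and verify that the
# namespace holds only lo and the VPN device. Assumes (not stated in the post)
# that --route-up runs in the outer namespace with OpenVPN's usual environment.
set -eu

NETNS=${NETNS:-abc}   # namespace passed to --dev-netns; "abc" as in the post

# Accept only a dotted-quad IPv4 address: the value comes from the server via
# OpenVPN's environment, so it is checked before being spliced into a command.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# Print the ip(8) command that makes the VPN device the namespace default route.
# "replace" rather than "add" so a re-run after a reconnect does not fail.
build_route_cmd() {
    ns=$1; dev=$2; gw=$3
    is_ipv4 "$gw" || { echo "route-up: bad gateway '$gw'" >&2; return 1; }
    printf 'ip -n %s route replace default via %s dev %s\n' "$ns" "$gw" "$dev"
}

# Given the output of `ip -n NS -o link show`, succeed only if every link is lo
# or the VPN device; any other interface would let traffic bypass the tunnel.
only_vpn_links() {
    dev=$1; links=$2
    printf '%s\n' "$links" | awk -v dev="$dev" '
        BEGIN { bad = 0 }
        NF >= 2 { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
                  if (name != "lo" && name != dev) bad = 1 }
        END { exit bad }'
}

# Offline self-check on constructed `ip -o link show` output (sample text, not
# captured from a real system). Returns 0 when both cases behave as expected.
selfcheck() {
    clean='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN'
    leaky="$clean
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP"
    only_vpn_links tun0 "$clean" || return 1
    if only_vpn_links tun0 "$leaky"; then return 1; fi
    return 0
}

# Act as the hook only when OpenVPN invoked us (it sets script_type); running
# or sourcing this file by hand touches nothing on the live system.
if [ "${script_type:-}" = route-up ]; then
    cmd=$(build_route_cmd "$NETNS" "$dev" "$route_vpn_gateway")
    echo "route-up: $cmd"
    $cmd
    only_vpn_links "$dev" "$(ip -n "$NETNS" -o link show)" ||
        { echo "route-up: unexpected interface in $NETNS, possible leak" >&2; exit 1; }
fi
```

Point it at OpenVPN with `--script-security 2 --route-up /path/to/hook.sh` and export NETNS beforehand; the leak check fails loudly if anything besides lo and the tunnel device has been moved into the namespace, and the route is re-applied on every reconnect because `route replace` is idempotent.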

------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users