    # (not shown: general configuration)

    # we set our routes manually
    route-noexec
    script-security 2

    # no down.sh needed in my case, the device is destroyed along with configuration on down anyway
    up /etc/openvpn/netns-up.sh

/etc/openvpn/netns-up.sh:

    #!/bin/sh

    # I can't be bothered to parse $ifconfig_netmask
    preflen=24
    # put something sensible here
    ns=nsname

    # create the namespace if it doesn't exist
    # if you're not running debian, this file may be somewhere else
    if ! [ -f "/var/run/netns/$ns" ]; then
        ip netns add "$ns"
    fi

    ipr="ip netns exec $ns ip"
    ip link set "$dev" netns "$ns"

    # moving the interface will reset its configuration so we restore it manually
    $ipr link set dev "$dev" up mtu "$tun_mtu"
    $ipr addr add dev "$dev" "$ifconfig_local/$preflen" broadcast "$ifconfig_broadcast"
    $ipr route add default via "$route_vpn_gateway"

/etc/sudoers.d/netns: (optional, adjust for username)

    $user ALL = NOPASSWD: /sbin/ip netns exec $nsname sudo -u $user -- *

Test your setup with:

    % sudo ip netns exec $nsname sudo -u $USER -- $SHELL
    % ip addr
    % ip route

Caveats:

1. No DNS included! Use a globally reachable DNS server or set up your own in the VPN.
2. If started in a netns via the sudo line, Firefox complains about lack of dbus connectivity because it breaks somewhere along the double sudo. I haven't found a fix for this yet.

For an alternative approach, you can also specify --iproute to OpenVPN instead of a --up script - this ended up way too hacky for my tastes though.

comments/ideas/improvements via mail to: www@

published: Sep 07 2015. epistemic status: solid.
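
To automate the `ip addr` / `ip route` test above, the following added example (not part of the original post) checks that the namespace holds only `lo` and the tunnel device and that its single default route uses the tunnel. The function name `check_netns`, the device name `tun0` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a namespace built by netns-up.sh for paths that bypass the VPN.
# check_netns DEV LINKS ROUTES
#   DEV     tunnel device expected inside the namespace (tun0 is an assumed name)
#   LINKS   output of: ip netns exec "$ns" ip -o link show
#   ROUTES  output of: ip netns exec "$ns" ip route show
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_netns() {
    dev=$1 links=$2 routes=$3 rc=0

    # 1. Only loopback and the tunnel may exist. Field 2 of "ip -o link"
    #    is "name:" or "name@peer:" (veth, vlan), so strip both suffixes.
    extra=$(printf '%s\n' "$links" | awk -v dev="$dev" '
        NF { n = $2; sub(/:$/, "", n); sub(/@.*/, "", n)
             if (n != "lo" && n != dev) print n }')
    for name in $extra; do
        echo "FAIL: unexpected interface $name"; rc=1
    done

    # 2. Every default route must leave through the tunnel device.
    bad=$(printf '%s\n' "$routes" | awk -v dev="$dev" '
        $1 == "default" { ok = 0
            for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) ok = 1
            if (!ok) print "FAIL: default route bypasses " dev ": " $0 }')
    [ -z "$bad" ] || { echo "$bad"; rc=1; }

    # 3. There must be exactly one default route (none means the up script
    #    did not finish; several means something else added one).
    n=$(printf '%s\n' "$routes" | awk '$1 == "default" { c++ } END { print c + 0 }')
    [ "$n" -eq 1 ] || { echo "FAIL: expected 1 default route, found $n"; rc=1; }

    return $rc
}

# Constructed sample output (not captured from a real system).
SAMPLE_LINKS='1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN'
SAMPLE_ROUTES='default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2'

check_netns tun0 "$SAMPLE_LINKS" "$SAMPLE_ROUTES" && echo "OK: only tun0 leaves the namespace"

# Live use (as root), with $ns and $dev as in netns-up.sh:
#   check_netns "$dev" "$(ip netns exec "$ns" ip -o link show)" \
#                      "$(ip netns exec "$ns" ip route show)"
```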