I want to create a network namespace in which I can run openvpn so that I can choose which programs should connect through it.
I have relied on already written scripts thus far, as this is my first time trying to manage namespaces and the connection to and from them.
While I understand the basics of what is going on here, it's possible some commands in this script are causing the issue I'm having (as I might not understand them). But as I can successfully ping Google's DNS servers, I think I'm on the right track. I'd be happy for any help towards resolving this issue.
Script follows:
```zsh
#!/usr/bin/env zsh
# vpnns.sh
NS="vpn"
VETH="veth-1"    # host end of the veth pair
VPEER="vpeer-1"  # end that is moved into the namespace

if [[ $UID != 0 ]]; then
    echo "This must be run as root."
    exit 1
fi

function iface_up() {
    # create the namespace and bring up its loopback
    ip netns add ${NS}
    ip netns exec ${NS} ip addr add 127.0.0.1/8 dev lo
    ip netns exec ${NS} ip link set lo up
    # veth pair: one end stays on the host, the other is moved into the namespace
    ip link add ${VETH} type veth peer name ${VPEER}
    ip link set ${VETH} up
    ip link set ${VPEER} netns ${NS} up
    ip addr add 10.200.200.1/24 dev ${VETH}
    ip netns exec ${NS} ip addr add 10.200.200.2/24 dev ${VPEER}
    ip netns exec ${NS} ip route add default via 10.200.200.1 dev ${VPEER}
    # drop packets claiming the namespace subnet that did not arrive on the veth
    iptables -A INPUT \! -i ${VETH} -s 10.200.200.0/24 -j DROP
    # NAT the namespace subnet out through the host uplink
    iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o enp0s31f6 -j MASQUERADE
    sysctl -q net.ipv4.ip_forward=1
    # ip netns exec bind-mounts /etc/netns/${NS}/resolv.conf over /etc/resolv.conf
    mkdir -p /etc/netns/${NS}
    echo 'nameserver 8.8.8.8' > /etc/netns/${NS}/resolv.conf
}

function iface_down() {
    rm -rf /etc/netns/${NS}
    sysctl -q net.ipv4.ip_forward=0
    iptables -D INPUT \! -i ${VETH} -s 10.200.200.0/24 -j DROP
    iptables -t nat -D POSTROUTING -s 10.200.200.0/24 -o enp0s31f6 -j MASQUERADE
    # deleting the namespace also removes the veth end that lives inside it
    ip netns delete ${NS}
}

# run <command...>: execute the command inside the namespace
function run() {
    shift   # drop the leading "run" argument
    sudo ip netns exec ${NS} "$@"
}

case "$1" in
    up)
        iface_up ;;
    down)
        iface_down ;;
    run)
        run "$@" ;;
    *)
        echo "Syntax: $0 up|down|run|start_vpn"
        exit 1
        ;;
esac
```
As mentioned, `ping 8.8.8.8` works without issue, but if I try to ping a domain:
```
$ sudo vpnnvs.sh run ping google.com
ping: google.com: Name or service not known
```
What makes me unable to resolve hosts, and what can I do to fix that?
Big thanks in advance.
Last edited by drgn (2016-07-20 22:19:17)
My issue has been resolved and I now run OpenVPN in a network namespace thanks to z3bra <http://z3bra.org/> and Shubnngrath.
While I can't point out the issues in the script in my first post, I present to you a combination of commands which makes this work on my system:
```sh
sysctl -q net.ipv4.ip_forward=1
# namespace plus a veth pair; eth0 is the end that goes into the namespace
ip netns add vpn
ip link add veth0 type veth peer name eth0
ip link set eth0 netns vpn
# 10.0.0.1 on the host end, 10.0.0.2 on the namespace end
ip addr add 10.0.0.1/24 dev veth0
ip netns exec vpn ip addr add 10.0.0.2/24 dev eth0
ip link set veth0 up
ip netns exec vpn ip link set eth0 up
ip netns exec vpn ip route add default via 10.0.0.1 dev eth0
ip netns exec vpn ip addr add 127.0.0.1 dev lo
ip netns exec vpn ip link set lo up
# NAT everything leaving the namespace subnet
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
```
With this you should be able to ping 10.0.0.1 and 10.0.0.2, both within and outside of the namespace.
OpenVPN can then be started via `ip netns exec vpn openvpn --config /path/to/config`.
It is also required that OpenVPN isn't presently running on the host system, something I didn't realize directly.
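The script in the first post and the command list above are the same procedure (namespace, veth pair, default route, NAT, resolver file). The following is an added example that combines them into one parameterised script; it is not either poster's code. The namespace and interface names, the 10.0.0.0/24 addressing, the uplink name enp0s31f6 and the DRY_RUN switch are assumptions and can be overridden from the environment. Two things differ from the reply's command list: the MASQUERADE rule is restricted to the namespace subnet leaving the uplink interface instead of `-d 0.0.0.0/0` on every interface, and there is a `check` subcommand that prints the resolver the namespace actually sees (ip netns exec bind-mounts /etc/netns/NAME/resolv.conf over /etc/resolv.conf), which is the first thing to look at when names fail to resolve while raw IPs work. With DRY_RUN=1 the planned commands are printed instead of executed, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# vpn-netns.sh (added example): create and tear down a NAT-ed network namespace for OpenVPN.
# Assumed values: NS, VETH, VPEER, UPLINK and the 10.0.0.0/24 addressing; override via environment.
set -eu

NS="${NS:-vpn}"
VETH="${VETH:-veth0}"          # host end of the veth pair
VPEER="${VPEER:-eth0}"         # end that is moved into the namespace
HOST_IP="${HOST_IP:-10.0.0.1}"
NS_IP="${NS_IP:-10.0.0.2}"
SUBNET="${SUBNET:-10.0.0.0/24}"
UPLINK="${UPLINK:-enp0s31f6}"  # assumed host interface that reaches the Internet
DNS="${DNS:-8.8.8.8}"
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints the commands instead of running them

# run: execute a command, or print it when DRY_RUN=1 (lets the plan be reviewed without root)
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ns_up() {
    run ip netns add "$NS"
    run ip netns exec "$NS" ip addr add 127.0.0.1/8 dev lo
    run ip netns exec "$NS" ip link set lo up
    run ip link add "$VETH" type veth peer name "$VPEER"
    run ip link set "$VPEER" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$VETH"
    run ip link set "$VETH" up
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$VPEER"
    run ip netns exec "$NS" ip link set "$VPEER" up
    run ip netns exec "$NS" ip route add default via "$HOST_IP" dev "$VPEER"
    # Name resolution inside the namespace: ip netns exec bind-mounts
    # /etc/netns/$NS/resolv.conf over /etc/resolv.conf, so the namespace gets its own resolver.
    run mkdir -p "/etc/netns/$NS"
    run sh -c "printf 'nameserver %s\n' '$DNS' > /etc/netns/$NS/resolv.conf"
    run sysctl -q -w net.ipv4.ip_forward=1
    # NAT only this subnet and only out of the uplink, rather than -d 0.0.0.0/0 on every interface.
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
    # Forwarding is limited to namespace <-> uplink; these rules matter when the FORWARD policy is DROP.
    run iptables -A FORWARD -i "$VETH" -o "$UPLINK" -s "$SUBNET" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$VETH" -d "$SUBNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

ns_down() {
    run iptables -D FORWARD -i "$UPLINK" -o "$VETH" -d "$SUBNET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -D FORWARD -i "$VETH" -o "$UPLINK" -s "$SUBNET" -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
    run rm -rf "/etc/netns/$NS"
    # Deleting the namespace also destroys the veth pair, since one end lives inside it.
    run ip netns delete "$NS"
}

# ns_check: show what the namespace sees as its resolver, then try one lookup.
ns_check() {
    run ip netns exec "$NS" cat /etc/resolv.conf
    run ip netns exec "$NS" getent hosts example.com
}

main() {
    if [ "$DRY_RUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
        echo "This must be run as root (or with DRY_RUN=1)." >&2
        return 1
    fi
    case "${1:-}" in
        up)    ns_up ;;
        down)  ns_down ;;
        check) ns_check ;;
        run)   shift; run ip netns exec "$NS" "$@" ;;
        *)     printf 'usage: %s up|down|check|run <command...>\n' "$0" >&2; return 1 ;;
    esac
}

# Only dispatch when invoked with arguments, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Usage: `DRY_RUN=1 sh vpn-netns.sh up` prints the plan; `sudo sh vpn-netns.sh up`, `sudo sh vpn-netns.sh check` and `sudo sh vpn-netns.sh run openvpn --config /path/to/config` apply it, inspect the namespace's resolver and start OpenVPN inside it. Keeping the veth end `VPEER` named something other than `eth0` avoids confusion with a host interface of the same name when reading `ip link` output from outside the namespace.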