Linux namespaced traffic proxy

Here I explain how I put specific app(s) in a network namespace on Linux and have a proxy (cloudflare-warp) route their traffic so it acts like a VPN.

TL;DR

Skip the steps and run the script setup-namespace.sh, then edit the service using sudo systemctl edit warp-svc.service, adding:

[Service]
NetworkNamespacePath=/var/run/netns/discordns
PrivateNetwork=true

Run sudo systemctl restart warp-svc.service
Run discord in the namespace (or any app) via run-discord

To remove all setup run cleanup.sh

Why

I had to do this because Discord got banned in Jordan and I can only access it via a VPN, but since I am running Arch Linux with Sway, VPNs with split tunneling do not always work and are not always reliable.

Steps

variables:

NAMESPACE="discordns"
VETH_HOST="veth-discord"
VETH_NS="veth-discord-ns"
HOST_IP="10.200.1.1"
NS_IP="10.200.1.2"

Run warp service

sudo systemctl start warp-svc.service

Create directory for the namespace

sudo mkdir -p /etc/netns/discordns

Copy your DNS config

sudo cp /etc/resolv.conf /etc/netns/discordns/resolv.conf

Create namespace

sudo ip netns add $NAMESPACE
Setup the connection between namespace and host via veth pair (virtual cable)

Create veth pair

sudo ip link add $VETH_HOST type veth peer name $VETH_NS

Move interface to the namespace

sudo ip link set $VETH_NS netns $NAMESPACE

Assigns IP address HOST_IP to VETH_HOST interface on the host

sudo ip addr add ${HOST_IP}/24 dev $VETH_HOST

Brings up the interface VETH_HOST

sudo ip link set $VETH_HOST up

It's as if the host end of the virtual cable now has the address HOST_IP.

Configure namespace side, setting IP and bring up on the namespace side (other end of the cable)

sudo ip netns exec $NAMESPACE ip addr add ${NS_IP}/24 dev $VETH_NS
sudo ip netns exec $NAMESPACE ip link set $VETH_NS up

It's as if the namespace end of the virtual cable now has the address NS_IP.

Bring up the lo interface

sudo ip netns exec $NAMESPACE ip link set lo up

Add default route in namespace

sudo ip netns exec $NAMESPACE ip route add default via $HOST_IP

Enable IP forwarding

sudo sysctl -w net.ipv4.ip_forward=1

Set up NAT

Get the internet-facing interface from the routing table (br0 in my case)

INET_IFACE=$(ip route | grep default | awk '{print $5}' | head -n1)

the MASQUERADE Rule

sudo iptables -t nat -A POSTROUTING -s ${NS_IP}/24 -o $INET_IFACE -j MASQUERADE

Why? Because:

Before NAT:
┌─────────────┐
│ Packet from │
│ 10.200.1.2  │ ──► To: google.com
└─────────────┘

After MASQUERADE:
┌─────────────┐
│ Packet from │
│ YOUR_HOST_IP│ ──► To: google.com
└─────────────┘

forward rules:

Allow packets coming FROM the internet TO the namespace

sudo iptables -A FORWARD -i $INET_IFACE -o $VETH_HOST -j ACCEPT

Allow packets coming FROM the namespace TO the internet

sudo iptables -A FORWARD -o $INET_IFACE -i $VETH_HOST -j ACCEPT

full flow

┌───────────────────────────────────────────────────────────────┐
│                          HOST SYSTEM                          │
│                                                               │
│  ┌─────────────────────────────────────────────────────────┐  │
│  │         NAMESPACE "discordns"                           │  │
│  │                                                         │  │
│  │  ┌──────────┐                                           │  │
│  │  │ Discord  │                                           │  │
│  │  │ App      │                                           │  │
│  │  └────┬─────┘                                           │  │
│  │       │ Unencrypted traffic                             │  │
│  │       │ (thinks it's going to discord.com)              │  │
│  │       ▼                                                 │  │
│  │  ┌──────────────┐                                       │  │
│  │  │ Warp Client  │ ← Running in namespace                │  │
│  │  │ (encrypts &  │                                       │  │
│  │  │  tunnels)    │                                       │  │
│  │  └──────┬───────┘                                       │  │
│  │         │ Encrypted traffic                             │  │
│  │         │ (wrapped for Cloudflare)                      │  │
│  │         ▼                                               │  │
│  │  ┌────────────────┐                                     │  │
│  │  │ veth-discord-ns│                                     │  │
│  │  │ 10.200.1.2     │◄────────────────────────────────┐   │  │
│  │  └────────┬───────┘                                 │   │  │
│  │           │                                         │   │  │
│  └───────────┼─────────────────────────────────────────┼───┘  │
│              │                                         │      │
│              │ Virtual ethernet "cable"                │      │
│              │                                         │      │
│       ┌──────▼───────┐                                 │      │
│       │ veth-discord │                                 │      │
│       │ 10.200.1.1   │                                 │      │
│       └──────┬───────┘                                 │      │
│              │                                         │      │
│              │ NAT/MASQUERADE                          │      │
│              │ (10.200.1.2 → YOUR_PUBLIC_IP)           │      │
│              ▼                                         │      │
│       ┌─────────────┐                                  │      │
│       │ wlan0/eth0  │                                  │      │
│       │ (Internet)  │                                  │      │
│       └──────┬──────┘                                  │      │
│              │                                         │      │
└──────────────┼─────────────────────────────────────────┼──────┘
               │                                         │
               │ Encrypted traffic to Cloudflare         │
               ▼                                         │
         ┌──────────┐                                    │
         │ Internet │                                    │
         │  Router  │                                    │
         └─────┬────┘                                    │
               │                                         │
               ▼                                         │
      ┌────────────────┐                                 │
      │   Cloudflare   │                                 │
      │    Network     │                                 │
      │   (Warp Edge)  │                                 │
      └────────┬───────┘                                 │
               │ Decrypts & forwards                     │
               ▼                                         │
         ┌───────────┐                                   │
         │discord.com│                                   │
         └───────────┘                                   │
                                                         │
               Reply path ───────────────────────────────┘

Modify the warp service to run only in the namespace

[Service]
NetworkNamespacePath=/var/run/netns/discordns
PrivateNetwork=true

Restart the service

sudo systemctl restart warp-svc.service

Finally, run your app (mine is Discord)

sudo ip netns exec discordns sudo -u $USER \
  XDG_RUNTIME_DIR=/run/user/$(id -u) \
  WAYLAND_DISPLAY=$WAYLAND_DISPLAY \
  DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/$(id -u)/bus \
  discord
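
Once the app is running, one way to confirm that traffic from the namespace really leaves through WARP, and does not fall back to the plain NAT path via the host, is to compare Cloudflare's trace output inside and outside the namespace. This is an added example, not part of the original gist; it assumes curl is installed and that https://www.cloudflare.com/cdn-cgi/trace returns key=value lines including ip= and warp=, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example: check that the namespace exits through WARP and the host does not.
# Assumption: Cloudflare's /cdn-cgi/trace endpoint returns key=value lines that
# include "ip=" and "warp=off|on|plus". Function names are hypothetical.
TRACE_URL="https://www.cloudflare.com/cdn-cgi/trace"

# Print the value of key $1 from a trace body read on stdin.
trace_field() {
    awk -F= -v k="$1" '$1 == k { print $2; exit }'
}

# $1 = trace body fetched inside the namespace, $2 = trace body fetched on the host.
# Succeeds only if the namespace is tunnelled and exits with a different address.
verdict() {
    ns_warp=$(printf '%s\n' "$1" | trace_field warp)
    ns_ip=$(printf '%s\n' "$1" | trace_field ip)
    host_ip=$(printf '%s\n' "$2" | trace_field ip)
    if [ -z "$ns_ip" ]; then
        echo "FAIL: no trace answer from the namespace"; return 1
    fi
    case "$ns_warp" in
        on|plus) ;;
        *) echo "LEAK: namespace traffic is not tunnelled (warp=${ns_warp:-missing})"
           return 1 ;;
    esac
    if [ "$ns_ip" = "$host_ip" ]; then
        echo "LEAK: namespace exits with the host address $host_ip"; return 1
    fi
    echo "OK: namespace exits via WARP as $ns_ip (host: ${host_ip:-unknown})"
}

# Constructed sample bodies (documentation addresses, not real captures).
SAMPLE_HOST=$(printf 'h=www.cloudflare.com\nip=203.0.113.9\nwarp=off')
SAMPLE_NS_OK=$(printf 'h=www.cloudflare.com\nip=198.51.100.7\nwarp=on')
SAMPLE_NS_LEAK=$(printf 'h=www.cloudflare.com\nip=203.0.113.9\nwarp=off')

# Real check against the namespace from this page; needs root and network access.
live_check() {
    ns_body=$(sudo ip netns exec "${NAMESPACE:-discordns}" curl -s --max-time 5 "$TRACE_URL")
    host_body=$(curl -s --max-time 5 "$TRACE_URL")
    verdict "$ns_body" "$host_body"
}

# Set LIVE=1 to query the endpoint; otherwise only the functions are defined.
if [ "${LIVE:-0}" = "1" ]; then live_check; fi
```

Run it with LIVE=1 after restarting warp-svc; a LEAK result means the namespace's default route is carrying traffic out through the MASQUERADE rule without the tunnel.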

For cleanup, check cleanup.md

Cleanup

TL;DR

Run the file cleanup.sh

Steps

variables

NAMESPACE="discordns"
VETH_HOST="veth-discord"
NS_IP="10.200.1.2"

Stop warp

sudo systemctl stop warp-svc.service

Get the internet interface and remove the iptables rules

INET_IFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
sudo iptables -t nat -D POSTROUTING -s ${NS_IP}/24 -o $INET_IFACE -j MASQUERADE 2>/dev/null
sudo iptables -D FORWARD -i $INET_IFACE -o $VETH_HOST -j ACCEPT 2>/dev/null
sudo iptables -D FORWARD -o $INET_IFACE -i $VETH_HOST -j ACCEPT 2>/dev/null

Delete the veth pair (virtual cable)

sudo ip link delete $VETH_HOST 2>/dev/null

Delete namespace and directory

sudo ip netns delete $NAMESPACE 2>/dev/null
sudo rm -rf /etc/netns/$NAMESPACE

#!/bin/bash
# Setup: build the namespace, veth pair, routing and NAT, then launch Discord inside it.
NAMESPACE="discordns"
VETH_HOST="veth-discord"
VETH_NS="veth-discord-ns"
HOST_IP="10.200.1.1"
NS_IP="10.200.1.2"

sudo systemctl start warp-svc.service

# Per-namespace DNS config (ip netns exec bind-mounts it over /etc/resolv.conf)
sudo mkdir -p "/etc/netns/$NAMESPACE"
sudo cp /etc/resolv.conf "/etc/netns/$NAMESPACE/resolv.conf"

# Namespace and veth pair (virtual cable) between host and namespace
sudo ip netns add "$NAMESPACE"
sudo ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
sudo ip link set "$VETH_NS" netns "$NAMESPACE"

# Host end of the cable
sudo ip addr add "${HOST_IP}/24" dev "$VETH_HOST"
sudo ip link set "$VETH_HOST" up

# Namespace end of the cable, loopback and default route via the host
sudo ip netns exec "$NAMESPACE" ip addr add "${NS_IP}/24" dev "$VETH_NS"
sudo ip netns exec "$NAMESPACE" ip link set "$VETH_NS" up
sudo ip netns exec "$NAMESPACE" ip link set lo up
sudo ip netns exec "$NAMESPACE" ip route add default via "$HOST_IP"

# Forwarding and NAT out of the host's internet-facing interface
sudo sysctl -w net.ipv4.ip_forward=1
INET_IFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
sudo iptables -t nat -A POSTROUTING -s "${NS_IP}/24" -o "$INET_IFACE" -j MASQUERADE
sudo iptables -A FORWARD -i "$INET_IFACE" -o "$VETH_HOST" -j ACCEPT
sudo iptables -A FORWARD -o "$INET_IFACE" -i "$VETH_HOST" -j ACCEPT

# Run Discord as the invoking user inside the namespace
sudo ip netns exec "$NAMESPACE" sudo -u "$USER" \
  XDG_RUNTIME_DIR="/run/user/$(id -u)" \
  WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \
  DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u)/bus" \
  discord

#!/bin/bash
# Cleanup: stop WARP, then remove the iptables rules, veth pair, namespace and its config.
NAMESPACE="discordns"
VETH_HOST="veth-discord"
NS_IP="10.200.1.2"

echo "Cleaning up Discord namespace..."
echo "Stopping WARP service..."
sudo systemctl stop warp-svc.service

# Errors are silenced so the script can be re-run after a partial cleanup
INET_IFACE=$(ip route | grep default | awk '{print $5}' | head -n1)
echo "Removing iptables rules..."
sudo iptables -t nat -D POSTROUTING -s "${NS_IP}/24" -o "$INET_IFACE" -j MASQUERADE 2>/dev/null
sudo iptables -D FORWARD -i "$INET_IFACE" -o "$VETH_HOST" -j ACCEPT 2>/dev/null
sudo iptables -D FORWARD -o "$INET_IFACE" -i "$VETH_HOST" -j ACCEPT 2>/dev/null

# Deleting the host end removes both ends of the veth pair
echo "Deleting veth interfaces..."
sudo ip link delete "$VETH_HOST" 2>/dev/null

echo "Deleting namespace..."
sudo ip netns delete "$NAMESPACE" 2>/dev/null
echo "Removing namespace configuration..."
sudo rm -rf "/etc/netns/$NAMESPACE"
echo "Cleanup complete!"