roypur/wireguard-setup
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add tool to enter vpn

Browse Source
This commit is contained in:
Roy Olav Purser
2024-02-09 19:49:10 +01:00
parent 266bac7e21
commit 243f72c103
7 changed files with 148 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.clang-format Normal file
View File

@@ -0,0 +1,12 @@
---
AccessModifierOffset: 0
IndentAccessModifiers: true
AlignTrailingComments: true
AllowShortFunctionsOnASingleLine: false
AllowShortIfStatementsOnASingleLine: true
AllowShortLoopsOnASingleLine: true
BreakBeforeBinaryOperators: false
IndentWidth: 4
SortIncludes: false
NamespaceIndentation: All
...

16
Makefile
View File

@@ -1,6 +1,6 @@
CFLAGS = -std=gnu99 -pie -fPIC -pedantic -Wno-imports -Wunused -Wno-missing-field-initializers -Wextra -Wunreachable-code -O3
all: wireguard_mount wireguard_resolve
all: wireguard_mount wireguard_resolve enter_vpn
wireguard_mount: src/wireguard-mount.c
mkdir -p bin
@@ -10,7 +10,16 @@ wireguard_resolve: src/resolve.c src/resolve.s
mkdir -p bin
gcc -shared -o bin/wireguard-resolve.so -nostdlib -fPIC src/resolve.c src/resolve.s
install_mount: systemd bin:
enter_vpn: src/enter_vpn.c
mkdir -p bin
gcc $(CFLAGS) -o bin/enter_vpn src/enter_vpn.c
format: src scripts
clang-format -i src/*.c
ruff --fix scripts
black scripts
install_mount: systemd bin
mkdir -p /snacks/wireguard/bin
cp bin/wireguard-mount /snacks/wireguard/bin/wireguard-mount
cp systemd/wireguard-mount.service /etc/systemd/system/wireguard-mount.service
@@ -28,3 +37,6 @@ install_basic: systemd scripts bin
cp scripts/inner_basic.sh /snacks/wireguard/scripts/inner_basic.sh
chmod -R 755 /snacks/wireguard
systemctl daemon-reload

79
scripts/connect.py
View File

@@ -1,21 +1,26 @@
#!/usr/bin/env python3
import subprocess,os
import subprocess, os
newenv = os.environ.copy()
newenv["LD_PRELOAD"] = "/snacks/wireguard/bin/wireguard-resolve.so"
def default_devices():
with open("/proc/1/net/dev", "r") as f:
return f.read()
def vpn_devices():
with open("/proc/self/net/dev", "r") as f:
return f.read()
def wireguard():
try:
os.mkdir("/run/netns")
except FileExistsError:
pass
try:
os.symlink("/run/vpn/net", "/run/netns/vpn")
os.symlink("/proc/1/ns/net", "/run/netns/default")
@@ -37,19 +42,72 @@ def wireguard():
subprocess.run(["ip", "link", "del", "dev", "vpn"])
if "mynet0" not in vpn_devices():
subprocess.run(["ip", "link", "add", "name", "mynet0", "type", "bridge"])
if "veth-inner" in default_devices():
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "veth-inner"])
subprocess.run(
[
"nsenter",
"--net=/proc/1/ns/net",
"ip",
"link",
"del",
"dev",
"veth-inner",
]
)
if "veth-outer" in default_devices():
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "veth-outer"])
subprocess.run(
[
"nsenter",
"--net=/proc/1/ns/net",
"ip",
"link",
"del",
"dev",
"veth-outer",
]
)
if "vpn" in default_devices():
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"])
subprocess.run(
["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"]
)
subprocess.run(["modprobe", "wireguard"])
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "add", "dev", "vpn", "type", "wireguard"])
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "set", "dev", "vpn", "netns", "vpn"])
subprocess.run(["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner.sh"], env=newenv)
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "/snacks/wireguard/scripts/outer.sh"], env=newenv)
subprocess.run(
[
"nsenter",
"--net=/proc/1/ns/net",
"ip",
"link",
"add",
"dev",
"vpn",
"type",
"wireguard",
]
)
subprocess.run(
[
"nsenter",
"--net=/proc/1/ns/net",
"ip",
"link",
"set",
"dev",
"vpn",
"netns",
"vpn",
]
)
subprocess.run(
["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner.sh"],
env=newenv,
)
subprocess.run(
["nsenter", "--net=/proc/1/ns/net", "/snacks/wireguard/scripts/outer.sh"],
env=newenv,
)
try:
self_ns = os.readlink("/proc/self/ns/net")
@@ -61,4 +119,3 @@ else:
wireguard()
else:
print("This script should be called from the VPN network namespace.")

48
scripts/connect_basic.py
View File

@@ -1,21 +1,26 @@
#!/usr/bin/env python3
import subprocess,os
import subprocess, os
newenv = os.environ.copy()
newenv["LD_PRELOAD"] = "/snacks/wireguard/bin/wireguard-resolve.so"
def default_devices():
with open("/proc/1/net/dev", "r") as f:
return f.read()
def vpn_devices():
with open("/proc/self/net/dev", "r") as f:
return f.read()
def wireguard():
try:
os.mkdir("/run/netns")
except FileExistsError:
pass
try:
os.symlink("/run/vpn/net", "/run/netns/vpn")
os.symlink("/proc/1/ns/net", "/run/netns/default")
@@ -32,12 +37,42 @@ def wireguard():
if "vpn" in vpn_devices():
subprocess.run(["ip", "link", "del", "dev", "vpn"])
if "vpn" in default_devices():
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"])
subprocess.run(
["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"]
)
subprocess.run(["modprobe", "wireguard"])
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "add", "dev", "vpn", "type", "wireguard"])
subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "set", "dev", "vpn", "netns", "vpn"])
subprocess.run(["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner_basic.sh"], env=newenv)
subprocess.run(
[
"nsenter",
"--net=/proc/1/ns/net",
"ip",
"link",
"add",
"dev",
"vpn",
"type",
"wireguard",
]
)
subprocess.run(
[
"nsenter",
"--net=/proc/1/ns/net",
"ip",
"link",
"set",
"dev",
"vpn",
"netns",
"vpn",
]
)
subprocess.run(
["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner_basic.sh"],
env=newenv,
)
try:
self_ns = os.readlink("/proc/self/ns/net")
@@ -49,4 +84,3 @@ else:
wireguard()
else:
print("This script should be called from the VPN network namespace.")

12
src/enter_vpn.c
View File

@@ -1,11 +1,11 @@
#define _GNU_SOURCE
#include <sched.h>
#include <fcntl.h>
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <unistd.h>
int main() {
char shell[128] = {0};
@@ -17,20 +17,20 @@ int main() {
int fd = open("/run/vpn/net", 0);
if(fd > 0) {
if (fd > 0) {
int failure = setns(fd, CLONE_NEWNET);
if(failure) {
if (failure) {
perror("setns /run/vpn/net");
}
close(fd);
if(failure) {
if (failure) {
return 1;
}
} else {
perror("open /run/vpn/net");
return 1;
}
execl(shell, shell, NULL);
execl("csshell", "bshell", NULL);
perror(NULL);
return 0;
}

6
src/resolve.c
View File

@@ -4,21 +4,21 @@ extern int override_socket(int domain, int type, int protocol);
extern int override_setns(int fd, int nstype);
int socket(int domain, int type, int protocol) {
if(domain > 15) {
if (domain > 15) {
return override_socket(domain, type, protocol);
}
int fda = override_open("/proc/1/ns/net", 0);
int fdb = override_open("/run/netns/vpn", 0);
int retval = 0;
if(fda > 0) {
if (fda > 0) {
override_setns(fda, 0);
override_close(fda);
}
retval = override_socket(domain, type, protocol);
if(fdb > 0) {
if (fdb > 0) {
override_setns(fdb, 0);
override_close(fdb);
}

8
src/wireguard-mount.c
View File

@@ -1,19 +1,19 @@
#include <sys/mount.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/mount.h>
#include <systemd/sd-daemon.h>
#include <unistd.h>
int main() {
char mount_path[32] = {0};
snprintf(mount_path, sizeof(mount_path), "/proc/%d/ns", getpid());
int err = mount(mount_path, "/run/vpn", NULL, MS_BIND, NULL);
if(err) {
if (err) {
perror("Error");
return 1;
}
sd_notify(0, "READY=1");
while(1) {
while (1) {
sleep(10);
}
return 1;