From 243f72c103f139f7ab857527d95a05be3fd3605d Mon Sep 17 00:00:00 2001 From: Roy Olav Purser Date: Fri, 9 Feb 2024 19:49:10 +0100 Subject: [PATCH] add tool to enter vpn --- .clang-format | 12 ++++++ Makefile | 16 +++++++- scripts/connect.py | 79 ++++++++++++++++++++++++++++++++++------ scripts/connect_basic.py | 48 ++++++++++++++++++++---- src/enter_vpn.c | 12 +++--- src/resolve.c | 6 +-- src/wireguard-mount.c | 8 ++-- 7 files changed, 148 insertions(+), 33 deletions(-) create mode 100644 .clang-format diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..6b462a7 --- /dev/null +++ b/.clang-format @@ -0,0 +1,12 @@ +--- +AccessModifierOffset: 0 +IndentAccessModifiers: true +AlignTrailingComments: true +AllowShortFunctionsOnASingleLine: false +AllowShortIfStatementsOnASingleLine: true +AllowShortLoopsOnASingleLine: true +BreakBeforeBinaryOperators: false +IndentWidth: 4 +SortIncludes: false +NamespaceIndentation: All +... diff --git a/Makefile b/Makefile index 5021e81..4443193 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ CFLAGS = -std=gnu99 -pie -fPIC -pedantic -Wno-imports -Wunused -Wno-missing-field-initializers -Wextra -Wunreachable-code -O3 -all: wireguard_mount wireguard_resolve +all: wireguard_mount wireguard_resolve enter_vpn wireguard_mount: src/wireguard-mount.c mkdir -p bin @@ -10,7 +10,16 @@ wireguard_resolve: src/resolve.c src/resolve.s mkdir -p bin gcc -shared -o bin/wireguard-resolve.so -nostdlib -fPIC src/resolve.c src/resolve.s -install_mount: systemd bin: +enter_vpn: src/enter_vpn.c + mkdir -p bin + gcc $(CFLAGS) -o bin/enter_vpn src/enter_vpn.c + +format: src scripts + clang-format -i src/*.c + ruff --fix scripts + black scripts + +install_mount: systemd bin mkdir -p /snacks/wireguard/bin cp bin/wireguard-mount /snacks/wireguard/bin/wireguard-mount cp systemd/wireguard-mount.service /etc/systemd/system/wireguard-mount.service 
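Review bot: The new `enter_vpn` target compiles with the shared `CFLAGS`, which carries `-pie -fPIC` but none of the usual hardening set (`-D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wl,-z,relro,-z,now`), and since the tool's whole purpose is setns(CLONE_NEWNET) it will presumably be installed setuid or with CAP_SYS_ADMIN, which is exactly where those flags matter. No install rule for `bin/enter_vpn` is visible in this diff either, so the intended path, owner and mode are undocumented; a comment above the target such as `# enter_vpn needs CAP_SYS_ADMIN for setns(); install it with an explicit setcap/setuid step` would record that decision. Correcting `install_mount: systemd bin:` to `install_mount: systemd bin` is fine.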
@@ -28,3 +37,6 @@ install_basic: systemd scripts bin cp scripts/inner_basic.sh /snacks/wireguard/scripts/inner_basic.sh chmod -R 755 /snacks/wireguard systemctl daemon-reload + + + diff --git a/scripts/connect.py b/scripts/connect.py index 25fdc9e..4aade0c 100644 --- a/scripts/connect.py +++ b/scripts/connect.py @@ -1,21 +1,26 @@ #!/usr/bin/env python3 -import subprocess,os +import subprocess, os + newenv = os.environ.copy() newenv["LD_PRELOAD"] = "/snacks/wireguard/bin/wireguard-resolve.so" + def default_devices(): with open("/proc/1/net/dev", "r") as f: return f.read() + + def vpn_devices(): with open("/proc/self/net/dev", "r") as f: return f.read() + def wireguard(): try: os.mkdir("/run/netns") except FileExistsError: pass - + try: os.symlink("/run/vpn/net", "/run/netns/vpn") os.symlink("/proc/1/ns/net", "/run/netns/default") 
@@ -37,19 +42,72 @@ def wireguard(): subprocess.run(["ip", "link", "del", "dev", "vpn"]) if "mynet0" not in vpn_devices(): subprocess.run(["ip", "link", "add", "name", "mynet0", "type", "bridge"]) - + if "veth-inner" in default_devices(): - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "veth-inner"]) + subprocess.run( + [ + "nsenter", + "--net=/proc/1/ns/net", + "ip", + "link", + "del", + "dev", + "veth-inner", + ] + ) if "veth-outer" in default_devices(): - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "veth-outer"]) + subprocess.run( + [ + "nsenter", + "--net=/proc/1/ns/net", + "ip", + "link", + "del", + "dev", + "veth-outer", + ] + ) if "vpn" in default_devices(): - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"]) + subprocess.run( + ["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"] + ) subprocess.run(["modprobe", "wireguard"]) - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "add", "dev", "vpn", "type", "wireguard"]) - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "set", "dev", "vpn", "netns", "vpn"]) - subprocess.run(["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner.sh"], env=newenv) - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "/snacks/wireguard/scripts/outer.sh"], env=newenv) + subprocess.run( + [ + "nsenter", + "--net=/proc/1/ns/net", + "ip", + "link", + "add", + "dev", + "vpn", + "type", + "wireguard", + ] + ) + subprocess.run( + [ + "nsenter", + "--net=/proc/1/ns/net", + "ip", + "link", + "set", + "dev", + "vpn", + "netns", + "vpn", + ] + ) + subprocess.run( + ["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner.sh"], + env=newenv, + ) + subprocess.run( + ["nsenter", "--net=/proc/1/ns/net", "/snacks/wireguard/scripts/outer.sh"], + env=newenv, + ) + try: self_ns = os.readlink("/proc/self/ns/net") 
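Review bot: None of the reformatted `subprocess.run` calls in this hunk pass `check=True`, so a failing `modprobe wireguard` or `ip link add dev vpn type wireguard` is ignored and the script goes on to run `inner.sh`/`outer.sh` under `LD_PRELOAD` against a device that may not exist; `check=True` on each call (or a `.returncode` test) turns that into a visible `CalledProcessError` before any configuration is applied. The repeated `["nsenter", "--net=…", …]` argument lists would also be easier to audit through one small helper, sketched below. `wireguard()` begins and ends outside this hunk.
```python
def _run_in_netns(ns_path, *argv, env=None):
    """Run argv inside the network namespace at ns_path; raise on non-zero exit."""
    subprocess.run(["nsenter", "--net=" + ns_path, *argv], env=env, check=True)

# … unchanged: stale-device clean-up in wireguard() …
    subprocess.run(["modprobe", "wireguard"], check=True)
    _run_in_netns("/proc/1/ns/net", "ip", "link", "add", "dev", "vpn", "type", "wireguard")
    _run_in_netns("/proc/1/ns/net", "ip", "link", "set", "dev", "vpn", "netns", "vpn")
    _run_in_netns("/run/vpn/net", "/snacks/wireguard/scripts/inner.sh", env=newenv)
    _run_in_netns("/proc/1/ns/net", "/snacks/wireguard/scripts/outer.sh", env=newenv)
```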
@@ -61,4 +119,3 @@ else: wireguard() else: print("This script should be called from the VPN network namespace.") - diff --git a/scripts/connect_basic.py b/scripts/connect_basic.py index 1cefaf7..fcdf2b5 100644 --- a/scripts/connect_basic.py +++ b/scripts/connect_basic.py @@ -1,21 +1,26 @@ #!/usr/bin/env python3 -import subprocess,os +import subprocess, os + newenv = os.environ.copy() newenv["LD_PRELOAD"] = "/snacks/wireguard/bin/wireguard-resolve.so" + def default_devices(): with open("/proc/1/net/dev", "r") as f: return f.read() + + def vpn_devices(): with open("/proc/self/net/dev", "r") as f: return f.read() + def wireguard(): try: os.mkdir("/run/netns") except FileExistsError: pass - + try: os.symlink("/run/vpn/net", "/run/netns/vpn") os.symlink("/proc/1/ns/net", "/run/netns/default") @@ -32,12 +37,42 @@ def wireguard(): if "vpn" in vpn_devices(): subprocess.run(["ip", "link", "del", "dev", "vpn"]) if "vpn" in default_devices(): - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"]) + subprocess.run( + ["nsenter", "--net=/proc/1/ns/net", "ip", "link", "del", "dev", "vpn"] + ) subprocess.run(["modprobe", "wireguard"]) - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "add", "dev", "vpn", "type", "wireguard"]) - subprocess.run(["nsenter", "--net=/proc/1/ns/net", "ip", "link", "set", "dev", "vpn", "netns", "vpn"]) - subprocess.run(["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner_basic.sh"], env=newenv) + subprocess.run( + [ + "nsenter", + "--net=/proc/1/ns/net", + "ip", + "link", + "add", + "dev", + "vpn", + "type", + "wireguard", + ] + ) + subprocess.run( + [ + "nsenter", + "--net=/proc/1/ns/net", + "ip", + "link", + "set", + "dev", + "vpn", + "netns", + "vpn", + ] + ) + subprocess.run( + ["nsenter", "--net=/run/vpn/net", "/snacks/wireguard/scripts/inner_basic.sh"], + env=newenv, + ) + try: self_ns = os.readlink("/proc/self/ns/net") 
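Review bot: The reformatted `subprocess.run` calls in the connect_basic.py hunk ignore exit status, so if `ip link add dev vpn type wireguard` or the following `ip link set … netns vpn` fails, the script still runs `inner_basic.sh` under `LD_PRELOAD` in the VPN namespace with no `vpn` device; `subprocess.run([...], check=True)` on each call makes the failure fatal and visible. This sequence is otherwise a near-verbatim copy of the one in connect.py, and the two scripts would stay in sync more easily if the namespace set-up lived in one shared module. `wireguard()` begins and ends outside this hunk.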
@@ -49,4 +84,3 @@ else: wireguard() else: print("This script should be called from the VPN network namespace.") - diff --git a/src/enter_vpn.c b/src/enter_vpn.c index fdc1a1c..bbbd180 100644 --- a/src/enter_vpn.c +++ b/src/enter_vpn.c @@ -1,11 +1,11 @@ #define _GNU_SOURCE -#include #include #include +#include #include -#include #include +#include int main() { char shell[128] = {0}; @@ -17,20 +17,20 @@ int main() { int fd = open("/run/vpn/net", 0); - if(fd > 0) { + if (fd > 0) { int failure = setns(fd, CLONE_NEWNET); - if(failure) { + if (failure) { perror("setns /run/vpn/net"); } close(fd); - if(failure) { + if (failure) { return 1; } } else { perror("open /run/vpn/net"); return 1; } - execl(shell, shell, NULL); + execl("csshell", "bshell", NULL); perror(NULL); return 0; } diff --git a/src/resolve.c b/src/resolve.c index 33bab69..0612c0e 100644 --- a/src/resolve.c +++ b/src/resolve.c @@ -4,21 +4,21 @@ extern int override_socket(int domain, int type, int protocol); extern int override_setns(int fd, int nstype); int socket(int domain, int type, int protocol) { - if(domain > 15) { + if (domain > 15) { return override_socket(domain, type, protocol); } int fda = override_open("/proc/1/ns/net", 0); int fdb = override_open("/run/netns/vpn", 0); int retval = 0; - if(fda > 0) { + if (fda > 0) { override_setns(fda, 0); override_close(fda); } retval = override_socket(domain, type, protocol); - if(fdb > 0) { + if (fdb > 0) { override_setns(fdb, 0); override_close(fdb); } diff --git a/src/wireguard-mount.c b/src/wireguard-mount.c index 0514565..4ba9be5 100644 --- a/src/wireguard-mount.c +++ b/src/wireguard-mount.c 
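Review bot: `execl("csshell", "bshell", NULL)` execs a relative path with a spoofed argv[0]: execl does not search PATH, so after the setns into `/run/vpn/net` it runs whatever `csshell` sits in the caller's current directory. Because setns(CLONE_NEWNET) needs CAP_SYS_ADMIN, if this binary is installed setuid or with file capabilities (not visible here) any user can drop a `csshell` in their cwd and have it executed privileged; it reads like a debugging leftover. Restore `execl(shell, shell, NULL);` (the `shell` buffer is declared in the first hunk and presumably filled in the lines between the two hunks) or exec an absolute path, and drop privileges before the exec if the binary carries any. Two smaller points on the new side: `if (fd > 0)` treats descriptor 0 as an open failure where `if (fd >= 0)` is correct, and falling through a failed execl ends in `return 0`, reporting success — `return 127;` is conventional.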
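Review bot: `if (fdb > 0)` is evaluated only after the interposed `socket()` has already switched the thread into `/proc/1/ns/net`, so if `/run/netns/vpn` cannot be opened (for example before connect.py has created that symlink) the caller is silently left in the default namespace and every later socket bypasses the VPN confinement. Open `/run/netns/vpn` first and fall back to a plain `override_socket` with no namespace switch when it is missing, check the `override_setns` return values, and use `>= 0` for the descriptor tests since 0 is a valid fd. A comment on `socket()` should also state that this redirects every AF_UNIX/AF_INET/AF_INET6 socket (`domain <= 15`) of the preloaded process into the default namespace, not only resolver traffic. The function's `return` lies outside the hunk.
```c
int socket(int domain, int type, int protocol) {
    if (domain > 15) {
        return override_socket(domain, type, protocol);
    }
    /* Open the way back first: without it, never leave the VPN namespace. */
    int fdb = override_open("/run/netns/vpn", 0);
    if (fdb < 0) {
        return override_socket(domain, type, protocol);
    }
    int fda = override_open("/proc/1/ns/net", 0);
    int retval = 0;
    if (fda >= 0 && override_setns(fda, 0) == 0) {
        retval = override_socket(domain, type, protocol);
        override_setns(fdb, 0); /* TODO: a failure here strands the caller in init's netns */
    } else {
        retval = override_socket(domain, type, protocol);
    }
    if (fda >= 0) override_close(fda);
    override_close(fdb);
    /* … unchanged: return retval … */
```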
@@ -1,19 +1,19 @@ -#include -#include #include +#include #include +#include int main() { char mount_path[32] = {0}; snprintf(mount_path, sizeof(mount_path), "/proc/%d/ns", getpid()); int err = mount(mount_path, "/run/vpn", NULL, MS_BIND, NULL); - if(err) { + if (err) { perror("Error"); return 1; } sd_notify(0, "READY=1"); - while(1) { + while (1) { sleep(10); } return 1;
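Review bot: `mount(mount_path, "/run/vpn", NULL, MS_BIND, NULL)` bind-mounts the whole `/proc/<pid>/ns` directory, so `/run/vpn` exposes this process's mnt, pid, user, ipc, uts and cgroup namespace handles as well as the one the scripts actually use (`/run/vpn/net`); bind-mounting just `/proc/<pid>/ns/net` onto a pre-created regular file `/run/vpn/net` limits the exposure to the single handle needed. The `while (1) sleep(10);` holder loop is fine, but the `return 1;` after it is unreachable and reads like an error path — a comment such as `// never reached: this process exists only to keep the namespace alive (presumably started by systemd in its own netns)` would make the intent clear. `main` closes outside the hunk.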