VPNNS(1)                    General Commands Manual                   VPNNS(1)

NAME

       vpnns - per-app VPN using namespaces

SYNOPSIS

       vpnns [--name=identifier] -- command

       vpnns [--name=identifier] [--script=path] --attach

DESCRIPTION

       vpnns isolates VPN-related network traffic and applications inside a
       separate network namespace.  Applications intended to be used with the
       VPN cannot bypass the VPN to access the internet directly, and
       applications not intended to be used with the VPN cannot send traffic
       through the VPN tunnel.

USAGE

       This starts up an application in a fresh user/net/uts/mount namespace:

              vpnns -- google-chrome --user-data-dir=/tmp/vpntest

              vpnns -- firefox -no-remote -P vpn

              vpnns -- transmission-gtk

       Initially it will not have any network access, as the only interface
       present in the netns is the loopback device.  The application should
       still be able to talk to Xorg through UNIX sockets in /tmp.

       The next step is to connect to a VPN and invoke vpnns --attach to pass
       the VPN traffic back and forth:

              openconnect --script "vpnns --attach" --script-tun vpn.example.com

              openvpn --script-security 2 --config example.ovpn --dev
              "|HOME=$HOME vpnns --attach"

       These commands connect to an ocserv or openvpn gateway, then tell vpnns
       to set up a tunnel device, default route, and resolv.conf inside the
       namespace created above.  On success, the web browser will have
       connectivity.  When the VPN disconnects, the browser will lose all
       connectivity, preventing leaks.

       vpnns can be rerun multiple times if the connection fails or if the VPN
       client crashes.  If run without arguments, it will open a shell inside
       the namespace.


OPTIONS

       -n, --name identifier
              vpnns is designed to allow multiple instances to coexist on the
              same system.  This feature could be useful for connecting to
              multiple VPNs at the same time.  identifier defaults to
              "default" but can be overridden through the --name option.

       -s, --script path
              Invoke the program at path to set up and tear down the tunnel
              device's IP configuration, instead of letting vpnns handle it
              internally.  $TUNDEV will be set to the device name (e.g. tun0).
              $reason will be set to either connect or disconnect.  Any IP
              configuration variables such as $INTERNAL_IP4_ADDRESS set by the
              VPN client will be inherited, so it is possible for a modified
              vpnc-script to be used.  This option only has an effect if
              --attach is also specified.

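       The following hook is an added example, not code shipped with vpnns or
       this manual.  It shows what a --script program can do with the
       variables described above: $TUNDEV and $reason come from vpnns,
       $INTERNAL_IP4_ADDRESS from the VPN client; $INTERNAL_IP4_DNS (the
       vpnc-script name for the pushed resolvers) and the VPNNS_HOOK_*
       variables are assumptions made by this example.

```shell
#!/bin/sh
# Constructed example of a hook for "vpnns --script PATH --attach".
# vpnns exports TUNDEV (e.g. tun0) and reason (connect|disconnect).
# INTERNAL_IP4_ADDRESS / INTERNAL_IP4_DNS are assumed to be inherited from the
# VPN client's vpnc-script environment; VPNNS_HOOK_* are this example's own.

# Emit the ip(8) commands for one phase, one per line, without running them.
# Arguments: reason tundev ip4addr
vpnns_hook_plan() {
    _reason=$1 _dev=$2 _addr=$3
    case $_reason in
    connect)
        # Fail closed: never bring the device up without an address.
        [ -n "$_addr" ] || { echo "vpnns-hook: INTERNAL_IP4_ADDRESS unset" >&2; return 1; }
        echo "ip link set dev $_dev up"
        echo "ip addr add $_addr/32 dev $_dev"
        # The tunnel is the only default route inside the namespace.
        echo "ip route replace default dev $_dev"
        ;;
    disconnect)
        # Drop the route first so nothing can leak while the device goes away.
        echo "ip route del default dev $_dev"
        echo "ip link set dev $_dev down"
        ;;
    *)
        echo "vpnns-hook: unknown reason '$_reason'" >&2
        return 2
        ;;
    esac
}

# Rewrite the namespace's resolv.conf (vpnns already makes it private) so it
# lists only the VPN's resolvers; on disconnect leave it empty so lookups
# fail instead of falling back to the host resolver.
vpnns_hook_resolv() {
    _file=$1 _reason=$2 _dns=$3
    if [ "$_reason" = connect ] && [ -n "$_dns" ]; then
        printf 'nameserver %s\n' $_dns > "$_file"   # $_dns may hold several
    else
        : > "$_file"
    fi
}

# Entry point when run by vpnns; VPNNS_HOOK_DRY_RUN=1 only prints the plan.
if [ -n "$TUNDEV" ] && [ -n "$reason" ]; then
    vpnns_hook_plan "$reason" "$TUNDEV" "$INTERNAL_IP4_ADDRESS" | while IFS= read -r cmd; do
        if [ -n "$VPNNS_HOOK_DRY_RUN" ]; then echo "+ $cmd"; else $cmd; fi
    done
    vpnns_hook_resolv "${VPNNS_HOOK_RESOLV:-/etc/resolv.conf}" "$reason" "$INTERNAL_IP4_DNS"
fi
```

       Run it inside the namespace with VPNNS_HOOK_DRY_RUN=1 first to review
       the commands it would execute for each phase.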

CAVEATS

       vpnns is not a security tool.  It cannot prevent malicious applications
       from bypassing the namespace restrictions.

       While OpenConnect works with vpnns out of the box, OpenVPN currently
       (as of 2017-01-08) requires out-of-tree patches to support non-root
       operation.

       If /etc/resolv.conf is a symbolic link to a file that is regenerated on
       network connection changes, the bind mount used by vpnns to override
       the DNS configuration can be inadvertently deleted.  vpnns attempts to
       work around this by using overlayfs to override /etc/resolv.conf, but
       that does not work on all systems.

       Some distributions patch their kernels to prevent unprivileged users
       from creating namespaces, resulting in a "can't unshare namespaces:
       Operation not permitted" error.  This security feature can be disabled
       using the following command:

              sudo sysctl -w kernel.unprivileged_userns_clone=1

       To make the change permanent, edit /etc/sysctl.conf.


FILES

       ~/.vpnns-identifier
              State directory for a given vpnns instance.  By default, vpnns
              uses ~/.vpnns-default.


SEE ALSO

       ocproxy(1), openconnect(8), openvpn(8)



                                January 8, 2017                       VPNNS(1)