VPNNS(1) General Commands Manual VPNNS(1)

NAME
vpnns - per-app VPN using namespaces

SYNOPSIS
vpnns [--name=identifier] -- command

vpnns [--name=identifier] [--script=path] --attach

DESCRIPTION
vpnns isolates VPN-related network traffic and applications inside a
separate network namespace. Applications intended to be used with the
VPN cannot bypass the VPN to access the internet directly, and
applications not intended to be used with the VPN cannot send traffic
through the VPN tunnel.

Each of the following commands starts an application in a fresh
user/net/uts/mount namespace:

vpnns -- google-chrome --user-data-dir=/tmp/vpntest

vpnns -- firefox -no-remote -P vpn

vpnns -- transmission-gtk

Initially the application will not have any network access, as the only
interface present in the netns is the loopback device. It should still
be able to talk to Xorg through UNIX sockets in /tmp.

The next step is to connect to a VPN and invoke vpnns --attach to pass
the VPN traffic back and forth:

openconnect --script "vpnns --attach" --script-tun vpn.example.com

openvpn --script-security 2 --config example.ovpn --dev "|HOME=$HOME vpnns --attach"

These commands connect to an ocserv or openvpn gateway, then tell vpnns
to set up a tunnel device, default route, and resolv.conf inside the
namespace created above. On success, the web browser will have
connectivity. When the VPN disconnects, the browser will lose all
connectivity, preventing leaks.

vpnns can be rerun multiple times if the connection fails or if the VPN
client crashes. If run without arguments, it will open a shell inside
the namespace.

OPTIONS
-n, --name identifier
    vpnns is designed to allow multiple instances to coexist on the
    same system. This feature could be useful for connecting to
    multiple VPNs at the same time. identifier defaults to "default"
    but can be overridden through the --name option.

-s, --script path
    Invoke the program at path to set up and tear down the tunnel
    device's IP configuration, instead of letting vpnns handle it
    internally. $TUNDEV will be set to the device name (e.g. tun0).
    $reason will be set to either connect or disconnect. Any IP
    configuration variables such as $INTERNAL_IP4_ADDRESS set by the
    VPN client will be inherited, so it is possible for a modified
    vpnc-script to be used. This option only has an effect if
    --attach is also specified.
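As an added example (not part of vpnns or its documentation), a --script hook that applies the inherited VPN client variables to $TUNDEV on connect and clears them on disconnect. It assumes the vpnc-script variable names INTERNAL_IP4_ADDRESS and INTERNAL_IP4_MTU and adds a VPNNS_DRY_RUN switch of its own that prints the commands instead of running them:

```sh
#!/bin/sh
# Added example: a hook for "vpnns --script PATH --attach"; not part of vpnns.
# vpnns runs it with $TUNDEV (e.g. tun0) and $reason (connect|disconnect).
# $INTERNAL_IP4_ADDRESS and $INTERNAL_IP4_MTU are vpnc-script variables that
# the VPN client exports and vpnns passes through (names assumed from vpnc-script).
# VPNNS_DRY_RUN is this script's own switch: print commands instead of running them.

run() {
    if [ -n "$VPNNS_DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The namespace has only lo and $TUNDEV, so a default route on $TUNDEV is
# the only path out: no split tunnel, and nothing left to leak through.
vpnns_connect() {
    case "$TUNDEV" in
        tun[0-9]*) ;;   # expects the tunN naming shown in the man page
        *) echo "vpnns-script: unexpected TUNDEV '$TUNDEV'" >&2; return 1 ;;
    esac
    if [ -z "$INTERNAL_IP4_ADDRESS" ]; then
        echo "vpnns-script: VPN client did not export INTERNAL_IP4_ADDRESS" >&2
        return 1
    fi
    run ip link set "$TUNDEV" up mtu "${INTERNAL_IP4_MTU:-1400}" &&
    run ip addr add "$INTERNAL_IP4_ADDRESS/32" dev "$TUNDEV" &&
    run ip route add default dev "$TUNDEV"
}

# On disconnect the device is usually already gone; clear whatever is left so
# the namespace is back to loopback only, exactly as before --attach.
vpnns_disconnect() {
    run ip route del default dev "$TUNDEV" 2>/dev/null
    run ip link set "$TUNDEV" down 2>/dev/null
    return 0
}

# vpnns sets $reason; when sourced for testing it is unset and nothing runs.
case "$reason" in
    connect)    vpnns_connect ;;
    disconnect) vpnns_disconnect ;;
esac
```

A non-zero exit from the connect branch tells the VPN client that the tunnel was not configured, which is preferable to silently leaving the namespace half set up.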

BUGS
vpnns is not a security tool. It cannot prevent malicious applications
from bypassing the namespace restrictions.

While OpenConnect works with vpnns out of the box, OpenVPN currently
(as of 2017-01-08) requires out-of-tree patches to support non-root
operation.

If /etc/resolv.conf is a symbolic link to a file that is regenerated on
network connection changes, the bind mount used by vpnns to override
the DNS configuration can be inadvertently deleted. vpnns attempts to
work around this by using overlayfs to override /etc/resolv.conf, but
that does not work on all systems.

Some distributions patch their kernels to prevent unprivileged users
from creating namespaces, resulting in a "can't unshare namespaces:
Operation not permitted" error. This security feature can be disabled
using the following command:

sudo sysctl -w kernel.unprivileged_userns_clone=1

To make the change permanent, edit /etc/sysctl.conf.

FILES
~/.vpnns-identifier
    State directory for a given vpnns instance. By default, vpnns
    uses ~/.vpnns-default.

SEE ALSO
ocproxy(1), openconnect(8), openvpn(8)

January 8, 2017 VPNNS(1)