Initial commit

cynecx · Mar 16, 2019 · 5973d7a · 5973d7a
commit 5973d7a
Show file tree

Hide file tree

Showing 6 changed files with 208 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -0,0 +1,8 @@
+.PHONY: install
+
+install:
+	cp netns-ctwg0 /etc/default/netns-ctwg0
+	cp *.service /usr/lib/systemd/system/
+	cp wireguard-nsinit /usr/bin/
+
+	systemctl daemon-reload
diff --git a/netns-ctwg0 b/netns-ctwg0
@@ -0,0 +1,4 @@
+WIREGUARD_CONF=wg0
+INTER_GATEWAY="192.168.30.0/24"
+INTER_IP_HOST="192.168.30.1/32"
+INTER_IP_CONT="192.168.30.2/32"
diff --git a/[email protected] b/[email protected]
@@ -0,0 +1,18 @@
+[Unit]
+Description=WireGuard service for netns %I
+
+BindsTo=netns@%i.service
+After=netns@%i.service network.target network-online.target
+
+[Install]
+WantedBy=network-online.target
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/etc/default/netns-%I
+
+ExecStart=/usr/bin/env wireguard-nsinit up %I
+ExecStop=/usr/bin/env wireguard-nsinit down %I
+ExecStopPost=/usr/bin/env wireguard-nsinit cleanup %I
diff --git a/[email protected] b/[email protected]
@@ -0,0 +1,23 @@
+[Unit]
+Description=Named network namespace %I
+
+After=network-pre.target
+Before=network.target network-online.target
+
+[Install]
+WantedBy=network-online.target
+WantedBy=multi-user.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+PrivateNetwork=yes
+
+ExecStartPre=-/usr/bin/env ip netns delete %I
+
+ExecStart=/usr/bin/env ip netns add %I
+ExecStart=/usr/bin/env umount /var/run/netns/%I
+ExecStart=/usr/bin/env mount --bind /proc/self/ns/net /var/run/netns/%I
+
+ExecStop=/usr/bin/env ip netns delete %I
+
diff --git a/[email protected] b/[email protected]
@@ -0,0 +1,15 @@
+[Unit]
+Description=qbittorrent-nox Daemon (wg0)
+Documentation=https://github.com/qbittorrent/qBittorrent/wiki
+BindsTo[email protected]
+After[email protected]
+JoinsNamespaceOf[email protected]
+
+[Service]
+User=%i
+Type=forking
+ExecStart=/usr/bin/qbittorrent-nox --daemon
+PrivateNetwork=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/wireguard-nsinit b/wireguard-nsinit
@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+
+set -e -o pipefail
+shopt -s extglob
+export LC_ALL=C
+
+CONTAINER=""
+INTER_HOSTIF=""
+INTER_CONTIF=""
+
+WG_CONFIG=""
+INTERFACE=""
+ADDRESSES=( )
+MTU=""
+DNS=( )
+TABLE=""
+PRE_UP=( )
+POST_UP=( )
+PRE_DOWN=( )
+POST_DOWN=( )
+SAVE_CONFIG=0
+CONFIG_FILE=""
+PROGRAM="${0##*/}"
+ARGS=( "$@" )
+
+die() {
+	echo "$PROGRAM: $*" >&2
+	exit 1
+}
+
+# from https://github.com/WireGuard/WireGuard/blob/master/src/tools/wg-quick/linux.bash
+parse_options() {
+	local interface_section=0 line key value stripped
+	CONFIG_FILE="$1"
+	[[ $CONFIG_FILE =~ ^[a-zA-Z0-9_=+.-]{1,15}$ ]] && CONFIG_FILE="/etc/wireguard/$CONFIG_FILE.conf"
+	[[ -e $CONFIG_FILE ]] || die "\`$CONFIG_FILE' does not exist"
+	[[ $CONFIG_FILE =~ (^|/)([a-zA-Z0-9_=+.-]{1,15})\.conf$ ]] || die "The config file must be a valid interface name, followed by .conf"
+	CONFIG_FILE="$(readlink -f "$CONFIG_FILE")"
+	((($(stat -c '0%#a' "$CONFIG_FILE") & $(stat -c '0%#a' "${CONFIG_FILE%/*}") & 0007) == 0)) || echo "Warning: \`$CONFIG_FILE' is world accessible" >&2
+	INTERFACE="${BASH_REMATCH[2]}"
+	shopt -s nocasematch
+	while read -r line || [[ -n $line ]]; do
+		stripped="${line%%\#*}"
+		key="${stripped%%=*}"; key="${key##*([[:space:]])}"; key="${key%%*([[:space:]])}"
+		value="${stripped#*=}"; value="${value##*([[:space:]])}"; value="${value%%*([[:space:]])}"
+		[[ $key == "["* ]] && interface_section=0
+		[[ $key == "[Interface]" ]] && interface_section=1
+		if [[ $interface_section -eq 1 ]]; then
+			case "$key" in
+			Address) ADDRESSES+=( ${value//,/ } ); continue ;;
+			MTU) MTU="$value"; continue ;;
+			DNS) DNS+=( ${value//,/ } ); continue ;;
+			Table) TABLE="$value"; continue ;;
+			PreUp) PRE_UP+=( "$value" ); continue ;;
+			PreDown) PRE_DOWN+=( "$value" ); continue ;;
+			PostUp) POST_UP+=( "$value" ); continue ;;
+			PostDown) POST_DOWN+=( "$value" ); continue ;;
+			SaveConfig) read_bool SAVE_CONFIG "$value"; continue ;;
+			esac
+		fi
+		WG_CONFIG+="$line"$'\n'
+	done < "$CONFIG_FILE"
+	shopt -u nocasematch
+
+	INTERFACE="ns${INTERFACE}"
+	INTER_HOSTIF="veth_m$CONTAINER"
+	INTER_CONTIF="veth_s$CONTAINER"
+}
+
+cmd_up() {
+	ip link add "$INTERFACE" type wireguard
+	ip link set "$INTERFACE" netns "$CONTAINER"
+
+	for i in "${ADDRESSES[@]}"; do
+		ip -n "$CONTAINER" addr add "$i" dev "$INTERFACE"
+	done;
+
+	ip netns exec "$CONTAINER" wg setconf "$INTERFACE" <(echo "$WG_CONFIG")
+
+	ip -n "$CONTAINER" link set "$INTERFACE" mtu 1420 up
+	ip -n "$CONTAINER" route add default dev "$INTERFACE"
+
+	ip link add "$INTER_HOSTIF" type veth peer name "$INTER_CONTIF"
+	ip link set "$INTER_CONTIF" netns "$CONTAINER"
+
+	ip addr add "$INTER_IP_HOST" dev "$INTER_HOSTIF"
+	ip -n "$CONTAINER" addr add "$INTER_IP_CONT" dev "$INTER_CONTIF"
+
+	ip link set "$INTER_HOSTIF" up
+	ip -n "$CONTAINER" link set "$INTER_CONTIF" up
+
+	ip route add "$INTER_GATEWAY" dev "$INTER_HOSTIF"
+	ip -n "$CONTAINER" route add "$INTER_GATEWAY" dev "$INTER_CONTIF"
+}
+
+cmd_down() {
+	ip -n "$CONTAINER" route delete default
+	ip -n "$CONTAINER" link set "$INTERFACE" down
+	ip -n "$CONTAINER" link delete "$INTERFACE"
+
+	ip -n "$CONTAINER" route delete "$INTER_GATEWAY"
+	ip -n "$CONTAINER" link set "$INTER_CONTIF" down
+
+	ip route delete "$INTER_GATEWAY"
+	ip link set "$INTER_HOSTIF" down
+	ip link delete "$INTER_HOSTIF"
+}
+
+cmd_cleanup() {
+	set +e +o pipefail
+	cmd_down
+	set -e -o pipefail
+}
+
+if [[ ! $# -eq 2 ]]; then
+	die 'invalid number of arguments'
+fi;
+
+CMD="$1"
+CONTAINER="$2"
+
+if [[ -z "$WIREGUARD_CONF" ]] || [[ -z "$INTER_GATEWAY" ]] || [[ -z "$INTER_IP_HOST" ]] || [[ -z "$INTER_IP_CONT" ]]; then
+	die 'wireguard config not specified'
+fi;
+
+if [[ -z "$CONTAINER" ]]; then
+	die 'container not specified'
+fi;
+
+parse_options "$WIREGUARD_CONF"
+
+if [[ $CMD == up ]]; then
+	cmd_up
+elif [[ $CMD == down ]]; then
+	cmd_down
+elif [[ $CMD == cleanup ]]; then
+	cmd_cleanup
+else
+	exit 1
+fi;