>>102407613
>I don't know how that works.
Create a network namespace:
#!/bin/sh
ip netns add vpn
# create the interface
ip link add v-eth1 type veth peer name v-peer1
# add the v-peer1 to the namespace vpn
ip link set v-peer1 netns vpn
# set IP to the interface in root namespace
ip addr add 10.200.1.1/24 dev v-eth1
# make the interface active
ip link set v-eth1 up
# add ip to the interface in the vpn namespace with a corresponding netmask.
ip netns exec vpn ip addr add 10.200.1.2/24 dev v-peer1
# make the interface active
ip -n vpn link set v-peer1 up
# add a loopback interface in vpn namespace
ip -n vpn link set lo up
# make the traffic in vpn namespace go to root namespace through veth
ip -n vpn route add default via 10.200.1.1
# Enable IPv4 forwarding in the root namespace
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush forward rules, policy DROP by default.
iptables -P FORWARD DROP
iptables -F FORWARD
# Flush nat rules.
iptables -t nat -F
# Enable masquerading of 10.200.1.0.
iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o eth0 -j MASQUERADE
# Allow forwarding between eth0 and v-eth1.
iptables -A FORWARD -i eth0 -o v-eth1 -j ACCEPT
iptables -A FORWARD -o eth0 -i v-eth1 -j ACCEPT
# Allow all output traffic
iptables -P OUTPUT ACCEPT
Enter the network namespace:
sudo ip netns exec vpn /bin/bash -l
Then start your VPN, and then start your applications inside the namespace, like:
sudo ip netns exec vpn sudo -u $USER -- firefox
Anything run in the namespace will go through the VPN. Anything run outside of it in your root namespace won't.
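Added example (not from the post): a kill switch inside the vpn namespace, so that if the VPN process dies the default route via 10.200.1.1 does not quietly carry the namespace's traffic in the clear through the root namespace's NAT. It assumes the tunnel device is tun0 and uses placeholder values for the VPN server address and UDP port; the veth side v-peer1 is the one set up in the post.

```shell
#!/bin/sh
# Kill switch for the "vpn" namespace (added example, not from the original post).
# Assumptions: tunnel device tun0; VPN_SERVER/VPN_PORT are placeholders (override via env).
NS=vpn
TUN=tun0
VETH=v-peer1
VPN_SERVER=${VPN_SERVER:-198.51.100.10}   # placeholder, RFC 5737 documentation range
VPN_PORT=${VPN_PORT:-1194}                # placeholder UDP port

# killswitch_rules: print the iptables commands, one per line, so the rule set can be
# reviewed (or checked by a script) before it is applied inside the namespace.
# Only two kinds of egress are allowed: the VPN handshake to the server over the veth,
# and everything else over the tunnel device. Anything else is dropped.
killswitch_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $VETH -d $VPN_SERVER -p udp --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $TUN -j ACCEPT
EOF
}

# rule_count_for_dev DEV: number of OUTPUT ACCEPT rules leaving via DEV.
# Sanity check: the veth and the tunnel each get exactly one.
rule_count_for_dev() {
    killswitch_rules | grep -c -- "-A OUTPUT -o $1 "
}

# apply_killswitch: run each rule inside the namespace (needs root; the namespace
# must already exist as in the setup script above).
apply_killswitch() {
    killswitch_rules | while IFS= read -r rule; do
        ip netns exec "$NS" $rule
    done
}

if [ "$1" = "--apply" ]; then
    apply_killswitch
fi
```

Run with no arguments to print the rules for review, or as root with `--apply` after the namespace exists; start the VPN inside the namespace afterwards, since only its handshake to VPN_SERVER is allowed out over v-peer1.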