• the_third@feddit.de
    link
    fedilink
    English
    arrow-up
    2
    ·
    edit-2
    7 months ago

    When I design something, critical applications get their own network namespace with only the VPN interface inside anyway. So, yeah.

      • originalucifer@moist.catsweat.com
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        i think docker allows for this configuration. i use a gluetun container for the network definition of the torrent container to prevent leaking. the torrent container knows of no other network than the vpn container.

      • the_third@feddit.de
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        There’s readily available docker containers for it but I wanted to build it by hand. Well, more or less, Extremely hacky but it works, so fine for me.

        I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it:

        https://github.com/dadevel/wg-netns

        cat /etc/systemd/system/wg-qbittorrent.service
        [Unit]
        Description=WireGuard Network Namespace for qBittorrent
        Wants=network-online.target nss-lookup.target
        After=network-online.target nss-lookup.target
        
        [Service]
        Type=oneshot
        Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
        Environment=WG_VERBOSE=1
        ExecStart=/opt/wg-netns/bin/wg-netns up /etc/wireguard/wgconfig.yaml
        ExecStop=/opt/wg-netns/bin/wg-netns down /etc/wireguard/wgconfig.yaml
        RemainAfterExit=yes
        
        WorkingDirectory=%E/wireguard
        ConfigurationDirectory=wireguard
        ConfigurationDirectoryMode=0700
        
        CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
        LimitNOFILE=4096
        LimitNPROC=512
        LockPersonality=true
        MemoryDenyWriteExecute=true
        NoNewPrivileges=true
        ProtectClock=true
        ProtectHostname=true
        RemoveIPC=true
        RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
        RestrictNamespaces=mnt net
        RestrictRealtime=true
        RestrictSUIDSGID=true
        SystemCallArchitectures=native
        
        [Install]
        WantedBy=multi-user.target
        

        Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static

        …and stuffed the result into a systemd service that runs it in the namespace wg-netns provides:

        cat /etc/systemd/system/qbittorrent-nox.service 
        
        [Unit]
        Description=qBittorrent-nox service
        Wants=network-online.target wg-qbittorrent.service 
        After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
        
        [Service]
        Type=simple
        PrivateTmp=false
        #User=qbittorrent
        ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox
        TimeoutStopSec=1800
        RestartSec=15
        RestartMaxDelaySec=600
        RestartSteps=10
        Restart=always
        
        [Install]
        WantedBy=multi-user.target
        
        

        To get the webui out of that I stuck two instances of socat together at the stdout and from there it depends on whatever you want to use as a reverse proxy on the host - or you bind to a network interface if you trust the network:

        cat /etc/systemd/system/qbittorrent-webui.service 
        [Unit]
        Description=qBittorrent-nox webui forwarding into its namespace
        Wants=network-online.target wg-qbittorrent.service 
        After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
        
        [Service]
        Type=simple
        PrivateTmp=false
        ExecStart=/opt/qbittorrent/forward-webinterface.sh
        TimeoutStopSec=1800
        Restart=always
        RestartSec=10
        
        [Install]
        WantedBy=multi-user.target
        
        cat /opt/qbittorrent/forward-webinterface.sh
        #!/bin/sh
        set -eu
        
        exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork"
        
        

        Works, is reboot safe, stopped caring about beauty at that point.