Normal behavior that the created tun0 interface is not visible with ifconfig?

Question

Normal behavior that the created tun0 interface is not visible with ifconfig?

Denio888 opened this issue 6 years ago · 5 comments

I am trying to set firewall protection for unauthorized incoming traffic to tun0, but the tun0 Interface doesn`t appear in the normal system environment. Is it necessary to set up the firewall specially for the namespace to get it working? I have no real clue how to get this done yet.

Answer 1 · 2019-01-29T16:52:45.000Z

do you mean traffic to tun0 from unauthorized machines on your network or do you mean inbound to the tun0 interface? In that case, what would be unauthorized?

Answer 2 · 2019-01-29T20:28:36.000Z

Sorry I missed this. The new namespace has a completely separate iptables/nftables from the root namespace, so yeah, the behavior you're seeing is expected:

The tunnel interface will not be visible in ip link and ip addr output in the root namespace, only in, e.g., ip netns exec protected ip addr
Any firewall rules for the protected namespace must be set up independently. You can do this with a --up script, as discussed here: #12 (comment) (Note that the --up script will run in the root namespace; if you want commands to affect the protected namespace, you'll have to prepend them with ip netns exec protected or the like.)

Answer 3 · 2019-01-30T21:18:46.000Z

Hmm, i think i have tunX in root and netspace :( i'll have to verify.

Answer 4 · 2019-01-31T13:10:59.000Z

Sorry I missed this. The new namespace has a completely separate iptables/nftables from the root namespace, so yeah, the behavior you're seeing is expected:

1. The tunnel interface will not be visible in `ip link` and `ip addr` output in the root namespace, only in, e.g., `ip netns exec protected ip addr`

2. Any firewall rules for the protected namespace must be set up independently. You can do this with a `--up` script, as discussed here: [#12 (comment)](https://github.com/slingamn/namespaced-openvpn/issues/12#issuecomment-454880205) (Note that the `--up` script will run in the root namespace; if you want commands to affect the protected namespace, you'll have to prepend them with `ip netns exec protected` or the like.)

Thanks a lot, it is working this way.
Blocked all unauthorized incoming traffic to tun0.
Now it is a real secure vpn solution, even when you don`t trust the vpn network you are connected to completely.

Answer 5 · 2019-01-31T17:42:30.000Z

This concern came up before, so I added a note about firewalling with --up to the readme. Thanks!