rtinst
Cannot be run as root, or with sudo
I don't know if I can really say it's an issue, but it's certainly a problem for me.
I wanted to create a network namespace to launch rtorrent and a VPN. However, to launch something in the namespace I have to use sudo, so I can't launch rtorrent.
The goal was to download through the VPN but access my server from the internet.
Is there a way around this?
I have a fork of this project that is meant to work with Wireguard. You can use iptables to split tunnel traffic with this protocol. So port 22 for SSH and ports 80/443 (for ruTorrent) go through your server. And the rest of the traffic goes through the Wireguard VPN. All you need is a subscription to Private Internet Access and a couple changes to their script.
My version of rtinst: https://github.com/stickz/rtinst
PIA Wireguard VPN script: https://github.com/pia-foss/manual-connections
Post about script changes: https://github.com/pia-foss/manual-connections/issues/62#issuecomment-748414682
Run this as root: echo "2 pia" >> /etc/iproute2/rt_tables
Changes to connect_to_wireguard_with_token.sh.
export sys_gateway=$(/sbin/ip route | awk '/default/ { print $3 }')
export sys_interface=$(/sbin/ip route | awk '/default/ { print $5 }')
echo "
[Interface]
Address = $(echo "$wireguard_json" | jq -r '.peer_ip')
PrivateKey = $privKey
DNS = 1.1.1.1
PostUp = ip -4 route add default via "$sys_gateway" dev "$sys_interface" proto static onlink table pia
PostUp = ip -4 rule add fwmark 0x2 table pia
PostUp = iptables -A OUTPUT -t mangle -o pia -p tcp --sport 22 -j MARK --set-mark 2
PostUp = iptables -A OUTPUT -t mangle -o pia -p tcp --sport 80 -j MARK --set-mark 2
PostUp = iptables -A OUTPUT -t mangle -o pia -p tcp --sport 443 -j MARK --set-mark 2
PreDown = iptables -D OUTPUT -t mangle -o pia -p tcp --sport 22 -j MARK --set-mark 2
PreDown = iptables -D OUTPUT -t mangle -o pia -p tcp --sport 80 -j MARK --set-mark 2
PreDown = iptables -D OUTPUT -t mangle -o pia -p tcp --sport 443 -j MARK --set-mark 2
PreDown = ip -4 rule del fwmark 0x2 table pia
PreDown = ip -4 route del default via "$sys_gateway" dev "$sys_interface" proto static onlink table pia
[Peer]
PersistentKeepalive = 25
PublicKey = $(echo "$wireguard_json" | jq -r '.server_key')
AllowedIPs = 0.0.0.0/0
Endpoint = ${WG_SERVER_IP}:$(echo "$wireguard_json" | jq -r '.server_port')
" > /etc/wireguard/pia.conf || exit 1
If you have any questions about this, feel free to ask. I have this working currently. You'll also need to modify or delete the crontab -e entries, so it doesn't restart rTorrent when you're not connected to the VPN. You also need to disable IPv6 properly on your system to prevent traffic from routing outside the VPN. My rtinst script is fully compatible with IPv6 being disabled.
Furthermore, there's some patch work you need to do on your OS, like installing jq and iptables etc. I haven't gotten around to adding this to my rtinst script yet. I just fixed resolvconf a week ago to be compatible with dnsmasq.
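An added example, not part of the comment above or of either linked project: a small audit of a generated wg-quick config that lists which TCP source ports are marked to bypass the VPN and reports any PostUp rule that PreDown never removes. It assumes hooks are written as `PostUp = ...` / `PreDown = ...` lines as in the posted pia.conf; the function names, gateway address and interface name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit a wg-quick config that
# split-tunnels with fwmark rules. Function names are hypothetical.

# Print the commands of one hook type (PostUp or PreDown), one per line.
hook_cmds() {  # $1 = hook name, $2 = config path
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2"
}

# Print the TCP source ports whose packets are marked to leave outside the VPN.
bypass_ports() {  # $1 = config path
    hook_cmds PostUp "$1" | grep -e '-j MARK' |
        sed -n 's/.*--sport \([0-9][0-9]*\).*/\1/p' | sort -n | paste -sd' ' -
}

# Print every PostUp command that PreDown does not undo
# ("iptables -A" is undone by "-D", "ip ... add" by "ip ... del").
missing_teardown() {  # $1 = config path
    local down cmd undo
    down=$(hook_cmds PreDown "$1")
    hook_cmds PostUp "$1" | while IFS= read -r cmd; do
        undo=$(printf '%s\n' "$cmd" | sed -e 's/^iptables -A /iptables -D /' \
            -e 's/^\(ip -[46] [a-z]*\) add /\1 del /')
        printf '%s\n' "$down" | grep -Fxq -e "$undo" || printf '%s\n' "$cmd"
    done
}

# Constructed sample: same shape as the posted pia.conf with placeholder
# gateway/interface; the PreDown line for port 443 is left out on purpose.
write_sample_conf() {  # $1 = output path
    cat > "$1" <<'EOF'
[Interface]
PostUp = ip -4 route add default via 192.0.2.1 dev eth0 proto static onlink table pia
PostUp = ip -4 rule add fwmark 0x2 table pia
PostUp = iptables -A OUTPUT -t mangle -o pia -p tcp --sport 22 -j MARK --set-mark 2
PostUp = iptables -A OUTPUT -t mangle -o pia -p tcp --sport 80 -j MARK --set-mark 2
PostUp = iptables -A OUTPUT -t mangle -o pia -p tcp --sport 443 -j MARK --set-mark 2
PreDown = iptables -D OUTPUT -t mangle -o pia -p tcp --sport 22 -j MARK --set-mark 2
PreDown = iptables -D OUTPUT -t mangle -o pia -p tcp --sport 80 -j MARK --set-mark 2
PreDown = ip -4 rule del fwmark 0x2 table pia
PreDown = ip -4 route del default via 192.0.2.1 dev eth0 proto static onlink table pia
EOF
}

# Usage: ./audit.sh /etc/wireguard/pia.conf
if [ -n "${1:-}" ]; then
    echo "bypass ports: $(bypass_ports "$1")"
    missing_teardown "$1" | sed 's/^/no teardown for: /'
fi
```

Any port the audit lists beyond the ones you intend to expose is traffic that leaves outside the tunnel, and any rule without a teardown stays in the mangle table after the interface goes down.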