~schnouki/schnouki.net

8ebaa698df739f970cc345bcfcb5cf282ecf75f2 — Thomas Jost 2 years ago 427a23d
Import Isso comments database into a pile of TOML files
M content/post/2009/2009-11-23 Before the Internet.md => content/post/2009/2009-11-23 Before the Internet.md +1 -0
@@ 8,6 8,7 @@ tags:
  - internet
images:
  - /img/2009/before_the_internet.jpg
comments: b510fc84-8392-456b-87d3-a00e0e18ce74
---

[ ![Before the Inernet...](/img/2009/before_the_internet.jpg) ](http://www.sharesomecandy.com/2009/10/lee-crutchley.html)
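Review bot: the new `comments:` front-matter key is not explained anywhere in this change; a reader of the post source cannot tell that the value is the basename of a file under data/comments/ (here b510fc84-8392-456b-87d3-a00e0e18ce74.toml, added later in this commit). A line in the site README or a comment in the layout that consumes it would help. Also check the theme's templates for an earlier boolean use of `comments`: a `{{ if .Params.comments }}` test still works with a non-empty string, an equality test against `true` would not.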

M content/post/2009/2009-11-23 Zombie Jesus.md => content/post/2009/2009-11-23 Zombie Jesus.md +1 -0
@@ 9,6 9,7 @@ tags:
  - zombie
images:
  - /img/2009/jesus_zombie.gif
comments: 52a23176-c066-408d-8e4c-94dde1399467
---

[ ![Zombie Jesus](/img/2009/jesus_zombie.gif) ](http://www.clusterflock.org/2009/11/i-thirst.html)

M content/post/2010/2010-03-17--piled-higher-and-deeper-in-france.md => content/post/2010/2010-03-17--piled-higher-and-deeper-in-france.md +1 -0
@@ 11,6 11,7 @@ tags:
  - PHD Comics
images:
  - /img/2010/phd1292_1.gif
comments: 49cbec5c-5b88-4701-b873-30473b035d65
---

This morning I read the [latest *Piled Higher & Deeper*][phd] about *égalité des

M content/post/2010/2010-03-22-howto-backup-your-gnupg-secret-key-on-paper.md => content/post/2010/2010-03-22-howto-backup-your-gnupg-secret-key-on-paper.md +1 -0
@@ 8,6 8,7 @@ tags:
  - howto
  - backup
  - gnupg
comments: 7c6da4ae-7400-4f04-bad7-03c8c563987b
---

Paper is a safe way to backup a secret key: you can't hack into it remotely, you

M content/post/2011/2011-04-21-iphone-tracking.md => content/post/2011/2011-04-21-iphone-tracking.md +1 -0
@@ 9,6 9,7 @@ tags:
  - gps
  - python3
  - apple
comments: 87f17f27-640b-41b3-8d0c-8ff061947a70
---

There has recently been a

M content/post/2014/2014-05-28 ZSH completion for git-annex.md => content/post/2014/2014-05-28 ZSH completion for git-annex.md +1 -0
@@ 7,6 7,7 @@ categories:
tags:
  - zsh
  - git-annex
comments: 95f7ee29-fb1d-4976-a597-a5436c475a6d
---

I love [git-annex][]. It works extremely well, its documentation is excellent, and Joey Hess, its main developper, is

M content/post/2014/2014-08-12 lighttpd and SSL client certificates.md => content/post/2014/2014-08-12 lighttpd and SSL client certificates.md +1 -0
@@ 9,6 9,7 @@ tags:
  - lighttpd
  - SSL
  - security
comments: bfa09278-5e96-47f7-9551-d7cb7114b9da
---

I recently configured my [lighttpd][] server to enable authentication based on SSL client certificates on a private

M content/post/2014/2014-08-13 Flashing a stock Android image without wiping user data.md => content/post/2014/2014-08-13 Flashing a stock Android image without wiping user data.md +1 -0
@@ 7,6 7,7 @@ categories:
  - Software
tags:
  - Android
comments: 92c7f352-dc8d-4583-8393-cd3a9ddd6892
---

Until today my [Nexus 10][] was running Android 4.4.2 (stock firmware from Google). I couldn't install the OTA update to

M content/post/2014/2014-09-10 TLSA records on OVH.md => content/post/2014/2014-09-10 TLSA records on OVH.md +1 -0
@@ 13,6 13,7 @@ tags:
  - TLSA
images:
  - /img/2014/tlsa-url.png
comments: ae0eaa33-fa52-4762-8bad-eed06e3fbec3
---

[DANE][] is a great way of improving security on the web by replacing SSL certificate authorities with DNS records

M content/post/2014/2014-12-12 OpenVPN for a single application.md => content/post/2014/2014-12-12 OpenVPN for a single application.md +1 -0
@@ 11,6 11,7 @@ tags:
  - privacy
  - security
  - vpn
comments: be4d6b64-a63c-402c-afba-50675e4edfb8
---

It's sometimes useful to run a single application through a VPN for [privacy reasons][popcorntime]. There are many ways

M content/post/2015/2015-11-25 Letsencrypt and client certificates.md => content/post/2015/2015-11-25 Letsencrypt and client certificates.md +1 -0
@@ 10,6 10,7 @@ tags:
images:
  - https://letsencrypt.org/certs/isrg-keys.png
  - https://imgs.xkcd.com/comics/security.png
comments: 82726be7-fd03-46d6-940f-647f7bb270e9
---

A few days ago I switched to [Let's Encrypt][] certificates for this site (instead of StartSSL).

A data/comments/49cbec5c-5b88-4701-b873-30473b035d65.toml => data/comments/49cbec5c-5b88-4701-b873-30473b035d65.toml +4 -0
@@ 0,0 1,4 @@
[[comments]]
date = "2011-01-20T15:56:18Z"
author = "Hel"
text = "Actually PhD also asks to do 50+ + many weekend (depending on your field) hours job some months but at least it is not borring :)"

A data/comments/52a23176-c066-408d-8e4c-94dde1399467.toml => data/comments/52a23176-c066-408d-8e4c-94dde1399467.toml +4 -0
@@ 0,0 1,4 @@
[[comments]]
date = "2011-05-29T13:35:48Z"
author = "Fillot"
text = "Very funny!I like this kind of humour!"

A data/comments/7c6da4ae-7400-4f04-bad7-03c8c563987b.toml => data/comments/7c6da4ae-7400-4f04-bad7-03c8c563987b.toml +10 -0
@@ 0,0 1,10 @@
[[comments]]
date = "2011-04-20T15:51:01Z"
author = "Oliver"
text = "i tried to restore an printed test key but dmtxread can't decode them any hints? i printed the key on two pages of DIN A4 Paper and made a picture of the DataMatrix with high contrast. dmtxread won't work. it don't detect the Datamatrix i think. Only for the orignial picture before printing work."

[[comments]]
date = "2011-04-20T16:17:51Z"
author = "Schnouki"
is_owner = true
text = "According to the [libdmtx FAQ](http://libdmtx.wikidot.com/libdmtx-faq), this could be due to an insufficient “quiet zone”:\n\n\n> The Data Matrix standard, and therefore libdmtx, requires a “quiet zone” to surround every barcode region. If your image is cropped so the Data Matrix symbol is touching or nearly touching the image boundary, this might be preventing a successful scan.\n> \n> \n\nIf this is not enough, you should try using the -v flag to have a more precise error message — and maybe ask people who know better about libdmtx: see the “Get support” link on http://www.libdmtx.org/."
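Review bot: the `text` value of the owner reply carries Markdown (a `[libdmtx FAQ](...)` link and a `>` blockquote) plus conversion residue: the quote ends in two empty `> ` lines followed by `\n\n`. Trim those empty quote lines in the importer, and make sure the template that displays `text` runs it through a Markdown renderer rather than printing it verbatim, otherwise the link and the blockquote show up as literal punctuation.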

A data/comments/82726be7-fd03-46d6-940f-647f7bb270e9.toml => data/comments/82726be7-fd03-46d6-940f-647f7bb270e9.toml +15 -0
@@ 0,0 1,15 @@
[[comments]]
date = "2015-11-25T14:01:55Z"
author = "utopiah"
text = "But that wrench is so unsexy! Anyway thanks a lot for the clarification."

[[comments]]
date = "2019-05-09T04:32:03.710282Z"
author = "Antony"
text = "Hi Thomas, not sure if that first part is correct anymore as LetsEncrypt apparently include the OID for Client Authentication in their certificates. See this post: https://community.letsencrypt.org/t/extendedkeyusage-tls-client-authentication-in-tls-server-certificates/59140"

[[comments]]
date = "2019-05-09T09:29:17.399485Z"
author = "Schnouki"
is_owner = true
text = "Thanks for pointing this out Antony!\n\n Indeed these certificates *can* be used as client certificates, as explained in the post you linked: a mail server (or XMPP server) can use such a certificate to prove its identity while establishing a connection to another server (mail relay, or just XMPP federation...).\n\nBut I was talking about client certificates as in certs used by a browser to authenticate against a web server. In that use case, your certificate is probably not for a domain name, but rather a user name or an email address, in which case you can't have a LetsEncrypt certificate, since they are only validated by domain name."
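Review bot: `date` is a quoted string with two different precisions in the same file ("2015-11-25T14:01:55Z" next to "2019-05-09T04:32:03.710282Z"). Either normalize to one shape in the importer or drop the quotes so TOML parses them as native datetimes; as strings, every template that orders or formats comments has to cope with both shapes, and nothing in this commit shows that it does.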

A data/comments/87f17f27-640b-41b3-8d0c-8ff061947a70.toml => data/comments/87f17f27-640b-41b3-8d0c-8ff061947a70.toml +24 -0
@@ 0,0 1,24 @@
[[comments]]
_id = 6
date = "2011-04-21T20:09:04Z"
author = "Paul"
text = "i cannot seem to get the script to work. i have python 3.2 and i run the script and i keep getting and error saying SyntaxError: invalid syntax. Do i just type in `./iphone-tracker.py path/to/consolidated.db > output.kml` into python command line?"

[[comments]]
_id = 7
date = "2011-04-21T20:23:01Z"
author = "Samat Jain"
_orig_text = "You should turn this into a web service (AGPL, of course, so people can download it and set it up for themselves should they not trust you)."
text = "You should turn this into a web service (AGPL, of course, so people can download it and set it up for themselves should they not trust you)."

[[comments]]
date = "2011-04-21T21:34:56Z"
author = "Schnouki"
is_owner = true
text = "@Paul, You should just have to run that in your terminal (or you can explicitely run it with the Python 3 interpreter: `python3 iphone-tracker.py consolidated.db > output.kml`.If you still have this issue, could you please post the full traceback (especially the line that triggers that error) so I can see where this happens?"

[[comments]]
date = "2011-04-21T21:38:31Z"
author = "Schnouki"
is_owner = true
text = "@Samat, that would be nice... but I honestly don't care enough to spend the time necessary to write something reliable and secure. Feel free to do it yourself if you're interested though -- my script is licensed under the WTFPL, so you can use it in an AGPL web service ;-)"
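Review bot: `_id = 6`, `_id = 7` and the `_orig_text` key (a verbatim copy of `text`) appear on two entries only; every other comment in this commit lacks them. They look like leftovers from the Isso import (the row id and the pre-conversion text) rather than fields the site reads. Either strip them in the importer or emit them on every entry so the schema is uniform; `_orig_text` is pure noise wherever it is identical to `text`.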

A data/comments/92c7f352-dc8d-4583-8393-cd3a9ddd6892.toml => data/comments/92c7f352-dc8d-4583-8393-cd3a9ddd6892.toml +56 -0
@@ 0,0 1,56 @@
[[comments]]
date = "2014-11-19T23:50:56Z"
author = "Nathan"
text = "OTA is meant to be used on 4.4.3, not 4.4.2."

[[comments]]
date = "2014-11-30T04:53:54Z"
author = "Makunada Shrestha"
text = "Nice article. It worked flawlessly for me. Thanks"

[[comments]]
date = "2015-05-27T10:35:21Z"
author = "Old Man"
text = "Great article, short and precise. Worked perfectly updating from 5.1 to 5.1.1 on a rooted nexus 7 2012 mobile. Thanks"

[[comments]]
date = "2015-06-10T15:33:02Z"
author = "Kemal Tolga Oksay"
text = "Thanks man used it for 2 times, works flawlessly."

[[comments]]
date = "2015-07-18T13:54:00Z"
author = "Said Tahsin Dane"
text = "This is actually really useful. Thank you very much.The same weird problem is happening to me everytime. For example I had Android 5.1 with TWRP installed on Nexus 5 and I tried to flash the official update \"to 5.1.1 from 5.1\" and the error said \"you have release keys of 5.0.2\" and expect me to flash the update for 5.0.2 which also doesn't work.It is really really weird and it happens all the time when I root my phone. This is the best way to update the rom. I wish we had a better way."

[[comments]]
date = "2015-07-20T08:04:06Z"
author = "Schnouki"
is_owner = true
text = "@Said I had the same issue when upgrading from Kitkat to Lollipop on my OPO. If I remember correctly, you have to upgrade TWRP to the latest version available. It's required to install recent ROMs."

[[comments]]
date = "2015-08-22T04:56:47Z"
author = "Wadee Bashour"
text = "Thank you very much !!!!! now i can update via OTA"

[[comments]]
date = "2016-03-09T21:15:42Z"
author = "Bogdan"
text = "Would this work with a custom kernel?"

[[comments]]
date = "2016-03-29T12:43:35Z"
author = "Schnouki"
is_owner = true
text = "@Bogdan, depends on the kernel, but I've used it in the past with my Galaxy Nexus and custom kernels. You can flash the kernel with \"fastboot flash boot.img\" in bootloader mode, or a kernel .zip from recovery."

[[comments]]
date = "2016-10-09T03:36:15Z"
author = "Kai Yang Lim"
text = "I am using nexus 6p, in my image factory file, I don't have boot.img, system.img, recovery.img .."

[[comments]]
date = "2017-06-01T15:50:47Z"
author = "massster21"
text = "Worked for me as well...  \nAfter bricking my software, I stuck on load screen, so I tried so many ways to flash original Rom for my Huawei G6-L11, but always had some errors . And this method worked like a charm. All I did was flashing system.img and my phone was back to life."
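Review bot: `is_owner = true` is the only thing that distinguishes the site owner's replies from everyone else's, and `author` is a free-form string that any commenter could have set to "Schnouki". Templates must key any owner badge on `is_owner`, never on the author name, and since the flag is assigned by the importer, whatever later writes into data/comments/ must not let a submitted comment carry it.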

A data/comments/95f7ee29-fb1d-4976-a597-a5436c475a6d.toml => data/comments/95f7ee29-fb1d-4976-a597-a5436c475a6d.toml +20 -0
@@ 0,0 1,20 @@
[[comments]]
date = "2014-05-28T07:33:27Z"
author = "ft"
text = "Nice to see someone picking it up to bring it up to speed with current git-annex behaviour.\n\nBTW, you don't need to manually mark the function file for autoloading if the directory you keep it in is a member of `$fpath` by the time you call ‘compinit’. So add `$HOME/.config/zsh/completion` to `$fpath` you call compinit and you can drop the autoload call.\n\nFinally, if you think the function is good enough for inclusion in zsh, then you might consider submitting it to zsh's development team. Git-annex would then enjoy context sensitive completion out of the box for zsh users.\n\nRegards, Frank"

[[comments]]
date = "2014-05-28T07:36:42Z"
author = "ft"
text = "That should be \"before you call compinit\"."

[[comments]]
date = "2014-05-28T08:21:30Z"
author = "Schnouki"
is_owner = true
text = "Frank, thanks for this! :)\n\nI'd love for this function to be included in zsh, but IMO it's too soon: there are still some details to review for arguments (I think too many args are proposed for some commands), the completion for add / drop / get / ... is still lacking, and there are other things to improve first.\n\nAnd most important, I'm not sure the zsh devs would accept a completion function that depends on Python... but I haven't found any easy way to parse JSON directly from zsh :/"

[[comments]]
date = "2014-05-28T09:19:20Z"
author = "ft"
text = "No rush! :)\n\nWhen I first read \"Depends on Python\", I was also like \"Wat.\" - But then I skimmed through the code and saw that it was about parsing JSON, which is legitimate, I guess. Directly mapping JSON to zsh datastructures is probably hard anyway, since you can't have lists of lists or maps of lists etc. natively in zsh.\n\nI'd say, if it doesn't fail when python is not available, upstream inclusion shouldn't be a problem. There is one or the other completion, that uses Perl here and there as well. You should just ask on the zsh-workers mailing list once you're happy with the code.\n\nRegards, Frank"

A data/comments/ae0eaa33-fa52-4762-8bad-eed06e3fbec3.toml => data/comments/ae0eaa33-fa52-4762-8bad-eed06e3fbec3.toml +20 -0
@@ 0,0 1,20 @@
[[comments]]
date = "2014-10-13T12:59:07Z"
author = "Jo"
text = "I can't make it work. If I try to add a line to my OVH Bind configuration file (exactly like your `_443._tcp.example.com. IN TYPE52 \\# 35 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345`, except that I stripped `.example.com`), OVH says success, but then no TLSA record is added.  \nI noticed that you use standard OVH NS, while I'm using OVH Anycast NS.  \nDid you just copy the line that tlsa outputs? Thanks"

[[comments]]
date = "2014-10-13T15:29:34Z"
author = "Schnouki"
is_owner = true
text = "Yep, I just copied the line from tlsa. Using the standard OVH NS, with the old manager, in \"expert\" mode (i.e. editing the raw zone file without any helper). I'm not sure it can even be done with the new manager..."

[[comments]]
date = "2014-10-14T08:52:34Z"
author = "Jo"
text = "I used the old manager in \"expert\" mode. The messagge \"success\" appears but then no TLSA (or TYPE52) record appears in my DNS. I even tried with another domain which uses standard OVH NS, but in vain. I checked with dig and if I watch your TLSA, it appears, even if it's different from what hash-slinger generates.\n\n\n```\n_443._tcp.schnouki.net TLSA_443._tcp.schnouki.net. 300 IN TLSA 1 1 1 07725B09B288B124093EB6A4FA2B699B98191FC3BDD1A583462E224A 9CCF3D1B\n```\nNo success with my domains. I saw you use dns12.ovh.net as NS, while mine are dns109.ovh.net and dns200.anycast.me"

[[comments]]
date = "2015-03-15T14:48:32Z"
author = "flohtux"
text = "You have to switch into the \"expert mode\" (checkbox) - the text editor mode is also possible in non-expert mode, but it will silently (\"Successfully...\") delete the TYPE52 records. So make sure you enter the expert mode before inserting the TYPE52 records. (TLSA record format still is not supported and will give an error on re-entering the editor)I had the same problem, so I post my answer for anyone finding this thread - like I was via a dominating search engine :)"
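Review bot: the fenced block in the 2014-10-14 comment reads `_443._tcp.schnouki.net TLSA_443._tcp.schnouki.net. 300 IN TLSA 1 1 1 ...`, i.e. a `dig` query line and its answer line run together with the newline between them lost. Check whether the importer collapses line breaks inside code blocks; the `\\#` escape in the first comment (the generic-record syntax `\# 35`) came through correctly, so the problem, if it is one, is specific to newlines rather than escaping.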

A data/comments/b510fc84-8392-456b-87d3-a00e0e18ce74.toml => data/comments/b510fc84-8392-456b-87d3-a00e0e18ce74.toml +4 -0
@@ 0,0 1,4 @@
[[comments]]
date = "2011-01-20T16:28:35Z"
author = "Hel"
text = "That's true :) Well i played more video game and also read more."

A data/comments/be4d6b64-a63c-402c-afba-50675e4edfb8.toml => data/comments/be4d6b64-a63c-402c-afba-50675e4edfb8.toml +169 -0
@@ 0,0 1,169 @@
[[comments]]
date = "2015-01-17T13:30:08Z"
author = "scoobynz"
text = "Hi. Thanks for this guide. Im about to try this but first have a question. When you set the ip address 10.200.200.1/24 to vpn0, is this an arbitrary ip address of the address system of you LAN?"

[[comments]]
date = "2015-01-19T11:03:40Z"
author = "Schnouki"
is_owner = true
text = "Hi scoobnyz. 10.200.200.1 is an arbitrary IP address; my LAN is in the 192.168.0.0/16 range. I even used this script when on a 10.0.0.0/8 LAN and it worked just fine (as the VPN vpn0 interface was restricted to a /24 inside this /8)."

[[comments]]
date = "2015-05-30T14:54:54Z"
author = "James McMurray"
text = "This is amazing. The only problem I had was that I had to disable UFW with `sudo disable ufw` first."

[[comments]]
date = "2015-10-27T21:50:21Z"
author = "sphrak"
text = "Hi, im a little late to the game - but I followed your tutorial but beforehand I did some experiements with netns. It appears to be that a namespace is destroyed upon reboot? Is there a way to prevent this?"

[[comments]]
date = "2015-10-28T11:13:08Z"
author = "Schnouki"
is_owner = true
text = "@sphrak: No way to prevent this, namespaces are runtime only and have to be recreated after rebooting :("

[[comments]]
date = "2015-10-28T18:01:07Z"
author = "sphrak"
_orig_text = "I see well thanks for clearing that out - should be possible to run a script on boot though - that creates said ns :)"
text = "I see well thanks for clearing that out - should be possible to run a script on boot though - that creates said ns :)"

[[comments]]
date = "2015-10-31T17:12:45Z"
author = "sphrak"
text = "Hi again schnouki,  \nI just wanted to show my implementation of this into a start-stop-daemon script. :)  \nhttp://blog.mineville.nu/2015/10/31/update-rc-d-rtorrent-defaults-99/"

[[comments]]
date = "2016-01-26T17:41:41Z"
author = "pskiebe"
text = "Hi schnouki, I stumbled upon your guide, I was able to adapt it to my needs and do have an actual VPN connection inside a network namespace now. Thank you very much for that. However, I have one problem that I couldn't resolve on my own, no matter how hard I tried. I do want to forward a port from the host system to the application running inside the namespace. Any help would be very much appreciated, please have a look: https://unix.stackexchange.com/questions/257510/port-forwarding-to-application-in-network-namespace-with-vpn"

[[comments]]
date = "2016-02-01T00:28:30Z"
author = "Schnouki"
is_owner = true
text = "Hi pskiebe, very interesting question indeed! I [replied on StackExchange](https://unix.stackexchange.com/questions/257510/port-forwarding-to-application-in-network-namespace-with-vpn/258967#258967) with a simple solution that uses socat. Please tell me if it works or doesn't work for you!"

[[comments]]
date = "2016-02-01T22:00:15Z"
author = "pskiebe"
text = "Thank you so much! With your help, I was able to accomplish exactly, what I was trying to do. If anyone else is running an application inside the namespace with a web interface and doesn't want to connect through the vpn to it, try this: `socat -4 TCP-LISTEN:<port>,reuseaddr,fork TCP:10.200.200.2:<port>`"

[[comments]]
date = "2016-03-08T13:37:56Z"
author = "henk1122"
text = "Hi. When i try doing this, the interface lost connection after 10-20 seconds. The ping command can ping google for like 15 seconds, but then the destination host is unreachable. This is without my vpn started. Why does this happen and how can i solve this?"

[[comments]]
date = "2016-03-12T01:39:00Z"
author = "mdstest"
text = "Hi, Your tutorial is amazing. I am looking of a way to use namespace to accomodate openvpn as a server.\n\nSo lets say I have these namespace REMOTE1 and REMOTE2. The openvpn server will be running in each namespace.  \nREMOTE1 Openvpn server 10.10.10.1  \nREMOTE2 Openvon server 10.10.20.1  \nSo if the server host has a public ip of 1.1.1.1.\n\nHow can an outside openvpn client reach the inside REMOTE vpn?"

[[comments]]
date = "2016-03-28T22:49:08Z"
author = "Benny"
text = "Thanks for the terrific guide. There are few issues that I see.\n\n1.) if the connection the VPN server goes down, traffic gets routed through the default interface due to the veth link. To avoid traffic leaking outside of the VPN, how can we create a fallback route that blocks traffic?\n\n2.) For some reason when I use transmission-gtk within the vpn namespace it does not work. other things such as ping, traceroute, or chromium work just fine. transmission-gtk also works fine if I start the VPN connection in the main namespace (i.e. not using a separate namespace as in your tutorial). So there must be some port or route that isn't going through. Any way to debug this?\n\n3.) It would be nice to have the update-resolv-conf script that's run on the VPN connection coming up and down update the /etc/netns/<namespace>/resolv.conf that is used by the VPN namespace."

[[comments]]
date = "2016-03-29T12:45:20Z"
author = "Schnouki"
is_owner = true
text = "@henk1122: Sorry, no idea about that :( Perhaps a firewall that is a little too regarding on what goes out from your computer?"

[[comments]]
date = "2016-03-29T12:50:42Z"
author = "Schnouki"
is_owner = true
text = "@mdstest: You'll need to redirect incoming connections on the outside address to the inside address. IMHO the easiest way to do so is with socat, as explained here: http://unix.stackexchange.com/a/258967/8826 (from another comment here).\n\nYou will probably open 2 ports on the public IP, such as 1194 and 1195, with 1194 redirecting traffic to the first namespace, and 1195 to the second one. And you'll need to configure your client to connect to 1.1.1.1 (public IP) with port 1194 or 1195.\n\nIf you do that however you will not be able to see the \"source\" IP of incoming connections from the OpenVPN logs: everything will be coming from your server's IP inside each namespace (e.g. 10.10.10.1 and 10.10.20.1)."

[[comments]]
date = "2016-03-29T13:05:57Z"
author = "Schnouki"
is_owner = true
text = "@Benny:\n\n1. is actually quite easy: remove the default route! Or rather don't add it (so no \"ip route add default ...\"). Instead, just add routes to reach your VPN server and optionnaly your DNS servers: \"ip netns exec $VPN ip route add 1.2.3.4/32 via 10.200.200.1 dev vpn1\". You won't be able to ping anything except for the whitelisted IPs until your VPN is connected.\n\n2. not sure as it works for me. Do you have a firewall that filters incoming connection on your computer?\n\n3. I don't use update-resolv-conf so I couldn't tell, sorry :/"

[[comments]]
date = "2016-03-31T16:30:36Z"
author = "Benny"
text = "Thanks. I went ahead and came up with a complete solution that addresses the concerns I had. Instead of namespaces, I used control groups, which are in many ways superior. You can grant a non-root user access to run processes in the isolated cgroup and using two instances of dnsmasq can separate DNS queries. More at the link.\n\nhttp://serverfault.com/a/766290/345463"

[[comments]]
date = "2016-09-07T11:53:02Z"
author = "Jason Heeris"
text = "Second question: in the not-namespace (root namespace?), I tried your `iptables` commands. But the result of `iptables -S` is just:\n\n\n```\n# iptables -A INPUT \\! -i vpn0 -s 10.200.200.0/24 -j DROP  \n# iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o eth0 -j MASQUERADE  \n# iptables -S  \n-P INPUT ACCEPT  \n-P FORWARD ACCEPT  \n-P OUTPUT ACCEPT  \n-A INPUT -s 10.200.200.0/24 ! -i vpn0 -j DROP  \n\n```\nIt seems to be ignoring the second one, which I think is causing problems later on. What is going wrong here? I'm on Ubuntu 14.04.5, if that's a factor."

[[comments]]
date = "2016-09-07T12:01:47Z"
author = "Jason Heeris"
text = "Oh, I needed to do `iptables -t nat -v -x -n -L` to see the NAT rules. It's there (four times, in fact, because I thought maybe if I typed louder it would work).\n\nSo after fixing all that up, my real problem is: even after adding the default route (in the namespace) and enabling NAT (outside the NS), I can't ping anything from within the namespace. I'm not even trying to use names here (I haven't set up DNS yet). I just see (from inside the NS):\n\n\n```\n# ping 8.8.8.8  \nFrom 10.200.200.2 icmp\\_seq=1 Destination Host Unreachable  \nFrom 10.200.200.2 icmp\\_seq=2 Destination Host Unreachable  \nFrom 10.200.200.2 icmp\\_seq=3 Destination Host Unreachable  \n^C  \n\n```\nAny suggestions?"

[[comments]]
date = "2016-09-08T10:19:09Z"
author = "Jason Heeris"
text = "I'll post the answer to this here in case anyone else has this problem: on my system, the effect of `ip addr add 10.200.200.1/24 dev vpn0` was being mysteriously reversed after a while by... something. Could be Network Manager.\n\nIn other words, the line from `ip addr show` (in the root namespace) that looked like this:\n\n\n```\ninet 10.200.200.2/24 scope global vpn1  \n\n```\n...was disappearing. I had to run that first command again.\n\n**Update:** It *was* network manager! Thanks to [this thread](https://github.com/jpetazzo/pipework/issues/72 \"https://github.com/jpetazzo/pipework/issues/72\") I found that if you name your virtual interface ends `veth0` and `veth1` they will be ignored by network manager, and everything works.\n\nThanks for the excellent tutorial!"

[[comments]]
date = "2016-09-08T12:31:52Z"
author = "Jason Heeris"
text = "@Benny:\n\n1. Will cause problems if you actually want your VPN to set the default route (which most do, eg. with `redirect-gateway def1` in the pushed parameters or config). It'll fail with:\n\n\n```\nNOTE: unable to redirect default gateway -- Cannot read current default gateway from system\n```\n...and there will be no default route out of your namespace."

[[comments]]
_id = 55
date = "2016-12-21T17:42:03Z"
author = "Anonymous"
text = "Using this with dante-server as socks proxy, this is amazing !"

[[comments]]
date = "2017-01-11T12:14:56Z"
author = "Алексей Кузнецов"
text = "Thanks for your tutorial. It works, I use it widely. Do you think it's possible to put squid proxy server in front of the system so that every proxied request will go through vpn that lives inside the network namespace?\n\nI mean we can run `ip netns exec frootvpn curl ipv4.icanhazip.com` that gives us vpn's IP, but it seems to be more convenient to run just `curl ipv4.icanhazip.com -x localhost:3128`. Here I assumed that we have proxy server running on 3128 port that sends every request to the vpn in frootvpn namespace. The only problem is that I can't set it up.\n\nWe have vpn0<->vpn1 link for accessing the real world from inside the namespace. Is it possible to use it in reverse way, send something to vpn0 interface (from the root namespace) and get result from the vpn? I played with iptables rules to make `curl ipv4.icanhazip.com --interface vpn0` work with no success. I also added the second vpn2<->vpn3 link and tried to send something through the following chain: root.vpn2 -> frootvpn.vpn3 -> vpn -> frootvpn.vpn1 -> root.vpn0 with no success either.\n\nIt would be great if you share any thoughts about this case."

[[comments]]
date = "2017-05-09T05:15:08Z"
author = "Giorgos"
text = "Hello, I just managed to make this work, I had to modify the /lib/systemd/system/transmission-daemon.service under [these instructions](https://askubuntu.com/questions/888927/run-service-in-its-own-ip-netns-namespace-on-ubuntu-16-04) to make it working under Ubuntu 16.04. My problem is I can't access the web interface anymore. Any suggestions;"

[[comments]]
date = "2017-05-09T07:36:19Z"
author = "Schnouki"
is_owner = true
text = "Hi Giorgos! I haven't tested this with transmission-daemon, but I quickly read some docs and I think you'll have to:  \n- configure transmssion-daemon to allow connections from the default namespace. If you're using the same config as me, this means adding \"10.200.200.*\" to the rpc-whitelist config as documented in [https://github.com/transmis...](https://github.com/transmission/transmission/wiki/Editing-Configuration-Files \"https://github.com/transmission/transmission/wiki/Editing-Configuration-Files\")  \n- restart transmission-daemon  \n- connect to http://10.200.200.2:9091 instead of http://localhost:9091.  \nPlease tell me if this works!"

[[comments]]
date = "2017-05-09T15:53:44Z"
author = "Giorgos"
text = "Actually I run the system headless and I have access to it's web gui via a local desktop. So it must be something else to do the trick. I tried with your suggestion though. Also pinging 10.200.200.2(odroid) from the local(desktop) doesn't return anything, but it Works! Any suggestion much appreciated."

[[comments]]
date = "2017-05-25T20:29:31Z"
author = "Schnouki"
is_owner = true
text = "Sorry for the delay.  \nWhen you say \"local desktop\", you mean another (desktop) computer on the same LAN, right? In that case, you may have some luck with socat as described here: [https://unix.stackexchange....](https://unix.stackexchange.com/questions/257510/port-forwarding-to-application-in-network-namespace-with-vpn/258967#258967 \"https://unix.stackexchange.com/questions/257510/port-forwarding-to-application-in-network-namespace-with-vpn/258967#258967\") (and in the other comments). You will still have to configure transmission-daemon to accept connections from 10.200.200.* though. Hope this helps."

[[comments]]
date = "2017-06-21T15:47:26Z"
author = "Justin Kromlinger"
text = "Note that you might want to limit all outgoing connections to the VPN domain and udp port, basically a killswitch:  \niptables -t nat -A POSTROUTING -d $VPN\\_DOMAIN -p udp --dport 1195 -s 10.200.200.0/24 -o wl+ -j MASQUERADE"

[[comments]]
date = "2017-08-31T09:07:54Z"
author = "A"
text = "Thanks so much for this tutorial. I vaguely knew that (network) namespaces existed, but didn't think they are so easy to use. This was exactly what I was looking for. Except for the Netfilter part - as I was already using nftables on that machine. Got it working with the following:\n\nnft add rule inet filter input iif != vpn0 ip saddr 10.200.200.0/24 drop  \nnft add rule nat postrouting ip saddr 10.200.200.0/24 oif eth0 masquerade\n\nThanks again!"

[[comments]]
date = "2017-12-05T16:58:45Z"
author = "forevertheuni"
text = "Hi. It doesn't work in my case (ubuntu 17.04).\n\nthen I try to start vpn (either with .ovpn of .conf) it just gets stuck at:\n\nTue Dec 5 10:52:21 2017 UDP link local: (not bound)  \nTue Dec 5 10:52:21 2017 UDP link remote: [AF\\_INET]\"IP.ADD.RE.SS\":1194\n\nI start it with:  \nsudo ip netns exec namedvpn openvpn fileto.ovpn  \nor:  \nsudo ip netns exec namedvpn openvpn --config /etc/openvpn/blablabal.conf.\n\nIf I just do \"sudo openvpn file.ovpn\" everything works fine.  \nAny hints for me?  \n(I tried both the vppn.sh and manually). zsh vppn.sh up has no error messages and creates all the stuff.\n\nThank you!"

[[comments]]
date = "2019-01-11T16:52:03.526305Z"
author = "pjotruk"
text = "Giorgos: Well, you can actually use the solution you mentioned here already and it is also submitted as solution here:\nhttps://unix.stackexchange.com/questions/257510/port-forwarding-to-application-in-network-namespace-with-vpn\nWith Transmission-daemon default web ports and config described in this tutorial your approach would be like this:\n\n\n\n\n`sudo apt-get install socat`\n\n`socat tcp-listen:9091,reuseaddr,fork tcp-connect:10.200.200.2:9091`And Schnouki btw, this post is just amazing. I have a lot to learn from this. Thank you."

[[comments]]
date = "2019-02-26T21:18:28.479644Z"
author = "pstryk"
text = "@Benny: Question about 1.\nThe kill switch seems not to work. When the VPN is down deluge is still downloading the torrent.\nThis is what I have for routes:\n\nip netns exec deluge ip route add 1.2.3.4/32 via 10.200.200.1 dev vpn1\nip netns exec deluge ip route add 8.8.8.8 via 10.200.200.1 dev vpn1\n(default route removed)\nAny way to fix it ?"
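Review bot: third-party `text` values in this file contain characters and markup that matter at render time: `<port>` in the socat one-liner (2016-02-01), Markdown links with title attributes (2016-09-08), and fenced ``` blocks. If the layout prints `text` through `safeHTML` or a Markdown renderer with raw HTML enabled, imported comment bodies become stored HTML in the site. Render them as Markdown with raw HTML disabled (or escape first), and confirm that `<port>` appears literally instead of vanishing as an unknown tag.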

A data/comments/bfa09278-5e96-47f7-9551-d7cb7114b9da.toml => data/comments/bfa09278-5e96-47f7-9551-d7cb7114b9da.toml +31 -0
@@ 0,0 1,31 @@
[[comments]]
date = "2014-11-11T22:33:02Z"
author = "Luis Jimenez"
text = "Which one is the ca-client.pem?"

[[comments]]
date = "2014-11-13T13:01:21Z"
author = "Schnouki"
is_owner = true
text = "It's the ca.crt created at step 2."

[[comments]]
date = "2018-02-22T10:24:37Z"
author = "Patrik Iselind"
text = "What's in your openssl.cnf? After creating my own OpenSSL based CA and creating my certificates i can still not use them as they where not signed by any CA in my target system's trusted CA bundle. Did you just inject your own CA's certificate into the trusted CA bundle of your target system?"

[[comments]]
date = "2019-02-24T03:08:08.903692Z"
author = "Craig"
text = "What about ssl.verifyclient.depth?"

[[comments]]
date = "2019-02-24T03:59:08.374592Z"
author = "Craig"
text = "Mine didn't work at first but fortunately I left the browser there hanging. Then when I moved to another desktop/workspace to do something else, I accidentally hit the windows key which caused every window in the workspace to miniaturize, and then I saw the Firefox prompt window waiting for me to press OK. \nTo summarize, Firefox put up a query box on another workspace than the browser, and hid it under existing windows. I believe that's called security by obfuscation."

[[comments]]
date = "2019-02-27T15:03:53.044105Z"
author = "Schnouki"
is_owner = true
text = "@Craig: No idea. Never used it, and I don't even use lighttpd anymore..."