From 67ca600fc60d9f836a6c76fa9d4f214e8026af97 Mon Sep 17 00:00:00 2001
From: Jendrik Weise
Date: Fri, 9 Sep 2022 06:47:50 +0200
Subject: [PATCH 1/3] allow using preshared keys

---
 README.md | 2 ++
 bin/namespaced-wireguard-vpn-interface | 20 +++++++++++++++-----
 conf/namespaced-wireguard-vpn.conf | 3 +++
 3 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 951b1e1..4e0c05a 100644
--- a/README.md
+++ b/README.md
@@ -73,6 +73,8 @@ expected values are set by default, most with dummy default values.
   The endpoint of the VPN provider's WireGuard server.
 - `WIREGUARD_VPN_PUBLIC_KEY`:
   The public key of the VPN provider's WireGuard peer.
+- `WIREGUARD_VPN_PPRESHARED_KEY`:
+  The preshared key of the VPN provider's WireGuard peer. Set to - to disable.
 - `WIREGUARD_ALLOWED_IPS`:
   Comma-separated list of IP addresses that may be contacted using the WireGuard interface. For a namespaced VPN, where the goal is to force all
diff --git a/bin/namespaced-wireguard-vpn-interface b/bin/namespaced-wireguard-vpn-interface
index 69a04c9..ab37907 100755
--- a/bin/namespaced-wireguard-vpn-interface
+++ b/bin/namespaced-wireguard-vpn-interface
@@ -9,11 +9,21 @@ case "$1" in
   up)
     ip link add "$WIREGUARD_NAME" mtu $WIREGUARD_INITIAL_MTU type wireguard || die
-    wg set "$WIREGUARD_NAME" \
-      private-key <(echo "$WIREGUARD_PRIVATE_KEY") \
-      peer "$WIREGUARD_VPN_PUBLIC_KEY" \
-      endpoint "$WIREGUARD_ENDPOINT" \
-      allowed-ips "$WIREGUARD_ALLOWED_IPS" || die
+    if [ "$WIREGUARD_VPN_PRESHARED_KEY" == "-" ]
+    then
+      wg set "$WIREGUARD_NAME" \
+        private-key <(echo "$WIREGUARD_PRIVATE_KEY") \
+        peer "$WIREGUARD_VPN_PUBLIC_KEY" \
+        endpoint "$WIREGUARD_ENDPOINT" \
+        allowed-ips "$WIREGUARD_ALLOWED_IPS" || die
+    else
+      wg set "$WIREGUARD_NAME" \
+        private-key <(echo "$WIREGUARD_PRIVATE_KEY") \
+        peer "$WIREGUARD_VPN_PUBLIC_KEY" \
+        preshared-key <(echo "$WIREGUARD_VPN_PRESHARED_KEY") \
+        endpoint "$WIREGUARD_ENDPOINT" \
+        allowed-ips "$WIREGUARD_ALLOWED_IPS" || die
+    fi
     ip link set "$WIREGUARD_NAME" netns "$NETNS_NAME" || die
diff --git a/conf/namespaced-wireguard-vpn.conf b/conf/namespaced-wireguard-vpn.conf
index 3fff4b5..f187347 100644
--- a/conf/namespaced-wireguard-vpn.conf
+++ b/conf/namespaced-wireguard-vpn.conf
@@ -13,6 +13,9 @@ WIREGUARD_ENDPOINT=1.2.3.4:56789
 # Public key of the VPN WireGuard peer
 WIREGUARD_VPN_PUBLIC_KEY=abcdFAKEefghFAKEijklFAKEmnopFAKEqrstFAKEuvw=
+# Preshared key of the VPN WireGuard peer, set to - to disable
+WIREGUARD_VPN_PRESHARED_KEY=-
+
 # Comma-separated list of allowed IP addresses for the VPN WireGuard interface
 WIREGUARD_ALLOWED_IPS=0.0.0.0/0,::0/0

From 74b912309c621c8001b8f2d8328217df1120bac6 Mon Sep 17 00:00:00 2001
From: Jendrik Weise
Date: Fri, 9 Sep 2022 06:52:12 +0200
Subject: [PATCH 2/3] documentation note about nsswitch

---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4e0c05a..917cd4e 100644
--- a/README.md
+++ b/README.md
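Review bot: The new `if [ "$WIREGUARD_VPN_PRESHARED_KEY" == "-" ]` recognises only the literal `-` as "no preshared key", so an unset or empty variable (a conf file written before this option existed) falls into the else branch and hands `wg set` an empty key file through `<(echo "")`, which wg presumably rejects, after which `|| die` aborts the whole interface setup. The README hunk in the same patch also spells the variable `WIREGUARD_VPN_PPRESHARED_KEY`, which does not match the name this script reads. I would keep the original single `wg set` call unchanged and add the preshared key with a second `wg set ... peer ... preshared-key` only when the value is non-empty and not `-`; that also removes the duplicated argument list, and it avoids collecting the options in an array, where the `<(...)` descriptor would be closed again as soon as the assignment finishes. The `up)` case arm continues outside the hunk.
```shell
    ip link add "$WIREGUARD_NAME" mtu $WIREGUARD_INITIAL_MTU type wireguard || die
    wg set "$WIREGUARD_NAME" \
      private-key <(echo "$WIREGUARD_PRIVATE_KEY") \
      peer "$WIREGUARD_VPN_PUBLIC_KEY" \
      endpoint "$WIREGUARD_ENDPOINT" \
      allowed-ips "$WIREGUARD_ALLOWED_IPS" || die
    # An empty value and "-" both mean "no preshared key", so conf files that
    # predate WIREGUARD_VPN_PRESHARED_KEY keep working; the peer already exists,
    # so this second call only attaches the key to it.
    if [ -n "$WIREGUARD_VPN_PRESHARED_KEY" ] && [ "$WIREGUARD_VPN_PRESHARED_KEY" != "-" ]; then
      wg set "$WIREGUARD_NAME" \
        peer "$WIREGUARD_VPN_PUBLIC_KEY" \
        preshared-key <(echo "$WIREGUARD_VPN_PRESHARED_KEY") || die
    fi
    # … unchanged: ip link set … netns …
```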
@@ -159,7 +159,10 @@ $ ip netns exec $NETNS_NAME nslookup example.com
 While `ip netns exec` is handy for one-off commands, this project is most useful to allow running other systemd units in a VPN-only namespace. This is accomplished by adding a drop-in override file to the unit. In the following example, we'll configure
-Transmission Daemon to run in our namespace.
+Transmission Daemon to run in our namespace. Beware that is used in conjunction with the
+`nsswitch.conf` and `resolv.conf` tweaks above this will not work correctly, as systemd
+does not mount them into the right locations. There using `ip netns exec` may be more
+appropriate.
 
 #### `/etc/systemd/system/transmission-daemon.service.d/10-vpn-netns.conf`:

From 28fc70fd5bfbc975f5ab0d923c4e35c09a9c75cd Mon Sep 17 00:00:00 2001
From: Jendrik Weise
Date: Fri, 9 Sep 2022 18:09:17 +0200
Subject: [PATCH 3/3] Document iptables possibility

---
 README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/README.md b/README.md
index 917cd4e..777eab9 100644
--- a/README.md
+++ b/README.md
@@ -109,6 +109,22 @@ This package provides a tunnel between the init namesapce and the created VPN
 namespace so, e.g., you can control services inside the VPN namespace from outside. If you don't need or want the tunnel, just set `TUNNEL_ENABLE=0`.
 
+##### iptables rules
+
+To control the services from outside the VPN as though they were running in the
+physical namespace, rather than only having the accessible from this host, a
+few iptables rules are required. Here I'm assuming that `net.ipv4.ip_forward=1`
+and that the `FORWARD` table is allowing forwarding between interfaces.
+```
+iptables -t nat -A PREROUTING -i [PHYSICAL] -p tcp -m tcp --dport [PORT] -j DNAT --to-destination [TUNNEL_VPN_IP_ADDRESSES]:[PORT]
+iptables -t nat -A POSTROUTING -d [TUNNEL_VPN_IP_ADDRESSES] -o [TUNNEL_VPN_NAME] -p tcp -m tcp --dport [PORT] -j MASQUERADE
+```
+For example with the standard settings to forward port 8000 from `eth0` you may use
+```
+iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 10.127.0.2:8000
+iptables -t nat -A POSTROUTING -d 10.127.0.2/32 -o veth-vpn0 -p tcp -m tcp --dport 8000 -j MASQUERADE
+```
+
 #### Namespace Overlay
 
 Most likely, there will be some additional configuration that you will want to