vpn-ns.service

[Unit]
Description=Network namespace for VPN
After=syslog.target network.target
StopWhenUnneeded=false
RefuseManualStart=false
RefuseManualStop=false

[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/sbin/ip netns add vpn
ExecStart=/sbin/ip netns exec vpn ip addr add 127.0.0.1/8 dev lo
ExecStart=/sbin/ip netns exec vpn ip link set lo up
ExecStart=/sbin/ip link add vpn0 type veth peer name vpn1
ExecStart=/sbin/ip link set vpn0 up
ExecStart=/sbin/ip link set vpn1 netns vpn up
ExecStart=/sbin/ip addr add 10.10.10.1/24 dev vpn0
ExecStart=/sbin/ip netns exec vpn ip addr add 10.10.10.2/24 dev vpn1
ExecStart=/sbin/ip netns exec vpn ip route add default via 10.10.10.1 dev vpn1
ExecStart=/sbin/iptables -A INPUT ! -i vpn0 -s 10.10.10.0/24 -j DROP
ExecStart=/sbin/ip netns exec vpn iptables -A OUTPUT -m owner ! --uid-owner root ! -o tun+ -j DROP
ExecStart=/sbin/sysctl -q net.ipv4.ip_forward=1
ExecStart=/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
ExecStart=/bin/mkdir -p /etc/netns/vpn
ExecStart=/bin/sh -c "echo $'nameserver 8.8.8.8\nnameserver 8.8.4.4' | tee /etc/netns/vpn/resolv.conf"
ExecStart=/bin/firewall-cmd --add-masquerade

ExecStop=/bin/rm -rf /etc/netns/vpn
ExecStop=/sbin/sysctl -w net.ipv4.ip_forward=0
ExecStop=/sbin/sysctl -w net.ipv6.conf.all.forwarding=1
ExecStop=/sbin/ip link del vpn0
ExecStop=/sbin/ip netns delete vpn

[Install]
WantedBy=multi-user.target