bypassing wireguard using firejail
Sitaram Chamarty
sitaramc at gmail.com
Fri May 10 13:54:45 CEST 2019
I am able to bypass the VPN by using firejail (which is a
sandbox program to run untrusted applications).
Below, the IP addresses and domain names are fake but that
should not matter:
# wg
interface: wg0
public key: ....
private key: (hidden)
listening port: 59457
fwmark: 0xca6c
peer: ....
endpoint: 11.22.33.44:51820
allowed ips: 0.0.0.0/0
latest handshake: 41 seconds ago
transfer: 35.42 MiB received, 2.74 MiB sent
$ curl zx2c4.com/ip
11.22.33.44 <--- my wg VPN end point IP
static.44.33.22.11.elided.tld
curl/7.64.0
$ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
55.66.77.88 <--- my actual external IP
elided.hostname.myisp.in
curl/7.64.0
My questions:
1. I know firejail is suid root, but still... is there any way
to prevent this from happening, or at least make it less
trivial?
I'm OK with a "this is the way it is, if your untrusted app
is running as root you're already toast" response; just want
to make sure I'm not missing a bet here.
2. I guess I don't know as much about Linux networking as I
*thought* I knew, especially about policy routing, so I am
feeling a bit lost here.
I would prefer not to have to learn lots of things about
policy routing and so on, so I wonder if there is a simple,
(wireguard-specific, if possible) explanation of how linux
policy routing and iptables work behind the scenes to direct
packets when wireguard is in play?
regards
sitaram
More information about the WireGuard
mailing list