bypassing wireguard using firejail

[Jordan Glover]

On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc at gmail.com> wrote:

> I am able to bypass the VPN by using firejail (which is a
> sandbox program to run untrusted applications).
>
> Below, the IP addresses and domain names are fake but that
> should not matter:
>
> # wg
> interface: wg0
> public key: ....
> private key: (hidden)
> listening port: 59457
> fwmark: 0xca6c
>
> peer: ....
> endpoint: 11.22.33.44:51820
> allowed ips: 0.0.0.0/0
> latest handshake: 41 seconds ago
> transfer: 35.42 MiB received, 2.74 MiB sent
>
> $ curl zx2c4.com/ip
> 11.22.33.44 <--- my wg VPN end point IP
> static.44.33.22.11.elided.tld
> curl/7.64.0
>
> $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> 55.66.77.88 <--- my actual external IP
> elided.hostname.myisp.in
> curl/7.64.0
>
> My questions:
>
> 1.  I know firejail is suid root, but still... is there any way
>     to prevent this from happening, or at least make it less
>     trivial?
>
>     I'm OK with a "this is the way it is, if your untrusted app
>     is running as root you're already toast" response; just want
>     to make sure I'm not missing a bet here.
>
> 2.  I guess I don't know as much about Linux networking as I
>     thought I knew, especially about policy routing, so I am
>     feeling a bit lost here.
>
>     I would prefer not to have to learn lots of things about
>     policy routing and so on, so I wonder if there is a simple,
>     (wireguard-specific, if possible) explanation of how linux
>     policy routing and iptables work behind the scenes to direct
>     packets when wireguard is in play?
>
>     regards
>     sitaram
>
>

This is known firejail feature[1]. If you want to prevent yourself
from this footgun you may add "restricted-network yes" in
/etc/firejail/firejail.config

I don't see anything from wireguard to do here. If system admin want
to bypass the routes, they will.

[1] https://github.com/netblue30/firejail/issues/2665

Jordan