Fwd: bypassing wireguard using firejail

Sitaram Chamarty sitaramc at gmail.com
Sat May 11 03:08:57 CEST 2019


On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
> [sent to author only originally by mistake - I hate Gmail]
> 
> On Fri, 10 May 2019 at 12:56, Sitaram Chamarty <sitaramc at gmail.com> wrote:
> 
> > I am able to bypass the VPN by using firejail (which is a
> > sandbox program to run untrusted applications).
> >
> 
> I'm not 100% clear on your setup .. Have you got a network namespace set
> up? If not, you haven't got much security anyway, I suspect. It turns out
> it's not too hard .. you're welcome to my hacky scripts if you're
> interested.

I don't think it has anything to do with my wireguard setup.

If you meant firejail setup, it is when I use "--net" (which,
according to the manpage, "Enable[s] a new network namespace and
connect[s] it to this ethernet interface") that the bypass
happens.

> Not sure if firejail would still be able to escape a network namespace by
> default, but I'm sure it's possible to drop a capability somewhere or
> similar if it is.

The answer, as I'd kinda suspected (and indicated in my original
mail) is that root can always bypass the vpn.  For firejail
specifically there's a setting (thanks Jordan Glover) to prevent
that specific escape, which I have now set.

Some other tool, if it's running as root or is suid root, can
still bypass wireguard, regardless of how it is setup.
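The thread's point is that a process placed in a fresh network namespace attached to the physical NIC (firejail's "--net=eth0") no longer sends its traffic through the tunnel, and that any root or suid-root tool can do the same. The following is an added example, not code from the thread or from the WireGuard or firejail projects: a small POSIX shell check a defender can run from inside a sandbox (or any process) to confirm that its egress path still resolves to the WireGuard interface. It parses the first line of `ip route get <addr>` rather than the main routing table, because wg-quick installs its default route in a separate table selected by policy rules, so the main table's default route is not a reliable indicator. The interface name `wg0`, the probe address and the two route-lookup outputs embedded below are constructed sample values for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Verifies that the
# route the kernel would pick for an external address goes out through
# the WireGuard interface. Inside a sandbox whose namespace is attached
# directly to the physical NIC, the lookup resolves to that NIC instead,
# which is exactly the condition this check is meant to flag.

# egress_iface ROUTE_GET_OUTPUT
#   Extracts the interface name that follows "dev" on the first line of
#   `ip route get <addr>` output. Prints nothing if no "dev" token exists.
egress_iface() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# vpn_route_ok ROUTE_GET_OUTPUT WG_IFACE
#   Returns 0 when the resolved egress interface equals WG_IFACE, 1 otherwise.
vpn_route_ok() {
    iface=$(egress_iface "$1")
    [ -n "$iface" ] && [ "$iface" = "$2" ]
}

# check_live [WG_IFACE] [PROBE_ADDR]
#   Runs the check against the current namespace using iproute2.
#   WG_IFACE defaults to wg0 and PROBE_ADDR to a constructed public address;
#   both are assumptions of this example, adjust them to your setup.
check_live() {
    wg_iface=${1:-wg0}
    probe=${2:-1.1.1.1}
    if ! command -v ip >/dev/null 2>&1; then
        echo "ip(8) not available; cannot check live routing" >&2
        return 2
    fi
    vpn_route_ok "$(ip route get "$probe" 2>/dev/null)" "$wg_iface"
}

# Constructed sample: what a wg-quick host (policy routing, table 51820)
# typically prints for an external address.
HOST_GET='1.1.1.1 dev wg0 table 51820 src 10.7.0.2 uid 1000
    cache'

# Constructed sample: what a process inside a namespace attached straight
# to the physical NIC prints for the same address.
SANDBOX_GET='1.1.1.1 via 10.0.0.1 dev eth0 src 10.0.0.77 uid 1000
    cache'

# Demonstration on the two constructed samples (does not touch the live system).
for sample in HOST_GET SANDBOX_GET; do
    eval "out=\$$sample"
    if vpn_route_ok "$out" wg0; then
        echo "$sample: egress via wg0 (tunnelled)"
    else
        echo "$sample: egress via $(egress_iface "$out") (NOT tunnelled)"
    fi
done
```

Run `check_live wg0` both on the host and from inside the sandbox; a result of "NOT tunnelled" in the sandbox reproduces the situation described above without needing to capture traffic. As the thread notes, this only detects the condition: a root or suid-root process that chooses to create its own namespace can still route around the tunnel, so the check belongs in monitoring, not in the trust model.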
