Fwd: bypassing wireguard using firejail

Steve Dodd steved424 at gmail.com
Sat May 11 13:34:18 CEST 2019


On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc at gmail.com> wrote:

> On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
>
> > I'm not 100% clear on your setup .. Have you got a network namespace set
> > up? If not, you haven't got much security anyway, I suspect. It turns out
> > it's not too hard .. you're welcome to my hacky scripts if you're
> > interested.
>
> I don't think it has anything to do with my wireguard setup.
>

Network namespaces are worth looking into - it's what I used to avoid
things "escaping" the VPN. They literally can't see any other interfaces,
get their own routing table, etc.

Hacky scripts:

setup: https://pastebin.com/TChbUfL5
teardown: https://pastebin.com/ghYGJQEw
runas: https://pastebin.com/h9vEvryt (this needs to be run by sudo - edit
sudoers appropriately)

WG website has gory details:

https://www.wireguard.com/netns/


> If you meant firejail setup, it is when I use "--net" (which,
> according to the manpage, "Enable[s] a new network namespace and
> connect[s] it to this ethernet interface", that the bypass
> happens.
>

I was meaning setting up a namespace before running firejail .. I actually
find it's tidier and avoids confusion about default routes, etc. Then the
interesting question would be if firejail could break out of that
namespace, and if so how to stop it.


> Some other tool, if it's running as root or is suid root, can
> still bypass wireguard, regardless of how it is setup.
>

I suspect that can be prevented - on modern systems being root isn't
necessarily the be-all and end-all. Capabilities and namespaces can still
be used to constrain applications in lots of ways.

S.
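The namespace layout Steve describes (only lo and wg0 visible, own routing table, nothing to "escape" to) as a worked script. This is an added example for the archive, not the pastebin scripts from the thread and not WireGuard's own tooling; it follows the "ordinary containerization" layout documented at https://www.wireguard.com/netns/. The namespace name "vpn", the interface "wg0", the tunnel address 10.0.0.2/24 and the config path /etc/wireguard/wg0.conf are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the thread's pastebin scripts): confine a program to a
# network namespace whose only non-loopback interface is a WireGuard tunnel.
# Assumed values: namespace "vpn", interface "wg0", address 10.0.0.2/24 and a
# wg(8) config at /etc/wireguard/wg0.conf whose peer has AllowedIPs 0.0.0.0/0.
set -eu

NS=vpn
WG=wg0
WG_ADDR=10.0.0.2/24
WG_CONF=/etc/wireguard/wg0.conf

# Create the namespace and the tunnel. wg0 is created in the init namespace
# first so its encrypted UDP socket stays there (where the physical uplink
# is), then moved into $NS. Inside $NS only lo and wg0 exist afterwards.
netns_setup() {
    ip netns add "$NS"
    ip -n "$NS" link set lo up
    ip link add "$WG" type wireguard
    ip link set "$WG" netns "$NS"
    ip -n "$NS" addr add "$WG_ADDR" dev "$WG"
    ip netns exec "$NS" wg setconf "$WG" "$WG_CONF"
    ip -n "$NS" link set "$WG" up
    # The only route is the tunnel; there is no physical interface to fall
    # back to if wg0 goes down, which is the point.
    ip -n "$NS" route add default dev "$WG"
    # DNS: ip netns exec bind-mounts /etc/netns/$NS/resolv.conf over
    # /etc/resolv.conf, so point it at a resolver reachable via the tunnel.
}

# Deleting the namespace destroys wg0 with it.
netns_teardown() {
    ip netns del "$NS"
}

# The "runas" step: enter the namespace (needs root), then drop to an
# unprivileged user before starting the program. Usage: netns_run alice firefox
netns_run() {
    user=$1; shift
    ip netns exec "$NS" sudo -u "$user" -- "$@"
}

# Leak check on the text of `ip -o link` taken inside the namespace: succeed
# only if nothing but lo and $WG is visible. Pure text processing, so it can
# be exercised without root; netns_check_live feeds it real output.
netns_only_wg() {
    printf '%s\n' "$1" | awk -v wg="$WG" '
        NF == 0 { next }
        { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name) }
        name != "lo" && name != wg { bad = 1 }
        END { exit bad }'
}

netns_check_live() {
    netns_only_wg "$(ip -n "$NS" -o link)"
}

case "${1:-}" in
    setup)    netns_setup ;;
    teardown) netns_teardown ;;
    check)    netns_check_live ;;
    run)      shift; netns_run "$@" ;;
esac
```

Run `sh wgns.sh setup` as root, `sh wgns.sh check` to confirm nothing else is visible, then `sh wgns.sh run alice firefox` (or firejail from inside the namespace). A process inside the namespace has no other interface and no other route, so even a root or suid process there can only reach the world through wg0; whether it can leave the namespace altogether is the separate question Steve raises.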