WireGuard namespacing/isolation on Windows

Madars Virza madars at gmail.com
Mon Oct 31 03:26:57 UTC 2022


Consider the following use case: preventing accidental WebRTC-style
information leaks. These leaks used to happen because the WebRTC JS API
exposes IP enumeration even if no packets get sent over the
corresponding interfaces (i.e., even though the default route is the
VPN endpoint, the WebRTC API would "betray" information about other
interfaces visible to the browser).

In Linux, an elegant way around such leakage is to run your
application in a separate network namespace à la
https://www.wireguard.com/netns/ . For example, you can launch your
browser/BitTorrent client/etc. in a separate netns that only sees wgN,
so that even if there were WebRTC-style leaks, the application would
not immediately see interfaces outside its network namespace.

What would one do to achieve a similar result for WireGuard clients on Windows?

I'd be happy to write a little bit of code / accept solutions that are
not production-grade (this is all meant for a developer workstation).
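The Linux side of what the post describes, as an added example (not from the original message or the WireGuard project's own scripts): a WireGuard interface is created in the init namespace, so its encrypted UDP still leaves via the physical NICs, then moved into a namespace where it is the only non-loopback interface, and the application is launched there. It does not answer the Windows question. The namespace name "vpn", interface wg0, config path /etc/wireguard/wg0.conf and address 10.0.0.2/32 are assumptions; DRY_RUN=1 prints the plan instead of touching root-owned network state.

```shell
#!/bin/sh
# Added example: confine an application to a netns whose only non-loopback
# interface is a WireGuard device, so IP enumeration from inside the app
# cannot see the physical interfaces.
# Assumed values (not from the original post):
NS=${NS:-vpn}
WG_IF=${WG_IF:-wg0}
WG_CONF=${WG_CONF:-/etc/wireguard/$WG_IF.conf}
WG_ADDR=${WG_ADDR:-10.0.0.2/32}
DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create the namespace and move the WireGuard interface into it.
# WireGuard binds its UDP socket in the namespace where the interface was
# created (init), so the tunnel keeps working after the move, while the
# interface itself is only visible inside $NS.
wg_netns_up() {
    run ip netns add "$NS"
    run ip link add "$WG_IF" type wireguard
    run wg setconf "$WG_IF" "$WG_CONF"
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$WG_IF" up
    run ip -n "$NS" route add default dev "$WG_IF"
}

# Check from the application's point of view: only "lo" and $WG_IF should
# be listed. Any other interface means the isolation is not what was intended.
visible_ifaces() {
    run ip -n "$NS" -o link show
}

# Launch a program (a browser, a BitTorrent client, ...) inside $NS.
wg_netns_exec() {
    run ip netns exec "$NS" "$@"
}

# Tear the namespace down; deleting it also removes the wg interface.
wg_netns_down() {
    run ip netns delete "$NS"
}
```

Typical use as root: `wg_netns_up && wg_netns_exec firefox`, after confirming `visible_ifaces` shows nothing but lo and wg0.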
