On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <[email protected]> wrote:
> I am able to bypass the VPN by using firejail (which is a > sandbox program to run untrusted applications). > > Below, the IP addresses and domain names are fake but that > should not matter: > > # wg > interface: wg0 > public key: .... > private key: (hidden) > listening port: 59457 > fwmark: 0xca6c > > peer: .... > endpoint: 11.22.33.44:51820 > allowed ips: 0.0.0.0/0 > latest handshake: 41 seconds ago > transfer: 35.42 MiB received, 2.74 MiB sent > > $ curl zx2c4.com/ip > 11.22.33.44 <--- my wg VPN end point IP > static.44.33.22.11.elided.tld > curl/7.64.0 > > $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip > 55.66.77.88 <--- my actual external IP > elided.hostname.myisp.in > curl/7.64.0 > > My questions: > > 1. I know firejail is suid root, but still... is there any way > to prevent this from happening, or at least make it less > trivial? > > I'm OK with a "this is the way it is, if your untrusted app > is running as root you're already toast" response; just want > to make sure I'm not missing a bet here. > > 2. I guess I don't know as much about Linux networking as I > thought I knew, especially about policy routing, so I am > feeling a bit lost here. > > I would prefer not to have to learn lots of things about > policy routing and so on, so I wonder if there is a simple, > (wireguard-specific, if possible) explanation of how linux > policy routing and iptables work behind the scenes to direct > packets when wireguard is in play? > > regards > sitaram > > This is known firejail feature[1]. If you want to prevent yourself from this footgun you may add "restricted-network yes" in /etc/firejail/firejail.config I don't see anything from wireguard to do here. If system admin want to bypass the routes, they will. [1] https://github.com/netblue30/firejail/issues/2665 Jordan _______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
