On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote: > [sent to author only originally by mistake - I hate Gmail] > > On Fri, 10 May 2019 at 12:56, Sitaram Chamarty <[email protected]> wrote: > > > I am able to bypass the VPN by using firejail (which is a > > sandbox program to run untrusted applications). > > > > I'm not 100% clear on your setup .. Have you got a network namespace set > up? If not, you haven't got much security anyway, I suspect. It turns out > it's not too hard .. you're welcome to my hacky scripts if you're > interested.
I don't think it has anything to do with my wireguard setup. If you meant firejail setup, it is when I use "--net" (which, according to the manpage, "Enable[s] a new network namespace and connect[s] it to this ethernet interface", that the bypass happens. > Not sure if firejail would still be able to escape a network namespace by > default, but I'm sure it's possible to drop a capability somewhere or > similar if it is. The answer, as I'd kinda suspected (and indicated in my original mail) is that root can always bypass the vpn. For firejail specifically there's a setting (thanks Jordan Glover) to prevent that specific escape, which I have now set. Some other tool, if it's running as root or is suid root, can still bypass wireguard, regardless of how it is setup. _______________________________________________ WireGuard mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/wireguard
