[prev in list] [next in list] [prev in thread] [next in thread]
List: wireguard
Subject: Re: bypassing wireguard using firejail
From: Sitaram Chamarty <sitaramc () gmail ! com>
Date: 2019-05-10 14:51:46
Message-ID: 20190510143946.GA14042 () sita-dell
[Download RAW message or body]
On Fri, May 10, 2019 at 02:06:04PM +0000, Jordan Glover wrote:
> On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc@gmail.com> wrote:
>
> > I am able to bypass the VPN by using firejail (which is a
> > sandbox program to run untrusted applications).
> >
> > Below, the IP addresses and domain names are fake but that
> > should not matter:
> >
> > # wg
> > interface: wg0
> > public key: ....
> > private key: (hidden)
> > listening port: 59457
> > fwmark: 0xca6c
> >
> > peer: ....
> > endpoint: 11.22.33.44:51820
> > allowed ips: 0.0.0.0/0
> > latest handshake: 41 seconds ago
> > transfer: 35.42 MiB received, 2.74 MiB sent
> >
> > $ curl zx2c4.com/ip
> > 11.22.33.44 <--- my wg VPN end point IP
> > static.44.33.22.11.elided.tld
> > curl/7.64.0
> >
> > $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> > 55.66.77.88 <--- my actual external IP
> > elided.hostname.myisp.in
> > curl/7.64.0
> >
> > My questions:
> >
> > 1. I know firejail is suid root, but still... is there any way
> > to prevent this from happening, or at least make it less
> > trivial?
> >
> > I'm OK with a "this is the way it is, if your untrusted app
> > is running as root you're already toast" response; just want
> > to make sure I'm not missing a bet here.
> >
> > 2. I guess I don't know as much about Linux networking as I
> > thought I knew, especially about policy routing, so I am
> > feeling a bit lost here.
> >
> > I would prefer not to have to learn lots of things about
> > policy routing and so on, so I wonder if there is a simple,
> > (wireguard-specific, if possible) explanation of how linux
> > policy routing and iptables work behind the scenes to direct
> > packets when wireguard is in play?
> >
> > regards
> > sitaram
> >
> >
>
> This is known firejail feature[1]. If you want to prevent yourself
> from this footgun you may add "restricted-network yes" in
> /etc/firejail/firejail.config
Thanks.
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic