On Sat, 11 May 2019 at 02:09, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> On Fri, May 10, 2019 at 05:18:39PM +0100, Steve Dodd wrote:
>
> > I'm not 100% clear on your setup .. Have you got a network namespace set
> > up? If not, you haven't got much security anyway, I suspect. It turns out
> > it's not too hard .. you're welcome to my hacky scripts if you're
> > interested.
>
> I don't think it has anything to do with my wireguard setup.

Network namespaces are worth looking into - it's what I used to avoid things "escaping" the VPN. They literally can't see any other interfaces, get their own routing table, etc.

Hacky scripts:

runas: https://pastebin.com/h9vEvryt (this needs to be run by sudo - edit sudoers appropriately)

WG website has gory details:

> If you meant firejail setup, it is when I use "--net" (which,
> according to the manpage, "Enable[s] a new network namespace and
> connect[s] it to this ethernet interface"), that the bypass
> happens.

I was meaning setting up a namespace before running firejail .. I actually find it's tidier and avoids confusion about default routes, etc. Then the interesting question would be if firejail could break out of that namespace, and if so how to stop it.

> Some other tool, if it's running as root or is suid root, can
> still bypass wireguard, regardless of how it is setup.

I suspect that can be prevented - on modern systems being root isn't necessarily the be-all and end-all. Capabilities and namespaces can still be used to constrain applications in lots of ways.

S.
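The namespace setup discussed above, as an added example that is neither Steve's pastebin scripts nor the WireGuard project's code: it builds a namespace holding only lo and the WireGuard interface, following the approach the WireGuard site documents, and checks that no other interface is visible inside. The namespace name, interface name, tunnel address and config path are assumptions.

```shell
#!/bin/sh
# Added example, not the scripts from the thread.  Puts a WireGuard interface
# into its own network namespace so that anything started inside it has no
# interface other than lo and wg0 and no route except the tunnel.
# Needs root (run via sudo).  Names, address and config path are assumptions.
set -eu

NS="${NS:-vpn}"                         # namespace name (assumption)
WG_IF="${WG_IF:-wg0}"                   # WireGuard interface (assumption)
WG_ADDR="${WG_ADDR:-10.0.0.2/32}"       # tunnel address (placeholder)
WG_CONF="${WG_CONF:-/etc/wireguard/$WG_IF.conf}"   # wg(8) config (placeholder)
DRY_RUN="${DRY_RUN:-}"                  # non-empty: print commands, don't run

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The interface is created in the host namespace and then moved: its UDP
# socket stays in the host namespace, so the only thing that can leave the
# host's physical interfaces is encrypted WireGuard traffic.
setup_vpn_ns() {
    run ip netns add "$NS"
    run ip link add "$WG_IF" type wireguard
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" addr add "$WG_ADDR" dev "$WG_IF"
    run ip netns exec "$NS" wg setconf "$WG_IF" "$WG_CONF"
    run ip -n "$NS" link set lo up
    run ip -n "$NS" link set "$WG_IF" up
    # One default route through the tunnel and nothing else to fall back on.
    run ip -n "$NS" route add default dev "$WG_IF"
}

# Given `ip -o link show` output as $1, succeed only if it lists nothing but
# lo and the tunnel interface (a leaked veth or physical NIC fails the check).
only_tunnel_ifaces() {
    printf '%s\n' "$1" | awk -v wg="$WG_IF" '
        NF == 0 { next }
        { name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
          if (name != "lo" && name != wg) bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}

verify_vpn_ns() { only_tunnel_ifaces "$(ip -o -n "$NS" link show)"; }

# Usage: sudo sh vpnns.sh <command...>   (DRY_RUN=1 to just print the steps)
if [ "$#" -gt 0 ]; then
    setup_vpn_ns
    [ -n "$DRY_RUN" ] || verify_vpn_ns
    # ip netns exec runs as root; drop privileges inside if the workload
    # should not keep them (the thread's runas script covers that step).
    run ip netns exec "$NS" "$@"
fi
```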