From: Jordan Glover <Golden_Miller83@protonmail.ch>
To: Sitaram Chamarty <sitaramc@gmail.com>
Cc: "wireguard@lists.zx2c4.com" <wireguard@lists.zx2c4.com>
Subject: Re: bypassing wireguard using firejail
Date: Fri, 10 May 2019 14:06:04 +0000 [thread overview]
Message-ID: <e8xbxVAEDF-AAUjQOklv4K5j-1bQo1VS-JS07WCoG_RyC4crpfDxeEOfg_VH6EQQvKAd0W-1ACbi6XXFR80vA6Lkw1Zin-lTQSVDCnIp4OA=@protonmail.ch> (raw)
In-Reply-To: <20190510115445.GA29887@sita-dell>
On Friday, May 10, 2019 11:54 AM, Sitaram Chamarty <sitaramc@gmail.com> wrote:
> I am able to bypass the VPN by using firejail (which is a
> sandbox program to run untrusted applications).
>
> Below, the IP addresses and domain names are fake but that
> should not matter:
>
> # wg
> interface: wg0
> public key: ....
> private key: (hidden)
> listening port: 59457
> fwmark: 0xca6c
>
> peer: ....
> endpoint: 11.22.33.44:51820
> allowed ips: 0.0.0.0/0
> latest handshake: 41 seconds ago
> transfer: 35.42 MiB received, 2.74 MiB sent
>
> $ curl zx2c4.com/ip
> 11.22.33.44 <--- my wg VPN end point IP
> static.44.33.22.11.elided.tld
> curl/7.64.0
>
> $ firejail --net=wlp2s0 --dns=8.8.8.8 curl zx2c4.com/ip
> 55.66.77.88 <--- my actual external IP
> elided.hostname.myisp.in
> curl/7.64.0
>
> My questions:
>
> 1. I know firejail is suid root, but still... is there any way
> to prevent this from happening, or at least make it less
> trivial?
>
> I'm OK with a "this is the way it is, if your untrusted app
> is running as root you're already toast" response; just want
> to make sure I'm not missing a bet here.
>
> 2. I guess I don't know as much about Linux networking as I
> thought I knew, especially about policy routing, so I am
> feeling a bit lost here.
>
> I would prefer not to have to learn lots of things about
> policy routing and so on, so I wonder if there is a simple,
> (wireguard-specific, if possible) explanation of how linux
> policy routing and iptables work behind the scenes to direct
> packets when wireguard is in play?
>
> regards
> sitaram
>
>
This is known firejail feature[1]. If you want to prevent yourself
from this footgun you may add "restricted-network yes" in
/etc/firejail/firejail.config
I don't see anything from wireguard to do here. If system admin want
to bypass the routes, they will.
[1] https://github.com/netblue30/firejail/issues/2665
Jordan
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard
next prev parent reply other threads:[~2019-05-10 14:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-10 11:54 bypassing wireguard using firejail Sitaram Chamarty
2019-05-10 14:06 ` Jordan Glover [this message]
2019-05-10 14:39 ` Sitaram Chamarty
[not found] ` <CAJ6XMjFxfm=0L2URLzn8pkZY1y4zU+mskgd7ykRKOjXSza4tSA@mail.gmail.com>
2019-05-10 16:18 ` Fwd: " Steve Dodd
2019-05-11 1:08 ` Sitaram Chamarty
2019-05-11 11:34 ` Steve Dodd
2019-05-14 4:05 ` Sitaram Chamarty
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='e8xbxVAEDF-AAUjQOklv4K5j-1bQo1VS-JS07WCoG_RyC4crpfDxeEOfg_VH6EQQvKAd0W-1ACbi6XXFR80vA6Lkw1Zin-lTQSVDCnIp4OA=@protonmail.ch' \
--to=golden_miller83@protonmail.ch \
--cc=sitaramc@gmail.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).