Firejail: Run program with the tun0 interface

Created on 5 Jul 2018 · 14 Comments · Source: netblue30/firejail

Hi,

I would like to run firefox only in my VPN interface (disconnect if my VPN picks up).
I tried adding net tun0 to the profile, or running it with this command: firejail --net=tun0 firefox. I get this error:

Reading profile /etc/firejail/firefox-developer-edition.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 13426, child pid 13427
RTNETLINK answers: Invalid argument
Error: failed to run /usr/lib/firejail/fnet
Error ioctl: interface.c:98 net_if_up: No such device
Error: failed to run /usr/lib/firejail/fnet
Error: proc 13426 cannot sync with peer: unexpected EOF
Peer 13427 unexpectedly exited with status 1

Is it possible it could work?

enhancement

All 14 comments

I did some experiments here, it should definitely work. I'll bring in support for tap devices in two or three days. What tunneling software are you using: openvpn, wireguard ...?

Also, when you set the tunnel, does it assign an address to your tap interface? If you do /sbin/ifconfig or "ip addr show" what address do you get? I'm asking because the sandbox will automatically assign an address for the interface connected to your tap device and we need to make sure the address is on the same network as the tap device.

Hi,
I use openvpn; my interface name is tun0 and my ethernet interface is enp3s0f1.
Thanks

A tun device will not work, you need a tap device. Move openvpn to a bridging configuration, they have an example here: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html. Basically you must use server-bridge and dev tap instead of server and dev tun in your configuration.

On the client you connect firejail to the tap device. Use the firejail version in git, I just added support for tap devices.
(this is a simple sandboxed /bin/bash session) $ firejail --net=tap0 --noprofile
Then, try to ping the server end of the tunnel. There could be a problem with how openvpn assigns the address, but we'll figure it out.

There is also a similar discussion going on here: #2046

Is this why routed network setups (--net=br0) are broken when the OS openvpn connection is activated? My direct networked ethernet devices (--net=eth0) allow me to activate/deactivate a VPN through the system network manager seamlessly, but on wifi devices activating openvpn breaks the connection on firejailed network namespaced sandboxes.

I've checked the tap interface of my vpn provider, but unfortunately I can't connect with tap :(

In the case that this isn't added, you could look into something like vpnfailsafe, which uses iptables to prevent internet access if the VPN tunnel drops (thereby preventing IP and DNS leaks).

Hi,
I finally opted for ufw, the following rules seem to work:

ufw default deny incoming
ufw default deny outgoing
ufw allow out on tun0
ufw allow out on enp3s0f1 proto udp from 192.168.1.1 to any port 1194
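The ufw rule set above is a "kill switch": with default deny outgoing, traffic can only leave through tun0, plus the one UDP flow the OpenVPN client needs on the physical interface. The script below is an added example, not code from the issue or from the firejail project. It generates that rule set from parameters (the interface names, the VPN port 1194/udp and a placeholder server address are assumptions; the last rule is narrowed to the VPN server's address rather than a source address) and adds the check a practitioner wants before trusting the switch: that the kernel's default route really goes through the tunnel, which OpenVPN's redirect-gateway def1 expresses as a 0.0.0.0/1 plus 128.0.0.0/1 pair rather than by replacing the default route. The route tables used here are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example: generate ufw kill-switch rules and check that the default
# route goes through the VPN tunnel interface. Interface names, port and the
# server address (203.0.113.5, a documentation/placeholder address) are
# assumptions chosen for illustration.

# Emit the ufw rules for a VPN kill switch.
#   $1 tunnel interface, $2 physical interface, $3 VPN server IP, $4 VPN UDP port
killswitch_rules() {
    tun="$1"; phys="$2"; server="$3"; port="$4"
    printf '%s\n' \
        "ufw default deny incoming" \
        "ufw default deny outgoing" \
        "ufw allow out on $tun" \
        "ufw allow out on $phys proto udp to $server port $port"
}

# Read "ip route" output on stdin and return 0 when outbound traffic defaults
# to the interface given as $1: either a plain "default ... dev $1" route, or
# the OpenVPN def1 pair (0.0.0.0/1 and 128.0.0.0/1) both on that interface.
default_route_via() {
    awk -v want="$1" '
        { dev = ""; for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1) }
        $1 == "default"     && dev == want { full = 1 }
        $1 == "0.0.0.0/1"   && dev == want { lo = 1 }
        $1 == "128.0.0.0/1" && dev == want { hi = 1 }
        END { if (full || (lo && hi)) exit 0; exit 1 }'
}

# Constructed sample route tables (not real host output).
ROUTES_VPN_UP='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev enp3s0f1 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev enp3s0f1 proto kernel scope link src 192.168.1.10'

ROUTES_VPN_DOWN='default via 192.168.1.1 dev enp3s0f1 proto dhcp metric 100
192.168.1.0/24 dev enp3s0f1 proto kernel scope link src 192.168.1.10'

# Convenience wrapper: 0 if the tunnel carries the default route, 1 otherwise.
check_sample() {
    printf '%s\n' "$1" | default_route_via tun0
}

# Print the rules for the interfaces from the issue and report on the samples.
killswitch_rules tun0 enp3s0f1 203.0.113.5 1194
check_sample "$ROUTES_VPN_UP"   && echo "sample 1: default route via tun0"
check_sample "$ROUTES_VPN_DOWN" || echo "sample 2: NOT routed via tun0 (leak)"
```

On a live host, replace the constructed tables with `ip route | default_route_via tun0` and run it after the tunnel comes up; a non-zero exit means the firewall rules are the only thing standing between the sandboxed browser and a leak, so the ufw rules should already be loaded before the VPN is started.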

This is an old issue #59. Many VPN providers don't support tap interfaces, so please find a solution, maybe with network namespaces?

I +1 the request to be able to direct the traffic directly to a vpn (--net=tun0)

+1 Definitely would like to see support for tun.

Another solution is to use a bridge and iptables to route the jail over the tun interface: https://firejail.wordpress.com/documentation-2/basic-usage/#routed (requires the masquerade and vlan kernel modules plus ip_forward enabled) ...
Supporting the tun interface would really be amazing.

Is this a duplicate of #1814? If so, we can close.

@rusty-snake you are right ;)

Duplicate of #1814
