Namespace, ip netns tun0, pvpnksintrf0

[realjench]

Hi

Sorry to bother you, I know I suck this time.

But I did look a lot did try a lot

I want a to use netns with firejail

I did try

sudo ip netns add vpn_namespace
sudo ip tuntap add mode tun tun0
sudo ip link set tun0 netns vpn_namespace
sudo ip netns exec vpn_namespace ip addr add 10.8.0.2/24 dev tun0
sudo ip netns exec vpn_namespace ip link set tun0 up

and with pvpnksintrf0

No success, used no profile........
Want to isolate an app trough VPN, I saw default in the "permanent kill switch of my vpn"
I'm not good on this.

I'm really stuck on this, shame but 5 hours, now I'm crazy

Thanks a lot

[glitsj16]

Hi. Can you post output from the firejail command(s) you have been trying? After you've created that named, persistent network namespace, something like the below is needed for sandboxing the app in question with firejail:

$ firejail --netns=vpn_namespace /path/to/program

HTH

[realjench]

Hi
@glitsj16

Thanks for your answer, I even run app using firejail -- noprofile --netns=vpn_namespace /path/to/program

But the real problem, is the way I make the name space, I want to use an existing tun0... Might disappear and address change...

Bridge or move the tun0 inside, there's a killswitch but if an app is not binded to tun0 it's leak even with it.

Here's all interfaces in virtualbox:

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::9f56:c1df:9b83:59d5  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:52:dd:5f  txqueuelen 1000  (Ethernet)
        RX packets 18380  bytes 24254869 (23.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 10191  bytes 1303474 (1.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Boucle locale)
        RX packets 68  bytes 6128 (5.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 68  bytes 6128 (5.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

pvpnksintrf1: flags=195<UP,BROADCAST,RUNNING,NOARP>  mtu 1500
        inet 100.85.0.1  netmask 255.255.255.0  broadcast 100.85.0.255
        inet6 fe80::c1e2:9b10:ec1:2d4b  prefixlen 64  scopeid 0x20<link>
        inet6 fdeb:446c:912d:8da::  prefixlen 64  scopeid 0x0<global>
        ether 92:47:cc:b3:0e:1d  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 220 (220.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.96.0.6  netmask 255.255.0.0  destination 10.96.0.6
        inet6 fe80::4d7e:7e63:c275:f7a7  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3  bytes 156 (156.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Then DNS, gateway ....

Thanks a lot

[realjench]

@glitsj16

I've been down the rabbit hole of ancient debates about that pesky layer 3 tun0 problem, which seems destined to never get native firejail support. I've tried every namespace bridge trick and tun0 shuffle... The secret sauce? It's iptables!

But the real star of the show is opensnitch (Be sure to use this version, it's highly customizable!

) with its delightful GUI, making it super adjustable!

To add an extra layer of security, I've even put the VM on lockdown from the host, letting it chat only with the VPN server. So, I'm feeling pretty good about firejailing with apparmor (each doing its own thing). Fingers crossed, right? SELINUX might be the belle of the ball, but...

And voila, the grand plan!