xabadak

sharing my simple wireguard kill-switch for Linux

https://lemmings.world/post/8926406

sharing my simple wireguard kill-switch for Linux - Lemmings.world

cross-posted from: https://lemmings.world/post/8926396 [https://lemmings.world/post/8926396] > In light of the recent TunnelVision vulnerability [https://tunnelvisionbug.com/] I wanted to share a simple firewall that I wrote for wireguard VPNs. > > https://codeberg.org/xabadak/wg-lockdown [https://codeberg.org/xabadak/wg-lockdown] > > If you use a fancy official VPN client from Mullvad, PIA, etc, you won’t need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here [https://news.ycombinator.com/item?id=40280496]). > > A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here [https://news.ycombinator.com/item?id=40280296]). Unfortunately I’m a noob and I couldn’t find any scripts or tools to do it that way.

May 9, 2024 at 7:26amWeb
Show threadMalReynoldsMay 9, 2024
In what way are you not re-inventing the gluetun wheel ? Not trying to put you down, just that I’d need a good reason to consider anything less battle hardened.
GitHub - qdm12/gluetun: VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in. - qdm12/gluetun

GitHub
Show threadslacktoidMay 9, 2024
Or even just a list of design considerations and tradeoffs tbh
Show threadxabadakMay 10, 2024

I’m no network security expert, so I mainly followed Mullvad VPN for my implementation. I looked at the nftables rules that official Mullvad linux client uses, and also their document here: github.com/mullvad/mullvadvpn-app/…/security.md.

Though if you have any alternatives for vanilla wireguard users like me, I’ll gladly switch. I know somebody mentioned Gluetun but I thought that was for docker only. Do you know of any others?

mullvadvpn-app/docs/security.md at main · mullvad/mullvadvpn-app

The Mullvad VPN client app for desktop and mobile. Contribute to mullvad/mullvadvpn-app development by creating an account on GitHub.

GitHub
Show threadslacktoidMay 10, 2024

No worries thats cool and a great contribution. (didnt mean to attack your work).

i have only used gluetun in a docker like context so i cant honestly tell you but you can have vpn and non vpn traffic on your system and you just proxy traffic.

also, now i can see the reason for this (work) and why its cool, which was missing in your post. Also knowing your approach helps others point you to ways to improve what youve done. Thanks you!

Show threadxabadakMay 10, 2024
No offense taken, on the contrary thanks for the constructive criticism! I’ll add some more details to my repo to make things more clear.
Show threadslacktoidMay 10, 2024
Of course! And anytime!!
Show threadxabadakMay 10, 2024
Isn’t gluetun for docker? Are there people running it on the host system?
Show threadMalReynoldsMay 10, 2024
Just use its proxy for the host system’s needs…
Show threadxabadakMay 10, 2024
How do you route all your host system’s traffic through Gluetun? If you use routing tables, wouldn’t it similarly be affected by TunnelVision? In which case you would still need a firewall on the host…
Show threadMalReynoldsMay 10, 2024
I don’t route all my system’s traffic through Gluetun, my threat model doesn’t need it, I just route relevant apps, e.g. package management is in the clear but firefox, SearXNG, and nicotine go via gluetun. SSH can look after itself, or I’m in dire trouble. If my threat model did need it, I’d be considering a similar solution to yours, but it’d be heavily cribbed from the known good of gluetun, basically the docker (podman) put to bare metal.
Show threadxabadakMay 10, 2024
Yeah, it does come down to threat model and preference. If you only need to route specific apps, Gluetun sounds like a great solution.