• the_third@feddit.de · 2 upvotes · 2 months ago (edited)

    When I design something, critical applications get their own network namespace with only the VPN interface inside anyway. So, yeah.

      • originalucifer@moist.catsweat.com · 3 upvotes · 2 months ago

        I think Docker allows for this configuration. I use a gluetun container for the network definition of the torrent container to prevent leaking. The torrent container knows of no other network than the VPN container.

      • the_third@feddit.de · 1 upvote · 2 months ago

        There are readily available Docker containers for it, but I wanted to build it by hand. Well, more or less. Extremely hacky, but it works, so fine for me.

        I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it:

        https://github.com/dadevel/wg-netns

        cat /etc/systemd/system/wg-qbittorrent.service
        [Unit]
        Description=WireGuard Network Namespace for qBittorrent
        Wants=network-online.target nss-lookup.target
        After=network-online.target nss-lookup.target
        
        [Service]
        Type=oneshot
        Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
        Environment=WG_VERBOSE=1
        ExecStart=/opt/wg-netns/bin/wg-netns up /etc/wireguard/wgconfig.yaml
        ExecStop=/opt/wg-netns/bin/wg-netns down /etc/wireguard/wgconfig.yaml
        RemainAfterExit=yes
        
        WorkingDirectory=%E/wireguard
        ConfigurationDirectory=wireguard
        ConfigurationDirectoryMode=0700
        
        CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
        LimitNOFILE=4096
        LimitNPROC=512
        LockPersonality=true
        MemoryDenyWriteExecute=true
        NoNewPrivileges=true
        ProtectClock=true
        ProtectHostname=true
        RemoveIPC=true
        RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
        RestrictNamespaces=mnt net
        RestrictRealtime=true
        RestrictSUIDSGID=true
        SystemCallArchitectures=native
        
        [Install]
        WantedBy=multi-user.target
        

        Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static

        …and stuffed the result into a systemd service that runs it in the namespace wg-netns provides:

        cat /etc/systemd/system/qbittorrent-nox.service
        [Unit]
        Description=qBittorrent-nox service
        Wants=network-online.target wg-qbittorrent.service
        After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service
        
        [Service]
        Type=simple
        PrivateTmp=false
        # User= stays off: "ip netns exec" needs root to enter the namespace,
        # so privileges are dropped to qbittorrent afterwards via sudo.
        #User=qbittorrent
        ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox
        TimeoutStopSec=1800
        RestartSec=15
        RestartMaxDelaySec=600
        RestartSteps=10
        Restart=always
        
        [Install]
        WantedBy=multi-user.target

        To get the web UI out of that, I stuck two instances of socat together at stdout, and from there it depends on whatever you want to use as a reverse proxy on the host, or you bind to a network interface if you trust the network:

        cat /etc/systemd/system/qbittorrent-webui.service
        [Unit]
        Description=qBittorrent-nox webui forwarding into its namespace
        Wants=network-online.target wg-qbittorrent.service
        After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service
        
        [Service]
        Type=simple
        PrivateTmp=false
        ExecStart=/opt/qbittorrent/forward-webinterface.sh
        TimeoutStopSec=1800
        Restart=always
        RestartSec=10
        
        [Install]
        WantedBy=multi-user.target
        
        cat /opt/qbittorrent/forward-webinterface.sh
        #!/bin/sh
        set -eu
        
        # Outer socat: listen on the host's IPv6 loopback only (range=[::1]/128) and
        # fork per connection. Inner socat: run inside the namespace and connect to
        # the WebUI, which only listens on 127.0.0.1:8080 there; stdio joins the two.
        exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork"
        

        Works, is reboot-safe, stopped caring about beauty at that point.
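A leak check for a namespace built this way, added here as an example and not part of the thread: it verifies that the namespace holds nothing but lo and the tunnel interface and that every route in the main table leaves via the tunnel. The namespace name ns-qbittorrent is the one from the units above; the tunnel interface name wg0 is an assumption, as the thread never states it.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes namespace ns-qbittorrent (from the
# units above) and a tunnel interface named wg0 (assumption, not stated there).
set -u

# check_ns_confined LINKS ROUTES WGIF
#   LINKS  = output of `ip -o link show` inside the namespace
#   ROUTES = output of `ip route show`   inside the namespace
# Returns 0 only if every interface is lo or WGIF, every main-table route goes
# out via WGIF, and a default route exists (no veth/macvlan back into the host).
check_ns_confined() {
  links=$1 routes=$2 wgif=$3
  # "3: veth0@if7: <...>" -> name "veth0"; anything but lo/WGIF is a leak path.
  printf '%s\n' "$links" | awk -F': ' -v wg="$wgif" '
    NF >= 2 { name = $2; sub(/@.*/, "", name)
              if (name != "lo" && name != wg) bad = 1 }
    END { exit (bad ? 1 : 0) }' || return 1
  printf '%s\n' "$routes" | awk -v wg="$wgif" '
    /^default/ { have_default = 1 }
    { for (i = 1; i < NF; i++) if ($i == "dev" && $(i + 1) != wg) bad = 1 }
    END { exit ((have_default && !bad) ? 0 : 1) }'
}

# Live variant for the host; needs root, like the `ip netns exec` in the units.
check_live_ns() {
  check_ns_confined "$(ip netns exec "$1" ip -o link show)" \
                    "$(ip netns exec "$1" ip route show)" "$2"
}

# Constructed sample output of a correctly confined namespace.
GOOD_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/none'
GOOD_ROUTES='default dev wg0 scope link
10.2.0.0/24 dev wg0 proto kernel scope link src 10.2.0.2'
# Constructed: the same namespace with a stray veth into the host (a leak path).
LEAKY_LINKS="$GOOD_LINKS
3: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff"
# Constructed: a default route that bypasses the tunnel.
LEAKY_ROUTES='default via 192.168.1.1 dev eth0
default dev wg0 scope link metric 100'

# Run against a live namespace when given its name and tunnel interface:
#   sh ns-check.sh ns-qbittorrent wg0
if [ $# -eq 2 ]; then
  if check_live_ns "$1" "$2"; then echo "$1: confined to $2"
  else echo "$1: non-tunnel interface or route present" >&2; exit 1; fi
fi
```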