• originalucifer@moist.catsweat.com
      7 months ago

      I think Docker allows for this configuration. I use a gluetun container for the network definition of the torrent container to prevent leaking. The torrent container knows of no other network than the VPN container.

    • the_third@feddit.de
      7 months ago

      There are readily available Docker containers for it, but I wanted to build it by hand. Well, more or less. Extremely hacky, but it works, so fine for me.

      I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it:

      https://github.com/dadevel/wg-netns

      cat /etc/systemd/system/wg-qbittorrent.service
      [Unit]
      Description=WireGuard Network Namespace for qBittorrent
      Wants=network-online.target nss-lookup.target
      After=network-online.target nss-lookup.target
      
      [Service]
      Type=oneshot
      Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
      Environment=WG_VERBOSE=1
      ExecStart=/opt/wg-netns/bin/wg-netns up /etc/wireguard/wgconfig.yaml
      ExecStop=/opt/wg-netns/bin/wg-netns down /etc/wireguard/wgconfig.yaml
      RemainAfterExit=yes
      
      WorkingDirectory=%E/wireguard
      ConfigurationDirectory=wireguard
      ConfigurationDirectoryMode=0700
      
      CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN
      LimitNOFILE=4096
      LimitNPROC=512
      LockPersonality=true
      MemoryDenyWriteExecute=true
      NoNewPrivileges=true
      ProtectClock=true
      ProtectHostname=true
      RemoveIPC=true
      RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
      RestrictNamespaces=mnt net
      RestrictRealtime=true
      RestrictSUIDSGID=true
      SystemCallArchitectures=native
      
      [Install]
      WantedBy=multi-user.target
      Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static

      …and stuffed the result into a systemd service that runs it in the namespace wg-netns provides:

      cat /etc/systemd/system/qbittorrent-nox.service
      [Unit]
      Description=qBittorrent-nox service
      Wants=network-online.target wg-qbittorrent.service 
      After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
      
      [Service]
      Type=simple
      PrivateTmp=false
      #User=qbittorrent
      ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox
      TimeoutStopSec=1800
      RestartSec=15
      RestartMaxDelaySec=600
      RestartSteps=10
      Restart=always
      
      [Install]
      WantedBy=multi-user.target
      To get the web UI out of that, I stuck two instances of socat together at stdout, and from there it depends on whatever you want to use as a reverse proxy on the host - or you bind to a network interface if you trust the network:

      cat /etc/systemd/system/qbittorrent-webui.service 
      [Unit]
      Description=qBittorrent-nox webui forwarding into its namespace
      Wants=network-online.target wg-qbittorrent.service 
      After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service 
      
      [Service]
      Type=simple
      PrivateTmp=false
      ExecStart=/opt/qbittorrent/forward-webinterface.sh
      TimeoutStopSec=1800
      Restart=always
      RestartSec=10
      
      [Install]
      WantedBy=multi-user.target
      
      cat /opt/qbittorrent/forward-webinterface.sh
      #!/bin/sh
      set -eu
      
      exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork"
      Works, is reboot-safe; I stopped caring about beauty at that point.
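A leak check for the setup described in this post, added here as an example; it is not part of the original post and not part of wg-netns or qbittorrent-nox-static. It reads the namespace's routing table and interface list (the output of `ip -n NS route show` and `ip -n NS link show`) and fails if any default route leaves through something other than the tunnel interface, or if any interface besides loopback and the tunnel exists in the namespace (a stray veth or macvlan would be a path around the VPN). The namespace name ns-qbittorrent comes from the post; the tunnel interface name wg0 is an assumption, since wg-netns takes that name from its YAML config, so pass your own as the third argument in live mode. The sample `ip` output embedded below is constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example: verify that a WireGuard network namespace has no leak path.
# Not the poster's code and not part of wg-netns. The namespace name
# ns-qbittorrent is from the post; the interface name wg0 is an assumption.
set -eu

# route_ok ROUTES IFACE
# ROUTES is the text of `ip -n NS route show`. Succeeds only if there is at
# least one default route and every default route leaves via IFACE.
route_ok() {
    routes=$1; iface=$2
    defaults=$(printf '%s\n' "$routes" | grep '^default ' || true)
    [ -n "$defaults" ] || return 1          # no default route: nothing can go out at all
    # any default route NOT on the tunnel interface is a way around the VPN
    if printf '%s\n' "$defaults" | grep -Eqv "dev $iface( |$)"; then
        return 1
    fi
    return 0
}

# link_ok LINKS IFACE
# LINKS is the text of `ip -n NS link show`. Succeeds only if the namespace
# holds nothing but loopback and the tunnel interface.
link_ok() {
    links=$1; iface=$2
    # header lines look like "2: wg0: <...>" or "3: veth0@if5: <...>"
    names=$(printf '%s\n' "$links" | awk -F': ' '/^[0-9]+: /{sub(/@.*/, "", $2); print $2}')
    for n in $names; do
        case "$n" in
            lo|"$iface") ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# check LABEL IFACE ROUTES LINKS: print one verdict per check; returns 0 only if both pass
check() {
    label=$1; iface=$2; routes=$3; links=$4; rc=0
    if route_ok "$routes" "$iface"; then
        echo "$label: routes OK (every default route is via $iface)"
    else
        echo "$label: LEAK RISK: no default route, or a default route bypasses $iface"; rc=1
    fi
    if link_ok "$links" "$iface"; then
        echo "$label: links OK (only lo and $iface present)"
    else
        echo "$label: LEAK RISK: an interface other than lo/$iface exists in the namespace"; rc=1
    fi
    return $rc
}

# Constructed sample output, shaped like iproute2 prints it (not captured from a real host).
GOOD_ROUTES='default dev wg0 scope link
10.2.0.0/24 dev wg0 proto kernel scope link src 10.2.0.2'
BAD_ROUTES='default via 192.168.1.1 dev veth0
default dev wg0 scope link metric 100'
GOOD_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none'
BAD_LINKS="$GOOD_LINKS
3: veth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff link-netnsid 0"

if [ "${1:-}" = "live" ]; then
    # live mode (needs root): ./wg-ns-check.sh live [namespace] [interface]
    ns=${2:-ns-qbittorrent}; iface=${3:-wg0}
    check "$ns" "$iface" "$(ip -n "$ns" route show)" "$(ip -n "$ns" link show)"
else
    check "constructed-good" wg0 "$GOOD_ROUTES" "$GOOD_LINKS"
    check "constructed-leaky" wg0 "$BAD_ROUTES" "$BAD_LINKS" || true   # expected to report leak risk
fi
```

In live mode the script exits non-zero on any finding, so it can sit in front of the torrent client (for instance as a check run after wg-qbittorrent.service has come up and before qbittorrent-nox is started). It only looks at routes and links; it does not check which resolver the namespace uses, which `ip netns exec` takes from /etc/netns/ns-qbittorrent/resolv.conf if that file exists, so that is worth verifying separately.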