jeffw@lemmy.world to Technology@lemmy.worldEnglish · 7 months agoNovel attack against virtually all VPN apps neuters their entire purposearstechnica.comexternal-linkmessage-square63fedilinkarrow-up1355cross-posted to: android
arrow-up1355external-linkNovel attack against virtually all VPN apps neuters their entire purposearstechnica.comjeffw@lemmy.world to Technology@lemmy.worldEnglish · 7 months agomessage-square63fedilinkcross-posted to: android
minus-squarethe_third@feddit.delinkfedilinkEnglisharrow-up1·7 months agoThere’s readily available docker containers for it but I wanted to build it by hand. Well, more or less, Extremely hacky but it works, so fine for me. I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it: https://github.com/dadevel/wg-netns cat /etc/systemd/system/wg-qbittorrent.service [Unit] Description=WireGuard Network Namespace for qBittorrent Wants=network-online.target nss-lookup.target After=network-online.target nss-lookup.target [Service] Type=oneshot Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity Environment=WG_VERBOSE=1 ExecStart=/opt/wg-netns/bin/wg-netns up /etc/wireguard/wgconfig.yaml ExecStop=/opt/wg-netns/bin/wg-netns down /etc/wireguard/wgconfig.yaml RemainAfterExit=yes WorkingDirectory=%E/wireguard ConfigurationDirectory=wireguard ConfigurationDirectoryMode=0700 CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_ADMIN LimitNOFILE=4096 LimitNPROC=512 LockPersonality=true MemoryDenyWriteExecute=true NoNewPrivileges=true ProtectClock=true ProtectHostname=true RemoveIPC=true RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK RestrictNamespaces=mnt net RestrictRealtime=true RestrictSUIDSGID=true SystemCallArchitectures=native [Install] WantedBy=multi-user.target Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static …and stuffed the result into a systemd service that runs it in the namespace wg-netns provides: cat /etc/systemd/system/qbittorrent-nox.service [Unit] Description=qBittorrent-nox service Wants=network-online.target wg-qbittorrent.service After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service [Service] Type=simple PrivateTmp=false #User=qbittorrent ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox TimeoutStopSec=1800 RestartSec=15 RestartMaxDelaySec=600 RestartSteps=10 Restart=always [Install] WantedBy=multi-user.target To get the webui out of that I stuck two instances of socat together at the stdout and from there it depends on whatever you want to use as a reverse proxy on the host - or you bind to a network interface if you trust the network: cat /etc/systemd/system/qbittorrent-webui.service [Unit] Description=qBittorrent-nox webui forwarding into its namespace Wants=network-online.target wg-qbittorrent.service After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service [Service] Type=simple PrivateTmp=false ExecStart=/opt/qbittorrent/forward-webinterface.sh TimeoutStopSec=1800 Restart=always RestartSec=10 [Install] WantedBy=multi-user.target cat /opt/qbittorrent/forward-webinterface.sh #!/bin/sh set -eu exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork" Works, is reboot safe, stopped caring about beauty at that point.
There’s readily available docker containers for it but I wanted to build it by hand. Well, more or less, Extremely hacky but it works, so fine for me.
I started out with cheating and used this wrapper around wg-quick that gives us a persistent network namespace with the tunnel interface in it:
https://github.com/dadevel/wg-netns
Then I built a static binary of qbittorrent using this really neat docker image: https://github.com/userdocs/qbittorrent-nox-static
…and stuffed the result into a systemd service that runs it in the namespace wg-netns provides:
cat /etc/systemd/system/qbittorrent-nox.service [Unit] Description=qBittorrent-nox service Wants=network-online.target wg-qbittorrent.service After=local-fs.target network-online.target nss-lookup.target wg-qbittorrent.service [Service] Type=simple PrivateTmp=false #User=qbittorrent ExecStart=/usr/sbin/ip netns exec ns-qbittorrent sudo -u qbittorrent /opt/qbittorrent/qbittorrent-nox TimeoutStopSec=1800 RestartSec=15 RestartMaxDelaySec=600 RestartSteps=10 Restart=always [Install] WantedBy=multi-user.target
To get the webui out of that I stuck two instances of socat together at the stdout and from there it depends on whatever you want to use as a reverse proxy on the host - or you bind to a network interface if you trust the network:
cat /opt/qbittorrent/forward-webinterface.sh #!/bin/sh set -eu exec socat tcp6-listen:"8080",reuseaddr,fork,range=[::1]/128 "exec:ip netns exec ns-qbittorrent socat stdio 'tcp-connect:127.0.0.1:8080',nofork"
Works, is reboot safe, stopped caring about beauty at that point.
This is so cool, thank you!