49
submitted 6 months ago by xabadak@lemmings.world to c/privacy@lemmy.ml

cross-posted from: https://lemmings.world/post/8926396

In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won't need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I'm a noob and I couldn't find any scripts or tools to do it that way.

you are viewing a single comment's thread
view the rest of the comments
[-] slacktoid@lemmy.ml 1 points 6 months ago

Or even just a list of design considerations and tradeoffs tbh

[-] xabadak@lemmings.world 2 points 6 months ago

I'm no network security expert, so I mainly followed Mullvad VPN for my implementation. I looked at the nftables rules that official Mullvad linux client uses, and also their document here: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md.

Though if you have any alternatives for vanilla wireguard users like me, I'll gladly switch. I know somebody mentioned Gluetun but I thought that was for docker only. Do you know of any others?

[-] slacktoid@lemmy.ml 1 points 6 months ago

No worries thats cool and a great contribution. (didnt mean to attack your work).

i have only used gluetun in a docker like context so i cant honestly tell you but you can have vpn and non vpn traffic on your system and you just proxy traffic.

also, now i can see the reason for this (work) and why its cool, which was missing in your post. Also knowing your approach helps others point you to ways to improve what youve done. Thanks you!

[-] xabadak@lemmings.world 1 points 5 months ago

No offense taken, on the contrary thanks for the constructive criticism! I'll add some more details to my repo to make things more clear.

[-] slacktoid@lemmy.ml 2 points 5 months ago

Of course! And anytime!!

this post was submitted on 09 May 2024
49 points (98.0% liked)

Privacy

31601 readers
309 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS