github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #1844] Support wireguard interfaces on firejail's --net option #1251

New issue

Closed

opened 2026-05-05 07:43:37 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 07:43:37 -06:00

Owner

Originally created by @Piraty on GitHub (Mar 28, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1844

Using the --net=<interface> option does currently not work for wireguard interfaces.

I encountered this on a Void Linux System, x86_64 glibc.
linux 4.14.29 and lower
wireguard 0.0.20180304
firejail 0.9.52

# ip link add wg0 type wireguard
# ip address add dev wg0 192.168.2.1/24
$ firejail --net=wg0 /bin/bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 13726, child pid 13727
RTNETLINK answers: Invalid argument
Error: failed to run /usr/lib/firejail/fnet
Error ioctl: interface.c:98 net_if_up: No such device
Error: failed to run /usr/lib/firejail/fnet
Error: proc 13726 cannot sync with peer: unexpected EOF
Peer 13727 unexpectedly exited with status 1

Here is an strace of the process: <removed>

Originally created by @Piraty on GitHub (Mar 28, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1844 Using the `--net=<interface>` option does currently not work for [wireguard](https://www.wireguard.com/) interfaces. I encountered this on a Void Linux System, x86_64 glibc. `linux 4.14.29` and lower `wireguard 0.0.20180304` `firejail 0.9.52` ``` # ip link add wg0 type wireguard # ip address add dev wg0 192.168.2.1/24 $ firejail --net=wg0 /bin/bash Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 13726, child pid 13727 RTNETLINK answers: Invalid argument Error: failed to run /usr/lib/firejail/fnet Error ioctl: interface.c:98 net_if_up: No such device Error: failed to run /usr/lib/firejail/fnet Error: proc 13726 cannot sync with peer: unexpected EOF Peer 13727 unexpectedly exited with status 1 ``` Here is an strace of the process: `<removed>`

gitea-mirror closed this issue

2026-05-05 07:43:39 -06:00

gitea-mirror commented

2026-05-05 07:43:41 -06:00

Author

Owner

@atlaua commented on GitHub (Mar 28, 2018):

Firejail's --net option uses macvlan under the hood and hence only works with L2 ethernet devices (as documented in the man page). Therefore, it can obviously not be used directly with a wireguard tunnel which operates at L3.

@atlaua commented on GitHub (Mar 28, 2018): Firejail's --net option uses macvlan under the hood and hence only works with L2 ethernet devices (as documented in the man page). Therefore, it can obviously not be used directly with a wireguard tunnel which operates at L3.

gitea-mirror commented

2026-05-05 07:43:42 -06:00

Author

Owner

@Vincent43 commented on GitHub (Mar 29, 2018):

You can try firejail --netns with https://www.wireguard.com/netns/

@Vincent43 commented on GitHub (Mar 29, 2018): You can try `firejail --netns` with https://www.wireguard.com/netns/

gitea-mirror commented

2026-05-05 07:43:44 -06:00

Author

Owner

@Piraty commented on GitHub (Mar 29, 2018):

Thanks, i will look into it.
Definetely missed the L2 part in the manpage...

@Piraty commented on GitHub (Mar 29, 2018): Thanks, i will look into it. Definetely missed the `L2` part in the manpage...

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1251

No description provided.

Rows
Columns