[GH-ISSUE #2032] Run program with the tun0 interface

gitea-mirror commented

2026-05-05 07:57:18 -06:00

Owner

Originally created by @Bundy01 on GitHub (Jul 5, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2032

Hi,

I would like to run firefox only in my VPN interface (disconnect if my VPN picks up).
I tried adding net tun0 in the profile or running it with this command: firejail --net=tun0 firefox. I have that mistake:

Reading profile /etc/firejail/firefox-developer-edition.profile
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 13426, child pid 13427
RTNETLINK answers: Invalid argument
Error: failed to run /usr/lib/firejail/fnet
Error ioctl: interface.c:98 net_if_up: No such device
Error: failed to run /usr/lib/firejail/fnet
Error: proc 13426 cannot sync with peer: unexpected EOF
Peer 13427 unexpectedly exited with status 1

Is it possible it could work?

Originally created by @Bundy01 on GitHub (Jul 5, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/2032 Hi, I would like to run firefox only in my VPN interface (disconnect if my VPN picks up). I tried adding `net tun0` in the profile or running it with this command: `firejail --net=tun0 firefox`. I have that mistake: ``` Reading profile /etc/firejail/firefox-developer-edition.profile Reading profile /etc/firejail/firefox.profile Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 13426, child pid 13427 RTNETLINK answers: Invalid argument Error: failed to run /usr/lib/firejail/fnet Error ioctl: interface.c:98 net_if_up: No such device Error: failed to run /usr/lib/firejail/fnet Error: proc 13426 cannot sync with peer: unexpected EOF Peer 13427 unexpectedly exited with status 1 ``` Is it possible it could work?

gitea-mirror

2026-05-05 07:57:18 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 07:57:24 -06:00

Author

Owner

@netblue30 commented on GitHub (Jul 6, 2018):

I did some experiments here, it should definitely work. I'll bring in support for tap devices in two or three days.What tunneling software are you using: openvpn, wireguard ...?

Also, when you set the tunnel, does it assign an address to your tap interface? If you do /sbin/ifconfig or "ip addr show" what address do you get? I'm asking because the sandbox will automatically assign an address for the interface connected to your tap device and we need to make sure the address is on the same network as the tap device.

@netblue30 commented on GitHub (Jul 6, 2018): I did some experiments here, it should definitely work. I'll bring in support for tap devices in two or three days.What tunneling software are you using: openvpn, wireguard ...? Also, when you set the tunnel, does it assign an address to your tap interface? If you do /sbin/ifconfig or "ip addr show" what address do you get? I'm asking because the sandbox will automatically assign an address for the interface connected to your tap device and we need to make sure the address is on the same network as the tap device.

gitea-mirror commented

2026-05-05 07:57:28 -06:00

Author

Owner

@Bundy01 commented on GitHub (Jul 12, 2018):

Hi,
I use openvpn and my interface name is tun0 and that of my ethernet connection enp3s0f1.
Thanks

@Bundy01 commented on GitHub (Jul 12, 2018): Hi, I use openvpn and my interface name is `tun0` and that of my ethernet connection `enp3s0f1`. Thanks

gitea-mirror commented

2026-05-05 07:57:30 -06:00

Author

Owner

@netblue30 commented on GitHub (Jul 17, 2018):

tun device will not work, you need a tap device. Move openvpn to a bridging configuration, they have an example here: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html. Basically you must use server-bridge and dev tap instead of server and dev tun in your configuration.

On the client you connect firejail to the tap device. Use the firejail version in git, I just added support for tap devices.

(this is a simple sandboxed /bin/bash session)
$ firejail --net=tap0 --noprofile

Then, try to ping the server end of the tunnel. There could be a problem with how openvpn assigns the address, but we'll figure it out.

There is also a similar discussion going on here: #2046

@netblue30 commented on GitHub (Jul 17, 2018): tun device will not work, you need a tap device. Move openvpn to a bridging configuration, they have an example here: https://openvpn.net/index.php/open-source/documentation/miscellaneous/76-ethernet-bridging.html. Basically you must use server-bridge and dev tap instead of server and dev tun in your configuration. On the client you connect firejail to the tap device. Use the firejail version in git, I just added support for tap devices. ````` (this is a simple sandboxed /bin/bash session) $ firejail --net=tap0 --noprofile ````` Then, try to ping the server end of the tunnel. There could be a problem with how openvpn assigns the address, but we'll figure it out. There is also a similar discussion going on here: #2046

gitea-mirror commented

2026-05-05 07:57:33 -06:00

Author

Owner

@Futureknows commented on GitHub (Jul 18, 2018):

Is this why routed network setups (--net=br0) are broken when the OS openvpn connection is activated? My direct networked ethernet devices (--net=eth0) allow me to activate/deactivate a VPN through the system network manager seamlessly, but on wifi devices activating openvpn breaks the connection on firejailed network namespaced sandboxes.

@Futureknows commented on GitHub (Jul 18, 2018): Is this why routed network setups (--net=br0) are broken when the OS openvpn connection is activated? My direct networked ethernet devices (--net=eth0) allow me to activate/deactivate a VPN through the system network manager seamlessly, but on wifi devices activating openvpn breaks the connection on firejailed network namespaced sandboxes.

gitea-mirror commented

2026-05-05 07:57:37 -06:00

Author

Owner

@Bundy01 commented on GitHub (Jul 21, 2018):

I've checked the tap interface of my vpn provider, but unfortunately I can't connect with tap :(

@Bundy01 commented on GitHub (Jul 21, 2018): I've checked the tap interface of my vpn provider, but unfortunately I can't connect with tap :(

gitea-mirror commented

2026-05-05 07:57:38 -06:00

Author

Owner

@veloute commented on GitHub (Jul 22, 2018):

In the case that this isn't added, you could look into something like vpnfailsafe, which uses iptables to prevent internet access if the VPN tunnel drops (thereby preventing IP and DNS leaks).

@veloute commented on GitHub (Jul 22, 2018): In the case that this isn't added, you could look into something like [vpnfailsafe](https://github.com/wknapik/vpnfailsafe), which uses iptables to prevent internet access if the VPN tunnel drops (thereby preventing IP and DNS leaks).

gitea-mirror commented

2026-05-05 07:57:42 -06:00

Author

Owner

@Bundy01 commented on GitHub (Jul 23, 2018):

Hi,
I finally opted for ufw, the following rules seem to work:

ufw default deny incoming
ufw default deny outgoing
ufw allow out on tun0
ufw allow out on enp3s0f1 proto udp from 192.168.1.1 to any port 1194

@Bundy01 commented on GitHub (Jul 23, 2018): Hi, I finally opted for ufw, the following rules seem to work: ``` ufw default deny incoming ufw default deny outgoing ufw allow out on tun0 ufw allow out on enp3s0f1 proto udp from 192.168.1.1 to any port 1194 ```

gitea-mirror commented

2026-05-05 07:57:44 -06:00

Author

Owner

@sebastianst commented on GitHub (Oct 17, 2018):

This is an old issue #59. Many VPN providers don't support tap interfaces, so please find a solution, maybe with network namespaces?

@sebastianst commented on GitHub (Oct 17, 2018): This is an old issue #59. Many VPN providers don't support tap interfaces, so please find a solution, maybe with network namespaces?

gitea-mirror commented

2026-05-05 07:57:47 -06:00

Author

Owner

@kramer9 commented on GitHub (Nov 5, 2018):

I +1 the request to be able to direct the traffic directly to a vpn (--net=tun0)

@kramer9 commented on GitHub (Nov 5, 2018): I +1 the request to be able to direct the traffic directly to a vpn (--net=tun0)

gitea-mirror commented

2026-05-05 07:57:50 -06:00

Author

Owner

@rugabunda commented on GitHub (Feb 18, 2019):

+1 Definitely would like to see support for tun.

@rugabunda commented on GitHub (Feb 18, 2019): +1 Definitely would like to see support for tun.

gitea-mirror commented

2026-05-05 07:57:51 -06:00

Author

Owner

@intika commented on GitHub (Apr 9, 2019):

An other solution is to use a bridge and iptables to route the jail over the tun interface https://firejail.wordpress.com/documentation-2/basic-usage/#routed (require masquerade and vlan kernel modules + ip_forward enabled) ...
supporting tun interface would really be amazing

@intika commented on GitHub (Apr 9, 2019): An other solution is to use a bridge and iptables to route the jail over the tun interface https://firejail.wordpress.com/documentation-2/basic-usage/#routed (require masquerade and vlan kernel modules + ip_forward enabled) ... supporting tun interface would really be amazing

gitea-mirror commented

2026-05-05 07:57:52 -06:00

Author

Owner

@rusty-snake commented on GitHub (Nov 27, 2019):

Is this a duplicate of #1814? If so, we can close.

@rusty-snake commented on GitHub (Nov 27, 2019): Is this a duplicate of #1814? If so, we can close.

gitea-mirror commented

2026-05-05 07:57:53 -06:00

Author

Owner

@intika commented on GitHub (Nov 27, 2019):