github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3238] tor browser fails with netns #2033

New issue

Closed

opened 2026-05-05 08:42:18 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 08:42:18 -06:00

Owner

Originally created by @ghost on GitHub (Feb 23, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3238

Fedora 31 firejail stable

profile doesn't appear to e the cause.

firejail --noprofile --netns=tor ~/jailed/tor/tor-browser/Browser/start-tor-browser

Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start.

google chrome and torrent clients work with a netns set up in exactly the same way.

network namespace setup:

NETNS_NAME="tor"
DEV_NAME="wg0"
INTERNAL_IP="<ip>/32"
# Create a Wireguard network interface in the default namespace.
sudo ip link add $DEV_NAME type wireguard
# Load the Wireguard configuration.
sudo wg setconf $DEV_NAME /home/xxx/vpn/$NETNS_NAME.conf
# Create a new network namespace.
sudo ip netns add $NETNS_NAME
# Move the Wireguard interface to the network namespace.
sudo ip link set $DEV_NAME netns $NETNS_NAME
# Set the IP address of the Wireguard interface.
sudo ip -n $NETNS_NAME addr add $INTERNAL_IP dev $DEV_NAME
# Bring up the Wireguard interface.
sudo ip -n $NETNS_NAME link set $DEV_NAME up
# Make the Wireguard interface the default route.
sudo ip -n $NETNS_NAME route add default dev $DEV_NAME

going inside the jail terminal and running ifconfig only shows wg0, ping/mtr/dig all work fine inside it all showing correct route through vpn.

It's worth mentioning I have had the exact same problem without netns when I had an already running instance of tor browser and I didn't specify the following:

--env=TOR_SOCKS_PORT=9750 --env=TOR_CONTROL_PORT=9751

I made sure that no instance of tor browser or tor was running and no choice of ports or leaving it out helped. The error however was identical.

In both cases the torrc logs the dialogue offered to copy into clipboard were empty (it even said that 0 logs were copied).

instead of netns using --net=wlan0 works with no issues...

Originally created by @ghost on GitHub (Feb 23, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3238 Fedora 31 firejail stable profile doesn't appear to e the cause. > firejail --noprofile --netns=tor ~/jailed/tor/tor-browser/Browser/start-tor-browser > Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start. **google chrome and torrent clients work with a netns set up in exactly the same way.** network namespace setup: ``` NETNS_NAME="tor" DEV_NAME="wg0" INTERNAL_IP="<ip>/32" # Create a Wireguard network interface in the default namespace. sudo ip link add $DEV_NAME type wireguard # Load the Wireguard configuration. sudo wg setconf $DEV_NAME /home/xxx/vpn/$NETNS_NAME.conf # Create a new network namespace. sudo ip netns add $NETNS_NAME # Move the Wireguard interface to the network namespace. sudo ip link set $DEV_NAME netns $NETNS_NAME # Set the IP address of the Wireguard interface. sudo ip -n $NETNS_NAME addr add $INTERNAL_IP dev $DEV_NAME # Bring up the Wireguard interface. sudo ip -n $NETNS_NAME link set $DEV_NAME up # Make the Wireguard interface the default route. sudo ip -n $NETNS_NAME route add default dev $DEV_NAME ``` going inside the jail terminal and running ifconfig only shows wg0, ping/mtr/dig all work fine inside it all showing correct route through vpn. It's worth mentioning I have had the exact same problem without netns when I had an already running instance of tor browser and I didn't specify the following: `--env=TOR_SOCKS_PORT=9750 --env=TOR_CONTROL_PORT=9751` I made sure that no instance of tor browser or tor was running and no choice of ports or leaving it out helped. The error however was identical. In both cases the torrc logs the dialogue offered to copy into clipboard were empty (it even said that 0 logs were copied). instead of netns using --net=wlan0 works with no issues...

gitea-mirror

2026-05-05 08:42:18 -06:00

closed this issue
added the
information_old
label

gitea-mirror commented

2026-05-05 08:42:21 -06:00

Author

Owner

@ghost commented on GitHub (Feb 23, 2020):

solution:

# Create lo interface
sudo ip -n $NETNS_NAME link set dev lo up

@ghost commented on GitHub (Feb 23, 2020): solution: ``` # Create lo interface sudo ip -n $NETNS_NAME link set dev lo up ```

gitea-mirror referenced this issue

2026-05-05 10:14:51 -06:00

[PR #2033] [MERGED] additional whitelist hardening #4158

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2033

No description provided.

Rows
Columns