[GH-ISSUE #3266] VPN connection for Firefox and Thunderbird in Firejail

gitea-mirror commented

2026-05-05 08:43:23 -06:00

Owner

Originally created by @davew-fj on GitHub (Mar 2, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3266

I'm new here. Network connections are confusing to me.
My system is Antix 17 (Debian Stretch based Linux, 32 bit, no systemd).

Firejail v.0.9.60.2
Apparmor v. 2.11.0-3
Firefox-esr v.68.5.0esr-1
Thunderbird v.68.5.0-1
All work well together.

I have just added VPN service (AirVPN with Eddie-ui, and Windscribe cli program). Both VPNs work well with browser and email programs outside of firejail. But when firejailed, browser and email have no internet connection (browser and email programs run in separate firejail sandboxes). Network is managed by ceni and wicd.

Please steer me to the information that I need.
Thanks!

Originally created by @davew-fj on GitHub (Mar 2, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3266 I'm new here. Network connections are confusing to me. My system is Antix 17 (Debian Stretch based Linux, 32 bit, no systemd). - Firejail v.0.9.60.2 - Apparmor v. 2.11.0-3 - Firefox-esr v.68.5.0esr-1 - Thunderbird v.68.5.0-1 All work well together. I have just added VPN service (AirVPN with Eddie-ui, and Windscribe cli program). Both VPNs work well with browser and email programs outside of firejail. But when firejailed, browser and email have no internet connection (browser and email programs run in separate firejail sandboxes). Network is managed by ceni and wicd. Please steer me to the information that I need. Thanks!

gitea-mirror closed this issue

2026-05-05 08:43:24 -06:00

gitea-mirror commented

2026-05-05 08:43:25 -06:00

Author

Owner

@davew-fj commented on GitHub (Mar 4, 2020):

Both of the previously mentioned VPNs are based on openvpn. Since writing the above post, I have found that this has been a long-standing area of discussion. Is the following thread the most up to date? RTNETLINK error using "--net" option #2046

The discussion, in that thread, from Intika was very helpful... but a little beyond my level. I was hoping for an "easier" route. But I'll begin to explore those.

@davew-fj commented on GitHub (Mar 4, 2020): Both of the previously mentioned VPNs are based on openvpn. Since writing the above post, I have found that this has been a long-standing area of discussion. Is the following thread the most up to date? RTNETLINK error using "--net" option #2046 The discussion, in that thread, from Intika was very helpful... but a little beyond my level. I was hoping for an "easier" route. But I'll begin to explore those.

gitea-mirror commented

2026-05-05 08:43:26 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 4, 2020):

https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#rtnetlink-error

@rusty-snake commented on GitHub (Mar 4, 2020): https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#rtnetlink-error

gitea-mirror commented

2026-05-05 08:43:27 -06:00

Author

Owner

@matu3ba commented on GitHub (Apr 10, 2020):

@davew-fj Does it work?

@matu3ba commented on GitHub (Apr 10, 2020): @davew-fj Does it work?

gitea-mirror commented

2026-05-05 08:43:27 -06:00

Author

Owner

@davew-fj commented on GitHub (Apr 10, 2020):

Thanks for asking.
No, it's not working.
Awhile back, this thread was attached to "RTNETLINK error using "--net" option #2046"
So, I thought that is where any further comments should be posted. A few days ago, I did make a post there, about whether macvlan or macvtap can be used to interface to the vpn. (As of today, it's at the end of that thread. There was no answer.) So far, I can use either of those to get to eth0 for direct internet connection out of firejail... but not to tun0 for vpn. My attempts to use the other methods suggested in the # 2046 thread have been unfruitful... between limitations of my system... and mostly my own ignorance.

@davew-fj commented on GitHub (Apr 10, 2020): Thanks for asking. No, it's not working. Awhile back, this thread was attached to "RTNETLINK error using "--net" option #2046" So, I thought that is where any further comments should be posted. A few days ago, I did make a post there, about whether macvlan or macvtap can be used to interface to the vpn. (As of today, it's at the end of that thread. There was no answer.) So far, I can use either of those to get to eth0 for direct internet connection out of firejail... but not to tun0 for vpn. My attempts to use the other methods suggested in the # 2046 thread have been unfruitful... between limitations of my system... and mostly my own ignorance.

gitea-mirror commented

2026-05-05 08:43:28 -06:00

Author

Owner

@rusty-snake commented on GitHub (May 6, 2020):

Any progress?

@rusty-snake commented on GitHub (May 6, 2020): Any progress?

gitea-mirror commented

2026-05-05 08:43:29 -06:00

Author

Owner

@davew-fj commented on GitHub (May 6, 2020):

No progress. Thanks for asking. After going around in circles for a few weeks, I have given up on connecting to a VPN with firejailed firefox. If I have nothing better to do, at some future date, I may make another attempt, with a different kernel version (current version 4.9.212). Meanwhile, perhaps someone will come up with a simple ready-made solution. Thank you.

@davew-fj commented on GitHub (May 6, 2020): No progress. Thanks for asking. After going around in circles for a few weeks, I have given up on connecting to a VPN with firejailed firefox. If I have nothing better to do, at some future date, I may make another attempt, with a different kernel version (current version 4.9.212). Meanwhile, perhaps someone will come up with a simple ready-made solution. Thank you.

gitea-mirror commented

2026-05-05 08:43:30 -06:00

Author

Owner

@kris7t commented on GitHub (May 7, 2020):

@davew-fj In general, I found it best to treat firejail containers as if they were virtual machines: create a bridged network and run DNS (and maybe even DHCP) for them. I also use AirVPN, and my firejail contaners can access the internet through it fine (no leaks detected via ipleak.net).

You can either create a bridge interface manually, or let libvirt manage it. I run KVM virtual machines with libvirt, so I opted for libvirt, and specify --net=virbr0 for my firejail containers.
firejail assigns IPv4 addresses to containers by ARP scanning. If you have virtual machines on your bridge interface, this may not be a good idea, because their IPs are assigned by the dnsmasq DHCP server ran by libvirt instead. To let dnsmasq know about firejail containers, you can use --ip=dhcp (but this can be significantly slower at container startup than ARP).
To automatically assign an IPv6 address to firejail containers, you can use --ip6=dhcp. This will either need configuring IPv6 prefix delegation in libvirt, or setting up NAT66 (which is an ugly hack, but AirVPN already uses it to prove IPv6 connectivity, so setting it up won't make your configuration any uglier than it was).
libvirt will take care of most of the iptables rules for IPv4 forwarding, but you will need to add ip6tables rules and set the net.ipv6.conf sysctl parameters for forwarding. If you use NAT66, make sure to accept router advertisements on external network interfaces, and only broadcast them on the bridge interface (it would be bad manners to advertise a private prefix externally).
In terms of DNS, letting dnsmasq be the DNS server for your containers can be a DNS leak (it won't switch to delegating to the AirVPN server instead of your ISP's server whenever you activate VPN). You may be able to use systemd-resolved instead, but I find it much easier to run unbound as my recursive DNS resolver or DoT forwarder. DHCP will set the DNS servers appropriately for the container, but if you use ARP-based or manual IP assignment instead, you can set them with --dns=.

Mandatory disclaimer: VPNs do very little in the way of anonimity, security, or even privacy. They are only useful for stopping ISPs meddling with non-encrypted connection. For actual anonimity, you should use Tor. In that case, you should forego containers and run Tails or WHONIX in a virutual machine (on a trusted, open-source host) or on physical hardware in order to minimize fingerprinting.

@kris7t commented on GitHub (May 7, 2020): @davew-fj In general, I found it best to treat firejail containers as if they were virtual machines: create a bridged network and run DNS (and maybe even DHCP) for them. I also use AirVPN, and my firejail contaners can access the internet through it fine (no leaks detected via ipleak.net). * You can either create a bridge interface manually, or let libvirt manage it. I run KVM virtual machines with libvirt, so I opted for libvirt, and specify `--net=virbr0` for my firejail containers. * firejail assigns IPv4 addresses to containers by ARP scanning. If you have virtual machines on your bridge interface, this may not be a good idea, because their IPs are assigned by the dnsmasq DHCP server ran by libvirt instead. To let dnsmasq know about firejail containers, you can use `--ip=dhcp` (but this can be significantly slower at container startup than ARP). * To automatically assign an IPv6 address to firejail containers, you can use `--ip6=dhcp`. This will either need configuring IPv6 prefix delegation in libvirt, or setting up [NAT66](https://mcilloni.ovh/2018/01/20/oh-god-why-NAT66) (which is an ugly hack, but AirVPN already uses it to prove IPv6 connectivity, so setting it up won't make your configuration any uglier than it was). * libvirt will take care of most of the iptables rules for IPv4 forwarding, but you will need to add ip6tables rules and set the `net.ipv6.conf` sysctl parameters for forwarding. If you use NAT66, make sure to accept router advertisements on external network interfaces, and only broadcast them on the bridge interface (it would be bad manners to advertise a private prefix externally). * In terms of DNS, letting dnsmasq be the DNS server for your containers can be a DNS leak (it won't switch to delegating to the AirVPN server instead of your ISP's server whenever you activate VPN). You may be able to use `systemd-resolved` instead, but I find it much easier to run `unbound` as my recursive DNS resolver or DoT forwarder. DHCP will set the DNS servers appropriately for the container, but if you use ARP-based or manual IP assignment instead, you can set them with `--dns=`. _Mandatory disclaimer: VPNs do [very little](https://www.privacytools.io/providers/vpn/#info) in the way of anonimity, security, or even privacy. They are only useful for stopping ISPs meddling with non-encrypted connection. For actual anonimity, you should use Tor. In that case, you should forego containers and run Tails or WHONIX in a virutual machine (on a trusted, open-source host) or on physical hardware in order to minimize fingerprinting._

gitea-mirror commented

2026-05-05 08:43:31 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jun 4, 2020):

I'm closing here due to inactivity, please fell free to reopen if you have more questions.

@rusty-snake commented on GitHub (Jun 4, 2020): I'm closing here due to inactivity, please fell free to reopen if you have more questions.

gitea-mirror referenced this issue

2026-05-05 10:14:51 -06:00

[PR #2052] [MERGED] Create standardnotes-desktop.profile #4157

Rows
Columns

[GH-ISSUE #3266] VPN connection for Firefox and Thunderbird in Firejail #2052