[GH-ISSUE #59] OpenVPN integration #31

Open
opened 2026-05-05 04:48:53 -06:00 by gitea-mirror · 15 comments

Originally created by @vrs on GitHub (Sep 9, 2015).
Original GitHub issue: https://github.com/netblue30/firejail/issues/59

I have an OpenVPN setup that spawns the tun interface in its own namespace, thus obviating the need for bridge interfaces (detailed [here](http://www.synkretie.net/writings/easy%20namespaced%20openvpn.html)).
--net and sudo exist, but I would rather pass --netns (or --net=ns:foo to stay within style) to firejail than use my rather hacky sudo line.
If necessary I could implement it myself and submit a PR, but my C is minimal.

gitea-mirror added the enhancement label 2026-05-05 04:48:53 -06:00

@netblue30 commented on GitHub (Sep 10, 2015):

Thanks, I'll do it myself, the network code is very convoluted at the moment.

I don't know how bringing an external network namespace into the sandbox will work. The easy way would be to bring in the tunnel interface (--net=tun2). I also have to add support for setting the MTU of the interface (--mtu=1500). I'll have something in the next two weeks.

@vrs commented on GitHub (Sep 10, 2015):

"to bring in the tunnel interface" I tried that, but an interface that moves namespaces loses all configuration. Which is why I configure the tun again once it's in the new namespace instead of grabbing it with firejail.
Spawning in an existing network namespace is a matter of `ip netns exec $ns firejail $cmd`, if you want only one namespace. But `ip netns exec` needs root and thus my hacky sudo setup.

@netblue30 commented on GitHub (Oct 25, 2015):

I have a --interface option that moves a full network interface into a sandbox. It preserves the interface configuration. Example:

```
$ firejail --interface=tun2
```

I still have to look at how this can be integrated with OpenVPN.

@netblue30 commented on GitHub (Nov 20, 2015):

From a user on WordPress:

— CONFLICT between --net=eth0 and active VPN (OpenVPN) client —

When my OpenVPN client is active, I lose all --dns capability, as if the Dynamic Network Service isn't there.

As stated in netblue30's blog, using --net=eth0 requires --dns=x.x.x.x also.
This works well for me, whether --private is employed or not.
However, activating my OpenVPN client and then calling `$ firejail --net=eth0 --dns=8.8.8.8 firefox` results in Firefox loading without any DN Service whatsoever.
On the other hand, losing my network isolation above (-A OUTPUT -d 192.168.0.0/16 -j DROP) because --netfilter can't be active during VPN sessions isn't a loss, because I'm not concerned with hackers coming through the encrypted VPN door to access other servers on my local network.

@netblue30 commented on GitHub (Jan 14, 2016):

https://github.com/netblue30/firejail/issues/214

@sebastianst commented on GitHub (Sep 27, 2016):

What's the current status? I still couldn't manage to restrict a firejailed application to an openvpn connection/interface.

@netblue30 commented on GitHub (Sep 27, 2016):

I didn't get a chance to look into it. I'll try to put it in the next release.

@sebastianst commented on GitHub (Sep 27, 2016):

Thanks! I thought I missed something because you closed the issue in February ;)

@netblue30 commented on GitHub (Sep 27, 2016):

Sorry, one of them was supposed to remain open! Track this issue, I'll close it when it's done.

@sebastianst commented on GitHub (Sep 28, 2016):

Is there a way to let firejail attach to an already existing network namespace, like `firejail --netns=vpn`? That would be great since then I could start openvpn and [let it set up the namespace](http://unix.stackexchange.com/a/196116/26774) and then start firejail, attaching to that namespace.

@COLABORATI commented on GitHub (May 5, 2017):

This is a key feature to enable multiple apps to use different VPN networks, which would be fantastic - any news on this? Thank you very much for your attention!

@netblue30 commented on GitHub (May 9, 2017):

No, still no support for VPNs.

@cynecx commented on GitHub (Jun 29, 2017):

Is there any progress on this feature? It would be great if firejail could probably work with openvpn.

Also, I am not that much experienced here, but how would this work? I am currently starting openvpn with a tun setup which does not use any default routing. Is it possible somehow to set up routes to the tun0 device inside firejail?

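The workaround that vrs and sebastianst describe above (OpenVPN's tun lives in its own network namespace, the app is started inside that namespace with `ip netns exec`), together with the DNS problem from the WordPress report and the routing question just asked, as an added example that is not part of the issue and not code from the firejail project. The script below is a POSIX sh wrapper with two audit functions: `audit_routes` checks that every route in the namespace goes through the tunnel (or drops traffic), and `audit_links` checks that the namespace holds nothing but `lo` and the tunnel. The namespace name `vpn`, tunnel `tun0`, resolver `10.8.0.1`, user `alice` and the address passed to `setup` are placeholders; OpenVPN is assumed to have been started with `--ifconfig-noexec` and `--route-noexec` so the tun carries no configuration when it is moved (moving it would drop that configuration anyway, as noted above).

```shell
#!/bin/sh
# Added example, not code from the firejail project or from this issue.
# Pattern discussed in the thread: OpenVPN creates the tun, the tun is moved
# into a dedicated network namespace, the sandboxed app is started inside that
# namespace, and the namespace is audited so the tunnel is the only way out.
#
# Assumed placeholders: namespace "vpn", tunnel "tun0", VPN resolver 10.8.0.1,
# unprivileged user "alice". OpenVPN is assumed to run with --ifconfig-noexec
# and --route-noexec, so the tun carries no configuration when it is moved.

NS="${NS:-vpn}"
TUN="${TUN:-tun0}"
VPN_DNS="${VPN_DNS:-10.8.0.1}"
RUN_AS="${RUN_AS:-alice}"

# audit_routes IFACE   (stdin: output of `ip route show` in the namespace)
# Succeeds only if a default route exists via IFACE and every other route
# also uses IFACE or lo. blackhole/unreachable/prohibit routes discard
# traffic, so they are allowed; anything else is a path around the VPN.
audit_routes() {
    iface="$1"
    have_default=0
    bad=0
    while read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            blackhole*|unreachable*|prohibit*) continue ;;
        esac
        # the interface a route leaves through is the word after "dev"
        dev=$(printf '%s\n' "$line" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
        case "$line" in
            default*|0.0.0.0/0*)
                if [ "$dev" = "$iface" ]; then have_default=1; else bad=1; fi ;;
            *)
                [ "$dev" = "$iface" ] || [ "$dev" = "lo" ] || bad=1 ;;
        esac
    done
    [ "$have_default" -eq 1 ] && [ "$bad" -eq 0 ]
}

# audit_links IFACE   (stdin: output of `ip -o link show` in the namespace)
# Succeeds only if the namespace holds nothing but lo and IFACE.
audit_links() {
    iface="$1"
    bad=0
    while read -r line; do
        # "3: tun0: <POINTOPOINT,...>" -> tun0; veth ends appear as "eth0@if5"
        name=$(printf '%s\n' "$line" | cut -d: -f2 | tr -d ' ' | cut -d@ -f1)
        [ -n "$name" ] || continue
        [ "$name" = lo ] || [ "$name" = "$iface" ] || bad=1
    done
    [ "$bad" -eq 0 ]
}

# setup_vpn_netns LOCAL_IP/PREFIX   (root; run once OpenVPN has created $TUN)
# Moving an interface between namespaces clears its addresses and routes, the
# problem noted in the thread, so they are applied inside the namespace.
# `ip netns exec` bind-mounts /etc/netns/$NS/resolv.conf over /etc/resolv.conf,
# which is what gives the sandboxed app the VPN's resolver instead of the host's.
setup_vpn_netns() {
    addr="$1"
    ip netns add "$NS"
    ip link set "$TUN" netns "$NS"
    ip netns exec "$NS" ip link set lo up
    ip netns exec "$NS" ip addr add "$addr" dev "$TUN"
    ip netns exec "$NS" ip link set "$TUN" up
    ip netns exec "$NS" ip route add default dev "$TUN"
    mkdir -p "/etc/netns/$NS"
    printf 'nameserver %s\n' "$VPN_DNS" > "/etc/netns/$NS/resolv.conf"
}

# run_in_vpn_ns CMD...   (root)
# Enter the namespace first, then sandbox: firejail started without --net keeps
# the namespace it was started in, so the app sees only lo and $TUN. runuser
# drops root before firejail runs, so the app itself does not run as root.
run_in_vpn_ns() {
    ip netns exec "$NS" runuser -u "$RUN_AS" -- firejail --noprofile "$@"
}

# check_vpn_ns   (root): run both audits against the live namespace.
check_vpn_ns() {
    ip netns exec "$NS" ip -o link show | audit_links "$TUN" \
        || { echo "extra interface in $NS" >&2; return 1; }
    ip netns exec "$NS" ip route show | audit_routes "$TUN" \
        || { echo "route bypassing $TUN in $NS" >&2; return 1; }
    echo "namespace $NS leaves only via $TUN"
}

case "${1:-}" in
    setup) shift; setup_vpn_netns "$@" ;;
    run)   shift; run_in_vpn_ns "$@" ;;
    check) check_vpn_ns ;;
esac
```

Saved as a script and run as root: `setup 10.8.0.2/24` once OpenVPN has brought up tun0 (use the address OpenVPN negotiated, visible in its `--up` script environment), then `check`, then `run firefox`. The two audit functions need no root at all; they can be fed saved `ip` output, and `check` fails closed if any interface or route other than the tunnel is present, which is the condition the thread's `--net=eth0` plus VPN setups could not guarantee.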

@tonsimple commented on GitHub (Feb 28, 2018):

@netblue30

Do I understand correctly that as of now bringing a tun into a firejail jail is completely impossible?

I try

```
user@scomp:~$ firejail --noprofile --net=tun0 /bin/bash
```

I get:

```
Parent pid 10420, child pid 10421
RTNETLINK answers: Invalid argument
Error: cannot bring up interface eth0-10420
Error ioctl: network.c:208 net_if_up: No such device
Error: cannot establish communication with the parent, exiting...
```

Trying to run firejail as root changes nothing...

@Boyardism commented on GitHub (Mar 13, 2018):

FYI the --interface option also doesn't work for tun interfaces
