Closed davew-fj closed 4 years ago
Both of the previously mentioned VPNs are based on openvpn. Since writing the above post, I have found that this has been a long-standing area of discussion. Is the following thread the most up to date? RTNETLINK error using "--net" option #2046
The discussion, in that thread, from Intika was very helpful... but a little beyond my level. I was hoping for an "easier" route. But I'll begin to explore those.
@davew-fj Does it work?
Thanks for asking. No, it's not working. A while back, this thread was attached to "RTNETLINK error using "--net" option #2046" So, I thought that is where any further comments should be posted. A few days ago, I did make a post there, about whether macvlan or macvtap can be used to interface to the vpn. (As of today, it's at the end of that thread. There was no answer.) So far, I can use either of those to get to eth0 for direct internet connection out of firejail... but not to tun0 for vpn. My attempts to use the other methods suggested in the #2046 thread have been unfruitful... between limitations of my system... and mostly my own ignorance.
Any progress?
No progress. Thanks for asking. After going around in circles for a few weeks, I have given up on connecting to a VPN with firejailed firefox. If I have nothing better to do, at some future date, I may make another attempt, with a different kernel version (current version 4.9.212). Meanwhile, perhaps someone will come up with a simple ready-made solution. Thank you.
@davew-fj In general, I found it best to treat firejail containers as if they were virtual machines: create a bridged network and run DNS (and maybe even DHCP) for them. I also use AirVPN, and my firejail containers can access the internet through it fine (no leaks detected via ipleak.net).

- `--net=virbr0` for my firejail containers.
- `--ip=dhcp` (but this can be significantly slower at container startup than ARP).
- `--ip6=dhcp`. This will either need configuring IPv6 prefix delegation in libvirt, or setting up NAT66 (which is an ugly hack, but AirVPN already uses it to prove IPv6 connectivity, so setting it up won't make your configuration any uglier than it was).
- `net.ipv6.conf` sysctl parameters for forwarding. If you use NAT66, make sure to accept router advertisements on external network interfaces, and only broadcast them on the bridge interface (it would be bad manners to advertise a private prefix externally).
- `systemd-resolved` instead, but I find it much easier to run `unbound` as my recursive DNS resolver or DoT forwarder. DHCP will set the DNS servers appropriately for the container, but if you use ARP-based or manual IP assignment instead, you can set them with `--dns=`.

Mandatory disclaimer: VPNs do very little in the way of anonymity, security, or even privacy. They are only useful for stopping ISPs meddling with non-encrypted connections. For actual anonymity, you should use Tor. In that case, you should forego containers and run Tails or Whonix in a virtual machine (on a trusted, open-source host) or on physical hardware in order to minimize fingerprinting.
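As an added example (not from this thread or from the firejail project), a small Python check of the bridged setup described above: run on the host, it confirms that the sandbox's only default route points at a gateway on the libvirt bridge and that the host's effective default route is the tunnel, so sandbox traffic cannot leave through eth0 when the VPN drops. The interface names `virbr0`/`tun0` and the `ip -j route` samples are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed samples of `ip -j route` output (not captured from a real host).
SANDBOX_ROUTES = [
    {"dst": "default", "gateway": "192.168.122.1", "dev": "eth0"},
    {"dst": "192.168.122.0/24", "dev": "eth0", "scope": "link"},
]
HOST_VPN_UP = [
    {"dst": "0.0.0.0/1", "gateway": "10.8.0.1", "dev": "tun0"},    # OpenVPN def1 halves
    {"dst": "128.0.0.0/1", "gateway": "10.8.0.1", "dev": "tun0"},
    {"dst": "default", "gateway": "192.168.1.1", "dev": "eth0"},   # still present, but shadowed
    {"dst": "192.168.122.0/24", "dev": "virbr0", "scope": "link"},
]
HOST_VPN_DOWN = [r for r in HOST_VPN_UP if r["dev"] != "tun0"]


def default_devs(routes):
    """Devices carrying the effective IPv4 default route.

    OpenVPN's redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1, which beat
    'default' without removing it, so each half is resolved separately."""
    halves, default = {"0.0.0.0/1": None, "128.0.0.0/1": None}, None
    for r in routes:
        if r.get("dst") in halves:
            halves[r["dst"]] = r.get("dev")
        elif r.get("dst") == "default":
            default = r.get("dev")
    return {halves["0.0.0.0/1"] or default, halves["128.0.0.0/1"] or default}


def check_vpn_path(sandbox_routes, host_routes, bridge="virbr0", vpn_if="tun0"):
    """Return a list of problems; an empty list means sandbox traffic exits via the VPN."""
    problems = []
    # 1. Inside the sandbox, the only way out must be a gateway sitting on the bridge.
    gws = [r["gateway"] for r in sandbox_routes if r.get("dst") == "default" and "gateway" in r]
    if not gws:
        problems.append("sandbox has no default route")
    else:
        bridge_nets = [ip_network(r["dst"]) for r in host_routes
                       if r.get("dev") == bridge and "/" in r.get("dst", "")]
        if not any(ip_address(gws[0]) in n for n in bridge_nets):
            problems.append(f"sandbox gateway {gws[0]} is not on host bridge {bridge}")
    # 2. On the host, everything non-local must leave through the tunnel, both def1 halves.
    devs = default_devs(host_routes)
    if devs != {vpn_if}:
        problems.append(f"host default route leaves via {sorted(d or '?' for d in devs)}, not {vpn_if}")
    return problems
```

For a live sandbox, feed it the parsed JSON of `nsenter -t <PID> -n ip -j route` (sandbox side) and `ip -j route` (host side); it checks routing only, not firewall rules, so a kill-switch rule blocking bridge-to-eth0 forwarding is still worth having.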
I'm closing here due to inactivity, please feel free to reopen if you have more questions.
I'm new here. Network connections are confusing to me. My system is Antix 17 (Debian Stretch based Linux, 32 bit, no systemd).
I have just added VPN service (AirVPN with Eddie-ui, and Windscribe cli program). Both VPNs work well with browser and email programs outside of firejail. But when firejailed, browser and email have no internet connection (browser and email programs run in separate firejail sandboxes). Network is managed by ceni and wicd.
Please steer me to the information that I need. Thanks!