netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Is there a way to force a jail outside Network Manager systemwide VPN? #3835

Open Futureknows opened 3 years ago

Futureknows commented 3 years ago

Once I enable an OpenVPN connection using Network Manager, is there a way to force discrete jails to connect outside the tunnel? If I use --net=enp10s0 (the default ethernet interface) it still tunnels through the OpenVPN connection. Sometimes if I open firejails this way before establishing an OpenVPN connection through Network Manager, they remain discrete, but after enabling OpenVPN, subsequent enp10s0 jails get routed through the tunnel.

rusty-snake commented 3 years ago

Maybe with --net=br0 and a bridge that has direct inet access.

Futureknows commented 3 years ago

Thanks. I noticed that if I launch a firejail on net=virbr0 (Red Hat's default bridge) before I connect to a VPN with Network Manager, then I can run jails inside and outside the systemwide VPN simultaneously. However, any firejails launched with net=virbr0 after connecting to a VPN through Network Manager don't get a connection. I'm sure this can be fixed by editing iptables, but it's beyond me. It would be a very handy feature.

On Tue, Apr 6, 2021 at 7:28 AM rusty-snake @.***> wrote:

Maybe with --net=br0 and a bridge that has direct inet access.

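The bridge approach rusty-snake suggests, and the "fixable with iptables" part Futureknows runs into, come down to three host-side pieces: a bridge with its own address (firejail takes the sandbox's IP and default gateway from it), a policy-routing rule that sends everything sourced from the bridge subnet out through the physical uplink instead of following the main table's VPN default route, and forward/NAT rules for that subnet. The script below is an added example, not part of this issue or of firejail itself. It assumes a bridge named br0 on 10.10.10.0/24, routing table 100, and a placeholder LAN gateway of 192.0.2.1 that must be replaced with the real gateway behind enp10s0 (the interface named in the issue); it prints the commands by default and only applies them when run as `sh bypass-bridge.sh apply` as root.

```shell
#!/bin/sh
# Added example: give `firejail --net=br0` sandboxes an uplink that bypasses the
# host's NetworkManager/OpenVPN tunnel. Bridge name, subnet, table number and the
# gateway below are assumptions, not values from the issue.
set -eu

BRIDGE="${BRIDGE:-br0}"
UPLINK="${UPLINK:-enp10s0}"          # physical interface named in the issue
BR_ADDR="${BR_ADDR:-10.10.10.1/24}"  # assumed bridge address
BR_NET="${BR_NET:-10.10.10.0/24}"    # assumed sandbox subnet
TABLE="${TABLE:-100}"                # assumed policy-routing table id
GATEWAY="${GATEWAY:-192.0.2.1}"      # PLACEHOLDER: real LAN gateway behind $UPLINK
DRY_RUN="${DRY_RUN:-1}"              # 1 = print commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_bypass_bridge() {
    # 1. Bridge with an address: firejail assigns the sandbox an address from this
    #    subnet and uses the bridge address as the sandbox's default gateway.
    run ip link add "$BRIDGE" type bridge
    run ip addr add "$BR_ADDR" dev "$BRIDGE"
    run ip link set "$BRIDGE" up
    #    Stop NetworkManager from reconfiguring or tearing down the bridge.
    run nmcli device set "$BRIDGE" managed no

    # 2. Policy routing: traffic sourced from the bridge subnet consults a table
    #    whose only default route leaves via the physical uplink. The VPN's
    #    0.0.0.0/1 and 128.0.0.0/1 routes live in the main table and are never
    #    consulted for these packets, so jails launched after the VPN comes up
    #    still reach the Internet directly.
    run ip route add default via "$GATEWAY" dev "$UPLINK" table "$TABLE"
    run ip rule add from "$BR_NET" lookup "$TABLE" priority 100
    #    Loose reverse-path filtering on the uplink, so replies are not dropped
    #    because the main table would route their source through the tunnel.
    run sysctl -w "net.ipv4.conf.$UPLINK.rp_filter=2"

    # 3. Forwarding and NAT for the private bridge subnet, restricted to the uplink.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$BR_NET" -o "$UPLINK" -j MASQUERADE
    run iptables -A FORWARD -i "$BRIDGE" -o "$UPLINK" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    #    Fail closed: if the policy rule is ever missing, bridge traffic must not
    #    silently fall into the tunnel (nor must the tunnel be used for the jails).
    run iptables -A FORWARD -i "$BRIDGE" -o tun+ -j DROP
}

teardown_bypass_bridge() {
    # Reverse of setup, in dependency order; errors on already-removed rules are ignored.
    run iptables -D FORWARD -i "$BRIDGE" -o tun+ -j DROP || true
    run iptables -D FORWARD -i "$UPLINK" -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT || true
    run iptables -D FORWARD -i "$BRIDGE" -o "$UPLINK" -j ACCEPT || true
    run iptables -t nat -D POSTROUTING -s "$BR_NET" -o "$UPLINK" -j MASQUERADE || true
    run ip rule del from "$BR_NET" lookup "$TABLE" priority 100 || true
    run ip route flush table "$TABLE" || true
    run ip link del "$BRIDGE" || true
}

case "${1:-}" in
    apply)  DRY_RUN=0; setup_bypass_bridge ;;
    remove) DRY_RUN=0; teardown_bypass_bridge ;;
    *)      ;;  # no argument: define functions only (dry-run output via setup_bypass_bridge)
esac
```

After `apply`, a sandbox started with `firejail --net=br0 <program>` gets an address in 10.10.10.0/24 and a default gateway of 10.10.10.1, and its traffic leaves through enp10s0 whether or not the systemwide VPN is up; processes outside the jail keep using the tunnel. The `from 10.10.10.0/24` rule is what scopes the bypass: only packets sourced from the bridge subnet skip the main table, so the rest of the host is unaffected, and anything running in such a jail is, by design, not protected by the VPN.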