Use https://github.com/planetoryd/nsproxy instead
identity isolation because environ-variable based proxying is not safe for that.
- set your firewall to allow
10.27.0.0/16
- install the following, make them available in $PATH
- for building
libnftnl
libmnl
- Configure a few persistent Network Namespaces
- Watch for new flatpak processes and configure Network Namespaces for them
Network namespace is more secure than netfilter-only approaches. When netns-proxy stops/crashes, or before it configures your app, the internet is disconnected in the netns.
The default profile (like the "base_p": {}
below) configures the associated NetNSes to be proxied by a socks5 proxy listening on host_ip:9909
. Typically you can set your proxy to listen on 0.0.0.0:9909
, and secure it with a firewall.
Notice: You need set flatpak applications to have Network
disabled, in Flatseal, in order to use this tool. Netns-proxy would try to disable it.
start it under a working directory with secret.json
and netnsp.json
(optionally) present.
{
"params": {
"base_p": {},
"proxy-a": {
"cmd": {
"program": "gost",
"argv": [
"-L=socks5://localhost:1080",
"-F=socks5://$ip_vh:9909",
"-F=socks5://user:pass@ip:port"
]
},
"chain": true
}
},
"flatpak": {
"io.github.NhekoReborn.Nheko": "base_p"
}
}
example secret.json
.
- It configures two profiles, and they will be instantiated as persistent NetNSes if you run
netnsp-main --pre
. - It matches flatpak process with app ID as they start, which you can see by
flatpak list
orflatpak ps
, and applies the profiles.
cargo b
./initial.sh # set capabilities
./setsuid.sh # run this every build
netnsp-main # starts the flatpak watcher, only
netnsp-main --pre # configures the persistent namespaces, and starts the flatpak watcher
netnsp-main exec --ns base_p # enter a shell in netns.
netnsp-main exec --ns base_p --cmd bash # specify the command to execute
with netns-main exec --ns target_ns
it can start a process with everything unchanged but netns.
sudo
with ip netns exec
would mess up a lot of things.
- use opensnitch firewall as the second layer of defense, in case you do anything wrong, like launching an app outside netns.
- enter netns with
netnsp-main exec --ns base_p
- run
./start-mullvad-browser.desktop -p
and create your profiles, name them,i2p
andbase_p
- use
./start-mullvad-browser.desktop -p base_p
next time
using the tarball of mullvadbrowser seems better than other packagings, for now.
you probably need application state isolation, for different identities.
so that, for example, IPFS does not use the same peerID with and without VPN. that achieves anonymity, even though IPFS has no anonymity whatever.
It's possible to have network namespaces recursively, but directly running this script would run into file name conflicts. You need some kind of filesystem sandbox, or modify the script to use a different directory.