Great write-up, I’ve been looking for something like this. I’ve heard of vopono and eznetns before but not namespaced-openvpn, and this is the first post I’ve seen where somebody details how they use a tool like this, so thanks! I’ll have to try setting it up some time.
Yeah, you don’t have to dig very deep to find out how insecure our networks are. Mac addresses can be spoofed, ports can be scanned, TCP numbers can be guessed, etc…
From a privacy standpoint I don’t think it would make a big difference over not using a VPN at all. It will take a bit of time but your new IP will become associated with your identity. From the perspective of Facebook and Google, it will just look like you moved and are living inside a datacenter now.
That sounds very cool, I’ve been interesting in network namespaces but it’s hard to find information on how to use them. How did you do it?
If exposing hostnames and IP addresses is dangerous
It’s not necessarily dangerous, but it’s a major privacy issue. Hiding your browsing history from other people (except for the VPN provider) is one of the main reasons why people get a commercial VPN in the first place. And this vulnerability mainly concerns those users.
I added clarification that the HTTPS part is assuming that the attacker has already performed the DHCP attack. Thanks for the note!
The DHCP race is one part I didn’t go into detail about since I’m not very familiar with the details, but what you wrote makes sense. One potential danger is a hacker at a coffee shop, where the shop owner is unlikely to be monitoring the network, and there are going to be many new connections coming in all the time. It’s still an unlikely scenario, but it also isn’t a particularly difficult attack.
No offense taken, on the contrary thanks for the constructive criticism! I’ll add some more details to my repo to make things more clear.
Yeah, it does come down to threat model and preference. If you only need to route specific apps, Gluetun sounds like a great solution.
how would you not use DHCP when connecting to coffee shop wifi?
How do you route all a host system’s traffic through Gluetun? If you use routing tables, wouldn’t it similarly be affected by TunnelVision? In which case you would still need a firewall on the host…
Also, the host system likely makes network requests right after boot, before a Gluetun container has time to start. How do you make sure those don’t leak?
I am curious though, how you were able to route all host traffic through Gluetun. I know it can be used as a http/socks proxy, but I only know of ways to configure your browser to use that. What about other applications and system-level services? What about other kinds of traffic, like ssh?
I’m no network security expert, so I mainly followed Mullvad VPN for my implementation. I looked at the nftables rules that official Mullvad linux client uses, and also their document here: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md.
Though if you have any alternatives for vanilla wireguard users like me, I’ll gladly switch. I know somebody mentioned Gluetun but I thought that was for docker only. Do you know of any others?
Isn’t gluetun for docker? Are there people running it on the host system?
So it’s really that simple…I can see why there are security issues 😅