
xabadak

@xabadak@lemmings.world


xabadak, to Technology in Novel attack against virtually all VPN apps neuters their entire purpose

No worries, and thanks for providing a response nonetheless. I'll look into your suggestion when I have the time. The official WireGuard website also had some guide on network namespaces here, but afaik it didn't explain how to set it up persistently.

xabadak OP, to Privacy in addressing misconceptions about the recent TunnelVision vulnerability

So it's really that simple...I can see why there are security issues 😅

xabadak OP, to Privacy in addressing misconceptions about the recent TunnelVision vulnerability

Great write-up, I've been looking for something like this. I've heard of vopono and eznetns before but not namespaced-openvpn, and this is the first post I've seen where somebody details how they use a tool like this, so thanks! I'll have to try setting it up some time.

xabadak OP, to Privacy in addressing misconceptions about the recent TunnelVision vulnerability

Yeah, you don't have to dig very deep to find out how insecure our networks are. MAC addresses can be spoofed, ports can be scanned, TCP numbers can be guessed, etc...

xabadak, to Privacy in Does self-hosted VPN make sense?

From a privacy standpoint I don't think it would make a big difference over not using a VPN at all. It will take a bit of time but your new IP will become associated with your identity. From the perspective of Facebook and Google, it will just look like you moved and are living inside a datacenter now.

xabadak OP, to Privacy in addressing misconceptions about the recent TunnelVision vulnerability

That sounds very cool, I've been interested in network namespaces but it's hard to find information on how to use them. How did you do it?

xabadak OP, to Privacy in addressing misconceptions about the recent TunnelVision vulnerability

If exposing hostnames and IP addresses is dangerous

It's not necessarily dangerous, but it's a major privacy issue. Hiding your browsing history from other people (except for the VPN provider) is one of the main reasons why people get a commercial VPN in the first place. And this vulnerability mainly concerns those users.

xabadak OP (edited), to Privacy in addressing misconceptions about the recent TunnelVision vulnerability

I added clarification that the HTTPS part is assuming that the attacker has already performed the DHCP attack. Thanks for the note!

The DHCP race is one part I didn't go into detail about since I'm not very familiar with the details, but what you wrote makes sense. One potential danger is a hacker at a coffee shop, where the shop owner is unlikely to be monitoring the network, and there are going to be many new connections coming in all the time. It's still an unlikely scenario, but it also isn't a particularly difficult attack.

xabadak OP, to Privacy in sharing my simple wireguard kill-switch for Linux

No offense taken, on the contrary thanks for the constructive criticism! I'll add some more details to my repo to make things more clear.

xabadak OP, to Privacy in sharing my simple wireguard kill-switch for Linux

Yeah, it does come down to threat model and preference. If you only need to route specific apps, Gluetun sounds like a great solution.

xabadak, to Technology in Novel attack against virtually all VPN apps neuters their entire purpose

It all depends on how much you trust the devices on your LAN. So your ISP can't do anything unless they own and control your router, since that is on your LAN. So one concern might be if you connect your PC to coffee shop wifi, since all other devices in the shop are on the same LAN, not to mention the coffee shop owns the wifi router and can also perform the attack. Another concern might be if a family member in your house has a device that got hacked, then all devices in your house are vulnerable.

xabadak, to Technology in Novel attack against virtually all VPN apps neuters their entire purpose

Do you know how to make it so all the host's traffic is sent through the VPN namespace? I couldn't figure out how to do this, so I ended up just writing my own firewall. Network namespaces seem like a better solution.

xabadak, to Technology in Novel attack against virtually all VPN apps neuters their entire purpose

I saw that, but unfortunately it doesn't detail how to set it up persistently on every boot. And I also haven't seen anybody using this method, probably because of the lack of tooling around it. For example, afaik the official Mullvad client on Linux just uses a firewall.

xabadak OP (edited), to Privacy in sharing my simple wireguard kill-switch for Linux

How do you route all a host system's traffic through Gluetun? If you use routing tables, wouldn't it similarly be affected by TunnelVision? In which case you would still need a firewall on the host...

Also, the host system likely makes network requests right after boot, before a Gluetun container has time to start. How do you make sure those don't leak?

I am curious though, how you were able to route all host traffic through Gluetun. I know it can be used as an HTTP/SOCKS proxy, but I only know of ways to configure your browser to use that. What about other applications and system-level services? What about other kinds of traffic, like SSH?

xabadak OP, to Privacy in sharing my simple wireguard kill-switch for Linux

I'm no network security expert, so I mainly followed Mullvad VPN for my implementation. I looked at the nftables rules that the official Mullvad Linux client uses, and also their document here: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md.

Though if you have any alternatives for vanilla WireGuard users like me, I'll gladly switch. I know somebody mentioned Gluetun, but I thought that was for Docker only. Do you know of any others?
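To make the firewall approach discussed in this thread concrete, here is a minimal nftables kill-switch of the kind the poster describes (an added illustration, not the poster's repo and not Mullvad's ruleset). It assumes the tunnel interface is named wg0 and uses a placeholder server address and port; replace both with your own endpoint. The idea is that only traffic leaving through wg0, plus the encrypted handshake/transport to the endpoint itself and the DHCP exchange needed to bring the physical link up, is ever allowed out. A route injected via DHCP option 121 (the TunnelVision technique) would steer packets onto the physical interface, where this output policy drops them instead of letting them leak in cleartext.

```nft
#!/usr/sbin/nft -f
# Added example kill-switch ruleset; names below are assumptions, not from the thread.
# VPN_ENDPOINT is a documentation-range placeholder: set it to your server's address.
define VPN_ENDPOINT = 203.0.113.10
define VPN_PORT     = 51820
define WG_IF        = "wg0"

flush ruleset

table inet killswitch {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept                                  # local services
        iifname $WG_IF accept                          # anything arriving inside the tunnel
        ct state established,related accept            # replies to the flows allowed below
        udp sport 67 udp dport 68 accept               # DHCP offers/acks so the link can get a lease
        ct state invalid drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # this host is not a router
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept                                  # local services
        oifname $WG_IF accept                          # plaintext goes only into the tunnel
        udp sport 68 udp dport 67 accept               # DHCP discover/request on the physical link
        ip daddr $VPN_ENDPOINT udp dport $VPN_PORT accept   # the encrypted WireGuard transport itself
        # Everything else, including traffic steered onto the physical
        # interface by an injected route, is dropped by the chain policy.
    }
}
```

Load it with `nft -f` and, to address the boot-time window raised above, have it applied by nftables.service (or an equivalent that runs before the network comes up) rather than by a script that starts after the tunnel. Note that the endpoint rule matches on the IP address rather than a hostname, so the WireGuard endpoint should be configured as an address here; resolving a hostname before the tunnel exists would itself need a DNS exception.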
