Avatar

xabadak

xabadak@lemmings.world
Joined
3 posts • 26 comments
Direct message

Using untrusted networks is quite common, like coffee shop wifi or airport wifi.

permalink
report
parent
reply

what features are you talking about?

permalink
report
parent
reply

I’m no network security expert, so I mainly followed Mullvad VPN for my implementation. I looked at the nftables rules that official Mullvad linux client uses, and also their document here: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md.

Though if you have any alternatives for vanilla wireguard users like me, I’ll gladly switch. I know somebody mentioned Gluetun but I thought that was for docker only. Do you know of any others?

permalink
report
parent
reply

Isn’t gluetun for docker? Are there people running it on the host system?

permalink
report
parent
reply

Actually my firewall is persistent, just like many of the other good VPN clients, so “kill switch” is a bit of a misnomer. Which is why I called it wg-lockdown, named after Mullvad’s lockdown mode. Persistent firewalls are effective, they just add a very tiny side-channel, as discussed in the link in my post. I just used the terms “kill switch” in my post because that’s what many other people use.

Though the point about the LAN is a good point, I didn’t consider that. I added LAN access because without it, the firewall was interfering with the networking of my docker container and virtual machines, which use local subnets. Even the official Mullvad client has issues with this. What do you recommend in this case? Manually whitelist the local subnets used by docker and my other virtual networks?

Edit: actually upon reading Mullvad’s statement on TunnelVision, I realized that my firewall is still effective because it only allows traffic directed to LAN IP’s to bypass the VPN. So regular internet traffic will be blocked if the attacker tries to redirect it to the LAN. I’m glad I used Mullvad as a reference implementation 😅

permalink
report
parent
reply

I thought TunnelVision applies to all VPN users that don’t use firewall / network namespaces

permalink
report
parent
reply