From f034f18af3b3c8df827d2ff4bb68eca5dcc8287b Mon Sep 17 00:00:00 2001 From: plein <68096727+planetoryd@users.noreply.github.com> Date: Mon, 26 Jun 2023 14:54:31 +0800 Subject: [PATCH] readme --- initial.sh | 3 +- readme.md | 141 ++++++++++++++++------------------------------------- 2 files changed, 43 insertions(+), 101 deletions(-) diff --git a/initial.sh b/initial.sh index 130183c..b7d412f 100755 --- a/initial.sh +++ b/initial.sh @@ -2,5 +2,4 @@ setcap 'cap_net_bind_service=ep' $(which dnsproxy) setcap -v 'cap_net_bind_service=ep' $(which dnsproxy) # -v does not change caps. setcap 'cap_net_bind_service=ep' $(which tun2socks) -setcap -v 'cap_net_bind_service=ep' $(which tun2socks) -# echo 1 > /proc/sys/net/ipv4/ip_forward \ No newline at end of file +setcap -v 'cap_net_bind_service=ep' $(which tun2socks) \ No newline at end of file diff --git a/readme.md b/readme.md index 78009d7..5b51434 100644 --- a/readme.md +++ b/readme.md @@ -1,93 +1,63 @@ -# netns-based selective proxying, identity isolation +# Netns-based selective proxying, for identity isolation -> Automated configuration script written in Rust, because Bash sucks. - -aka - -- Netns with default gateways to VPNs -- VPN without making it the default gateway - -it configures a few network namespaces i need, and starts `tun2socks` in some of them to turn socks proxies into VPNs. -`dnsproxy` is chosen and used in every netns. `gost` for chaining proxies, although it is be possible with nftables. - -do: - -- set your firewall to allow 10.0.0.0/8 -- read the code +- set your firewall to allow `10.27.0.0/16` - install the following, make them available in $PATH - [tun2socks](https://github.com/xjasonlyu/tun2socks) - - [dnsproxy](https://github.com/AdguardTeam/dnsproxy) + - [dnsproxy](https://github.com/AdguardTeam/dnsproxy) - for building - - libnftnl - - libmnl - -why: - -- everything is in foreground, at your will -- netns is lightweight -- ability to do everything, to be as root, while being and only being proxied (no further sandboxing by itself) - - so this is not a particular sandbox for specific flatpak-apps - - so you can do package updates -- everything JUST works, the execution environment is untampered. -- it's hard to do this safely with only nftables (as far as I know. the interfaces go down and traffic may leak) - -## usage - -```bash -cargo b -./initial.sh # set capabilities -./setsuid.sh # run this every build -netnsp-main # configures the OS, and supervises the daemons. run it under the project root directory -netnsp-main exec --ns base_p # enter a shell in netns. -``` - -with `netns-main exec --ns target_ns` it can start a process with everything unchanged but netns + - `libnftnl` + - `libmnl` -minimally obtrusive, while `sudo` messes with a lot of things +## features -by default it starts `fish` +1. Configure a few persistent Network Namespaces +2. Watch for new flatpak processes and configure Network Namespaces for them -## available NetNSes +Network namespace is more secure than netfilter-only approaches. -1. `base_p`, configured for the base proxy. intended to be a basis, crossing firewalls - - you need a socks5 proxy in the root namespace, listening on `0.0.0.0:9909` -2. `clean_ip1` and `clean_ipv6`, for second-hops, as vpn exits tend to be ip-blacklisted - - configure [secret.json](./secret.json) -3. (todo) `i2p`, netns that can only access i2p -4. (todo) `lokins` - -example `secret.json` +## usage -- Create a persistent netns named `test` with proxied internet. +start it under a working directory with `secret.json` and `netnsp.json` (optionally) present. ```json { "params": { - "test": {} + "base_p": {}, + "proxy-a": { + "cmd": { + "program": "gost", + "argv": [ + "-L=socks5://localhost:1080", + "-F=socks5://$ip_vh:9909", + "-F=socks5://user:pass@ip:port" + ] + }, + "chain": true + } + }, + "flatpak": { + "io.github.NhekoReborn.Nheko": "base_p" } } ``` -- `netnsp-main` may be run repeatedly without issues. - - in case of altered OS config state, try to reboot, or manually remove the NetNSes and `netnsp-main stop` to kill orphan processes - -## security - -- when configuring, it stores the inode number of root netns in netns.json -- when `exec`-ing, it checks if current netns matches the recorded inode number -- if it matches, the process is in the root netns, it proceeds to enter the desired netns - -## use with Flatpak - -> It's possible to use it with Flatpaks, since it is maximally non-obtrusive anyway. -> -> I'm not sure about the security implications. +example `secret.json` ```bash +cargo b +./initial.sh # set capabilities +./setsuid.sh # run this every build +netnsp-main # starts the flatpak watcher, only +netnsp-main --pre # configures the persistent namespaces, and starts the flatpak watcher netnsp-main exec --ns base_p # enter a shell in netns. -flatpak run tld.app.some +netnsp-main exec --ns base_p --cmd bash # specify the command to execute ``` +with `netns-main exec --ns target_ns` it can start a process with everything unchanged but netns. +`sudo` with `ip netns exec` would mess up a lot of things. + +- use [opensnitch firewall](https://github.com/evilsocket/opensnitch) as the second layer of defense, in case you do anything wrong, like launching an app outside netns. + ## use with mullvad-browser 0. enter netns with `netnsp-main exec --ns base_p` @@ -96,40 +66,13 @@ flatpak run tld.app.some using the tarball of mullvadbrowser seems better than other packagings, for now. -options - -1. run mullvad-browser in `base_p` and use proxy container addon for second-hop - - this is subject to random webrtc leaks and such. anyway more defenses against shitcode the better -2. run browser in `clean_ip1` - - -## alternatives - -- Application configured with proxies through environment variables - - insecure, prone to misconfiguration and DNS leaks, catastrophic to anonymity -- Netfilter, firewalls - - manual iptables fwmark + tun2socks, works but needs careful hardening - - (kinda planned) opensnitch https://github.com/evilsocket/opensnitch/issues/437 - - portmaster, which doesnt meet my needs, https://github.com/safing/portmaster/issues/1153 -- if only firejail supports specifying TUNs https://github.com/netblue30/firejail/issues/1814 -- if only flatpak/bubblewrap supports NetNSes - - https://github.com/flatpak/flatpak/issues/1202 - - https://github.com/containers/bubblewrap/issues/361 -- LXC. for me, netns is enough, and sandboxing is better done by other tooling. - -## tip - -- use [opensnitch firewall](https://github.com/evilsocket/opensnitch) as the second layer of defense, in case you do anything wrong, like launching an app outside netns. - ## random -- https://github.com/nixpak/nixpak -- https://sr.ht/~fgaz/nix-bubblewrap/ - you probably need application state isolation, for different identities. -so that, for example, IPFS does not use the same peerID with and without VPN. +so that, for example, IPFS does not use the same peerID with and without VPN. that achieves anonymity, even though IPFS has no anonymity whatever. -that achieves anonymity, even though IPFS has no anonymity whatever. +It's possible to have network namespaces recursively, but directly running this script would run into file name conflicts. You need some kind of filesystem sandbox, or modify the script to use a different directory. -It's possible to have network namespaces recursively, but directly running this script would run into file name conflicts. You need some kind of filesystem sandbox, or modify the script to use a different directory. \ No newline at end of file +- https://github.com/nixpak/nixpak +- https://sr.ht/~fgaz/nix-bubblewrap/