Use https://github.com/planetoryd/nsproxy instead.

netns-proxy puts each application in its own network namespace, for identity isolation. Environment-variable based proxying (`http_proxy`, `ALL_PROXY` and the like) is not safe for that purpose: any program or library that ignores the variable talks to the network directly.
- set your firewall to allow `10.27.0.0/16`, the range the namespaces use to reach the host
- install the following, and make them available in `$PATH`:
  - for building: `libnftnl`, `libmnl` (development packages)
- Configures a few persistent network namespaces
- Watches for new Flatpak processes and configures network namespaces for them
A network namespace is more secure than a netfilter-only approach because it fails closed: while netns-proxy is stopped or has crashed, and before it has configured your app, the namespace has no path to the internet at all.
The default profile (`"base_p": {}` in the example below) configures the associated namespaces to be proxied through a SOCKS5 proxy listening on `host_ip:9909`. Typically you let your proxy listen on `0.0.0.0:9909` and restrict who can reach it with a firewall.
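The two firewall requirements above (allow `10.27.0.0/16`, and restrict access to the listener on `0.0.0.0:9909`) can be met with one dedicated nftables table. The script below is an added example, not code from netns-proxy. It assumes (the README does not say so) that the namespaces' veth addresses are in `10.27.0.0/16` and that the proxy listens on port 9909; change `NS_NET` and `PROXY_PORT` if your setup differs.

```shell
#!/bin/sh
# Added example, not part of netns-proxy: an nftables table that lets the
# namespaces reach only the SOCKS5 listener on the host, and nothing else.
# Assumptions (not stated by the README): the namespaces' veth addresses are
# in 10.27.0.0/16 (the range the README tells you to allow) and the proxy
# listens on 0.0.0.0:9909.
NS_NET="10.27.0.0/16"
PROXY_PORT=9909

# netnsp_ruleset prints the ruleset. It lives in its own table so it composes
# with whatever firewall you already run. nft evaluates every table's base
# chains, so an "accept" here only finishes this chain: your main firewall
# must still allow $NS_NET -> tcp/$PROXY_PORT, which is the README's
# "set your firewall to allow 10.27.0.0/16" step. A "drop" is final.
netnsp_ruleset() {
    cat <<EOF
table inet netnsp
flush table inet netnsp
table inet netnsp {
    chain input {
        type filter hook input priority -10; policy accept;
        iifname "lo" accept
        # the only thing a namespace may talk to on the host is the proxy
        ip saddr $NS_NET tcp dport $PROXY_PORT accept
        ip saddr $NS_NET counter drop comment "netns to host other than proxy"
        # the proxy is not reachable from any other network
        tcp dport $PROXY_PORT counter drop comment "proxy port from outside"
    }
    chain forward {
        type filter hook forward priority -10; policy accept;
        # never route namespace traffic anywhere: the proxy is the only exit,
        # so even a stray default route inside a namespace goes nowhere
        ip saddr $NS_NET counter drop comment "netns direct egress"
        ip daddr $NS_NET counter drop comment "inbound to netns"
    }
}
EOF
}

# rule_count prints how many accept/drop rules the ruleset carries, as a
# cheap self-check before applying it.
rule_count() {
    netnsp_ruleset | grep -c -E '(accept|drop)$|comment "'
}

case "${1:-}" in
    --show)  netnsp_ruleset ;;
    --apply) netnsp_ruleset | nft -f - ;;   # needs root
esac
```

Run it with `--show` to review the rules and `--apply` (as root) to load them. The input chain also drops DNS from the namespaces to the host, which is intended: name resolution should go through the SOCKS5 proxy. If an app genuinely needs the host resolver, add a `udp dport 53` rule for `$NS_NET` deliberately rather than loosening the drop. The rules match IPv4 only; if your namespaces also get routable IPv6 addresses, add the corresponding `ip6 saddr` rules.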
Notice: you need to disable Network for the Flatpak applications in Flatseal in order to use this tool; netns-proxy also tries to disable it itself.
Start it in a working directory containing `secret.json` and, optionally, `netnsp.json`.
Example `secret.json`:

```json
{
  "params": {
    "base_p": {},
    "proxy-a": {
      "cmd": {
        "program": "gost",
        "argv": [
          "-L=socks5://localhost:1080",
          "-F=socks5://$ip_vh:9909",
          "-F=socks5://user:pass@ip:port"
        ]
      },
      "chain": true
    }
  },
  "flatpak": {
    "io.github.NhekoReborn.Nheko": "base_p"
  }
}
```
- It configures two profiles, which are instantiated as persistent network namespaces when you run `netnsp-main --pre`.
- It matches Flatpak processes by app ID as they start (the IDs are shown by `flatpak list` or `flatpak ps`) and applies the profiles.
```sh
cargo b
./initial.sh                              # set capabilities
./setsuid.sh                              # run this after every build
netnsp-main                               # starts the flatpak watcher only
netnsp-main --pre                         # configures the persistent namespaces, then starts the flatpak watcher
netnsp-main exec --ns base_p              # enter a shell in the netns
netnsp-main exec --ns base_p --cmd bash   # specify the command to execute
```
`netnsp-main exec --ns target_ns` starts a process with everything unchanged except the network namespace: same user, environment and mounts. `sudo` with `ip netns exec` would mess up a lot of things: the process runs as root with a reset environment, and `ip netns exec` additionally enters a new mount namespace and bind-mounts `/etc/netns/<name>/` over `/etc`, so a desktop app ends up with the wrong user, `$DISPLAY` and `XDG_RUNTIME_DIR`.
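Because `netnsp-main exec --ns base_p` gives you a shell inside the namespace with nothing else changed, it is the natural place to verify that the namespace really reaches only the proxy. The script below is an added example, not code from netns-proxy. It assumes (the README does not say so) that the namespace's veth address is in `10.27.0.0/16` and that the proxy is reachable at the host-side veth address (the config's `$ip_vh`) on port 9909; set `PROXY_ADDR` to match your setup. The sample `ip` output it ships with is constructed.

```shell
#!/bin/sh
# Added example, not part of netns-proxy: a leak check to run from inside a
# namespace, e.g.  netnsp-main exec --ns base_p --cmd "sh leakcheck.sh --run"
# Assumptions (not stated by the README): the namespace's veth address is in
# 10.27.0.0/16 and the proxy is reachable at the host-side veth address
# (the config's $ip_vh) on port 9909. Override PROXY_ADDR for your setup.
NS_PREFIX="10.27."
PROXY_ADDR="${PROXY_ADDR:-10.27.0.1:9909}"   # assumed host-side address:port

# routes_ok ROUTES: ROUTES is the output of `ip -o route`. Succeeds only if
# there is no default route and every IPv4 route stays inside the veth subnet.
# A default route is a finding by design: with one, the only thing between the
# app and the internet is the host firewall, and the point of the namespace
# is not to depend on that.
routes_ok() {
    printf '%s\n' "$1" | awk -v p="$NS_PREFIX" '
        BEGIN { bad = 0 }
        NF == 0 { next }
        $1 == "default" { bad = 1 }
        $1 != "default" && index($1, p) != 1 { bad = 1 }
        END { exit bad }'
}

# no_default6 ROUTES6: ROUTES6 is the output of `ip -o -6 route`. Link-local
# fe80::/64 is fine; a default route is an IPv6 bypass of the proxy.
no_default6() {
    ! printf '%s\n' "$1" | grep -q '^default'
}

# links_ok LINKS: LINKS is the output of `ip -o link`. Succeeds only if the
# namespace has exactly one interface besides lo, the veth to the host. Any
# extra device (a NIC moved in, a wg/tun interface) is a second way out.
links_ok() {
    n=$(printf '%s\n' "$1" | awk '
        NF { sub(/@.*/, "", $2); sub(/:$/, "", $2); if ($2 != "lo") c++ }
        END { print c + 0 }')
    [ "$n" -eq 1 ]
}

# Constructed samples of the commands' output, used by self_test below.
SAMPLE_ROUTES_OK="10.27.3.0/24 dev veth0 proto kernel scope link src 10.27.3.2"
SAMPLE_ROUTES_LEAK="default via 10.27.3.1 dev veth0
10.27.3.0/24 dev veth0 proto kernel scope link src 10.27.3.2"
SAMPLE_ROUTES6_OK="fe80::/64 dev veth0 proto kernel metric 256 pref medium"
SAMPLE_ROUTES6_LEAK="default via fe80::1 dev veth0 metric 1024 pref medium"
SAMPLE_LINKS_OK="1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: veth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP"
SAMPLE_LINKS_LEAK="$SAMPLE_LINKS_OK
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP"

# self_test: the parsers must pass the clean samples and flag the leaky ones.
self_test() {
    routes_ok "$SAMPLE_ROUTES_OK" || return 1
    routes_ok "$SAMPLE_ROUTES_LEAK" && return 1
    no_default6 "$SAMPLE_ROUTES6_OK" || return 1
    no_default6 "$SAMPLE_ROUTES6_LEAK" && return 1
    links_ok "$SAMPLE_LINKS_OK" || return 1
    links_ok "$SAMPLE_LINKS_LEAK" && return 1
    return 0
}

# Live run, inside the namespace. Also probes the proxy port and a direct
# connection to a public address (1.1.1.1:443, chosen here as a constructed
# target); the direct one must fail.
if [ "${1:-}" = "--run" ]; then
    ok=1
    routes_ok "$(ip -o route)"      || { echo "FAIL: default route or route outside $NS_PREFIX"; ok=0; }
    no_default6 "$(ip -o -6 route)" || { echo "FAIL: IPv6 default route"; ok=0; }
    links_ok "$(ip -o link)"        || { echo "FAIL: more than one non-lo interface"; ok=0; }
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 2 "${PROXY_ADDR%:*}" "${PROXY_ADDR##*:}" || { echo "FAIL: proxy $PROXY_ADDR not reachable"; ok=0; }
        nc -z -w 2 1.1.1.1 443 && { echo "FAIL: direct egress works, namespace is not isolated"; ok=0; }
    fi
    [ "$ok" -eq 1 ] && echo "OK: namespace reaches only the proxy"
    exit $((1 - ok))
fi
```

Run it once after `netnsp-main --pre` and again after netns-proxy has configured a Flatpak app; the second run is the one that matters, since that is when routes are added. If the direct probe ever succeeds, something other than the proxy has a path out of the namespace, and the opensnitch layer mentioned below is all that is left.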
- use the opensnitch firewall as a second layer of defense, in case you do anything wrong, like launching an app outside the netns.
- enter the netns with `netnsp-main exec --ns base_p`
- run `./start-mullvad-browser.desktop -p` and create your profiles, named after the namespaces, e.g. `i2p` and `base_p`
- use `./start-mullvad-browser.desktop -p base_p` next time
Using the tarball of Mullvad Browser seems better than other packagings, for now.

You probably also need application state isolation for your different identities, so that, for example, IPFS does not use the same peer ID with and without the VPN. Keeping the state apart is what makes the identities unlinkable, even though IPFS itself provides no anonymity whatsoever.
It is possible to nest network namespaces, but running this script directly inside one runs into file-name conflicts. You need some kind of filesystem sandbox, or modify the script to use a different directory.