this post was submitted on 09 May 2024
69 points (98.6% liked)

Linux

48062 readers
701 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won't need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I'm a noob and I couldn't find any scripts or tools to do it that way.

you are viewing a single comment's thread
view the rest of the comments
[–] taladar@sh.itjust.works -2 points 6 months ago (1 children)

It does matter if people now advocate to routinely disable useful features by default because they are a problem for their particular use case.

[–] xabadak@lemmings.world 2 points 6 months ago (1 children)

what features are you talking about?

[–] taladar@sh.itjust.works 1 points 6 months ago (1 children)

The ability to set static routes via DHCP server or for that matter the ability to remote boot systems via DHCP server which has similar problems if you can't trust the DHCP server.

[–] xabadak@lemmings.world 1 points 6 months ago

I see what you mean now. I wouldn't advocate for people to disable DHCP features either. It should be the VPN provider's responsibility to provide a proper VPN client that mitigates attacks like these.