• About 'forced' VPNs

    From Dacav Doe@dacav@tilde.institute to tilde.projects on Thu Apr 30 09:14:48 2020
    I'd like to share some information about a little thing I'm currently working with in my spare time. I mentioned it briefly on another thread of this newsgroup, but here I'm delving a bit more into details.

    == Problem description ==

    I recently subscribed to a VPN service, so I can reach a number of servers and establish a tunnel (e.g. with openvpn). This connection tunnel is however system-wide, and I like the idea of splitting my various online activity into different "personas" that I can use simultaneously.

    For example, I'd like to systematically connect to $ONLINE_SITE[0] from Germany, while all connections to $ONLINE_SITE[1] should pass by Japan.
    I'd like however to use the default gateway to reach $TRUSTED_MACHINE, since it's way faster to reach it without a VPN in the way. And finally, if I start up TOR, it should not pass through the VPN, or TOR-browsing would be extra slow!

    I want to do this with as little manual work as I can get away with, because manual set-ups are likely to be wrong, besides being boring.

    == Relevant technical information ==

    - It is technically feasible to run a number of VPN tunnels simultaneously. Their configuration would conflict some, due to default gateway allocation, but the gateway setting can always be rejected.

    - Some programs such as curl allow specifying what network interface should be used for the connection (curl --interface tun0). Doing so explicitly forces the TCP connection through the VPN, regardless of the default gateway setting.

    - The previous point does not apply to all applications, or at least not consistently. For example, I would expect firefox to have a --interface flag, and I don't really want to seek in the (sarcastic quotes) "documentation" how to do it.

    - Let's focus on Linux for now: Linux has namespaces (which is what containers use to present an isolated view of the system). Network namespaces, in particular, allow a group of processes to have their local copy of the network stack, inclusive of routes, firewall rules etc.

    == The idea ==

    I've successfully set up something like this:

    - Set up a network namespace "foo"
    - A veth(4) bridging between "foo" and the "regular" network namespace, assigned with reasonable IP addresses
    - A routing rule in "foo" using the other endpoint of the veth as a default gateway
    - A firewall rule in the regular namespace, defining MASQUERADE from the veth to the tun0 device.

    This setup can be easily done manually, so it's just a matter of automating it into a set of convenience scripts.

    What I gain is that I can kick an instance of firefox in said namespace, and force every connection (inclusive of DNS requests) through this. And maybe, why not, firewalling out all ads networks. ;-)

    A different instance of firefox, handling my second identity on the network, can be kicked in a different namespace, forced into a different VPN tunnel.

    == Question marks ==

    I don't know enough of FreeBSD, but would FreeBSD Jails allow me something like this, maybe?

    What would be the best way to accomplish this with respect to system permissions? The best thing would be to allow the mechanism to work for unprivileged local users.

    == Discussion ==

    Please join this thread!
    --- Synchronet 3.18b-Linux NewsLink 1.113
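The four steps above, written out as one added example script (not the author's own convenience scripts). Assumed names: the namespace and veth names are derived from NAME, the veth ends get 10.200.IDX.1 (host side) and 10.200.IDX.2 (namespace side), the VPN device is whatever openvpn created (e.g. tun0), and DNS_SERVER is the resolver the VPN provides; with DRY_RUN=1 it only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: set up one "persona" network namespace
# whose only path to the Internet is a given VPN tun device, following the
# four steps above (namespace, veth pair, default route, MASQUERADE).
# Assumed names: namespace and veth names derived from NAME, addresses
# 10.200.IDX.1 (host end) and 10.200.IDX.2 (namespace end), VPN device
# e.g. tun0, DNS server the VPN provides. Needs root; DRY_RUN=1 prints the
# commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# persona_up NAME VPN_DEV IDX DNS_SERVER
persona_up() {
    ns=$1; vpn=$2; idx=$3; dns=$4
    host_if="veth-$ns"; ns_if="veth-$ns-ns"
    host_ip="10.200.$idx.1"; ns_ip="10.200.$idx.2"

    # 1. the namespace
    run ip netns add "$ns"
    # 2. veth pair, one end moved into the namespace, both ends addressed
    run ip link add "$host_if" type veth peer name "$ns_if"
    run ip link set "$ns_if" netns "$ns"
    run ip addr add "$host_ip/24" dev "$host_if"
    run ip link set "$host_if" up
    run ip -n "$ns" addr add "$ns_ip/24" dev "$ns_if"
    run ip -n "$ns" link set "$ns_if" up
    run ip -n "$ns" link set lo up
    # 3. inside the namespace the host end of the veth is the only gateway
    run ip -n "$ns" route add default via "$host_ip"
    # 4. the host NATs persona traffic out of the VPN device only; anything
    #    trying to leave through another interface is dropped, so a dead
    #    VPN means no connectivity rather than a leak via the real gateway
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$ns_ip/32" -o "$vpn" -j MASQUERADE
    run iptables -A FORWARD -i "$host_if" -o "$vpn" -j ACCEPT
    run iptables -A FORWARD -i "$vpn" -o "$host_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$host_if" ! -o "$vpn" -j DROP
    # ip netns exec bind-mounts /etc/netns/NAME/resolv.conf over /etc/resolv.conf,
    # so DNS lookups from the persona go to the VPN resolver, not the host's
    run mkdir -p "/etc/netns/$ns"
    run sh -c "printf 'nameserver %s\n' '$dns' > /etc/netns/$ns/resolv.conf"
}

# Example: persona "foo" behind tun0; then start a browser inside it with
#   ip netns exec foo sudo -u "$SUDO_USER" firefox --no-remote -P foo
```

Running a second persona with a different IDX and a different tun device gives the second, simultaneous exit point described in the post; `ip netns exec` itself still needs root, which is the unprivileged-user question left open above.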
  • From James Tomasino@tomasino@cosmic.voyage to tilde.projects on Thu Apr 30 09:39:47 2020
    On 2020-04-30, Dacav Doe <dacav@tilde.institute> wrote:
    > I recently subscribed to a VPN service, so I can reach a number of servers and
    > establish a tunnel (e.g. with openvpn). This connection tunnel is however system-wide, and I like the idea of splitting my various online activity into different "personas" that I can use simultaneously.

    I can't speak for jails or freebsd, but it seems like your goals fit the QubesOS container style well, probably with better protections.
  • From Dacav Doe@dacav@tilde.institute to tilde.projects on Thu Apr 30 09:57:37 2020
    On 2020-04-30, James Tomasino <tomasino@cosmic.voyage> wrote:
    > On 2020-04-30, Dacav Doe <dacav@tilde.institute> wrote:
    >> I recently subscribed to a VPN service, so I can reach a number of servers and
    >> establish a tunnel (e.g. with openvpn). This connection tunnel is however
    >> system-wide, and I like the idea of splitting my various online activity into
    >> different "personas" that I can use simultaneously.
    >
    > I can't speak for jails or freebsd, but it seems like your goals fit the QubesOS container style well, probably with better protections.

    Yes, I know about QubesOS, and it's my intention to try it as soon as my new backup disk is going to be delivered. (I have to do a backup before erasing my drive, as you can guess).

    I suspect that QubesOS is too fat for my poor spare machine ... :-/ this would be a nice middle ground and some interesting experiment.

    Why do you think the protections are better? I'm flattered, but I would expect QubesOS to do a better job than me, as they use virtual machines, which are way more separated. If anything this is more lightweight, but I would think it's a weaker security[*]. Or I might have interpreted your words in reversed fashion.


    [*] - it is actually just for privacy, no additional security, I'd say.
  • From James Tomasino@tomasino@cosmic.voyage to tilde.projects on Thu Apr 30 11:33:50 2020
    On 2020-04-30, Dacav Doe <dacav@tilde.institute> wrote:
    > Why do you think the protections are better? I'm flattered, but I
    > would expect QubesOS to do a better job than me, as they use virtual machines, which are way more separated. If anything this is more lightweight, but I would think it's a weaker security[*]. Or I might have interpreted your words in reversed fashion.

    I meant that I suspect Qubes has better security. There's a lot of
    security minded people on the project that go to great lengths to secure
    those workspaces. I don't know much about jails, but I remember MW
    Lucas's fediverse toots while he was writing his jails book and it
    seemed there were a lot of opportunities to do things wrong or to
    overlook situations that could bring trouble later.

    Some programs are very creative in their attempt to break free of
    constraints and do naughty things. It's a nice goal you have. I hope you
    can make it work!
  • From Dacav Doe@dacav@tilde.institute to tilde.projects on Thu Apr 30 15:09:15 2020
    On 2020-04-30, James Tomasino <tomasino@cosmic.voyage> wrote:
    > I meant that I suspect Qubes has better security. There's a lot of
    > security minded people on the project that go to great lengths to secure those workspaces.

    Then yes, we are on the same page.

    > I don't know much about jails, but I remember MW Lucas's fediverse
    > toots while he was writing his jails book and it seemed there were a
    > lot of opportunities to do things wrong or to overlook situations that
    > could bring trouble later.

    What, in jails or in general? I would be inclined to think in
    general :P

    > Some programs are very creative in their attempt to break free of
    > constraints and do naughty things.

    True. But in reality it depends on the threat model, as they say.
    I would consider some cases, with increasing severity:

    1 - Regular website, possibly privacy invasive (e.g. sell ads), but runs into
    a browser and does not actively try to hack it.

    In this case I reach my goal. The browser will actually manage to reach the
    website, and the site code (both client and server side) can't tell the
    difference.

    The browser would use the default gateway (so the VPN) in normal conditions,
    and would never try to see if more interfaces can be used to route packets.

    I could obtain the same by running a VPN "normally", but I would have to switch
    off and on the VPN for each of my online personas.

    In this scenario, my contraption gives me the possibility of having multiple
    simultaneous browsers, each reaching the Internet from a different exit point.

    2 - Naughty program that wants to "call home", but is otherwise harmless
    (best example would be the old time Skype)

    The goal of this program is to call home, and it will manage to.

    If, for some reason, the program wants to explore more paths to reach the
    Internet (e.g. to reduce phone call latency), it would not be able to do so:
    only one interface is available.

    If I run multiple copies of the same program, they will still be able to
    communicate (e.g. I'm not using IPC namespaces, nor SELinux to prevent that),
    and this could be a source of leaking.

    3 - Malware installed, or malware in a web browser managing to escape the
    browser sandboxing due to bug exploitation.

    In this case we are simply compromised. I should have used a SELinux sandbox,
    or maybe Qubes.

    But here we are talking about security, no longer about privacy. :)

    > It's a nice goal you have. I hope you can make it work!

    Thanks.

    I will definitely keep this ng posted, if there's some interest. Then
    if I reach some point, I might even publish something.

    But I'm just experimenting, for the moment.