dw123 Posted ... (edited)

Hi, My operating system is Antix v.17, 32 bit (a lightweight Debian Stretch based distro, with no systemd). For network managers, I have ceni and wicd. Firefox and Thunderbird are my primary internet applications. The system works very nicely, and will connect directly, or via AirVPN (using Eddie v.2.16.3). It also works well with the Windscribe cli application for Debian Linux.

However, not long ago, I installed firejail (v.0.9.60) and apparmor. My practice is to run Firefox and Thunderbird in separate firejails. However, when either VPN (AirVPN or Windscribe) is active, there is no internet connection to either firejailed program. (Only one instance of Firefox runs at a time, either inside or outside of firejail.) I visited the firejail github support site. Apparently, there are ways to make firejail work with a vpn, but it's a bit confusing to me. I am relatively new to Linux... beginning to find my way around. But I have very limited understanding of network routing and configuration.

I have also experimented with a couple of other openvpn VPN providers (both with Eddie v.2.18.7 and with a direct openvpn connection). One of those services appears to form a tunnel, but the browser (not in firejail) did not find and use the new ip. At this point, I'll stick with AirVPN (and Windscribe, if I really need a server in a country that Air doesn't cover). Can you steer me in the right direction? Your help will be much appreciated!

Edited by dw123 (clarification of title)
dw123 Posted ...

Well... It has been a month, and I am still going in circles, trying to follow networking info found online. (It's all over my head.) Firefox (running outside of firejail) connects directly to AirVPN through Eddie, but not when Firefox is firejailed. I have experimented with bridge and veth pairs, also with ipvlan from a designated netns, but with those, firejailed Firefox fails to connect through eth0, even without the vpn running. (These methods may not function properly on my system.) I am able to connect through eth0, from firejailed Firefox, by using macvlan or macvtap (rather than the default firejail internet connection). However, with macvlan or macvtap, firejailed Firefox does not connect through the vpn, even though I am using the same ip address for eth0 and the eth0 gateway as for a direct connection, and which Eddie says it is using when the vpn is up. Should I direct macvlan / macvtap to tun0 or somewhere else? Or, perhaps macvlan / macvtap cannot be used for this?
OpenSourcerer Posted ...

It's unlikely you will find answers here, it's quite an advanced concept. You should try posting on more specialized forums, since it seems that this problem is not specific to Eddie or OpenVPN with AirVPN in general.

On 3/6/2020 at 5:40 AM, dw123 said:
"I am relatively new to Linux... beginning to find my way around. But I have very limited understanding about network routing and configuration."

By the way, this one here begs the question about why you want to use this. What's the intention, how did you find it?

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.
dw123 Posted ...

giganerd, Thanks for your reply. In answer to your question, I found out about firejail through the forum for my linux distro (https://www.antixforum.com). I have been attempting to understand relevant networking issues through suggested reading offered at the firejail github site.

Let me rephrase my question... Using macvlan or macvtap, I can connect to the internet directly via eth0 (with macvlan set to ip addresses related to eth0). I presume that when Eddie-ui connects to vpn and sets up tun0, it redirects traffic from eth0 through the tunnel. A browser that is running before the vpn tunnel is made loses connection when the vpn is up. A browser that is started after Eddie is up and connected is automatically directed through the vpn. How does Eddie accomplish this redirection? How can I direct an internal lan (with designated ip address), so that Eddie will latch on to it and send it through the vpn?
OpenSourcerer Posted ...

8 hours ago, dw123 said:
"I presume that when Eddie-ui connects to vpn and sets up tun0, it redirects traffic from eth0 through the tunnel."

Nothing is done actively. When OpenVPN connects, the kernel routing table is filled with routes of a lower metric than the already present interfaces, so that packets are preferably routed through the created tun interface, not because a program forces it but simply because of an entry in there. It's important to know that nothing that is entered there is routinely checked to see if it really works. It could be that you have your firejail interfaces there, but a configuration option or even the concept itself doesn't allow connections between the newly created tunX and firejail interfaces.

8 hours ago, dw123 said:
"A browser that is running, before the vpn tunnel is made, loses connection when the vpn is up. A browser, that is started after Eddie is up and connected, is automatically directed through the vpn."

No to the first. HTTP is like "connect, download content, disconnect". If you browse to ipleak.net, you will see your out-of-tunnel IP. Then you connect to AirVPN. When you now browse to IPLeak, you will see the AirVPN server IP. Connect, download content, disconnect. You are right if you talk about established connections, the ones that are periodically kept alive by means of keepalive packets for example, or something like a WebRTC stream or an active download of a file. The moment you connect OpenVPN, most will break down because according to the routing table another route must be used. And since your outside IP changed, a reconnect will be required. Mostly see 1. Be advised, though, that working with OpenVPN on PC does not mean working with applications but with networks, IPs and interfaces. You cannot route one specific app through OpenVPN, only networks and IP addresses.

8 hours ago, dw123 said:
"How does Eddie accomplish this redirection? How can I direct an internal lan (with designated ip address), so that Eddie will latch on to it and send it through the vpn?"

We can treat it as an exercise. Given all of the above, how do you direct an internal LAN (= internal network) through the VPN? (And don't use this concept of "latching on to it" anymore, it's factually wrong, as explained above.)

    $ ip r add (network) via (interface)
dw123 Posted ...

giganerd, I appreciate your corrections to my misconceptions and misstatements. I also appreciate the routing command that you gave:

    $ ip r add (network) via (interface)

But I don't know what should be inserted for the network or interface addresses. Below is the routing information, as reported by Eddie after a vpn tunnel was established, in a recent session. I have observed that the addresses related to tun0 are not the same from session to session. After this block, I will show the addresses that I have inserted into the above command.

    ip addr show:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
        link/ether 00:18:8b:cb:80:d4 brd ff:ff:ff:ff:ff:ff
        inet 192.168.227.3/24 brd 192.168.227.255 scope global eth0
           valid_lft forever preferred_lft forever
        inet6 fe80::218:8bff:fecb:80d4/64 scope link
           valid_lft forever preferred_lft forever
    3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
        link/ether 00:1b:77:12:ed:b5 brd ff:ff:ff:ff:ff:ff
    7: macvtap0@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 500
        link/ether 6e:c0:bc:bc:fb:b8 brd ff:ff:ff:ff:ff:ff
    8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
        link/none
        inet 10.35.106.125/24 brd 10.35.106.255 scope global tun0
           valid_lft forever preferred_lft forever
        inet6 fde6:7a:7d20:1f6a::107b/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::9c93:e08d:3a90:7b7b/64 scope link flags 800
           valid_lft forever preferred_lft forever
    ----------------------------
    ip link show:
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
        link/ether 00:18:8b:cb:80:d4 brd ff:ff:ff:ff:ff:ff
    3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
        link/ether 00:1b:77:12:ed:b5 brd ff:ff:ff:ff:ff:ff
    7: macvtap0@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 500
        link/ether 6e:c0:bc:bc:fb:b8 brd ff:ff:ff:ff:ff:ff
    8: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT group default qlen 100
        link/none
    ----------------------------
    ip -4 route show:
    0.0.0.0/1 via 10.35.106.1 dev tun0
    default via 192.168.227.1 dev eth0
    10.35.106.0/24 dev tun0 proto kernel scope link src 10.35.106.125
    128.0.0.0/1 via 10.35.106.1 dev tun0
    192.30.89.75 via 10.35.106.1 dev tun0
    192.30.89.77 via 192.168.227.1 dev eth0
    192.168.227.0/24 dev eth0 proto kernel scope link src 192.168.227.3
    ----------------------------
    ip -6 route show:
    ::/3 dev tun0 metric 1024 pref medium
    2606:9580:100:f:5792:2dec:a4b6:2419 via fde6:7a:7d20:1f6a::1 dev tun0 metric 1024 pref medium
    2000::/4 dev tun0 metric 1024 pref medium
    3000::/4 dev tun0 metric 1024 pref medium
    fde6:7a:7d20:1f6a::/64 dev tun0 proto kernel metric 256 pref medium
    fc00::/7 dev tun0 metric 1024 pref medium
    fe80::/64 dev eth0 proto kernel metric 256 pref medium
    fe80::/64 dev tun0 proto kernel metric 256 pref medium

I have linked my macvtap (or macvlan) to eth0, assigning an address within the range for eth0 (eg. 192.168.227.10). I have inserted that address as the "network" address. (But I also experimented with 192.168.227.1, 192.168.227.3, and some arbitrary one like 10.20.30.1, after assigning that address to the macvtap.) For the "interface" address, 10.35.106.1 (shown for the tun0 gateway above). But the tun0 address changes from session to session. If it worked, I would want this to be a static address, to facilitate use of a script on startup.

After many attempts, firejailed Firefox still cannot find the internet. On starting, it appears to be doing a DNS lookup for my home page. But it soon reports that it cannot connect. However, if a browser is brought up outside of firejail, it connects rapidly, and shows the ip of the vpn server. Your patience is appreciated. Thanks for your help.
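The table dw123 posted above is enough to see the mechanism OpenSourcerer describes without touching a live system. As an added example (editor's code, not from the thread, Eddie, OpenVPN or firejail), the script below parses that exact `ip -4 route show` dump and performs the kernel's longest-prefix match over it. What makes tun0 win is prefix length rather than metric: 0.0.0.0/1 and 128.0.0.0/1 together cover every address and are more specific than the /0 default via eth0, so the default is shadowed while it stays in the table. Two things are meant to stay off-tunnel: the /32 host route via eth0 that redirect-gateway adds for the server you are connected to (otherwise the encrypted OpenVPN packets themselves could not leave), and the LAN /24. The `live_off_tunnel_routes` function turns this into a small leak audit: it lists every route that still carries traffic outside the tunnel and would flag the default route if either /1 half were missing. The dump is embedded as constructed input; paste a fresh table into `ROUTE_DUMP` to audit another session.

```python
"""Longest-prefix lookup over an `ip -4 route show` dump (offline, no root needed)."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]
    dev: str


# IPv4 table copied from dw123's post above, taken while Eddie was connected.
ROUTE_DUMP = """\
0.0.0.0/1 via 10.35.106.1 dev tun0
default via 192.168.227.1 dev eth0
10.35.106.0/24 dev tun0 proto kernel scope link src 10.35.106.125
128.0.0.0/1 via 10.35.106.1 dev tun0
192.30.89.75 via 10.35.106.1 dev tun0
192.30.89.77 via 192.168.227.1 dev eth0
192.168.227.0/24 dev eth0 proto kernel scope link src 192.168.227.3
"""


def parse_routes(dump: str) -> List[Route]:
    """Parse `ip -4 route show` lines; 'default' is 0.0.0.0/0, a bare host is a /32."""
    routes: List[Route] = []
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.IPv4Network(prefix, strict=False)
        gateway: Optional[ipaddress.IPv4Address] = None
        dev: Optional[str] = None
        for i, tok in enumerate(fields):
            if tok == "via":
                gateway = ipaddress.IPv4Address(fields[i + 1])
            elif tok == "dev":
                dev = fields[i + 1]
        if dev is None:
            raise ValueError(f"route without an output device: {line!r}")
        routes.append(Route(network, gateway, dev))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Most specific matching route wins, as in the kernel; metric only breaks
    ties between routes of the same prefix length, so it is ignored here."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def live_off_tunnel_routes(routes: List[Route], tunnel_dev: str = "tun0") -> List[Route]:
    """Routes that still carry traffic outside the tunnel.

    A route is live if a probe address inside it resolves back to that route.
    Every prefix shorter than /32 is probed at its start and its midpoint, so
    the default route is tested in both halves: a missing 0.0.0.0/1 or
    128.0.0.0/1 would make it live again (a real leak, not a shadowed entry).
    """
    live: List[Route] = []
    for r in routes:
        if r.dev == tunnel_dev:
            continue
        probes = [r.network.network_address]
        if r.network.prefixlen < 32:
            midpoint = int(r.network.network_address) + (1 << (31 - r.network.prefixlen))
            probes.append(ipaddress.IPv4Address(midpoint))
        if any(lookup(routes, str(p)) is r for p in probes):
            live.append(r)
    return live


ROUTES = parse_routes(ROUTE_DUMP)

if __name__ == "__main__":
    for dst in ("1.1.1.1", "129.0.0.1", "192.30.89.77", "192.168.227.1"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>15} -> {r.dev} ({r.network})")
    print("still reachable outside the tunnel:",
          ", ".join(f"{r.network} via {r.dev}" for r in live_off_tunnel_routes(ROUTES)))
```

On a live box `ip route get <dst>` answers the same question for one address; the value of doing it offline is the audit loop, which tells you in one pass exactly which destinations a VPN client has left outside the tunnel.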
OpenSourcerer Posted ...

6 hours ago, dw123 said:
"But I don't know what should be inserted for network or interface addresses."

Sorry, but me, too, I'm not particularly familiar with the concept of firejail. It would take time for me to read about it, test it myself, to be able to properly help you further. As I wrote, maybe a more specialized forum would help because it doesn't look like it's specific to AirVPN, maybe OpenVPN in general.
dw123 Posted ...

Okay. I understand. I will attempt to explore the problem elsewhere. But first, two questions:

1. If firejail was not an issue, what addresses would you insert in the routing command for "network" and "interface" (given the routing data shown by Eddie, in my previous message)?

    $ ip r add (network) via (interface)

2. Is there a way to designate a static address for tun0 in Eddie?

Thank you!
OpenSourcerer Posted ...

1 hour ago, dw123 said:
"1. If firejail was not an issue, what addresses would you insert in the routing command for "network" and "interface" (given the routing data shown by Eddie, in my previous message)?"

None – OpenVPN would take care of it by itself. But since you have the physical interface plus firejail interfaces plus tun0, you need to somehow make the connection between firejail and tun0, because I'm betting firejail is neither a route with a lower metric nor a default gateway. Speaking of which, what does the routing table actually look like with firejail on? Can you post the output of "ip r"?

1 hour ago, dw123 said:
"2. Is there a way to designate a static address for tun0 in Eddie?"

Addresses are assigned by the OpenVPN server, and they're highly dynamic. They differ based on chosen server, port and protocol, and the lease is not kept for long. Don't know for sure for how long. Doesn't matter, anyway.
dw123 Posted ...

    ip route show
    0.0.0.0/1 via 10.19.10.1 dev tun0
    default via 192.168.227.1 dev eth0
    10.10.20.10 via 10.19.10.1 dev tun0
    10.19.10.0/24 dev tun0 proto kernel scope link src 10.19.10.144
    128.0.0.0/1 via 10.19.10.1 dev tun0
    192.30.89.51 via 10.19.10.1 dev tun0
    192.30.89.53 via 192.168.227.1 dev eth0
    192.168.227.0/24 dev eth0 proto kernel scope link src 192.168.227.3

Shown above follows opening Firefox in firejail. In the start command for firejail, I assigned address 10.10.20.10 to the macvtap. Using the ip route command, I directed it to the tun0 address. Firefox seems to be working on a DNS lookup, but after several seconds times out with a "cannot connect to internet" message.
OpenSourcerer Posted ...

No firejail interfaces. If they don't show up executing ip link, then I don't know. But I wrote it earlier that I don't know, anyway.
dw123 Posted ...

The firejail interface is via the macvtap (macvtap0@eth0), which is an internal LAN from the firejail "namespace" to the outside network. In the routing shown in my previous post, the address for the macvtap is 10.10.20.10.
OpenSourcerer Posted ...

I looked on GitHub where the project's source is at home and found out that what you want is not possible with firejail yet. It is simply not supported. I found a plethora of issues suggesting it.
https://github.com/netblue30/firejail/issues/59
https://github.com/netblue30/firejail/issues/1814
https://github.com/netblue30/firejail/issues/2032
Next time, I will simply search myself. I can definitely spare ten minutes for that.
dw123 Posted ...

Yes. I know about the github firejail site. It is possible to make firejail work with a vpn. See this post: https://github.com/netblue30/firejail/issues/2046 Several methods are discussed. But I have been unable to make any of them work. Thanks for discussing the matter with me. I guess I'll let it drop now.
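The thread never pins down why the macvtap attempt fails, so here is an added example (editor's script, not from the thread, the linked GitHub issues, Eddie or firejail's documentation) of the other shape the setup can take. A macvlan or macvtap sub-interface in the sandbox's namespace puts its frames straight onto the parent eth0; the host's routing table, where the 0.0.0.0/1 and 128.0.0.0/1 routes to tun0 live, is never consulted, so a host route for 10.10.20.10 via tun0 changes nothing for traffic leaving the sandbox. If the sandbox is instead attached to a bridge that has no physical port, the host becomes its router: packets cross the bridge into the host stack, follow the host's routes into tun0, and are NATed to the tunnel address. The FORWARD rule that drops anything from the bridge not leaving via tun0 is what keeps the sandbox inside the tunnel when the VPN is down. Assumed, not taken from the thread: the bridge name br0, the 10.10.20.0/24 subnet, tun0 as the VPN device, legacy iptables with conntrack, firejail 0.9.x's `--net`, `--ip`, `--defaultgw` and `--dns` options, and 10.4.0.1 as the resolver the VPN pushes (check `/etc/resolv.conf` while Eddie is connected and substitute what you see).

```shell
#!/bin/sh
# Added example: route a firejail sandbox through the host's VPN tunnel via a
# port-less bridge plus NAT, instead of macvlan/macvtap (whose frames leave
# through eth0 directly and never see the host's tun0 routes).
# Assumptions (not from the thread): br0, 10.10.20.0/24, tun0, legacy iptables,
# firejail 0.9.x flags --net/--ip/--defaultgw/--dns, VPN resolver 10.4.0.1.
set -eu

BRIDGE=br0
SUBNET=10.10.20.0/24
HOST_IP=10.10.20.1          # bridge address on the host; the sandbox's gateway
SANDBOX_IP=10.10.20.10
VPN_DEV=tun0
VPN_DNS=10.4.0.1            # assumed; use what /etc/resolv.conf shows while Eddie is up

# Print the netfilter rules for the sandbox subnet, one per line. Kept apart
# from applying them so the rule set can be reviewed or tested without root.
nat_rules() {
    bridge=$1; subnet=$2; vpn=$3
    printf '%s\n' \
        "iptables -t nat -A POSTROUTING -s $subnet -o $vpn -j MASQUERADE" \
        "iptables -A FORWARD -i $bridge -o $vpn -j ACCEPT" \
        "iptables -A FORWARD -i $vpn -o $bridge -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -i $bridge ! -o $vpn -j DROP"
}

# Succeeds only if the rule set has the catch-all DROP for the bridge and no
# ACCEPT lets bridge traffic out through a device other than the VPN.
rules_are_leak_free() {
    rules=$(nat_rules "$@")
    echo "$rules" | grep -q -- "! -o $3 -j DROP" &&
        ! echo "$rules" | grep -v -- "-o $3" | grep -q -- "-i $1 .*-j ACCEPT"
}

# Run as root, after Eddie has brought tun0 up (Eddie's Network Lock rewrites
# the host firewall; re-apply these rules if you use it).
setup_host() {
    ip link add "$BRIDGE" type bridge
    ip addr add "$HOST_IP/24" dev "$BRIDGE"
    ip link set "$BRIDGE" up
    sysctl -w net.ipv4.ip_forward=1
    nat_rules "$BRIDGE" "$SUBNET" "$VPN_DEV" | while IFS= read -r rule; do
        eval "$rule"
    done
}

# The sandbox gets its own network namespace attached to the bridge, so its
# packets enter the host stack and follow the host's routing table into tun0.
run_sandboxed() {
    firejail --net="$BRIDGE" --ip="$SANDBOX_IP" --defaultgw="$HOST_IP" --dns="$VPN_DNS" "$@"
}

case "${1:-}" in
    setup) setup_host ;;
    run)   shift; run_sandboxed "$@" ;;
esac
```

Usage: `sudo ./fj-vpn.sh setup` once per boot after the VPN is connected, then `./fj-vpn.sh run firefox`. Only IPv4 is configured in the sandbox; the host's tun0 also carries IPv6 routes, so if the sandbox ever gets a global IPv6 address the same drop rule is needed in ip6tables. The `--dns` option matters for the symptom described in the thread: a sandbox that inherits a LAN resolver it can no longer reach will appear to hang on DNS lookups and then report that it cannot connect.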
OpenSourcerer Posted ...

7 hours ago, dw123 said:
"It is possible to make firejail work with a vpn. See this post: https://github.com/netblue30/firejail/issues/2046"

Even your quoted post suggests it's not supported, why even try? Out of despair? Have you tried OpenVPN inside firejail? One of the issues I linked to seems to suggest that it works this way.