cross-posted from: https://lemmings.world/post/8926396
In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.
https://codeberg.org/xabadak/wg-lockdown
If you use a fancy official VPN client from Mullvad, PIA, etc, you won’t need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).
A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I’m a noob and I couldn’t find any scripts or tools to do it that way.
I don’t route all my system’s traffic through Gluetun, my threat model doesn’t need it, I just route relevant apps, e.g. package management is in the clear but firefox, SearXNG, and nicotine go via gluetun. SSH can look after itself, or I’m in dire trouble. If my threat model did need it, I’d be considering a similar solution to yours, but it’d be heavily cribbed from the known good of gluetun, basically the docker (podman) put to bare metal.
Yeah, it does come down to threat model and preference. If you only need to route specific apps, Gluetun sounds like a great solution.