Wireproxy for Wireguard

Neo_78
Posts: 351
Joined: Wed Dec 29, 2021 10:45 pm
Has thanked: 190 times
Been thanked: 9 times

Wireproxy for Wireguard

Post by Neo_78 »

I would like to proxy the traffic of a Wireguard VPN to a specific browser (Firefox or Chrome), i.e. isolate it from the network interface so that the rest of the system's network traffic and other applications remain outside the VPN:

https://support.mozilla.org/en-US/kb/co ... gs-firefox

I think Chrome does not have its own, separate proxy option and you can only use the system's proxy configuration. I assume an extension would therefore be required, for instance:

https://chrome.google.com/webstore/deta ... pagjcdbjod

I found WireProxy on GitHub which appears to match exactly the mentioned use case:

https://github.com/pufferffish/wireproxy

"wireproxy is a completely userspace application that connects to a wireguard peer, and exposes a socks5/http proxy or tunnels on the machine. This can be useful if you need to connect to certain sites via a wireguard peer, but can't be bothered to setup a new network interface for whatever reasons."

Or do you see a better way or other tools to solve this in Fatdog?

In order to install WireProxy in Fatdog, would I simply have to install git via Gslapt and then clone the repository locally and build the package as described?

Code:

git clone https://github.com/octeep/wireproxy
cd wireproxy
make

Appreciate your feedback! :thumbup:

m1k3
Posts: 86
Joined: Sat Sep 26, 2020 1:44 am
Has thanked: 33 times
Been thanked: 11 times

Re: Wireproxy for Wireguard

Post by m1k3 »

Is this mainly so that you can access devices on your network such as your printer?

fatdoguser
Posts: 175
Joined: Sat Aug 05, 2023 10:54 am
Has thanked: 22 times
Been thanked: 79 times

Re: Wireproxy for Wireguard

Post by fatdoguser »

I use physical separation. termux/X/vnc/ssh/otter browser on phone as a server that I can vnc into from my laptop and browse using the phone's internet connection/data/wifi, and/or in a similar manner a vm on another box that I can vnc into and use a hard wired ethernet connection, or use my laptop's browser/wifi connection, or an ssh tunnel to a remote ssh server and use that as a proxy.

For chrome look up --proxy-server=socks5://..... switch options, I think you'll find that you can proxy chrome separately (I set up/use an ssh tunnel as part of that).
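Added example, not part of the posts above and not code from the wireproxy project: a check that a wireproxy config exposes its proxy on loopback only, plus a Chrome launcher for that listener. The `[Socks5]`/`[http]` section names and the `BindAddress` key follow the sample config in wireproxy's README; the port 25344, the `google-chrome` binary name, the profile directory and the sample values are assumptions.

```shell
#!/bin/sh
# Added example. Prints every wireproxy proxy listener that is NOT bound to
# loopback: a listener on 0.0.0.0 or a LAN address lets any host that can
# reach it send traffic through your WireGuard peer.
nonlocal_binds() {
    awk '
        /^[ \t]*\[/ {                      # section header such as [Socks5]
            sec = tolower($0); gsub(/[^a-z0-9]/, "", sec); next
        }
        (sec == "socks5" || sec == "http") && tolower($0) ~ /^[ \t]*bindaddress[ \t]*=/ {
            addr = $0
            sub(/^[^=]*=[ \t]*/, "", addr)      # drop the key and "="
            sub(/[ \t]*(#.*)?$/, "", addr)      # drop trailing space or comment
            if (addr !~ /^(127\.[0-9.]+|\[::1\]|localhost):[0-9]+$/)
                print sec ": " addr
        }
    ' "$1"
}

# Constructed sample config; the keys are placeholders, not real secrets.
write_sample_conf() {   # $1 = output path, $2 = SOCKS5 bind address
    cat > "$1" <<EOF
[Interface]
Address = 10.200.200.2/32
PrivateKey = PLACEHOLDER_PRIVATE_KEY
[Peer]
PublicKey = PLACEHOLDER_PUBLIC_KEY
Endpoint = vpn.example.net:51820
[Socks5]
BindAddress = $2
EOF
}

# Starts Chrome with its own profile, sending traffic to the local SOCKS5
# listener. --host-resolver-rules stops local DNS lookups, as the Chromium
# SOCKS proxy guide describes. Defined here, not called.
launch_chrome() {
    "${CHROME:-google-chrome}" --user-data-dir="$HOME/.chrome-vpn" \
        --proxy-server="socks5://127.0.0.1:25344" \
        --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE 127.0.0.1"
}

conf=$(mktemp)
write_sample_conf "$conf" "0.0.0.0:25344"
nonlocal_binds "$conf"      # prints: socks5: 0.0.0.0:25344
rm -f "$conf"
```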


Re: Wireproxy for Wireguard

Post by Neo_78 »

@m1k3 a proxy would be used in this context to control in detail which applications of your system and which websites use a specific VPN and which do not, instead of sending your entire network traffic over the VPN. Another advantage is that you don't have to be root to manage and run Wireproxy. So you could use a normal user account in Fatdog.

@fatdoguser Are you referring to the following Chromium guide?

https://www.chromium.org/developers/des ... cks-proxy/


Re: Wireproxy for Wireguard

Post by fatdoguser »

Neo_78 wrote: Fri Jan 05, 2024 9:47 pm

@fatdoguser Are you referring to the following Chromium guide?

https://www.chromium.org/developers/des ... cks-proxy/

Nice link @Neo_78, thanks. I just referenced one of my chrome start choices that uses that socks5 form of proxy. I can't recall seeing that link before, IIRC I originally got the guidance from somewhere like stackexchange.


Re: Wireproxy for Wireguard

Post by m1k3 »

@Neo_78 Do you have concerns about running wireguard as root? I could be wrong but it doesn't seem much different than any other network interface started as root. If you're not accepting any inbound connections (blocked by firewall) and internet applications are run as spot, it seems that the likelihood of your system being compromised would be minuscule.


Re: Wireproxy for Wireguard

Post by Neo_78 »

I only use the root account for system maintenance and create a normal user account that I use for daily work. @m1k3


Re: Wireproxy for Wireguard

Post by m1k3 »

Is that so you don’t accidentally bork your system?


Re: Wireproxy for Wireguard

Post by Neo_78 »

I think from a security perspective it's a bad idea to run your system as root all the time. An interesting discussion in this regard can be found here:

https://askubuntu.com/questions/16178/w ... in-as-root

The Fatdog documentation has their own viewpoint on that topic:

https://distro.ibiblio.org/fatdog/web/faqs/login.html


Re: Wireproxy for Wireguard

Post by m1k3 »

Gotcha. I guess I'm in the Fatdog camp. Any program that connects to the internet I run as spot. That combined with blocking all incoming connections with iptables and running wireguard I think covers security to a sufficient degree (for me).


Re: Wireproxy for Wireguard

Post by Neo_78 »

I downloaded git, make and golang from Gslapt, cloned the wireproxy repository and then tried to make the package.

I set the go path temporarily to export PATH=/opt/go/bin:$PATH as described in the golang package description in Gslapt. How do you permanently set a specific path for bash in Fatdog?

However, making the package I encounter the following error:

Code:

package net/netip is not in GOROOT

It looks like Gslapt ships Go version 1.17.6, which does not seem to include net/netip. The netip package was introduced in Go 1.18.

Is there a way to install Go 1.18 or later in Fatdog?

Thanks for your feedback!


Re: Wireproxy for Wireguard

Post by fatdoguser »

Neo_78 wrote: Sun Jan 07, 2024 2:18 pm

I think from a security perspective it's a bad idea to run your system as root all the time. An interesting discussion in this regard can be found here:

https://askubuntu.com/questions/16178/w ... in-as-root

The Fatdog documentation has their own viewpoint on that topic:

https://distro.ibiblio.org/fatdog/web/faqs/login.html

Have a look at
capsh --print
.. your linux capabilities

then try
capsh --drop=cap_sys_admin --
and in that shell try mounting a drive
mount /dev/sda2 /mnt/sda2
... and it will (should) be denied.

You can run programs that way
capsh --drop=cap_sys_admin -- -c geany

When done you can exit out of that

Another choice is to run
chroot /
first, so you're chrooted into the same system, and then within that run the above, but also include dropping cap_sys_chroot as well
chroot /
capsh --drop=cap_sys_chroot,cap_sys_admin --
A common hacker escape from a chroot is to chroot out of it; with the chroot capability dropped, however, that path is blocked.

A nice feature with running as root, albeit restricted root, is that new files etc. are created with 'root' ownership, which avoids having to try something only to be informed you need to do that as root and having to su into root to repeat the action.
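Added example, not part of the post above: a check to run inside the capsh shell that cap_sys_admin and cap_sys_chroot are gone from both the effective set (usable now) and the bounding set (obtainable through a later exec), read from the `CapEff`/`CapBnd` lines of `/proc/<pid>/status`. The function names are made up for this example; the bit numbers are those in `<linux/capability.h>`.

```shell
#!/bin/sh
# Added example. Checks that CAP_SYS_ADMIN and CAP_SYS_CHROOT are really
# gone before trusting the restricted shell.
CAP_SYS_CHROOT=18   # bit numbers from <linux/capability.h>
CAP_SYS_ADMIN=21

# has_cap MASK BIT: succeeds if BIT is set in the hex MASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask FILE FIELD: prints the hex mask of FIELD (CapEff, CapBnd, ...)
cap_mask() {
    awk -v f="$2:" '$1 == f { print $2 }' "$1"
}

# restricted [STATUS_FILE]: succeeds only if both capabilities are missing
# from the effective and the bounding set. Defaults to the calling shell.
restricted() {
    status=${1:-/proc/$$/status}
    for field in CapEff CapBnd; do
        mask=$(cap_mask "$status" "$field")
        [ -n "$mask" ] || return 2          # field not found: do not guess
        for bit in "$CAP_SYS_ADMIN" "$CAP_SYS_CHROOT"; do
            if has_cap "$mask" "$bit"; then
                echo "$field still has capability bit $bit" >&2
                return 1
            fi
        done
    done
    return 0
}

# Reports on the current shell (Linux only).
if [ -r "/proc/$$/status" ]; then
    if restricted; then echo "restricted: sys_admin and sys_chroot dropped"
    else echo "NOT restricted"; fi
fi
```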


Re: Wireproxy for Wireguard

Post by m1k3 »

@Neo_78 I make heavy use of SFS files. Most dev and build tools are in fd64-devx_901.sfs which you can load at boot. Another thing I tend to do is to download the binary package (such as Fedora's latest RPM) for what I'm looking for, extract it, and then right click the folder and turn it into an SFS file. This allows you to run it without it adding all of the files to your base installation.


Re: Wireproxy for Wireguard

Post by m1k3 »

@fatdoguser rufwoof, is that you? :lol:


Re: Wireproxy for Wireguard

Post by fatdoguser »

@m1k3 1337?


Re: Wireproxy for Wireguard

Post by m1k3 »

No, you just remind me a lot of another person we used to have on the forums who was very security conscious and knowledgeable. :)


Re: Wireproxy for Wireguard

Post by Neo_78 »

Does anyone know how to get a newer version of Golang installed in FatDog?


Re: Wireproxy for Wireguard

Post by m1k3 »

Neo_78 wrote: Mon Jan 22, 2024 11:15 pm

Does anyone know how to get a newer version of Golang installed in FatDog?

The cleanest option in my mind would be to turn the binary release into an SFS so as not to clutter your base FD install.

Download the latest .tar.gz archive and extract the files. Create a directory structure that will become the SFS. So create an empty /go-1.21.6/usr/local structure and then drop the extracted go directory into /go-1.21.6/usr/local directory so that you have /go-1.21.6/usr/local/go. Right-click on the go-1.21.6 directory and select Convert to SFS. Now put that SFS file wherever you want and load it. Finally, add the new go bin directory to your path and bob's your uncle: export PATH=$PATH:/usr/local/go/bin.

If you use the latest fd64-devx_901.sfs you could also extract that and put go in there using the same /usr/local/go location and convert it to an SFS again to keep all dev tools together.
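Added example, not part of the posts above: the staging step from this reply with a SHA-256 check before unpacking (go.dev/dl lists a checksum next to each download), and a version test for the `net/netip` build error reported earlier in the thread. The function names and the `go-1.21.6` staging directory are assumptions taken from the layout described in the reply.

```shell
#!/bin/sh
# Added example. stage_go TARBALL EXPECTED_SHA256 STAGE_DIR
# Unpacks a Go release tarball into STAGE_DIR/usr/local, ready for
# "Convert to SFS", but only if the archive matches the expected checksum.
stage_go() {
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    if [ -z "$actual" ] || [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1, nothing unpacked" >&2
        return 1
    fi
    mkdir -p "$3/usr/local" || return 1
    # --no-same-owner: ignore the uid/gid stored in the archive, which
    # matters when unpacking as root.
    tar -xzf "$1" -C "$3/usr/local" --no-same-owner || return 1
    # The result must contain usr/local/go/bin/go, as the reply describes.
    [ -x "$3/usr/local/go/bin/go" ]
}

# go_has_netip "go version go1.21.6 linux/amd64"
# Succeeds if the reported version is 1.18 or later, the first release
# that ships net/netip.
go_has_netip() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^go version go\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && [ "$2" -ge 18 ]; }
}

# Usage: sh stage_go.sh go1.21.6.linux-amd64.tar.gz <sha256> ./go-1.21.6
if [ "$#" -eq 3 ]; then
    stage_go "$1" "$2" "$3" && echo "staged in $3"
fi
```

After loading the SFS and extending PATH, `go_has_netip "$(go version)"` confirms that the newer toolchain, not the 1.17.6 one from Gslapt, is the one `make` will pick up.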


Re: Wireproxy for Wireguard

Post by Neo_78 »

Thanks @m1k3. Let me try that :thumbup: I think those are available here (Linux x86):

https://go.dev/dl/

Do you manage all the packages that you additionally install in separate SFS files or do you create everything in one SFS?


Re: Wireproxy for Wireguard

Post by m1k3 »

Happy to help! Let me know if you run into any issues.

Neo_78 wrote: Tue Jan 23, 2024 10:11 pm

Do you manage all the packages that you additionally install in separate SFS files or do you create everything in one SFS?

I guess it depends on the package or how the program is distributed. Most of the time I can create an SFS for each package. I also have a libs.sfs with libraries that various programs need and add to that as needed. If I download a deb or rpm package and it can't run due to a missing library and it doesn't come with it, I go to https://pkgs.org to download it and then add it to my libs.sfs file in /usr/lib or /usr/lib64.


Re: Wireproxy for Wireguard

Post by Neo_78 »

SFS seems to be a pretty cool format to manage your tools. Will have to research that in more detail.

Which Linux flavour are you using on https://pkgs.org/ for Fatdog? What's the exact source of the packages listed on this website?


Re: Wireproxy for Wireguard

Post by m1k3 »

Neo_78 wrote: Wed Jan 24, 2024 10:07 pm

Which Linux flavour are you using on https://pkgs.org/ for Fatdog? What's the exact source of the packages listed on this website?

You can use any of them, really. Sometimes it depends on which distro has the particular library in its repos. But, for the most part I will pick the latest Fedora rpm first and extract its contents. I then move the extracted files to the SFS file I'm building or updating. The packages are downloaded directly from the distro repos - pkgs.org is basically a package search engine.

The nice thing about SFS files is that you never need to alter your savefile or fd64.sfs (in initrd) depending on how you manage your system. For me, I run FD off of a USB stick and use my laptop's SSD as storage only. My encrypted savefile is 2 GB in size (currently) and only contains config files and files installed via the FD repo with slapt-get. Occasionally I will move those to fd64.sfs (remaster) to free up space in the savefile.

Other than that all of my data is stored outside of the savefile on the USB stick or laptop drive. I add symlinks to all of those locations in my home directory which is root. I run as root and any programs that connect to the internet get run as spot. I'm not concerned about messing up my system because I only need to backup my savefile and initrd occasionally if making big changes and can restore those if something breaks.

Last edited by m1k3 on Wed Jan 24, 2024 10:25 pm, edited 1 time in total.

Re: Wireproxy for Wireguard

Post by Neo_78 »

Ok, great, so it's pointing to the original source repositories of each distribution. I always thought that Slackware packages have the highest compatibility level with FatDog...


Re: Wireproxy for Wireguard

Post by m1k3 »

Sorry, just expanded my reply to you above but you replied before I had a chance to save it.

Slackware packages would work too but the versions can be a little old.
