Development discussion of WireGuard
From: Madars Virza <madars@gmail.com>
To: wireguard@lists.zx2c4.com
Subject: WireGuard namespacing/isolation on Windows
Date: Sun, 30 Oct 2022 23:26:57 -0400
Message-ID: <CAPoS0C3LWh3asNLruJNWBASrKkkrekdHWTWx3+S38usiEo+S7A@mail.gmail.com>

Hi!

Consider the following use case: preventing accidental WebRTC-style
information leaks. These leaks used to happen because WebRTC JS API
exposes IP enumeration even if no packets get sent over the
corresponding interfaces (i.e., even though the default route is the
VPN endpoint, WebRTC API would "betray" information about other
interfaces visible to the browser.)

In Linux, an elegant way around such leakage is to run your
application in a separate network namespace a la
https://www.wireguard.com/netns/ . For example, you can launch your
browser/BitTorrent client/etc in a separate netns that only sees wgN
so that even if there were WebRTC-style leaks, the application would
not immediately see interfaces outside its network namespace.

What would one do to achieve a similar result for WireGuard clients on Windows?

I'd be happy to write a little bit of code / accept solutions that are
not production-grade (this is all meant for a developer workstation).

Madars
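
The Linux namespace setup the message refers to, as an added example that is not part of the original message: it prints or applies the commands from the approach documented at https://www.wireguard.com/netns/ and then checks that the namespace sees only lo and the WireGuard device. The namespace name, address and config path are assumed placeholder values.

```shell
#!/bin/sh
# Added example (constructed): NS, WG_IF, WG_ADDR and WG_CONF are placeholder values.
NS=vpnonly
WG_IF=wg0
WG_ADDR=192.0.2.2/32                  # documentation-range address, replace with yours
WG_CONF=/etc/wireguard/wg0-bare.conf  # wg(8) "setconf" format (no wg-quick keys)

# Print the setup commands in order. wg0 is created in the initial namespace,
# so its UDP socket lives there, and the device is then moved into the new namespace.
netns_plan() {
  cat <<EOF
ip netns add $NS
ip link add $WG_IF type wireguard
ip link set $WG_IF netns $NS
ip -n $NS link set lo up
ip netns exec $NS wg setconf $WG_IF $WG_CONF
ip -n $NS addr add $WG_ADDR dev $WG_IF
ip -n $NS link set $WG_IF up
ip -n $NS route add default dev $WG_IF
EOF
}

# Run the plan line by line (needs root); stop at the first failure.
netns_apply() {
  netns_plan | while read -r cmd; do
    $cmd || exit 1
  done
}

# Read `ip -o link show` output on stdin and print every interface that is
# neither loopback nor the WireGuard device. Empty output means nothing else is visible.
unexpected_ifaces() {
  awk -F': ' -v wg="$WG_IF" '{ n = $2; sub(/@.*/, "", n)
                               if (n != "lo" && n != wg) print n }'
}

# Usage: run with the argument "apply", then start the application inside the
# namespace with: ip netns exec vpnonly sudo -u "$USER" <application>
if [ "${1:-}" = apply ]; then
  netns_apply || exit 1
  leaks=$(ip -n "$NS" -o link show | unexpected_ifaces)
  [ -z "$leaks" ] || { echo "unexpected interfaces in $NS: $leaks" >&2; exit 1; }
fi
```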
