Comment by suyjuris

4 years ago

On Linux you can create a network namespace exposing only the WireGuard network device, so that applications in that namespace cannot leak traffic. Setting this up, however, is quite fiddly in my experience.

In addition, it is probably not a bad idea to block all traffic on wlo1 / eth0, except that to the Mullvad server IPs, through some ufw rules. If you then forget to configure the namespace for some applications, it is highly unlikely the app has internet access (i.e., it would need its own Mullvad/VPN implementation included).

It’s easier and more secure to just create a VM that’s bridged to the VPN interface (regardless of protocol) if you don’t use the VPN for everything but the things you do use it for absolutely must go through it.

  • I think I like this idea the best - simple, effective, and unbreakable due to config changes or updates.

    Plus it gives you a psychological separation between "VPN related activities" and not. Or you just do everything in the VM. Adds a layer security-wise as well to protect your physical system.

    If you wanted to get really fancy you could have a few different VMs, each one on a different company's VPN.
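
The namespace setup described in the first comment, sketched as an added example that is not part of any comment in this thread. The namespace name, device name, tunnel address and config path are constructed placeholders, and the config file is assumed to be in plain wg(8) format (no wg-quick keys such as Address or DNS).

```shell
#!/bin/sh
# Added example; every name and address below is a constructed placeholder.
NS=${NS:-vpn}                                # namespace name (assumption)
WG=${WG:-wg0}                                # WireGuard device name (assumption)
ADDR=${ADDR:-10.64.0.2/32}                   # constructed tunnel address
CONF=${CONF:-/etc/wireguard/wg0-bare.conf}   # hypothetical wg(8)-format config

# Print the setup steps in order. The device is created in the host namespace,
# so its encrypted UDP socket stays there; only the interface moves into $NS.
netns_plan() {
    cat <<EOF
ip netns add $NS
ip link add $WG type wireguard
ip link set $WG netns $NS
ip -n $NS addr add $ADDR dev $WG
ip netns exec $NS wg setconf $WG $CONF
ip -n $NS link set lo up
ip -n $NS link set $WG up
ip -n $NS route add default dev $WG
EOF
}

# Read `ip -o link show` output on stdin. Succeed only if the namespace holds
# nothing but loopback and the WireGuard device; any other link is a leak path.
only_tunnel_links() {
    awk -F': ' -v wg="$WG" '
        { name = $2; sub(/@.*/, "", name)
          if (name != "lo" && name != wg) { print "unexpected link: " name; bad = 1 } }
        END { exit bad + 0 }'
}

# APPLY=1 (as root) runs the plan and audits the result; default is a dry run.
if [ "${APPLY:-0}" = 1 ]; then
    netns_plan | sh -e
    ip -n "$NS" -o link show | only_tunnel_links &&
        echo "namespace $NS exposes only lo and $WG"
else
    netns_plan
fi
```

Once applied, a program is confined to the tunnel by starting it with `ip netns exec vpn <command>`.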