Network isolation when using toolbx or distrobox

Hi,

If I decided to create a new container with either toolbx or distrobox and installed OpenVPN, and the VPN profile/setup routes all the network traffic through the VPN: would the network traffic created by the host machine be captured by the OpenVPN installed and executed from a toolbx/distrobox container?

1 Like


i would like to do the same :slight_smile:

keep my main profile airtight tunneled through the main VPN, connect a single app over OpenVPN

You cannot run privileged applications (such as OpenVPN) from an unprivileged toolbox/distrobox container, as it needs to create network devices, etc., and that’s restricted to privileged processes. You need a privileged container.

OpenVPN is included in Atomic Desktops so you don’t even need a container for that.

I understood the original question to be about the network topology of containers. Maybe coming from a VM mindset, one could think of containers having their own virtual network device and wonder about routing of network traffic. The answer seems to be that there’s no such thing and an (unprivileged) container sees the same traffic as any unprivileged app on the host, at least by default for toolbox+distrobox, and that any restrictions would have to be applied on the host side. Next question: Where and how :wink:

You can pass around network devices to containers. Examples with Wireguard: Routing & Network Namespaces - WireGuard

Great hint!

I guess you would distrobox create --unshare-netns ... so that the container does not pick up the devices from the init netns. Does the container pick up devices from the container netns automatically? The linked article is Docker-focused.

Yes

You need to manually move the Wireguard devices to the container you want to grant access.

Not really, it mentions Docker but it’s the same with podman.

So moving them to the network namespace (as in the article) named like the container moves them to the container? Nice.

Podman, yes. What I meant is that toolbox/distrobox use a special (podman) container setup which exposes quite a bit from the host to the container. For the use-case discussed here, this may or may not interfere with the “docker/podman from scratch” in the article.

1 Like
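The thread stops at "move the WireGuard device into the container's network namespace" without showing the commands. The script below is an added example, not code from the thread, the linked WireGuard article, or the distrobox/toolbx projects. It assumes the container was created with `distrobox create --unshare-netns`, that `podman`, `ip` and `nsenter` are on the host, that the script runs as root on the host (moving a device between namespaces needs CAP_NET_ADMIN), and that the WireGuard device (`wg0` here) was already created and configured on the host with `ip link add` and `wg setconf`. The interface name, container name and address are placeholders. The `wg_move_cmds` function only prints the command sequence, so it can be reviewed first; `--apply` runs it.

```shell
#!/bin/sh
# Added example: move a host WireGuard device into the netns of a running
# podman/distrobox container so that only that container's traffic uses the tunnel.
# A WireGuard device keeps its keys, peers and UDP socket in the namespace it was
# created in, so the host's physical link carries the encrypted packets while the
# container only ever sees the plaintext side.
# Assumptions: root on the host, container made with --unshare-netns, ip/nsenter/podman present.

# Kernel interface-name rule: 1..15 bytes, no '/', no whitespace, not "." or "..".
valid_ifname() {
    name=$1
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case $name in
        */*|*' '*|*'	'*|.|..) return 1 ;;
    esac
    return 0
}

# Print (do not run) the commands that move interface $1 into the network
# namespace of host PID $2 and give it address $3 plus a default route.
# Using the PID form of `ip link set ... netns` avoids needing /run/netns entries,
# which rootless podman does not create.
wg_move_cmds() {
    ifname=$1; pid=$2; addr=$3
    valid_ifname "$ifname" || { echo "bad interface name: $ifname" >&2; return 1; }
    case $pid in ''|*[!0-9]*) echo "bad pid: $pid" >&2; return 1 ;; esac
    [ -n "$addr" ] || { echo "missing address" >&2; return 1; }
    printf 'ip link set dev %s netns %s\n' "$ifname" "$pid"
    # After the move the device is only visible inside the target netns, so the
    # remaining steps run there via nsenter -n.
    printf 'nsenter -t %s -n ip addr add %s dev %s\n' "$pid" "$addr" "$ifname"
    printf 'nsenter -t %s -n ip link set dev %s up\n' "$pid" "$ifname"
    printf 'nsenter -t %s -n ip route add default dev %s\n' "$pid" "$ifname"
}

# PID of the container's init process on the host; its /proc/<pid>/ns/net is the
# container's network namespace when the container was created with --unshare-netns.
container_pid() {
    podman inspect -f '{{.State.Pid}}' "$1"
}

# Resolve the container to a PID, then execute the generated commands in order,
# stopping at the first failure.
apply_move() {
    ifname=$1; ctr=$2; addr=$3
    pid=$(container_pid "$ctr") || return 1
    wg_move_cmds "$ifname" "$pid" "$addr" | sh -e
}

# Usage (placeholders):
#   sh wg-to-container.sh wg0 my-distrobox 10.0.0.2/32           # print plan only
#   sh wg-to-container.sh --apply wg0 my-distrobox 10.0.0.2/32   # perform the move
if [ "${1:-}" = "--apply" ]; then
    apply_move "$2" "$3" "$4"
elif [ $# -eq 3 ]; then
    pid=$(container_pid "$2") && wg_move_cmds "$1" "$pid" "$3"
fi
```

Once the device lives in the container's namespace, the host's own routing table is untouched, which is the answer to the original question: the host's traffic does not go through that tunnel, and nothing running unprivileged inside the container can pull the device back out.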