| author | Emīls <emils@mullvad.net> | 2020-08-31 16:35:05 +0100 |
|---|---|---|
| committer | Emīls <emils@mullvad.net> | 2020-09-02 10:52:53 +0100 |
| commit | e387c43658b017a382e60bdd6841597ea8aea42f (patch) | |
| tree | e303940fae40c78f21b6adb4fbaa2cfcbf9223b5 /docs | |
| parent | 5d7179a3a5fce366a7ab8215de7e4133a7cb20fd (diff) | |
| download | mullvadvpn-e387c43658b017a382e60bdd6841597ea8aea42f.tar.xz mullvadvpn-e387c43658b017a382e60bdd6841597ea8aea42f.zip | |
Use a mark to whitelist tunnel traffic
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/security.md | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/docs/security.md b/docs/security.md index 7fc5369bd3..786cf99d8b 100644 --- a/docs/security.md +++ b/docs/security.md @@ -124,8 +124,11 @@ VPN tunnel is allowed on all interfaces, together with responses to this outgoin First hop means the bridge server if one is used, otherwise the VPN server directly. This IP+port+protocol combination should only be allowed for the process establishing the VPN tunnel, or only administrator level processes, depending on what the platform firewall -allows restricting. On Windows the rule only allows processes from binaries in certain paths. -On Linux and macOS the rule only allows packets from processes running as `root`. +allows restricting. On Windows the rule only allows processes from binaries in certain paths. macOS +the rule only allows packets from processes running as `root`. On Linux, the rule only allows +packets that have the mark `0x6d6f6c65` set: setting a firewall mark on traffic requires elevated +privileges when using tunnels that support marking traffic, otherwise the rule is the same as on +macOS: the packet needs to originate from a process running as `root`. This process/user check is important to not allow unprivileged programs to leak packets to this IP outside the tunnel, as those packets can be fingerprinted. |
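Review bot: The new text in this hunk has a grammatical gap and an ambiguity that weakens a security-relevant statement. The sentence beginning "macOS the rule only allows packets..." is missing its leading "On" (the removed line had "On Linux and macOS the rule only allows..."); suggested: "On macOS the rule only allows packets from processes running as `root`." More importantly, the Linux description reads as if the rule switches between two modes ("otherwise the rule is the same as on macOS"), when the intent appears to be that the firewall rule accepts a packet if it carries the mark `0x6d6f6c65` or originates from a `root` process. Since the following paragraph relies on this check to prevent unprivileged programs from leaking fingerprintable packets to the first-hop IP outside the tunnel, state the two conditions explicitly as alternatives and replace "requires elevated privileges" with the specific privilege the kernel demands for setting the mark, so a reader can judge which processes are actually able to satisfy the exemption.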
