Firejail: security sandbox

I’m trying to get back into editing Wikipedia. Wikipedia has a policy that editors are not allowed to use VPNs or anything that hides their IP address, but makes an exception for users behind the Great Firewall of China and other countries that censor Internet access.

I didn’t want to give up using my VPN – currently Mullvad VPN, whose service I’ve been quite pleased with – so I had to find a way to edit Wikipedia using the IP address from my ISP. On the Mullvad GUI app, there is a split tunneling feature that allows one to exclude certain apps from the VPN tunnel. Since I’m on Void Linux, which doesn’t have a GUI app for Mullvad, I’ve been using Mullvad’s Wireguard configuration files, so I’ve had to find another way to split the VPN tunnel per application.

Someone in the Wireguard IRC channel suggested I use Firejail, which turned out to be a great solution to this problem. I haven’t really dived into Firejail documentation yet, but from what I understand, Firejail utilizes the Linux kernel’s namespaces to create a new network stack within the sandbox that is isolated from the host’s main network stack, which allows me to have applications in the sandbox that do not use the Wireguard interface of the VPN. So I’ve created a sandbox for the LibreWolf browser that I will use to edit Wikipedia. I’ve changed the Exec directive in LibreWolf’s .desktop file to this command:

firejail --net=wlp3s0 --noprofile --dns=1.1.1.1 \
    /home/jas/Applications/LibreWolf.x86_64_817ca3fd38e2c1623d580bee3afe36cc.AppImage

It works awesomely!