The script is a wrapper around such firejail command:

```
firejail --net=.. --defaultgw=.. --dns=.. [--iprange=..] cmd [args]
```

Custom firejail args should be separated from the command with `--`:

```
nonvpn-fj --noprofile -- curl ..
```

The extra args are appended to the ones mentioned above.
In a common scenario there are two interfaces: a real one, e.g. `eth0`, and a vpn one, e.g. `tun0`. By default `tun0`'s metric in the routing table gives it higher priority, hence the vpn route is selected. The script runs a command picking the first real interface in the routing table instead.
One can override the default choices with the `/etc/nonvpn-fj.conf` file. It should contain such blocks:

```
[ip] key=val key=val ..
```

`[ip]` matches the gateway the script picks as a direct one. Empty lines and lines starting with `#` are ignored.
In case there is only one interface and its gateway (`x.x.x.2`) is a vpn forwarder, but there is another direct gateway (`x.x.x.1`) in the network, match for `x.x.x.2` and set `gw=x.x.x.1`:

```
[x.x.x.2] gw=x.x.x.1
```
For the direct connection the script defaults to `dns=1.1.1.1`. It can be changed this way:

```
[x.x.x.x] dns=8.8.8.8
```
Firejail needs some ip to assign to the virtual interface it creates. By default it picks a random unused one (arp check) from the whole network. This way it can seize a reserved ip, like a static lease for a temporarily offline host. Limit the scope like this (the values are `L` to `R-1`):

```
[x.x.x.x] iprange=x.x.x.20,x.x.x.30
```
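As an added illustration of the config format and of how its blocks feed the firejail command line (this is example code, not the nonvpn-fj script itself), the parser below reads `[ip] key=val ..` blocks and applies the matching overrides. It assumes that `key=val` pairs may also continue on the lines after a header, and the ip addresses in the sample config are constructed placeholders.

```python
DEFAULT_DNS = "1.1.1.1"  # the script's documented default for the direct route

# Constructed sample of /etc/nonvpn-fj.conf (placeholder addresses).
SAMPLE_CONF = """
# 192.0.2.2 is a vpn forwarder; use the real gateway and another resolver
[192.0.2.2] gw=192.0.2.1 dns=8.8.8.8
[198.51.100.1]
iprange=198.51.100.20,198.51.100.30
"""

ALLOWED_KEYS = ("gw", "dns", "iprange")


def parse_conf(text):
    """Return {gateway_ip: {key: val}}; blank lines and '#' lines are skipped.

    Assumption: key=val pairs may follow the [ip] header on the same line
    or on the lines after it, up to the next header.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and "]" in line:
            close = line.index("]")
            current = line[1:close]
            blocks.setdefault(current, {})
            line = line[close + 1:]          # pairs may trail the header
        if current is None:
            raise ValueError(f"setting before any [ip] header: {raw!r}")
        for tok in line.split():
            key, sep, val = tok.partition("=")
            if not sep or key not in ALLOWED_KEYS or not val:
                raise ValueError(f"bad setting {tok!r} in [{current}]")
            blocks[current][key] = val
    return blocks


def build_firejail_cmd(iface, picked_gw, blocks, cmd, extra_fj_args=()):
    """Compose the firejail argv; overrides for picked_gw replace the defaults."""
    ovr = blocks.get(picked_gw, {})
    argv = ["firejail", f"--net={iface}",
            f"--defaultgw={ovr.get('gw', picked_gw)}",
            f"--dns={ovr.get('dns', DEFAULT_DNS)}"]
    if "iprange" in ovr:
        lo, sep, hi = ovr["iprange"].partition(",")
        if not sep or not hi:
            raise ValueError("iprange needs the form L,R")
        argv.append(f"--iprange={lo},{hi}")   # firejail uses L to R-1
    argv.extend(extra_fj_args)                # user args come after the script's
    argv.extend(cmd)
    return argv
```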
- have `network yes` and `restricted-network no` in `/etc/firejail/firejail.config`
- if `/etc/firejail/firejail.users` exists, only users listed there are allowed to use firejail