Releases: MuriloChianfa/netleak

v1.1.1

14 Apr 00:42
v1.1.1
0f3df93

A proxychains-like tool at kernel level: route all traffic from a process (and its children) through an arbitrary network interface, with kill-switch semantics that drop packets instead of leaking when the interface goes down.

📦 Installation

Choose the installation method that best fits your environment.

Native Packages

Distribution Package
debian-12 netleak_1.1.1_amd64_debian-12-amd64.deb
debian-13 netleak_1.1.1_amd64_debian-13-amd64.deb
ubuntu-22.04 netleak_1.1.1_amd64_ubuntu-22.04-amd64.deb
ubuntu-24.04 netleak_1.1.1_amd64_ubuntu-24.04-amd64.deb
ubuntu-24.04 netleak_1.1.1_arm64_ubuntu-24.04-arm64.deb
fedora-40 netleak-1.1.1-1.fc40.aarch64_fedora-40-aarch64.rpm
fedora-40 netleak-1.1.1-1.fc40.x86_64_fedora-40-x86_64.rpm

Container Image

Pull the Docker image from GitHub Container Registry:

# Pull latest stable release
docker pull ghcr.io/murilochianfa/netleak:latest

# Pull specific version
docker pull ghcr.io/murilochianfa/netleak:1.1.1

# Run netleak in a container (requires privileged mode)
docker run --privileged \
  --cgroupns=host \
  -v /sys/fs/bpf:/sys/fs/bpf \
  -v /sys/fs/cgroup:/sys/fs/cgroup \
  ghcr.io/murilochianfa/netleak:1.1.1 --help

Available tags:

  • latest - Latest stable release
  • 1.1.1 - This specific version
  • 1.1 - Minor version (e.g., 1.1.x)
  • 1 - Major version (e.g., 1.x.x)

🔒 Verification

All artifacts include SHA256 and SHA512 checksums for integrity verification, and are cryptographically signed with GPG for authenticity.

Verify GPG Signatures

# Import the maintainer's public key
gpg --keyserver keys.openpgp.org --recv-keys 3E1A1F401A1C47BC77D1705612D0D82387FC53B0

# Download a package and its signature (example: Ubuntu 24.04)
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.1/netleak_1.1.1_amd64_ubuntu-24.04.deb
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.1/netleak_1.1.1_amd64_ubuntu-24.04.deb.asc

# Verify the signature
gpg --verify netleak_1.1.1_amd64_ubuntu-24.04.deb.asc netleak_1.1.1_amd64_ubuntu-24.04.deb

Verify Package Checksums

# Download the checksums file and its signature
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.1/SHA256SUMS
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.1/SHA256SUMS.asc

# Verify the signature on the checksums
gpg --verify SHA256SUMS.asc SHA256SUMS

# Download a package (example: Ubuntu 24.04)
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.1/netleak_1.1.1_amd64_ubuntu-24.04.deb

# Verify the checksum
sha256sum -c SHA256SUMS --ignore-missing
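
The two procedures above can be tightened in one script. This is an added example, not part of the netleak project: `gpg --verify` accepts a good signature from any key in the keyring, so the script pins the signer to the fingerprint imported above, and it confirms that the downloaded package is actually listed in `SHA256SUMS`. The function names and the script name `verify.sh` are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Added example (not from the netleak project). EXPECTED_FPR is the
# fingerprint this page passes to `gpg --recv-keys`.
EXPECTED_FPR=3E1A1F401A1C47BC77D1705612D0D82387FC53B0

# Constructed sample of `gpg --status-fd 1 --verify` output (dates invented).
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] VALIDSIG $EXPECTED_FPR 2000-01-01 946684800 0 4 0 1 10 00 $EXPECTED_FPR"

# signer_is_pinned FPR: reads gpg status lines on stdin. Succeeds only if a
# VALIDSIG line names FPR as primary key (last field) and no signature in the
# input is bad, unverifiable, expired-key, revoked-key or from another key.
signer_is_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        END { exit !(ok && !bad) }'
}

# verify_signed FILE: check the detached signature FILE.asc over FILE.
verify_signed() {
    gpg --batch --status-fd 1 --verify "$1.asc" "$1" 2>/dev/null |
        signer_is_pinned "$EXPECTED_FPR"
}

# check_listed SUMS FILE: succeed only if SUMS has exactly one entry for FILE
# and the hash matches. `sha256sum -c --ignore-missing` on its own never
# looks at a downloaded file whose name is absent from SUMS.
check_listed() {
    entry=$(awk -v f="$2" '$2 == f || $2 == "*" f { print; n++ }
                           END { exit (n != 1) }' "$1") || return 1
    printf '%s\n' "$entry" | sha256sum -c --quiet -
}

# Usage: sh verify.sh <package file>, run in the directory holding
# SHA256SUMS, SHA256SUMS.asc, the package and its .asc signature.
for pkg in "$@"; do
    verify_signed SHA256SUMS && verify_signed "$pkg" &&
        check_listed SHA256SUMS "$pkg" && echo "verified: $pkg" ||
        { echo "FAILED: $pkg" >&2; exit 1; }
done
```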

📚 Quick Start

After installation, use netleak to route process traffic through specific interfaces:

# Route curl through a VPN interface
sudo netleak wg0 curl ifconfig.me

# Run a shell with all traffic through ppp0
sudo netleak ppp0 bash

# Everything launched from that shell uses ppp0
curl ifconfig.me  # shows ppp0's IP

# Other system processes remain unaffected
exit  # leave the netleak shell
curl ifconfig.me  # shows your real IP

📖 Documentation

🐛 Known Issues

  • Requires Linux kernel 5.8+ with eBPF and cgroup v2 support
  • Requires root privileges (eBPF + cgroups + routing)
  • Container mode requires --privileged and --cgroupns=host

⚠️ Use Cases

  • VPN fail-safe: Prevent IP leaks when VPN disconnects
  • Per-app routing: Route specific applications through different interfaces
  • Testing: Verify application behavior with different network paths
  • Privacy: Ensure critical apps never use the default route

What's Changed

  • Bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in #20
  • Bump docker/metadata-action from 5 to 6 by @dependabot[bot] in #19

New Contributors

Full Changelog: v1.1.0...v1.1.1

v1.1.0

27 Mar 03:21
v1.1.0
d59852c

IPv6, Multi-Interface, ARM build & Ingress Filtering

v1.1.0 is the first major feature release after v1.0.0's hardening cycle. It completes the dual-stack story with full IPv6 policy routing, extends the routing model to run multiple isolated sessions simultaneously on different interfaces, and adds bidirectional traffic enforcement through ingress filtering. ARM64 is now a first-class build target.

What's New

Full IPv6 support

netleak now installs policy rules and blackhole routes for both IPv4 and IPv6. By default it operates in dual-stack mode: if the target interface has a global IPv6 address the traffic is routed over it; if it doesn't, IPv6 is blackholed rather than leaking to the default route. Three new flags give you explicit control:

  • --only-v4: route IPv4, block all IPv6
  • --only-v6: route IPv6, block all IPv4
  • --fallback-to-v4: dual-stack, but allow IPv6 via default route when the interface lacks global v6 (opt-in leak)

Multi-interface support

Multiple netleak sessions can now run concurrently on the same host without colliding. Each session gets its own deterministic fwmark and routing table derived from the interface index (NL-prefixed upper bits + interface index in the lower bits), so netleak wg0 bash and netleak ppp0 bash in separate terminals are fully isolated from each other.

Ingress filtering (--ingress-filter)

Previously only egress was enforced. With --ingress-filter, inbound packets that did not arrive on the target interface are dropped at the TC hook, preventing any unsolicited inbound traffic from reaching the process through a different path.

Interface auto-detection

You no longer have to know the interface name ahead of time.
Two new resolution modes let you identify the target by network topology:

# route through whichever interface has this gateway
sudo netleak --gateway 10.8.0.1 curl ifconfig.me

# route through whichever interface owns an address in this subnet
sudo netleak --subnet 10.10.0.0/24 curl ifconfig.me

ARM64 / cross-compilation Native

ARM64 packages are now published for Ubuntu 24.04 and Fedora 40, built via a cross-compilation pipeline.
The same multi-arch Docker image is also available.

Upgrade from v1.0.0

No configuration changes are required. This is a drop-in replacement: install the new package and existing netleak invocations continue to work as before. The only behavioral change is that IPv6 is now blackholed by default on IPv4-only interfaces (previously it could leak). If you rely on that fallback, pass --fallback-to-v4.

📦 Installation

Choose the installation method that best fits your environment.

Native Packages

Distribution Package
debian-12 netleak_1.1.0_amd64_debian-12-amd64.deb
debian-13 netleak_1.1.0_amd64_debian-13-amd64.deb
ubuntu-22.04 netleak_1.1.0_amd64_ubuntu-22.04-amd64.deb
ubuntu-24.04 netleak_1.1.0_amd64_ubuntu-24.04-amd64.deb
ubuntu-24.04 netleak_1.1.0_arm64_ubuntu-24.04-arm64.deb
fedora-40 netleak-1.1.0-1.fc40.aarch64_fedora-40-aarch64.rpm
fedora-40 netleak-1.1.0-1.fc40.x86_64_fedora-40-x86_64.rpm

Container Image

Pull the Docker image from GitHub Container Registry:

# Pull latest stable release
docker pull ghcr.io/murilochianfa/netleak:latest

# Pull specific version
docker pull ghcr.io/murilochianfa/netleak:1.1.0

# Run netleak in a container (requires privileged mode)
docker run --privileged \
  --cgroupns=host \
  -v /sys/fs/bpf:/sys/fs/bpf \
  -v /sys/fs/cgroup:/sys/fs/cgroup \
  ghcr.io/murilochianfa/netleak:1.1.0 --help

Available tags:

  • latest - Latest stable release
  • 1.1.0 - This specific version
  • 1.1 - Minor version (e.g., 1.1.x)
  • 1 - Major version (e.g., 1.x.x)

🔒 Verification

All artifacts include SHA256 and SHA512 checksums for integrity verification, and are cryptographically signed with GPG for authenticity.

Verify GPG Signatures

# Import the maintainer's public key
gpg --keyserver keys.openpgp.org --recv-keys 3E1A1F401A1C47BC77D1705612D0D82387FC53B0

# Download a package and its signature (example: Ubuntu 24.04)
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.0/netleak_1.1.0_amd64_ubuntu-24.04.deb
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.0/netleak_1.1.0_amd64_ubuntu-24.04.deb.asc

# Verify the signature
gpg --verify netleak_1.1.0_amd64_ubuntu-24.04.deb.asc netleak_1.1.0_amd64_ubuntu-24.04.deb

Verify Package Checksums

# Download the checksums file and its signature
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.0/SHA256SUMS
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.0/SHA256SUMS.asc

# Verify the signature on the checksums
gpg --verify SHA256SUMS.asc SHA256SUMS

# Download a package (example: Ubuntu 24.04)
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.1.0/netleak_1.1.0_amd64_ubuntu-24.04.deb

# Verify the checksum
sha256sum -c SHA256SUMS --ignore-missing

📚 Quick Start

After installation, use netleak to route process traffic through specific interfaces:

# Route curl through a VPN interface
sudo netleak wg0 curl ifconfig.me

# Run a shell with all traffic through ppp0
sudo netleak ppp0 bash

# Everything launched from that shell uses ppp0
curl ifconfig.me  # shows ppp0's IP

# Other system processes remain unaffected
exit  # leave the netleak shell
curl ifconfig.me  # shows your real IP

📖 Documentation

🐛 Known Issues

  • Requires Linux kernel 5.8+ with eBPF and cgroup v2 support
  • Requires root privileges (eBPF + cgroups + routing)
  • Container mode requires --privileged and --cgroupns=host

⚠️ Use Cases

  • VPN fail-safe: Prevent IP leaks when VPN disconnects
  • Per-app routing: Route specific applications through different interfaces
  • Testing: Verify application behavior with different network paths
  • Privacy: Ensure critical apps never use the default route

Full Changelog: v1.0.0...v1.1.0

v1.0.0

08 Feb 22:33
119877f

A proxychains-like tool at kernel level: route all traffic from a process (and its children) through an arbitrary network interface, with kill-switch semantics that drop packets instead of leaking when the interface goes down.

Key features:

  • eBPF-based per-process traffic redirection using cgroup v2
  • Kill-switch: drops packets if target interface goes down (no leaks)
  • Policy routing with fwmark for clean traffic isolation
  • Perfect for VPN fail-safe, per-app routing and testing

📦 Installation

Choose the installation method that best fits your environment.

Native Packages

Distribution Package
debian-12 netleak_1.0.0_amd64_debian-12.deb
debian-13 netleak_1.0.0_amd64_debian-13.deb
ubuntu-22.04 netleak_1.0.0_amd64_ubuntu-22.04.deb
ubuntu-24.04 netleak_1.0.0_amd64_ubuntu-24.04.deb
fedora-40 netleak-1.0.0-1.fc40.x86_64_fedora-40.rpm

Container Image

Pull the Docker image from GitHub Container Registry:

# Pull latest stable release
docker pull ghcr.io/murilochianfa/netleak:latest

# Pull specific version
docker pull ghcr.io/murilochianfa/netleak:1.0.0

# Run netleak in a container (requires privileged mode)
docker run --privileged \
  --cgroupns=host \
  -v /sys/fs/bpf:/sys/fs/bpf \
  -v /sys/fs/cgroup:/sys/fs/cgroup \
  ghcr.io/murilochianfa/netleak:1.0.0 --help

Available tags:

  • latest - Latest stable release
  • 1.0.0 - This specific version
  • 1.0 - Minor version (e.g., 1.0.x)
  • 1 - Major version (e.g., 1.x.x)

🔒 Verification

All artifacts include SHA256 and SHA512 checksums for integrity verification, and are cryptographically signed with GPG for authenticity.

Verify GPG Signatures

# Import the maintainer's public key
gpg --keyserver keys.openpgp.org --recv-keys 3E1A1F401A1C47BC77D1705612D0D82387FC53B0

# Download a package and its signature (example: Ubuntu 24.04)
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.0.0/netleak_1.0.0_amd64_ubuntu-24.04.deb
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.0.0/netleak_1.0.0_amd64_ubuntu-24.04.deb.asc

# Verify the signature
gpg --verify netleak_1.0.0_amd64_ubuntu-24.04.deb.asc netleak_1.0.0_amd64_ubuntu-24.04.deb

Verify Package Checksums

# Download the checksums file and its signature
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.0.0/SHA256SUMS
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.0.0/SHA256SUMS.asc

# Verify the signature on the checksums
gpg --verify SHA256SUMS.asc SHA256SUMS

# Download a package (example: Ubuntu 24.04)
curl -LO https://github.com/MuriloChianfa/netleak/releases/download/v1.0.0/netleak_1.0.0_amd64_ubuntu-24.04.deb

# Verify the checksum
sha256sum -c SHA256SUMS --ignore-missing

Verify Container Image

# Get the image digest
docker pull ghcr.io/murilochianfa/netleak:1.0.0
docker inspect ghcr.io/murilochianfa/netleak:1.0.0 | grep -A 10 RepoDigests

📚 Quick Start

After installation, use netleak to route process traffic through specific interfaces:

# Route curl through a VPN interface
sudo netleak wg0 curl ifconfig.me

# Run a shell with all traffic through ppp0
sudo netleak ppp0 bash

# Everything launched from that shell uses ppp0
curl ifconfig.me  # shows ppp0's IP

# Other system processes remain unaffected
exit  # leave the netleak shell
curl ifconfig.me  # shows your real IP

Kill-switch in action:
When the target interface goes down, all packets from the process are dropped (no fallback to default route).

📖 Documentation

🐛 Known Issues

  • Requires Linux kernel 5.8+ with eBPF and cgroup v2 support
  • Requires root privileges (eBPF + cgroups + routing)
  • Container mode requires --privileged and --cgroupns=host

⚠️ Use Cases

  • VPN fail-safe: Prevent IP leaks when VPN disconnects
  • Per-app routing: Route specific applications through different interfaces
  • Testing: Verify application behavior with different network paths
  • Privacy: Ensure critical apps never use the default route

Full Changelog: v0.1.0...v1.0.0

v0.1.0

03 Jan 06:20
b5bb145

v0.1.0 Pre-release