It is not supported at the moment. I guess we also need to bring the programs handling the tun (or tap) interface into the sandbox, just a guess. We'll try to fix it.
Expected behavior:
firejail --interface=tun4 --noprofile --dns=85.214.20.141 /bin/bash
would create a sandbox with network traffic going through the tun interface until tun is torn down or something
Actual behavior: the tun does get brought into sandbox, but no traffic can go through the tun interface (nothing can be pinged, curled or wget from inside
I am aware of #59 but thought that it only applies to --net= option.
P.S.:
I suspect that the result I want (traffic to/from the sandbox goes only through a particularly named tun (tun4) interface, applications outside the sandbox remain unaffected and don't go through that particular tun4 interface) can probably be achieved via a combination of static routes, iptables rules and a bridged interface (analogously to "routed bridge interfaces" from the firejail tutorial), but I am not sure how to achieve that.
I am not very good with routing, and an environment with >1 tun interface (each set up automatically) is a bit above my Linux knowledge (in fact, I wanted to use firejail as an "easy" substitute for actually setting up the correct routes).