Can I allow an application to bypass the network lock? (Linux)

[msbntt 0]

I have tried to search but have not found a clear answer to the question in the title.

 

What I would ideally like to do is have a second firefox profile that can browse outside of the vpn (for netflix and the occasional other site) while leaving the vpn connection and network lock active for every other application on the computer.

I currently use QubesOS to achieve this (and other things), but I am looking to move to another distribution while still having the feature above.

 

I do not care if Eddie is used for the network lock or if I need to use iptables directly (or some other way), I just do not have the knowledge to work it out myself from scratch.

I would be happy with a method to let certain sites bypass the network lock, but I understand that netflix makes this very difficult or impossible to do.

 

I have seen information regarding forcing certain applications to use the vpn while the rest of the system does not, but I do not believe those methods can be used the other way around (I do not understand enough to be sure though).

 

Link to the only post I can find again on the subject - https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398

 

Thank you to anyone who can help (even if it is to say it can not be done any easier than using Qubes after all)

[corrado 100]

If you are ok with not using the official client: I have written an OpenVPN/WireGuard frontend that has among its features the possibility to route applications outside the VPN tunnel. It's called Qomui. See my post on Airvpn forums and my github repository for details.

[msbntt 0]

Oh, that is brilliant, thank you.

 

I had actually seen your thread not long after you posted it, but had completely forgotten and it did not show up with my search terms. I will almost definitely use Qomui for this, at least at first, but your reference for how you achieve the bypass may also be very useful.

 

In the time since posting this thread I discovered that there is a possibility of making this work using firejail as well, but I do not know if I could have managed it (if I am right about it being possible).

 

Thank you again, corrado

[corrado 100]

My solution is based on cgroups which allows marking packets from applications within a cgroup in order to route them differently, i.e. bypass the vpn. The readme on my GitHub Page contains additional information and links that explain the concept and implementation in more detail.

[NaDre 154]

Yes. cgroups are a good mechanism. But I have never said anything about them for a couple of reasons:

1) When I first posted my suggestions, the stable version of Debian did not have support for cgroups. I did not think most folks here would want to follow instructions to upgrade their kernel. I did not want to do it myself even though I knew how,
 

2) Even when the kernel supports cgroups, I think for many folks here getting something with cgroups working would be a stretch. I think many folks here are not really technical and don't want to be.

 

I have tried to stick to explaining how to do things for yourself. Even when I post sample scripts, I generally emphasize that they are just meant as examples and that I don't promise to support them. I might disappear one day. I notice that pfSense_fan seems to be gone. All they did was write a guide, and yet their departure seems to have left some people hanging.

 

I don't mean this as a criticism of corrado. I just thought this might be a good point at which to make a pitch for learning how to do things for yourself just using the basic facilities of the OS.

 

EDIT:

 

Firefox is a bit of a problem when you want to split off browser track. You cannot tell it to bind to an IP address.

 

I start up SQUID bound to the non-default interface I want to use, and then have a Firefox profile point to SQUID as an HTTP proxy. But a description of how to set that up might be as difficult to follow as a description of how to run a browser instance in a cgroup that routes to the non-default interface.

 

You can also tell SQUID to use a DNS resolver that is not in /etc/resolv.conf though. While using a cgroup (http://man7.org/linux/man-pages/man7/cgroups.7.html ) with iptables (http://man7.org/linux/man-pages/man8/iptables-extensions.8.html ) can let you route traffic out a specific interface, I think you would need to also use the "unshare" command (http://man7.org/linux/man-pages/man1/unshare.1.html ) to redirect to an alternate resolv.conf. Or am I wrong? With DNS thrown in, maybe my SQUID approach is less complicated.

[corrado 100]

 

Yes. cgroups are a good mechanism. But I have never said anything about them for a couple of reasons:

 

1) When I first posted my suggestions, the stable version of Debian did not have support for cgroups. I did not think most folks here would want to follow instructions to upgrade their kernel. I did not want to do it myself even though I knew how,

 

2) Even when the kernel supports cgroups, I think for many folks here getting something with cgroups working would be a stretch. I think many folks here are not really technical and don't want to be.

 

I have tried to stick to explaining how to do things for yourself. Even when I post sample scripts, I generally emphasize that they are just meant as examples and that I don't promise to support them. I might disappear one day. I notice that pfSense_fan seems to be gone. All they did was write a guide, and yet their departure seems to have left some people hanging.

 

I don't mean this as a criticism of corrado. I just thought this might be a good point at which to make a pitch for learning how to do things for yourself just using the basic facilities of the OS.

 

Yes, it's always good to learn how do things yourself. That was actually my starting point for writing Qomui, to bring a number of little scripts I had gathered and written together. The other one being the frustration that not many VPN providers out there properly support GNU/Linux - most offer a bunch of config files and let you figure out the other stuff yourself. This is a problem for anyone that is "not really technical". Airvpn's Eddie is a welcome exception but when I first subscribed i had some issues with it. To anyone interested in creating a cgroup solution for bypassing the VPN, you will find most of the relevant code in Qomui's bypass.py.

 

You can also tell SQUID to use a DNS resolver that is not in /etc/resolv.conf though. While using a cgroup (http://man7.org/linux/man-pages/man7/cgroups.7.html ) with iptables (http://man7.org/linux/man-pages/man8/iptables-extensions.8.html ) can let you route traffic out a specific interface, I think you would need to also use the "unshare" command (http://man7.org/linux/man-pages/man1/unshare.1.html ) to redirect to an alternate resolv.conf. Or am I wrong? With DNS thrown in, maybe my SQUID approach is less complicated.

 

You are right. Another way to approach this is to redirect DNS traffic to another port and use dnsmasq.