How to exclude programs from AirVPN (Eddie + Network lock + firejail) in Linux

[rootinthemood 0]

It seems i can't post in How To so I'll post here.
 

In this tutorial I will explain how to exclude individual programs while connected via the Eddie client and have the network lock active. I wanted to run steam without VPN so my latency was low for some competitive gaming, while my whole system was still connected and locked. For this to work we need firejail. Firejail can sandbox individual programs on it’s own with a lot of parameters.
 

Install firejail first.

 

We want a clean firewall state so disable network lock and flush the firewall.
To check it's clean run:

sudo iptables -nvL

 

If not clean run:

sudo iptables --flush

 

Now we want to save this state to a file.

sudo iptables-save -f /etc/firejail/iptables-save

 

You can now network lock again.

 

Make a bash script.

#!/bin/bash

firejail --noprofile \
--net=your_main_ethernet_interface \ 
--ip=ip_address_in_your_routers_subnet \
--defaultgw=router_ip \
--dns=dns_server_of_your_choice \
--dns=dns_server_of_your_choice \
--netfilter=/etc/firejail/iptables-save \
program_you_want_to_run

Save in /usr/bin/ and make executable.

chmod +x program

 

You can now run the bash script and your program will be excluded from the VPN and network lock.

Check with firejail --top to see if it is “jailed”.

You could also replace program_you_want_to_run  with $1 and name the script novpn or so. This would make it a lot more versatile. As you can now pas an argument with the script like so:

novpn firefox
novpn thunderbird
novpn steam-runtime

 

If you want to avoid a bash script and you want to directly run your program with firejail follow along.
This means if you run (in my case) steam-runtime directly, it will be firejailed.
If you do this you can delete the above bash script you made.

 

cp /usr/share/doc/fireail/profile.template  ~/.config/firejail/ 

Rename it to your_program.template

your_program should match the executable name you want to run. In my case steam-runtime.

 

Edit the file and comment out every include you see, so everything is commented out. And paste the text below as you see fit. Somewhere around “net” stuff would be my choice.
 

net your_main_ethernet_interface  
ip ip_address_in_your_routers_subnet 
defaultgw router_ip
dns dns_server_of_your_choice 
dns dns_server_of_your_choice 
netfilter /etc/firejail/iptables-save 

 

Make a symbolic link

 

sudo ln -s /usr/bin/firejail /usr/local/bin/your_program

 

And that’s It. Every time you run your_program it will be firejailed and outside of the vpn.

Check with firejail --top.

Edited ... by rootinthemood

[OpenSourcerer 1359]

That's actually something I wanted to test myself for some time now. Never got to experiment with that, so I'm glad there's a guide now. Thank you very much for the effort.
 

1 hour ago, rootinthemood said:

It seems i can't post in How To so I'll post here.

No one can post there. It's a section for tried and tested guides. Yours will be put there once people and AirVPN Staff successfully test it.

[Tristan66 0]

Thanks but, unfortunately, I'm using Windows 10. Regards, T66