Jump to content
Not connected, Your IP: 3.135.205.181
lpav

Split tunneling for applications

Recommended Posts

Eddie seems to support only per-route split tunneling, which is only useful for corporate/private networks imo.
Is there a practical way to achieve per-app tunneling in Linux? If not, is this on the roadmap?

The solution proposed in this forum before (https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Linux-without-VPN-as-Default-Gateway) is not very practical, since most applications don't provide an interface binding option.

Thanks
 

Share this post


Link to post
4 hours ago, lpav said:

... since most applications don't provide an interface binding option.

Thanks
 


Many, many do. It is not always obvious. All of the torrent clients listed there certainly do. You may have go into a configuration file though.

Browsers generally don't. For browsers, you can run the SQUID HTTP proxy bound to the VPN interface, and then have the browser use SQUID. Other programs can also be told to use an HTTP proxy. I have added a sample script to run SQUID bound to the VPN interface at the end if that wiki page at github.

I have forced an application to bind to an IP address  using NFT (the Linux Firewall). But it is complicated because you have to make the application run in a cgroup so that the firewall rules can identify the traffic. I don't have anything handy as an example. I generally just use the method in the next paragraph.

There are also programs floating around that use the LD_PRELOAD environment variable to intercept calls to connect, send, bind, listen, etc.. I have some source for my own LD_PRELOAD intercept program which I could share. It has code for tracing because sometimes I have needed to modify it for specific applications.

Either way, some programs have such complex behavior (e.g. Plex) that it is really hopeless to modify their behavior.

You could also look into setting up a "network name space" to run the application in. I have done this from scratch using "unshare" a few times. Some people (not me) use Docker or such to do this.
 

Share this post


Link to post

Thank you for your input. These are interesting approaches, but I expect to have leaks on the long run. Good for educational purposes however.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...