How do I make a specific process NOT go through an OpenVPN connection?

Discussion in 'Linux Compatibility and Software' started by Mr.Koala, Mar 17, 2015.

Thread Status:
Not open for further replies.
  1. Mr.Koala
    How do I configure a Linux system so that all other processes send traffic through OpenVPN's tunnel, but a specific app bypasses it? The OpenVPN client and the specific process must share only one physical interface.

    My Googling has led me to using Linux network namespaces, or using cgroups, iptables and policy routing. The first option should work if I have two physical interfaces, but I have only one, and if I bridge it to the virtual ethernet for the special namespace everything else dies. The second option requires iptables cgroup support, which is not available on my Red Hat, and I prefer a method that works on a vanilla system. Any other plans?
     
  2. ALLurGroceries
  3. Jarhead
    On a vanilla system, I don't think it's possible to have a specific process use a different connection unless you're using more than one "real" connection (WiFi cards, Ethernet cables, etc.). Your only connection to the Internet is through that OpenVPN connection when you connect to it (assuming only a single interface as per OP), which would mean that you have no unencrypted connection at that moment.

    The only way I think it would be possible with a vanilla kernel would be if you had a script that broke the VPN connection and reconnected on an unencrypted network whenever the specified process makes a network-related call. Obviously, this would have a major impact on your computer's networking performance.
     
  4. uberbook
    Not quite. VPN traffic is routed through a virtual tunnel interface (e.g. tun0). You can still route traffic through your standard device directly:

    This traffic can be marked by iptables in order to have it handled by another routing table. For the traffic to be matched by iptables you can run the process within a special group.
    Code:
    # add group (to be used for iptables matching)
    groupadd novpn
    
    # add user to group (usermod -aG works on Red Hat as well as Debian;
    # "adduser user group" is Debian-only)
    usermod -aG novpn yourusername
    
    # set iptables rules (marking packets of novpn group)
    iptables -t mangle -A OUTPUT -m owner --gid-owner novpn -j MARK --set-mark 1
    # source NAT: the socket has already picked the tunnel address as its source
    # (main table lookup), so rewrite it to wlan0's address when leaving wlan0
    iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    
    # add new routing table (only once; ip looks the name up in this file)
    grep -q novpn.out /etc/iproute2/rt_tables || echo "1       novpn.out" >> /etc/iproute2/rt_tables
    
    # set new table (with standard interface wlan0 as default); on a broadcast
    # interface such as wlan0 the default route needs the LAN gateway, so put
    # yours here (the address below is a placeholder)
    GW=192.0.2.1
    ip route add default via $GW dev wlan0 table novpn.out
    
    # set new rule (matching the packets marked by iptables)
    ip rule add fwmark 1 table novpn.out
    
    # unset rp_filter (mandatory!?): strict mode would drop replies arriving
    # on wlan0, because the main table routes their peer via tun0
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
    
    # start process within the group
    sg novpn -c processname
    
    I haven't tested this, so it might need a little tweaking but you get the idea.


    In case that process only connects to exclusive networks (not used by others) you could alternatively just add a simple route for those.
    Code:
    ip route add 1.2.3.4/32 dev wlan0
    
     
    Last edited: Mar 28, 2015
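As an added check (not part of the thread or the poster's recipe): the helpers below parse captured output of iptables -t mangle -S OUTPUT, ip rule show, ip route show table novpn.out and sysctl to confirm that the mark, the rule, the table's default route and rp_filter in the recipe above agree with each other. The values (mark 1, table novpn.out, group novpn, wlan0) come from the recipe; the gateway 192.0.2.1 and the sample outputs are constructed, and the live variant assumes root.

```shell
#!/bin/sh
# Added check for the fwmark/policy-routing bypass recipe above (not the
# poster's code). Helpers take captured command output so they run offline.
MARK=1; TABLE=novpn.out; GROUP=novpn; IFACE=wlan0

# $1 = output of `iptables -t mangle -S OUTPUT`: is $GROUP traffic marked $MARK?
# (iptables prints the mark as --set-mark N or --set-xmark 0xN/0xffffffff)
has_mark_rule() {
    printf '%s\n' "$1" |
        grep -Eq -- "--gid-owner $GROUP .*-j MARK --set-x?mark (0x)?$MARK(/|$| )"
}

# $1 = output of `ip rule show`: is fwmark $MARK looked up in $TABLE?
has_fwmark_rule() {
    printf '%s\n' "$1" | grep -Eq "fwmark 0x$MARK lookup $TABLE( |$)"
}

# $1 = output of `ip route show table $TABLE`: does its default route leave $IFACE?
has_bypass_default() {
    printf '%s\n' "$1" | grep -Eq "^default (via [0-9.]+ )?dev $IFACE( |$)"
}

# $1 = output of `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.$IFACE.rp_filter`:
# strict reverse-path filtering (value 1) would drop the replies coming back on $IFACE
rp_filter_off() {
    ! printf '%s\n' "$1" | grep -Eq "rp_filter = 1$"
}

# All four pieces present and consistent? 0 = bypass wired up, 1 = something is off.
check_bypass() {
    has_mark_rule "$1" && has_fwmark_rule "$2" && has_bypass_default "$3" && rp_filter_off "$4"
}

# Live variant (needs root): collect the real state and evaluate it.
check_bypass_live() {
    check_bypass "$(iptables -t mangle -S OUTPUT)" "$(ip rule show)" \
        "$(ip route show table "$TABLE")" \
        "$(sysctl net.ipv4.conf.all.rp_filter "net.ipv4.conf.$IFACE.rp_filter")"
}

# Constructed samples: a correct setup, and an ip rule that uses the wrong mark.
GOOD_IPT='-A OUTPUT -m owner --gid-owner novpn -j MARK --set-xmark 0x1/0xffffffff'
GOOD_RULE='32765: from all fwmark 0x1 lookup novpn.out
32766: from all lookup main'
BAD_RULE='32765: from all fwmark 0x2 lookup novpn.out'
GOOD_ROUTE='default via 192.0.2.1 dev wlan0'
GOOD_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.wlan0.rp_filter = 0'
if check_bypass "$GOOD_IPT" "$GOOD_RULE" "$GOOD_ROUTE" "$GOOD_SYSCTL"; then echo "sample: ok"; fi
if ! check_bypass "$GOOD_IPT" "$BAD_RULE" "$GOOD_ROUTE" "$GOOD_SYSCTL"; then echo "sample: mark mismatch detected"; fi
```

Run check_bypass_live as root after applying the recipe; a non-zero exit means one of the four pieces is missing or uses a different mark, table or interface than the others.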
  5. uberbook
    mods, please delete double post
     
    Last edited: Mar 28, 2015