The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    How do I make a specific process NOT go through an OpenVPN connection?

    Discussion in 'Linux Compatibility and Software' started by Mr.Koala, Mar 17, 2015.

  1. Mr.Koala

    Mr.Koala Notebook Virtuoso

    How do I configure a Linux system so that all other processes send traffic through OpenVPN's tunnel, but a specific app bypasses it? The OpenVPN client and the specific process must share a single physical interface.

    My Googling has led me to using Linux network namespaces, or using cgroups, iptables and policy routing. The first option should work if I have two physical interfaces, but I have only one, and if I bridge it to the virtual ethernet for the special namespace everything else dies. The second option requires iptables cgroup support, which is not available on my Red Hat, and I prefer a method that works on a vanilla system. Any other plans?
     
  2. ALLurGroceries

    ALLurGroceries  Vegan Vermin Super Moderator

  3. Jarhead

    Jarhead 恋の♡アカサタナ

    On a vanilla system, I don't think it's possible to have a specific process use a different connection unless you're using more than one "real" connection (WiFi cards, Ethernet cables, etc.). Your only connection to the Internet is through that OpenVPN connection when you connect to it (assuming only a single interface as per OP), which would mean that you have no unencrypted connection at that moment.

    The only way I think it would be possible with a vanilla kernel would be if you had a script that broke the VPN connection and reconnected on an unencrypted network whenever the specified process makes a network-related call. Obviously, this would have a major impact on your computer's networking performance.
     
  4. uberbook

    uberbook Notebook Enthusiast

    Not quite. VPN traffic is routed through a virtual tunnel interface (e.g. tun0). You can still route traffic through your standard device directly:

    This traffic can be marked by iptables in order to have it handled by another routing table. For the traffic to be matched by iptables you can run the process within a special group.
    Code:
    # physical interface and LAN gateway used for the bypass (adjust to your network)
    LAN_IF=wlan0
    GW=192.168.1.1
    
    # add group (to be used for iptables matching)
    groupadd novpn
    
    # add user to group (usermod also works on Red Hat, where adduser is just useradd)
    usermod -aG novpn yourusername
    
    # set iptables rules (marking packets of novpn group)
    iptables -t mangle -A OUTPUT -m owner --gid-owner novpn -j MARK --set-mark 1
    # the socket picked the tun0 address before the re-route, so rewrite the
    # source address to the LAN interface's address on the way out
    iptables -t nat -A POSTROUTING -o $LAN_IF -j MASQUERADE
    
    # add new routing table (only once; rt_tables must not get duplicate entries)
    grep -q novpn.out /etc/iproute2/rt_tables || echo "1       novpn.out" >> /etc/iproute2/rt_tables
    
    # set new table (default via the LAN gateway; a bare "dev wlan0" route has no
    # next hop and only reaches on-link destinations)
    ip route add default via $GW dev $LAN_IF table novpn.out
    
    # set new rule (matching the packets marked by iptables)
    ip rule add fwmark 1 table novpn.out
    
    # unset rp_filter: replies arrive on wlan0 while the main table would route the
    # peer via tun0, so strict reverse-path filtering drops them (2 = loose also works)
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
    
    # start process within the group
    sg novpn -c processname
    
    I haven't tested this, so it might need a little tweaking, but you get the idea.


    In case that process only connects to exclusive networks (not used by others), you could alternatively just add a simple route for those.
    Code:
    # replace 192.168.1.1 with your LAN gateway; without "via" the host is treated as on-link
    ip route add 1.2.3.4/32 via 192.168.1.1 dev wlan0
    
     
    Last edited: Mar 28, 2015
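    A self-check for the fwmark bypass described in the post above, added here as an example and not part of the thread: it parses `ip route get` output (constructed sample lines stand in for live lookups) and reports whether marked traffic leaves via the LAN interface while unmarked traffic still leaves via the tunnel. Interface names, table name and mark value are assumptions taken from the post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the post's names: VPN on tun0,
# LAN on wlan0, fwmark 1, bypass table "novpn.out".
VPN_IF=tun0
LAN_IF=wlan0
MARK=1

# Print the egress device named in the first line of `ip route get` output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the routing table named in the line, or "main" when none is shown.
route_table() {
    printf '%s\n' "$1" | awk '{ t = "main"; for (i = 1; i < NF; i++) if ($i == "table") t = $(i+1); print t; exit }'
}

# Return 0 when unmarked traffic uses the tunnel and marked traffic uses the
# LAN interface through the bypass table; return 1 on a leak in either direction.
check_split() {
    u_dev=$(route_dev "$1"); m_dev=$(route_dev "$2"); m_tbl=$(route_table "$2")
    if [ "$u_dev" != "$VPN_IF" ]; then
        echo "LEAK: unmarked traffic leaves via $u_dev, not $VPN_IF" >&2; return 1
    fi
    if [ "$m_dev" != "$LAN_IF" ] || [ "$m_tbl" != "novpn.out" ]; then
        echo "BYPASS BROKEN: marked traffic leaves via $m_dev (table $m_tbl)" >&2; return 1
    fi
    echo "OK: unmarked -> $u_dev, mark $MARK -> $m_dev (table $m_tbl)"
}

# Constructed samples in the shape `ip route get DST` and `ip route get DST mark 1` print.
SAMPLE_UNMARKED='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000'
SAMPLE_MARKED='1.1.1.1 via 192.168.1.1 dev wlan0 table novpn.out src 192.168.1.50 mark 1 uid 1000'
# Constructed: what a missing `ip rule` looks like, marked traffic still enters the tunnel.
SAMPLE_LEAKING='1.1.1.1 via 10.8.0.1 dev tun0 src 10.8.0.2 mark 1 uid 1000'

# On a live system replace the samples with real lookups:
#   check_split "$(ip route get 1.1.1.1)" "$(ip route get 1.1.1.1 mark $MARK)"
main() {
    check_split "$SAMPLE_UNMARKED" "$SAMPLE_MARKED"
    check_split "$SAMPLE_UNMARKED" "$SAMPLE_LEAKING" || echo "(leak in sample detected as expected)"
}
main "$@"
```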
  5. uberbook

    uberbook Notebook Enthusiast

    mods, please delete double post
     
    Last edited: Mar 28, 2015
  6. uberbook

    uberbook Notebook Enthusiast

    mods, please delete double post
     
    Last edited: Mar 28, 2015