How do I configure a Linux system so that all other processes send traffic through OpenVPN's tunnel, but a specific app bypasses it? The OpenVPN client and the specific process must share only one physical interface.
My Googling has led me to using Linux network namespaces, or using cgroups, iptables and policy routing. The first option should work if I have two physical interfaces, but I have only one, and if I bridge it to the virtual Ethernet device for the special namespace everything else dies. The second option requires iptables cgroup support, which is not available on my Red Hat, and I prefer a method that works on a vanilla system. Any other plans?
ALLurGroceries Vegan Vermin Super Moderator
If you want to keep a vanilla kernel then give one of these hacks a try:
http://superuser.com/a/241200
On a vanilla system, I don't think it's possible to have a specific process use a different connection unless you're using more than one "real" connection (WiFi cards, Ethernet cables, etc.). Your only connection to the Internet is through that OpenVPN connection when you connect to it (assuming only a single interface as per OP), which would mean that you have no unencrypted connection at that moment.
The only way I think it would be possible with a vanilla kernel would be if you had a script that broke the VPN connection and reconnected on an unencrypted network whenever the specified process makes a network-related call. Obviously, this would have a major impact on your computer's networking performance.
This traffic can be marked by iptables in order to have it handled by another routing table. For the traffic to be matched by iptables you can run the process within a special group.
Code:
# add group (to be used for iptables matching)
groupadd novpn
# add user to group (on Red Hat: usermod -a -G novpn yourusername)
adduser yourusername novpn
# set iptables rules (marking packets of novpn group)
iptables -t mangle -A OUTPUT -m owner --gid-owner novpn -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# add new routing table
echo "1 novpn.out" >> /etc/iproute2/rt_tables
# set new table (with standard interface wlan0 as default)
# (on an ordinary LAN this usually also needs "via <gateway IP>", otherwise
#  the kernel tries to ARP for every remote address on wlan0)
ip route add default dev wlan0 table novpn.out
# set new rule (matching the packets marked by iptables)
ip rule add fwmark 1 table novpn.out
# unset rp_filter (mandatory!?)
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
# start process within the group
sg novpn -c processname
In case that process only connects to exclusive networks (not used by others), you could alternatively just add a simple route for those.
Code:
ip route add 1.2.3.4/32 dev wlan0
Last edited: Mar 28, 2015
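A check worth running after applying the rules above (example added here, not code from the thread): `ip route get <dst> mark 1` shows where fwmark-1 traffic would leave, and the same lookup without the mark shows the path everything else takes. It assumes the answer's names (mark 1, wlan0) plus tun0 as the OpenVPN device; the sample lookup outputs are constructed.

```sh
#!/bin/sh
# Verify mark-based split routing: marked (novpn) traffic must exit via the
# physical device, unmarked traffic must still enter the tunnel.

# Print the "dev <iface>" value from one `ip route get` result passed as $1.
route_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# $1 = unmarked lookup output, $2 = marked lookup output,
# $3 = LAN device, $4 = tunnel device.
# Prints "ok", "vpn-bypass:<dev>" (default path escaped the VPN) or
# "mark-ignored:<dev>" (the fwmark rule/table is not taking effect).
check_split() {
    unmarked=$(route_dev "$1")
    marked=$(route_dev "$2")
    if [ "$unmarked" != "$4" ]; then
        echo "vpn-bypass:$unmarked"; return 1
    fi
    if [ "$marked" != "$3" ]; then
        echo "mark-ignored:$marked"; return 1
    fi
    echo ok
}

# Live check on the real host (run after the setup from the answer).
# 192.0.2.1 is a TEST-NET address used only as a lookup key; no packet is sent.
live_check() {
    dst=${1:-192.0.2.1}
    check_split "$(ip route get "$dst" 2>/dev/null)" \
                "$(ip route get "$dst" mark 1 2>/dev/null)" wlan0 tun0
}

# Constructed sample outputs (assumed OpenVPN subnet 10.8.0.0/24, LAN 192.168.1.0/24)
# so the logic can be exercised without root or an active VPN.
SAMPLE_UNMARKED='192.0.2.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000
    cache'
SAMPLE_MARKED='192.0.2.1 via 192.168.1.1 dev wlan0 table novpn.out src 192.168.1.20 mark 1 uid 1000
    cache'

check_split "$SAMPLE_UNMARKED" "$SAMPLE_MARKED" wlan0 tun0
# On the target machine: live_check
```

If the answer's `ip rule add fwmark 1 ...` is missing, the marked lookup still lands on tun0 and the check reports `mark-ignored:tun0`.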
How do I make a specific process NOT going through a OpenVPN connection?
Discussion in 'Linux Compatibility and Software' started by Mr.Koala, Mar 17, 2015.