Aitikin (Apprentice)
Joined: 14 May 2005, Posts: 227
Posted: Sun Apr 22, 2018 12:38 am
Post subject: VPN only for specific processes?
I'm trying to configure my subscription VPN to handle traffic from one or two processes, but I'm having a hard time coming up with a solution. Has anyone here done this and/or have any tips for it? I've looked into a few guides, but my routing skills aren't as good as they used to be (never were great to begin with!). This seemed the most promising, but I get lost with IPTables:
http://www.evolware.org/?p=369
Any help would be greatly appreciated!
Cheers!
_________________
"it's like sex, except over ssh" ~Valkura
"I should go to bitch, I get up at 6:20" ~Valkura
szatox (Advocate)
Joined: 27 Aug 2013, Posts: 3135
Posted: Sun Apr 22, 2018 3:28 pm
Can you make that process bind to a particular IP*?
If you can, there is that handy thing called "multiple routing tables". You can create another table by adding a line in /etc/iproute2/rt_tables, add a default route to that new table (ip route add default via <internal IP of VPN server> table <your custom table name>), and add a selector for that table (something like ip rule add src <bound IP> table <your custom table name>).
And just make sure your VPN doesn't hijack the default route from main routing table.
This way things talking over IP attached to VPN will use custom routing table (directing all traffic over VPN), and all the rest would default to main routing table directing traffic outside of VPN.
* Perhaps you could also create another user for that process, mark packets with iptables (based on matching user) and use this mark as a rule for iproute. Should work, but never tried this one myself.
Hu (Moderator)
Joined: 06 Mar 2007, Posts: 21630
Posted: Sun Apr 22, 2018 4:59 pm
I prefer using network namespaces for this purpose. Create a virtual Ethernet pair device. Create a new network namespace. Move one half of the veth pair into the namespace. Configure the namespace to treat its veth device as a gateway, so all traffic not otherwise routed goes back to the host. Configure the main system to treat the veth device as if it were a LAN client (so, bridge or NAT, as you prefer). Run the VPN client program in the namespace. Run VPN-using programs in the namespace. Run non-VPN-using programs outside the namespace.
This should be enough to get you started researching how to do this. Post back if you need more details.
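The namespace setup Hu outlines, written out as an added example script (not code from the thread or from any of its posters). The namespace name "vpn", the veth names, the 10.200.1.0/24 subnet and the "eth0" uplink are assumptions; it uses the NAT variant, needs root to apply, and with DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example: isolate the VPN client and selected programs in their own
# network namespace so the host's main routing table is never touched.
# All names/addresses below are assumptions; override them via environment.
set -eu

NS=${NS:-vpn}                      # namespace name (assumed)
HOST_IF=${HOST_IF:-veth-host}      # host end of the veth pair (assumed)
NS_IF=${NS_IF:-veth-vpn}           # namespace end of the veth pair (assumed)
HOST_IP=${HOST_IP:-10.200.1.1}     # host-side address, gateway for the namespace
NS_IP=${NS_IP:-10.200.1.2}         # namespace-side address
PREFIX=${PREFIX:-24}
SUBNET="10.200.1.0/$PREFIX"
WAN_IF=${WAN_IF:-eth0}             # host uplink used for NAT (assumed)
DRY_RUN=${DRY_RUN:-0}

# Echo the command when DRY_RUN=1, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

setup_vpn_ns() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/$PREFIX" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    # Inside the namespace: address, loopback, and a default route back to the host.
    run ip netns exec "$NS" ip addr add "$NS_IP/$PREFIX" dev "$NS_IF"
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
    # Host side: treat the namespace like a LAN client behind NAT.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$WAN_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -o "$HOST_IF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Run a program inside the namespace. Start the VPN client this way first;
# the default route it installs then exists only inside the namespace.
in_vpn() { run ip netns exec "$NS" "$@"; }

case "${1:-}" in
    setup) setup_vpn_ns ;;
    run)   shift; in_vpn "$@" ;;
esac
```

Programs started with "./script run <cmd>" see only the VPN's routes; everything started normally keeps using the host's routing table. If the namespace needs its own resolvers, place a resolv.conf in /etc/netns/vpn/ so ip netns exec picks it up.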