Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
VPN only for specific processes?
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Aitikin
Apprentice
Apprentice


Joined: 14 May 2005
Posts: 214

PostPosted: Sun Apr 22, 2018 12:38 am    Post subject: VPN only for specific processes? Reply with quote

I'm trying to configure my subscription VPN to handle traffic from one or two processes, but I'm having a hard time coming up with a solution. Has anyone here done this and/or have any tips for it? I've looked into a few guides, but my routing skills aren't as good as they used to be (never were great to begin with!). This seemed the most promising, but I get lost with IPTables:

http://www.evolware.org/?p=369

Any help would be greatly appreciated!

Cheers!
_________________
"it's like sex, except over ssh" ~Valkura

"I should go to bitch, I get up at 6:20" ~Valkura
Back to top
View user's profile Send private message
szatox
Veteran
Veteran


Joined: 27 Aug 2013
Posts: 1717

PostPosted: Sun Apr 22, 2018 3:28 pm    Post subject: Reply with quote

Can you make that process bind to a particular IP*?
If you can, there is that handy things called "multiple routing tables". You can create another table by adding a line in /etc/iproute2/rt_tables, add a default route to that new table (iproute add default via <internal IP of VPN server> table <your custom table name>), and add a selector for that table (something like ip rule add src <bound IP> table <your custom table name> )
And just make sure your VPN doesn't hijack the default route from main routing table.
This way things talking over IP attached to VPN will use custom routing table (directing all traffic over VPN), and all the rest would default to main routing table directing traffic outside of VPN.

* Perhaps you could also create another user for that process, mark packets with iptables (based on matching user) and use this mark as a rule for iproute. Should work, but never tried this one myself.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 13490

PostPosted: Sun Apr 22, 2018 4:59 pm    Post subject: Reply with quote

I prefer using network namespaces for this purpose. Create a virtual Ethernet pair device. Create a new network namespace. Move one half of the veth pair into the namespace. Configure the namespace to treat its veth device as a gateway, so all traffic not otherwise routed goes back to the host. Configure the main system to treat the veth device as if it were a LAN client (so, bridge or NAT, as you prefer). Run the VPN client program in the namespace. Run VPN-using programs in the namespace. Run non-VPN-using programs outside the namespace.

This should be enough to get you started researching how to do this. Post back if you need more details.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum