Bypass VPN for one specific application?

Manjaro KDE user here.

I generally use a VPN (with NetworkManager), but I would like to bypass the VPN for certain applications, like online games. Is there some simple way to configure this?

Thanks :slight_smile:

Not really.
If you are using the VPN system or network wide then nothing should be able to connect using anything other than the VPN. If it is possible ā€¦ then thats a problem with the VPN setup in general and would likely indicate a scenario in which using it is just a false sense of security.

:frowning: The reason I thought this might be possible is that Virtualbox achieves this effect with a bridged adapter. You can have the VPN running on the host OS, and a direct connection to the ISP on the guest. They use the same physical network card but each appears to have its own network card, and has its own IP address.

Is there perhaps a sandboxing software that can achieve a similar effect but without the overhead of a virtual machine? I tried to do this with Firejail, but no luck.

1 Like

Hi @Cappy,

I am currently looking into this as well. Although the reasons and the spplications difffer, I believe the wish is the same.

As far as I can tell, it is possible. Itā€™s called ā€œSplit tunnelingā€, and it might be included in the software they provide.

Either that, or it can be achived wwith the fireewall, iptables or UFW or some such.

I apologize for not being ablr to give more information at the moment, but I am still researching and havenā€™t set it up yet.

Thank you for sharing what you find :slight_smile:

I also like the idea of having a private browser that uses the VPN, and another that has maximum download speed instead, where the use case calls for it. When I download a Linux ISO, I donā€™t care whether my ISP knows.

Video conferencing is something else Iā€™d like to be able to bypass a VPN for.

I imagine lots of people would like the ability to make a privacy/convenience trade-off on a per application basis.

The other way around is to use a proxy with certain apps :wink:

I never said it was impossible ā€¦ I said ā€˜not reallyā€™ because the operative ā€˜simpleā€™ was included:

Yes, I see now, it is indeed not simple. In fact, I personally think itā€™s rather advancedā€¦

Someone that knows more than me can confirm/deny this, but, at least to me, one of the biggest challenges is that you can only do Policy based routing on IP addresses and not on host names/domain names. If there is a way, I have yet to come across it and someone that knows more than me is very welcome to enlighten me. Please and thank you.

If youā€™re only looking to use the VPN on 1 PC look into fwmark. Or thatā€™s what Iā€™ve found out. It allowes you to mark certain packets with a label (I donā€™t yet know how the packets are distinguished.) You can set up routing rules and tables according to those packets then.

Me? Iā€™m looking to set up my Policy based routing on my server, so that itā€™s applicable to every- and anyone that uses my network.

If anyone knows how to set a packets fwmark based on the domain name, Iā€™d be ever so glad if you could enlighten me.

If youā€™re willing to maybe switch providers, Mullvad VPN offer split tunneling in their app at a click

I havenā€™'t signed up for it yet, but have decided who I want to use and, sadly, itā€™s not Mullvad.

Maybe itā€™s an option for @Cappy.

TBH - Iā€™d like to do it with iptables/netfilter. For these plain and simple reasons:

  1. I want to be able to say I did it. I donā€™t know anyone whoā€™s managed as of yet;
  2. trust. If I did it myself and something goes wrng, I cam blame only myself;
  3. trust. I donā€™t neccesarily trust even the providers. Yeah, Iā€™m that paranoid;
  4. my sever is 100% headless. And the new one Iā€™m sacing for will be as well. So I want it on startup, no clicks required.

There was a similar question in the old forum. My take on this was to use cgroups. Which still works quite good. There is a script available which works for me.

After much research and a LOT of reading, I have come to the conclusion that I donā€™t really need Split tunneling. Or maybe I do, not sure yet, will have to test since it depends on whether my bank and the wifeā€™s bank will have a problem with the VPN.

I know itā€™s stupid, but the reason I was thinking I needed to setup Split tunneling was so that I would still be able to access local network resources. And, I just realized that is very stupid, since my network is peer-to-peer, and the server doesnā€™t route traffic for my local network. As long as the Pihole is before the internet for the DNS the server isnā€™t doing the routing.

I might revisit this, depending on how the internet banking reacts to the VPN, but as for now, I think Iā€™m good.

@Cappy, as far as I could tell, and this is after about a weeks worth of solid research and reeading, the best and easiest would be if you could use an app provided by a VPN provider, like @deesnook mentioned. I usually donā€™t like those kinds of apps, prferring the more manual way, but for ease of use and convenience I do recommend them in certain scenarios. Like this one, for example.

I think split tunneling and accessing local network resources are two different pair of shoes. The Mullvad app has both options. If you want to try it, itā€™s fairly easy, they have monthly payment plans (and no, Iā€™m not affiliated in any way :wink: - after comparing a couple of VPN providers, I just found their linux app to be a lot better than those of other providers when it comes to ease of use)

I realised my mistake in thinking it necessary to set up split tunneling for this. I figured itā€™s not necessary.

I have figured out that iptables can do string matching in its filters. So you can search or a string and apply a mark/fwmark (whichever you want to call it) and then use iproute2 to filter according to the fwmark/mark value.

Iā€™m remember that for when I get mine, so that I can possibly set it up accordingly, if necessary for internet banking and so forth.

Iā€™ve also seen netplan from canonical. Which seems awesome. Especially since I love Ubuntu, so Iā€™ll give that a go as well.