Manjaro KDE user here.
I generally use a VPN (with NetworkManager), but I would like to bypass the VPN for certain applications, like online games. Is there some simple way to configure this?
Thanks
Not really.
If you are using the VPN system or network wide then nothing should be able to connect using anything other than the VPN. If it is possible ... then that's a problem with the VPN setup in general and would likely indicate a scenario in which using it is just a false sense of security.
The reason I thought this might be possible is that Virtualbox achieves this effect with a bridged adapter. You can have the VPN running on the host OS, and a direct connection to the ISP on the guest. They use the same physical network card but each appears to have its own network card, and has its own IP address.
Is there perhaps a sandboxing software that can achieve a similar effect but without the overhead of a virtual machine? I tried to do this with Firejail, but no luck.
Hi @Cappy,
I am currently looking into this as well. Although the reasons and the applications differ, I believe the wish is the same.
As far as I can tell, it is possible. It's called "Split tunneling", and it might be included in the software they provide.
Either that, or it can be achieved with the firewall, iptables or UFW or some such.
I apologize for not being able to give more information at the moment, but I am still researching and haven't set it up yet.
Thank you for sharing what you find
I also like the idea of having a private browser that uses the VPN, and another that has maximum download speed instead, where the use case calls for it. When I download a Linux ISO, I don't care whether my ISP knows.
Video conferencing is something else I'd like to be able to bypass a VPN for.
I imagine lots of people would like the ability to make a privacy/convenience trade-off on a per application basis.
The other way around is to use a proxy with certain apps
I never said it was impossible ... I said "not really" because the operative "simple" was included:
Yes, I see now, it is indeed not simple. In fact, I personally think it's rather advanced...
Someone that knows more than me can confirm/deny this, but, at least to me, one of the biggest challenges is that you can only do Policy based routing on IP addresses and not on host names/domain names. If there is a way, I have yet to come across it and someone that knows more than me is very welcome to enlighten me. Please and thank you.
If you're only looking to use the VPN on 1 PC look into fwmark. Or that's what I've found out. It allows you to mark certain packets with a label (I don't yet know how the packets are distinguished.) You can set up routing rules and tables according to those packets then.
Me? I'm looking to set up my Policy based routing on my server, so that it's applicable to every- and anyone that uses my network.
If anyone knows how to set a packet's fwmark based on the domain name, I'd be ever so glad if you could enlighten me.
If you're willing to maybe switch providers, Mullvad VPN offer split tunneling in their app at a click
I haven't signed up for it yet, but have decided who I want to use and, sadly, it's not Mullvad.
Maybe it's an option for @Cappy.
TBH - I'd like to do it with iptables/netfilter. For these plain and simple reasons:
There was a similar question in the old forum. My take on this was to use cgroups. Which still works quite well. There is a script available which works for me.
After much research and a LOT of reading, I have come to the conclusion that I don't really need Split tunneling. Or maybe I do, not sure yet, will have to test since it depends on whether my bank and the wife's bank will have a problem with the VPN.
I know it's stupid, but the reason I was thinking I needed to setup Split tunneling was so that I would still be able to access local network resources. And, I just realized that is very stupid, since my network is peer-to-peer, and the server doesn't route traffic for my local network. As long as the Pihole is before the internet for the DNS the server isn't doing the routing.
I might revisit this, depending on how the internet banking reacts to the VPN, but as for now, I think I'm good.
@Cappy, as far as I could tell, and this is after about a week's worth of solid research and reading, the best and easiest would be if you could use an app provided by a VPN provider, like @deesnook mentioned. I usually don't like those kinds of apps, preferring the more manual way, but for ease of use and convenience I do recommend them in certain scenarios. Like this one, for example.
I think split tunneling and accessing local network resources are two different pair of shoes. The Mullvad app has both options. If you want to try it, it's fairly easy, they have monthly payment plans (and no, I'm not affiliated in any way - after comparing a couple of VPN providers, I just found their linux app to be a lot better than those of other providers when it comes to ease of use)
I realised my mistake in thinking it necessary to set up split tunneling for this. I figured it's not necessary.
I have figured out that iptables can do string matching in its filters. So you can search for a string and apply a mark/fwmark (whichever you want to call it) and then use iproute2 to filter according to the fwmark/mark value.
I'll remember that for when I get mine, so that I can possibly set it up accordingly, if necessary for internet banking and so forth.
I've also seen netplan from Canonical. Which seems awesome. Especially since I love Ubuntu, so I'll give that a go as well.
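
The cgroup and fwmark approach discussed in this thread, sketched as an added example; it is not part of any post above and is not the script one poster refers to. It assumes cgroup v2, iptables with the `cgroup` match, and IPv4; the mark `0x2a`, table `4242`, cgroup name `novpn`, and the interface and gateway in the usage comment are constructed values.

```bash
#!/bin/sh
# Added example: per-application VPN bypass using cgroup v2 + fwmark + policy routing.
# MARK, TABLE and CGROUP are arbitrary values chosen for this sketch.
MARK=0x2a        # firewall mark set on packets from the bypass cgroup
TABLE=4242       # private routing table that holds the non-VPN default route
CGROUP=novpn     # cgroup v2 path, relative to /sys/fs/cgroup

# Print the root commands that set up the bypass via a physical interface.
# MASQUERADE rewrites the VPN source address the socket already picked;
# rp_filter=2 (loose mode) lets the replies back in on that interface.
novpn_plan() {
    if [ $# -ne 2 ]; then
        echo "usage: novpn_plan IFACE GATEWAY" >&2
        return 2
    fi
    cat <<EOF
mkdir -p /sys/fs/cgroup/$CGROUP
ip route replace default via $2 dev $1 table $TABLE
ip rule add fwmark $MARK lookup $TABLE priority 100
iptables -t mangle -A OUTPUT -m cgroup --path $CGROUP -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $1 -m mark --mark $MARK -j MASQUERADE
sysctl -w net.ipv4.conf.$1.rp_filter=2
EOF
}

# Print the commands that remove everything novpn_plan added.
novpn_undo() {
    [ $# -eq 1 ] || { echo "usage: novpn_undo IFACE" >&2; return 2; }
    cat <<EOF
iptables -t nat -D POSTROUTING -o $1 -m mark --mark $MARK -j MASQUERADE
iptables -t mangle -D OUTPUT -m cgroup --path $CGROUP -j MARK --set-mark $MARK
ip rule del fwmark $MARK lookup $TABLE priority 100
ip route flush table $TABLE
EOF
}

# Move a fresh shell into the cgroup, then replace it with the application,
# so the program runs as the normal user but its packets get marked.
novpn_run() {
    sh -c 'echo $$ | sudo tee "/sys/fs/cgroup/$0/cgroup.procs" >/dev/null && exec "$@"' \
        "$CGROUP" "$@"
}

# Direct use: ./novpn.sh plan eth0 192.168.1.1 | sudo sh -e
case "${1:-}" in
    plan) shift; novpn_plan "$@" ;;
    undo) shift; novpn_undo "$@" ;;
    run)  shift; novpn_run "$@" ;;
esac
```

Review the printed plan before piping it to a root shell. A VPN client's kill-switch firewall rules and DNS queries sent to the VPN's resolver are outside what this sketch changes.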