Use VPN connection only for selected applications

44

33

I have access to a VPN and want to use it only for some applications, not all.

For example:
If I connect to a VPN I want only the applications Opera and Newsbin to use that VPN connection. All other applications, e.g. Outlook, should use the normal internet connection (while the VPN is connected/open).

AFAIK this isn't possible, but I'm not totally sure, so my question is: is it doable?

user18861

Posted 2011-06-07T12:51:27.323

Reputation: 3

related: Disable VPN for a given process/application – slhck – 2011-06-07T12:54:09.247

Answers

-1

No it isn't. Well, not using normal means. Routing is routing. Routing operates lower down the OSI model. What you need to happen is for it to be aware at the application level (higher up) so it can detect what program you are using etc. NORMAL routers do not allow you to configure routes based on applications or port numbers.

I think it is possible though. Routers can see ports so you can filter them by port number and send the traffic out different routes. I am sure I read something a while ago about Cisco routers that can do this. They don't come cheap though and they are business routers which require a lot of config, and I'm guessing you want something simple for home use.

In summary it is the router that would need this feature, and your bog standard ones for home use, even business ones, don't support these features. Only the advanced line of Cisco and SonicWalls offer these capabilities.

Mucker

Posted 2011-06-07T12:51:27.323

Reputation: 787

37

It is possible to accomplish this, at least on Linux (and I'm thinking on BSD and OS X as well). You can do so by:

  • Create an extra user for all VPN traffic.
  • Create an extra routing table with 1 default route via the VPN.
  • Configure Netfilter through iptables to use the other routing table for all traffic originating from a specific User ID.
  • Run the applications that should use the VPN under their own user. For example with 'sudo'.

There are scripts for accomplishing the above steps here or there is another guide here.

Here is a detailed guide for routing Transmission via a VPN (using a VPN server that you own).

Freeaqingme

Posted 2011-06-07T12:51:27.323

Reputation: 479
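The four steps above as one script, added here as an example; it is not one of the scripts the answer links to. Everything named in it is an assumption you adjust to your own system: the dedicated account `vpnonly`, the tunnel interface `tun0` (already brought up by your VPN client), routing table `100`, fwmark `0x1`, and the `nologin` path. It goes one step further than the answer by adding a kill switch (the dedicated user may only talk to `lo` and the tunnel, over IPv4, and not at all over IPv6), so that if the tunnel drops the application fails instead of silently using the normal connection. With no argument it only prints what it would do; `--apply` runs the commands as root; `--run PROGRAM` starts a program as the VPN-only user.

```shell
#!/bin/sh
# Added example: per-user policy routing on Linux following the answer's four steps.
# All names below are assumptions (account, interface, table id, mark), not values from the page.
set -eu

VPN_USER=${VPN_USER:-vpnonly}   # step 1: dedicated account whose traffic must use the VPN
VPN_IF=${VPN_IF:-tun0}          # tunnel interface the VPN client has already brought up
TABLE=${TABLE:-100}             # step 2: id of the extra routing table
MARK=${MARK:-0x1}               # step 3: fwmark stamped on packets owned by $VPN_USER

# Print the commands that implement the setup, one per line, for review (default) or
# execution (--apply). Order matters: the two ACCEPT rules must precede the REJECT.
vpn_plan() {
    cat <<EOF
id $VPN_USER >/dev/null 2>&1 || useradd --system --no-create-home --shell /usr/sbin/nologin $VPN_USER
ip route replace default dev $VPN_IF table $TABLE
ip rule del fwmark $MARK table $TABLE 2>/dev/null || true
ip rule add fwmark $MARK table $TABLE priority 1000
iptables -t mangle -A OUTPUT -m owner --uid-owner $VPN_USER -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -o $VPN_IF -m mark --mark $MARK -j MASQUERADE
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -o $VPN_IF -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $VPN_USER -j REJECT
ip6tables -A OUTPUT -m owner --uid-owner $VPN_USER ! -o lo -j REJECT
sysctl -q -w net.ipv4.conf.all.rp_filter=2 net.ipv4.conf.$VPN_IF.rp_filter=2
EOF
}
# Notes on the plan:
# - the MARK rule tags the user's packets and the ip rule sends tagged packets to table $TABLE,
#   whose only route is the tunnel; MASQUERADE rewrites the source address to the tunnel's,
#   because the kernel picked the LAN address before the mark was applied
# - rp_filter is relaxed to "loose" so replies arriving on the tunnel are not dropped
# - the REJECT rules are the kill switch: nothing from $VPN_USER leaves except via the tunnel

# Step 4: run a program as the VPN-only user (GUI programs additionally need X/Wayland access
# for that user, which is outside this example).
vpn_run() {
    sudo -u "$VPN_USER" -H "$@"
}

# Self-check used before applying: how many rules in the plan act on the dedicated user.
vpn_plan_owner_rules() {
    vpn_plan | grep -c -e '--uid-owner'
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
        vpn_plan | while IFS= read -r cmd; do
            printf '+ %s\n' "$cmd"
            sh -c "$cmd"
        done ;;
    --run) shift; vpn_run "$@" ;;
    *) vpn_plan ;;   # dry run: show what would be done without touching the system
esac
```

Two caveats the answer's step list does not mention: the dedicated user's DNS queries follow the same mark into the tunnel, so `/etc/resolv.conf` must name a resolver reachable through the VPN or lookups will fail; and the table's default route must be (re)created every time the tunnel comes up, which is easiest from the VPN client's up script. To verify, compare the public address a program started with `--run` reports against one started from your normal account.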

Much easier on Linux: Create a network namespace, connect VPN to that namespace, run applications that should use the namespace in the VPN. You can even run two copies of the same application, one using the VPN and one using the direct connection. – dirkt – 2019-09-12T14:53:26.940

@dirkt I don't know if it is the best solution but it works great as a SOCKS proxy by using an SSH tunnel to an LXC container connected to an OpenVPN server: https://askubuntu.com/questions/703905/unable-to-open-sites-with-https-when-connected-through-openvpn/1206914#1206914 Related: https://superuser.com/questions/263360/openvpn-client-as-socks-5-server

– baptx – 2020-01-30T21:48:33.383

14

You could use the Windows Firewall to accomplish this (provided you are using Win 7 or Vista) - I wrote a guide on this

  1. Connect to your VPN as you normally would.

  2. Open the Network and Sharing Center - right-click on the Internet connection icon in the taskbar and choose "Open Network and Sharing Center" (see below)

  3. You should see (at least) two networks listed under "View Your Active Networks" - your VPN connection and one called "Network" - a.k.a. your ISP Connection. Ensure that your VPN is a "Public Network", and your ISP connection is "Home Network". If you need to change either connection, click it and an option window will appear (see below).

  4. Go to the Control Panel and click System and Security (see below).

  5. In the resulting window, click Windows Firewall (see below).

  6. In the Windows Firewall window, click Advanced Settings on the left pane (see below). Note: You must be logged in as an Administrator to make changes to the Firewall Settings.

  7. You should see a window titled Windows Firewall with Advanced Security. In this window, click Inbound Rules (see below).

  8. On the right pane, you will see an option for a New Rule. Click it (see below).

  9. In the New Inbound Rule Wizard (which should appear), do the following:

    • Choose Program and click Next.

    • Choose the program you wish to block all traffic to except on the VPN connection, and click Next.

    • Choose Block the Connection.

    • Tick Domain and Private. Make sure Public is left unticked.

  10. Repeat Step 9 for Outbound Rules.

pramble

Posted 2011-06-07T12:51:27.323

Reputation: 157

Does this actually answer the question? Yes, this stops the app from working if it isn't on the VPN, but all traffic still goes over the VPN does it not? – Jason Coyne – 2015-04-20T20:33:33.563

@pramble So does all traffic still go through the vpn? – nsij22 – 2015-05-08T21:47:05.507

Appears to work. Just tested it. – Faiz – 2017-12-11T07:08:09.917

This doesn't fix it. This is a very simple scenario. I want all my work-related stuff to go over the VPN (SQL Server connections, Slack, etc.), but I want my web browser (Facebook, Soundcloud, etc., basically all port 80 traffic) to NOT go over the VPN. Windows sucks if this isn't possible. – Triynko – 2018-01-08T19:09:03.417

@Triynko Your scenario is way different from the scenario OP asked for. After connecting to the VPN you can just set the corresponding routes to your work-related stuff, i.e., use the VPN gateway for all work-related subnets or IPs.

Routing traffic originating from specific applications is more difficult to achieve. – speakr – 2019-07-25T08:17:10.817

Yeah this answer is opposite to what was asked by OP. I need to allow only a specific application to use a VPN network. – Nakilon – 2020-02-09T10:34:58.697

5

I've done this on Windows. The idea is to bind the outgoing network packets to the VPN's interface. People suggest ForceBindIP for this, but thanks to this answer I got the idea to use a proxy. The downside of this method is that either your apps have to have proxy support or you'll have to use a proxifier (see here and here). The upside is that this way you'll be able to limit the use of the VPN in the browser to specific domains using FoxyProxy or similar add-ons.

I use 3proxy in SOCKS mode and bind its external interface to the VPN's IP. OpenVPN is used for the VPN connection.

In my .ovpn file (client, dev tun) I've added these lines:

route-nopull
route 0.0.0.0 0.0.0.0 vpn_gateway
pull-filter ignore "dhcp-option DNS "
script-security 2
up 'c:\path\to\up.cmd'
down 'c:\path\to\down.cmd'

route-nopull to ignore routes pushed from the server. In your case you might need to comment out redirect-gateway instead.

route to add a route for this interface; without this line it won't be used even if the app is bound to it.

pull-filter to preserve pushed DNS that otherwise will be dropped by route-nopull together with the pushed routes. This option is supported starting with OpenVPN 2.4; if you have to stick with OpenVPN 2.3 (latest release for Windows XP), you'll have to add two dhcp-option DNS x.x.x.x lines with hardcoded IPs instead.

script-security 2 to allow scripting.

up script:

REM change to the directory the script lives in, so the config and 3proxy.exe are found
cd %~dp0
REM no space before ">" so the values are written without a trailing blank
echo auth none> 3proxy-openvpn.conf
echo internal 127.0.0.1>> 3proxy-openvpn.conf
REM OpenVPN passes the tunnel's local IP as the 4th argument (%4) to the up script
echo external %4>> 3proxy-openvpn.conf
echo socks>> 3proxy-openvpn.conf
REM run 3proxy in the background without opening a new window
start /b 3proxy.exe 3proxy-openvpn.conf

down script:

taskkill /f /im 3proxy.exe

Thus, after you connect to the VPN using this config, the 3proxy.exe process will be started and a localhost-only SOCKS5 proxy with DNS resolution capability will run on port 1080; now just configure your app to use the localhost:1080 SOCKS proxy.

user

Posted 2011-06-07T12:51:27.323

Reputation: 853

I am getting Options error: option 'route' cannot be used in this context ([PUSH-OPTIONS]) and Options error: option 'redirect-gateway' cannot be used in this context ([PUSH-OPTIONS]). Nonetheless, this solution works. If you skip the apostrophes for the down and up script, use double backslashes: c:\\path\\to\\script – chx – 2018-01-16T14:42:32.687

Ingenious, thanks for sharing. – W.M. – 2019-12-27T18:27:47.540

4

You can do it with network namespaces on GNU/Linux.

Here's how to run OpenVPN and a single application in a separate namespace:

Create the network namespace:

ip netns add myvpn

Start the loopback interface in the namespace (otherwise many things don't work as expected…)

ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
ip netns exec myvpn ip link set lo up

Create virtual network interfaces that will let OpenVPN (in the namespace) access the real network, and configure the interface in the namespace (vpn1) to use the interface outside the namespace (vpn0) as its default gateway.

ip link add vpn0 type veth peer name vpn1
ip link set vpn0 up
ip link set vpn1 netns myvpn up
ip addr add 10.200.200.1/24 dev vpn0
ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1

Enable IPv4 routing and NAT for the interface in the namespace. As my default interface is a wireless one, I use wl+ (which may match wlan0, wlp3s0, etc.) in iptables for the outgoing interface; if you use a wired interface you should probably use en+ (or br+ for a bridged interface)

iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o wl+ -j MASQUERADE
sysctl -q net.ipv4.ip_forward=1

Configure the nameserver to use inside the namespace

mkdir -p /etc/netns/myvpn
echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf

Almost done; now we should have full network access in the namespace.

ip netns exec myvpn ping www.google.com

Finally start OpenVPN in the namespace

ip netns exec myvpn openvpn --config /etc/openvpn/myvpn.conf

Once tun0 is up in the namespace, you're ready to start the program you wanted!

while ! ip netns exec myvpn ip a show dev tun0 up; do sleep .5; done
ip netns exec myvpn sudo -u $MYSELF popcorntime

SOURCE article.

Also there is a wrapper script in the source article you can adapt for your needs.

PocketSam

Posted 2011-06-07T12:51:27.323

Reputation: 269
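The recipe above packaged as up/down/run functions, added here as an example; it is not the wrapper script from the answer's source article. It keeps the answer's names (namespace `myvpn`, veth pair `vpn0`/`vpn1`, `10.200.200.0/24`, uplink pattern `wl+`, config `/etc/openvpn/myvpn.conf`) and assumes a constructed placeholder `VPN_SERVER`/`VPN_PORT` for your server. It adds one thing the answer lacks: a kill switch inside the namespace, so the only traffic allowed out through `vpn1` is the OpenVPN session itself and everything else must go through `tun0`. Because of that rule, `remote` in the client config should be an IP address (name resolution through `vpn1` is blocked), and the answer's pre-tunnel `ping` check no longer applies. `down` tears everything down, including the NAT rules the answer leaves behind.

```shell
#!/bin/sh
# Added example, not from the answer or its source article: the namespace recipe as
# up/down/run commands with a per-namespace kill switch. VPN_SERVER is a constructed placeholder.
set -eu

NS=${NS:-myvpn}
HOST_VETH=vpn0; NS_VETH=vpn1
HOST_IP=10.200.200.1; NS_IP=10.200.200.2; NS_NET=10.200.200.0/24
OUT_IF=${OUT_IF:-wl+}                   # uplink pattern for NAT; en+ for wired, br+ for a bridge
VPN_SERVER=${VPN_SERVER:-198.51.100.7}  # constructed TEST-NET-2 address; use your server's IP
VPN_PORT=${VPN_PORT:-1194}
VPN_PROTO=${VPN_PROTO:-udp}
OVPN_CONF=${OVPN_CONF:-/etc/openvpn/myvpn.conf}
NS_DNS=${NS_DNS:-8.8.8.8}

# Setup commands, one per line. The four "iptables" lines inside the namespace are the kill
# switch: loopback and the tunnel are open, the veth only carries the OpenVPN session itself.
ns_up_plan() {
    cat <<EOF
ip netns add $NS
ip netns exec $NS ip addr add 127.0.0.1/8 dev lo
ip netns exec $NS ip link set lo up
ip link add $HOST_VETH type veth peer name $NS_VETH
ip link set $HOST_VETH up
ip link set $NS_VETH netns $NS up
ip addr add $HOST_IP/24 dev $HOST_VETH
ip netns exec $NS ip addr add $NS_IP/24 dev $NS_VETH
ip netns exec $NS ip route add default via $HOST_IP dev $NS_VETH
iptables -A INPUT ! -i $HOST_VETH -s $NS_NET -j DROP
iptables -t nat -A POSTROUTING -s $NS_NET -o $OUT_IF -j MASQUERADE
sysctl -q net.ipv4.ip_forward=1
mkdir -p /etc/netns/$NS
printf 'nameserver %s\n' $NS_DNS > /etc/netns/$NS/resolv.conf
ip netns exec $NS iptables -A OUTPUT -o lo -j ACCEPT
ip netns exec $NS iptables -A OUTPUT -o tun+ -j ACCEPT
ip netns exec $NS iptables -A OUTPUT -o $NS_VETH -d $VPN_SERVER -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
ip netns exec $NS iptables -A OUTPUT -o $NS_VETH -j REJECT
ip netns exec $NS openvpn --daemon --config $OVPN_CONF
EOF
}

# Teardown: kill what runs in the namespace, delete it (this also removes both veth ends),
# and remove the host-side rules and the per-namespace resolv.conf.
ns_down_plan() {
    cat <<EOF
ip netns pids $NS | xargs -r kill
ip netns del $NS
iptables -D INPUT ! -i $HOST_VETH -s $NS_NET -j DROP
iptables -t nat -D POSTROUTING -s $NS_NET -o $OUT_IF -j MASQUERADE
rm -rf /etc/netns/$NS
EOF
}

# Wait until tun0 is up inside the namespace, then run the program there as the invoking
# (non-root) user. The flag list looks like <POINTOPOINT,...,UP,LOWER_UP>; match UP exactly.
ns_run() {
    user=${SUDO_USER:-$(id -un)}
    while ! ip netns exec "$NS" ip -o link show dev tun0 2>/dev/null | grep -q '[<,]UP[,>]'; do
        sleep 0.5
    done
    ip netns exec "$NS" sudo -u "$user" -H "$@"
}

# Execute a plan line by line, echoing each command first.
apply_plan() { while IFS= read -r cmd; do printf '+ %s\n' "$cmd"; sh -c "$cmd"; done; }

case "${1:-}" in
    up)   ns_up_plan | apply_plan ;;
    down) ns_down_plan | apply_plan ;;
    run)  shift; ns_run "$@" ;;
    *)    ns_up_plan ;;   # no argument: print the setup plan without touching the system
esac
```

Usage (as root): `./vpnns.sh up`, then `./vpnns.sh run firefox` from your own session; `./vpnns.sh down` when finished. Since the kill switch rejects rather than drops, a program whose tunnel has vanished gets an immediate error instead of a hang, which is the failure mode you want to notice.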

1

If you're on Linux, and you use OpenVPN, VPNShift works beautifully.

thouliha

Posted 2011-06-07T12:51:27.323

Reputation: 193

Please do not post the same answer to multiple questions. If the same information really answers both questions, then one question (usually the newer one) should be closed as a duplicate of the other. You can indicate this by voting to close it as a duplicate or, if you don't have enough reputation for that, raise a flag to indicate that it's a duplicate. Otherwise tailor your answer to this question and don't just paste the same answer in multiple places.

– DavidPostill – 2018-07-12T17:20:40.193

Is the fact that it's "the same answer to multiple questions" so important? The question exists, it's not (yet) flagged as duplicate, and it's a good answer, so it deserves to exist. Thanks @thouliha. – Ronan Jouchet – 2018-10-19T12:34:39.957

0

Just access the VPN through a virtual machine.

  1. Create a VM, then from inside the VM...
  2. Install the 'selected' applications
  3. Configure the VPN

Use the 'selected' applications from the VM instead of using them from the host machine.

P.S. You need to give network access to the VM through the host machine, of course.

drowa

Posted 2011-06-07T12:51:27.323

Reputation: 111

This just mentions an approach already described in detail in other answers. – fixer1234 – 2018-01-16T03:46:49.033

@fixer1234: Nobody mentioned virtual machines. – drowa – 2018-01-16T03:49:53.757

Can you expand your answer into something more actionable (explain the how)? See the other answers on the thread for an idea of the level of detail. Just providing a hint for a direction to pursue would go in a comment, which requires a little more rep. – fixer1234 – 2018-01-16T04:05:21.000

I've tried a comment first but the system didn't allow me because I have less than 50 points. I will try to expand the answer then. – drowa – 2018-01-16T04:08:39.863

This is the idea I came up with, and it works fine, without any complicated routing configuration on the sysadmin side. – pwned – 2019-08-26T08:03:48.310

0

I know this is a way late reply that I just ran across, but in case it's ever relevant to someone, I had the same circumstance where I wanted to run my work traffic through the VPN but didn't want my personal traffic routed through their proxy servers and such. So I was running Win7 back then but they were still running WinXP on a lot of their systems. Eventually they just gave me a 2nd PC to run for work which resolved the issue (a switchbox hooked to both PCs, could just jump back and forth) but prior to this I ran a Virtual XP that I set up as my work OS... I would VPN in from said VM to connect to work, which would leave my personal OS traffic free of the work restrictions and spying.

Warren Colvett

Posted 2011-06-07T12:51:27.323

Reputation: 1