rated 0 times [  0] [ 0]  / answers: 1 / hits: 2964  / 3 Years ago, sun, june 20, 2021, 3:18:08

I want to do the following (if it's possible):


Have 1 browser (say Firefox) as normal - all traffic uses my VPN.
Have another browser (say Chrome) where all traffic bypasses the VPN.


I have already set up a PC with a VPN using OpenVPN and I understand how to add static routes so that access to specific IP addresses will bypass the VPN.


I thought what I want to do may be possible by setting up a (Squid) proxy server which routes all traffic outside of the VPN, and then configure the Chrome browser to use that proxy server. Unless there is a better/easier way?


But I do not know how to accomplish this and configure Squid/routes despite doing a lot of reading and experimenting (I am not a network expert), nor have I been able to find any resource to tell me how (or if it's possible).


Any help or links to information appreciated.



 Answers
5

Thanks for all the ideas and comments so far. I have not (yet) got firejail to work with the VPN active (@Anonymous's suggestion). But I followed up on the suggestion linked by @ofirule, specifically this answer, to use control groups.


That answer has a link to a complete shell script to do everything automatically but I wanted to do things manually at least to start with so I could follow along and make sure I knew exactly what I was changing. So, following the Manual HowTo there I will post below exactly what I did for anyone else.


Note that my network interface is named enp0s31f6 and my gateway IP is 192.168.0.1. I think those are the only two specific things that may need changing for others following this:


# Install required tools
sudo apt-get install cgroup-lite cgroup-tools

sudo su

# Define a control group named novpn with a classid of 11:11
cd /sys/fs/cgroup/net_cls
mkdir novpn
cd novpn
echo 0x00110011 > net_cls.classid

# Add mark 11 on packets of classid 0x00110011
iptables -t mangle -A OUTPUT -m cgroup --cgroup 0x00110011 -j MARK --set-mark 11

# Force the packets to exit through my interface (enp0s31f6) with NAT
iptables -t nat -A POSTROUTING -m cgroup --cgroup 0x00110011 -o enp0s31f6 -j MASQUERADE

# Define a new "novpn" routing table
echo 11 novpn >> /etc/iproute2/rt_tables

# Packets with mark 11 will use novpn
ip rule add fwmark 11 table novpn

# Add a route for default gateway for novpn
ip route add default via 192.168.0.1 table novpn

# Unset reverse path filtering for all interfaces
# My PREVIOUS VALUES: lo was 0, others (all, default, enp0s31f6) were 2 in case I need to revert back.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$i"; done

exit

# Create control group
sudo cgcreate -t $USER:$USER -a $USER:$USER -g net_cls:novpn

# Run app on specific novpn interface (close all browser windows first)
killall firefox
cgexec -g net_cls:novpn firefox

I don't (yet) fully understand all the above but it works! :-) Running firefox via the cgexec command I can check my IP in firefox with the VPN active and can see it reports my actual public IP not the VPN IP. I also proved this method works by running a radio streaming service which was having issues working with the VPN - it now works absolutely fine bypassing the VPN.


[#2917] Sunday, June 20, 2021
raacket
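
To check that the bypass from the answer above is in place, and to see which processes are currently using it, a small audit script along these lines can help. It is an added example, not part of the original answer: the function names are made up here, and the classid, mark and table name are the ones the answer uses.

```shell
#!/bin/sh
# Audit the "novpn" split-tunnel setup. Values below are the ones used in the answer;
# the function names are made up for this example.
CLASSID_HEX=0x00110011   # written to net_cls.classid
MARK=11                  # decimal mark set by iptables and matched by ip rule
TABLE=novpn

# The kernel reports net_cls.classid in decimal, so convert before comparing.
classid_matches() {      # $1 = contents of net_cls.classid
    [ "$1" = "$(($CLASSID_HEX))" ]
}

# `ip rule show` prints the mark in hex (11 -> 0xb). stdin = its output.
rule_present() {
    want=$(printf '0x%x' "$MARK")
    grep -Eq "fwmark $want lookup $TABLE *\$"
}

# Print the device of the default route. stdin = `ip route show table novpn`.
route_dev() {
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# List "PID name" for every process in the cgroup; children of a cgexec'd
# program inherit membership, so they bypass the VPN too.
bypassing_procs() {      # $1 = cgroup.procs path, $2 = proc root (default /proc)
    while read -r pid; do
        comm="${2:-/proc}/$pid/comm"
        [ -r "$comm" ] && printf '%s %s\n' "$pid" "$(cat "$comm")"
    done < "$1"
    return 0
}

audit_live() {           # needs the iproute2 `ip` tool
    cg=/sys/fs/cgroup/net_cls/$TABLE
    classid_matches "$(cat "$cg/net_cls.classid")" || echo "WARN: classid differs"
    ip rule show | rule_present || echo "WARN: no fwmark $MARK rule for $TABLE"
    echo "default route in $TABLE leaves via: $(ip route show table "$TABLE" | route_dev)"
    echo "processes currently bypassing the VPN:"
    bypassing_procs "$cg/cgroup.procs"
}

if [ "${1:-}" = "--live" ]; then audit_live; fi
```

Run it with `--live` while the VPN is up; the device printed for the default route should be the physical interface (enp0s31f6 in the answer), not the VPN tunnel device.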
