I want one application to use a VPN connection while others do not.
I'm using Xubuntu (thus XFCE) but I'd like a command line / static configuration solution if it's possible.
Is it possible to accomplish it, and if so how?
Once I wanted to do this and I ran the application in a virtual machine (I like VirtualBox) and configured the guest OS instance so all its traffic was entirely VPN-routed. Arguably rather overkill, but it means you worry a lot less about whether all the app's (and anything it's spawned) packets are actually being routed as you wanted. Modern VMs' seamless-window and shared-folder capabilities mean using the app in a VM can be fairly painless too.
The easiest way would be to use a VPN that can expose itself as a SOCKS server; then any of the SOCKS wrapping tools (e.g. tsocks) could do that.
Otherwise iptables could be made to do it by using packet marking and then using that mark for path selection.
If it's just to one specific destination, that's easily accomplished by having the VPN only add the relevant route for that and no other.
Of course, if it's just one app I'd be trying to make it use SSL so no VPN is needed at all.
If the application you need to use is only connecting to a specific address (i.e. an RDP session to a work machine), you could use the routing table to force that destination's traffic to go over the VPN link, or use iptables as suggested.
You can try playing with the iptables "owner" module if you can make the application in question run as a particular user (man iptables, search for "owner") and think of what you can do starting from that. I do not have a ready solution, nor do I remember the syntax beyond that it uses the --uid-owner command line option. The solution proposed by timday (have the application running in a guest instance with openvz, xen or virtualbox) should also work, but if you can go for it, you probably can restrict the process in question to a particular user.
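As an added example (not from any of the answers on this page), the owner-match plus packet-marking approach sketched in the two answers above, combined into one POSIX sh script. The user name "vpnonly", the VPN interface tun0, the fwmark 0x1 and routing table 100 are assumed placeholders; it only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Route everything one Unix user does through the VPN: iptables owner match
# marks the packets, a policy-routing rule sends marked packets to a table whose
# only route is the tunnel. Placeholders (assumed): user vpnonly, tun0, 0x1, 100.
APP_USER="${APP_USER:-vpnonly}"
VPN_IF="${VPN_IF:-tun0}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print commands, 0 = apply them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Mark every packet generated by a process running as APP_USER
#    (--uid-owner accepts a user name or a numeric uid).
add_marking() {
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$APP_USER" \
      -j MARK --set-mark "$MARK"
}

# 2. Marked packets consult TABLE, whose only route is the VPN interface.
#    A point-to-point tun needs no gateway; a tap device would need 'via <gw>'.
add_policy_route() {
  run ip rule add fwmark "$MARK" lookup "$TABLE"
  run ip route add default dev "$VPN_IF" table "$TABLE"
}

# 3. The socket chose its source address before the mark existed, so packets
#    would leave tun0 with the LAN address; rewrite them to the tunnel address.
add_source_nat() {
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -m mark --mark "$MARK" -j MASQUERADE
}

# 4. Leak protection: if the tunnel drops, this user's traffic is refused rather
#    than silently falling back to the default route (loopback stays allowed).
add_kill_switch() {
  run iptables -A OUTPUT -m owner --uid-owner "$APP_USER" -o lo -j ACCEPT
  run iptables -A OUTPUT -m owner --uid-owner "$APP_USER" ! -o "$VPN_IF" -j REJECT
}

# 5. Replies arrive on tun0 from sources the main table routes elsewhere; strict
#    reverse-path filtering (rp_filter=1) drops them. The kernel applies
#    max(conf.all, conf.<iface>), so both are set to loose mode (2); note this
#    also relaxes the check on your other interfaces.
relax_rp_filter() {
  run sysctl -w net.ipv4.conf.all.rp_filter=2 "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

setup_split_tunnel() {
  add_marking; add_policy_route; add_source_nat; add_kill_switch; relax_rp_filter
}

setup_split_tunnel   # afterwards start the app with: sudo -u "$APP_USER" <command>
```

The application's DNS lookups are marked too, so a LAN-only resolver will become unreachable for that user; point it at a resolver reachable through the tunnel.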
Are all the resources needed by the custom app on the same network (subnet)? If you could put the resources needed by your custom app on a network by themselves and then use a trunking VPN, it would be easy, as the only resource over the VPN link would be the custom app. So only traffic for that application would go through the VPN, and all other traffic would go out in the clear.
If you're using IPSEC you should be able to add a security policy that matches a specific TCP or UDP port. For Xubuntu you'd have to install ipsec-tools and put something like
in /etc/ipsec-tools.conf. The (totally made-up, untested) example above forces traffic to TCP port 4000 through the VPN.