Currently I am using a VPN (done by Bitmask) to go on the internet. But I would like to set it up so that two applications access the internet directly. Is there a way to do that?
```
$ sudo ip6tables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N bitmask
-A OUTPUT -j bitmask
-A bitmask -d fe80::/64 -o wlp3s0 -j ACCEPT
-A bitmask -d ff05::c/128 -o wlp3s0 -p udp -m udp --dport 1900 -j RETURN
-A bitmask -d ff02::fb/128 -o wlp3s0 -p udp -m udp --dport 5353 -j RETURN
-A bitmask -p tcp -j REJECT --reject-with icmp6-port-unreachable
-A bitmask -p udp -j REJECT --reject-with icmp6-port-unreachable
```
```
$ ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 303190  bytes 23045786 (23.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 303190  bytes 23045786 (23.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.41.0.18  netmask 255.255.248.0  destination 10.41.0.18
        inet6 fe80::7b5f:9d91:701e:c55  prefixlen 64  scopeid 0x20<link>
        inet6 2001:db8:123::1010  prefixlen 64  scopeid 0x0<global>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 2419226  bytes 2916699759 (2.9 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1562458  bytes 208828031 (208.8 MB)
        TX errors 0  dropped 107 overruns 0  carrier 0  collisions 0

wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.147  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::b43f:cba:ab11:d9a8  prefixlen 64  scopeid 0x20<link>
        ether 24:0a:64:da:d6:eb  txqueuelen 1000  (Ethernet)
        RX packets 6908650  bytes 3525833381 (3.5 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 7751152  bytes 7915813822 (7.9 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```
```
$ iwconfig
tun0      no wireless extensions.

lo        no wireless extensions.

enp4s0    no wireless extensions.

wlp3s0    IEEE 802.11  ESSID:"ZTE_C5959A"
          Mode:Managed  Frequency:2.462 GHz  Access Point: FC:2D:5E:C5:95:9A
          Bit Rate=52 Mb/s   Tx-Power=15 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=47/70  Signal level=-63 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:6  Invalid misc:62   Missed beacon:0
```
This is possible using network namespaces.
Network namespaces allow separate IP addresses, routing tables, socket listings, connection tracking tables, firewalls and other network-related resources.
At least for VPN solutions like Layer 3 SSH, OpenVPN and WireGuard, since they use a virtual interface to route VPN traffic.
In this simplified example the computer has two interfaces, eth0 and eth1, both with DHCP internet access.
Connect to the VPN.
In a terminal:

```
sudo ip netns add not-vpn            # create new network namespace
sudo ip link set eth1 netns not-vpn  # put eth1 in new namespace
sudo ip netns exec not-vpn bash      # enter new namespace with a shell
dhclient eth1                        # get a DHCP IP for the moved interface
curl icanhazip.com                   # curl will return your non-VPN public IP
```

In another terminal:

```
curl icanhazip.com
```

curl will return your VPN public IP, assuming that your VPN is configured to route all traffic through it by default.
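A script that packages the steps from this answer, added here as an example and not part of the original answer. It goes slightly beyond the answer: it brings up `lo` inside the namespace, gives the namespace its own resolver file (`/etc/netns/<name>/resolv.conf`, which `ip netns exec` bind-mounts over `/etc/resolv.conf`), and runs the application as the invoking user rather than root. The interface name `eth1`, the resolver address and the function names are assumptions; `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: run chosen applications outside the VPN in their own
# network namespace. Assumes a second wired interface (eth1), dhclient,
# sudo, and that the setup verbs are run as root.
set -eu

NS="${NS:-not-vpn}"       # namespace name, as in the answer above
IFACE="${IFACE:-eth1}"    # interface that leaves the VPN'd root namespace
DNS="${DNS:-9.9.9.9}"     # a resolver reachable outside the VPN (assumption)

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Create the namespace, move the interface in, and get it an address.
# The new namespace starts with empty firewall tables, so the 'bitmask'
# ip6tables chain that rejects non-VPN IPv6 in the root namespace does
# not cover anything run here.
setup_namespace() {
    run ip netns add "$NS"
    run ip netns exec "$NS" ip link set lo up   # lo starts down in a new ns
    run ip link set "$IFACE" netns "$NS"
    run ip netns exec "$NS" ip link set "$IFACE" up
    run ip netns exec "$NS" dhclient "$IFACE"
}

# Per-namespace resolv.conf, so DNS here does not depend on the VPN resolver.
setup_dns() {
    run mkdir -p "/etc/netns/$NS"
    run sh -c "echo 'nameserver $DNS' > /etc/netns/$NS/resolv.conf"
}

# Run one application in the namespace, dropping back to the invoking user.
run_outside() {
    run ip netns exec "$NS" sudo -u "${SUDO_USER:-${USER:-$(id -un)}}" -- "$@"
}

# Confirm the split: public IP inside the namespace must differ from the
# VPN public IP seen in the root namespace (needs network access).
check_split() {
    inside=$(ip netns exec "$NS" curl -s icanhazip.com)
    outside=$(curl -s icanhazip.com)
    [ -n "$inside" ] && [ "$inside" != "$outside" ]
}

case "${1:-}" in
    up)    setup_dns; setup_namespace ;;
    run)   shift; run_outside "$@" ;;
    check) check_split ;;
    *)     : ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Typical use: `sudo ./split.sh up`, then `sudo ./split.sh run firefox` for each application that should bypass the VPN, and `sudo ./split.sh check` to confirm the two paths really differ.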
You can add a route for those two applications so they connect directly to the IP address you want (with the wireless card as the interface and your router as the gateway), and all other traffic goes through the VPN (add a default route whose interface is set to your VPN interface, which is shown in `ifconfig`, set your gateway to your router, and remove the previous one). You can simply add a new route with this instruction

PS: After you turn off your VPN you can't access the internet because of your new default route, so your VPN should always be on, or you have to write back the previous default route that you removed before.