openvpn-gui
Split tunneling per program
I'd like to bypass VPN connection for certain programs.
Hi,
On Wed, Nov 27, 2019 at 08:29:33AM -0800, azumukupoe wrote:
> I'd like to bypass VPN connection for certain programs.
Not possible on Windows, and not a question for the GUI part anyway.
gert
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
It is possible to some extent in Windows.
For example, Remote Desktop IP Virtualization: http://www.virtualizationblog.com/why-we-need-remote-desktop-services-ip-virtualization/
Every RDP user can use his own IP. However, such a mode requires some investigation into how it will interoperate with TAP (or, nowadays, WinTun) adapters, and how the routing table will be constructed.
Hi,
On Wed, Nov 27, 2019 at 09:27:09AM -0800, Ilya Shipitsin wrote:
> It is possible to some extent in Windows.
> For example, Remote Desktop IP Virtualization: http://www.virtualizationblog.com/why-we-need-remote-desktop-services-ip-virtualization/
> Every RDP user can use his own IP. However, such a mode requires some investigation into how it will interoperate with TAP (or, nowadays, WinTun) adapters, and how the routing table will be constructed.
Distinct IP addresses do not make per-application VPN rules, unless you force the application to use specific IP addresses (only) and construct proper source-dependent IP addresses.
gert
Gert Doering - Munich, Germany [email protected]
> Not possible on Windows

However, hide.me and AmanVPN have a working application split tunneling feature on Windows.
Hi,
On Sat, Dec 03, 2022 at 07:01:10AM -0800, Roman ???????????????? wrote:
> > Not possible on Windows
>
> However, hide.me and AmanVPN have a working application split tunneling feature on Windows.
Well, in that case the original statement needs to be rephrased to "we don't know how they do that, and nobody has written code for OpenVPN yet to do that".
gert
Gert Doering - Munich, Germany @.***
I found out that Windscribe can do "per application split tunneling" with the user's OpenVPN configs. I fed it some random ovpn config from vpngate, and Windscribe (current is 2.5.17) connected successfully and splitting works.
Also, there is a WireGuard implementation of split tunneling in the project https://github.com/TunnlTo/desktop-app
They are probably using a custom callout driver for the Windows Filtering Platform to do bind redirection as described here: https://learn.microsoft.com/en-us/windows-hardware/drivers/network/using-bind-or-connect-redirection

If anyone is ready to devote the time to implement and maintain the code, we'll welcome patches for such a "per app split-tunneling".

As filtering using WFP would require privileged access, this may have to go into a service running as SYSTEM (preferably a new service) that the GUI can interact with. Direct hooking to or from OpenVPN core would not be required.
Proton VPN desktop client for Windows has this feature and it works like a charm. Here is the link to their repo: https://github.com/ProtonVPN/win-app. I hope someday someone could bring this feature to OpenVPN client.
In the proton VPN repository, there's
> Callout driver
>
> The kernel-mode driver "ProtonVPN Callout Driver" is used for redirecting socket bindings when Split Tunnel is enabled and preventing DNS leak by sending SERVFAIL response packet for DNS requests which were made from other interfaces than Proton VPN uses.
>
> The driver is installed as a system service. It is started when connecting to VPN and stopped when disconnecting by Proton VPN Service.
and the whole thing is GPL-3 - so if someone has time and energy, this would certainly be an interesting read.
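The DNS-leak part of the README text quoted above (answering an off-tunnel DNS request with SERVFAIL) can be illustrated in user-mode C. This is an added example, not code from the Proton VPN driver or from OpenVPN; the function names and the sample query are constructed for illustration, and it assumes a plain single-question query with no name compression.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DNS_HDR_LEN 12
#define RCODE_SERVFAIL 2
/* Constructed sample: query id 0x1a2b, RD set, one question "example.com" A IN. */
static const uint8_t sample_query[] = {
    0x1a, 0x2b, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01
};

/* Returns the offset just past the first question, or 0 if it is malformed. */
static size_t question_end(const uint8_t *p, size_t len)
{
    size_t off = DNS_HDR_LEN;
    while (off < len && p[off] != 0) {
        if (p[off] > 63)            /* pointer or oversized label: reject */
            return 0;
        off += (size_t)p[off] + 1;  /* skip length byte plus label */
    }
    if (off >= len || len - off < 5) /* root label + QTYPE + QCLASS */
        return 0;
    return off + 5;
}

/* Writes a SERVFAIL reply for query q into out; returns its length, 0 on reject. */
size_t make_servfail(const uint8_t *q, size_t qlen, uint8_t *out, size_t cap)
{
    if (qlen < DNS_HDR_LEN || (q[2] & 0x80))  /* too short, or already a response */
        return 0;
    if (q[4] != 0 || q[5] != 1)               /* exactly one question expected */
        return 0;
    size_t end = question_end(q, qlen);
    if (end == 0 || end > cap)
        return 0;
    memcpy(out, q, end);                      /* echo ID, QDCOUNT and the question */
    out[2] = (uint8_t)(0x80 | (q[2] & 0x79)); /* QR=1, keep opcode and RD, clear AA/TC */
    out[3] = RCODE_SERVFAIL;                  /* RA=0, Z=0, RCODE=2 */
    memset(out + 6, 0, 6);                    /* ANCOUNT, NSCOUNT, ARCOUNT = 0 */
    return end;
}

int main(void)
{
    uint8_t out[64];
    return make_servfail(sample_query, sizeof sample_query, out, sizeof out) == 29 ? 0 : 1;
}
```

Because the reply echoes the query ID and question, the stub resolver accepts it as the answer and fails fast instead of waiting for a response from the non-VPN interface.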