openfortivpn
Per application VPN
Is it possible to have just a process tunnelling data through the VPN, e.g. a browser process, and the rest accessing the ordinary public network route?
I don't think so. The operating system handles network routing globally, not on a process by process basis.
Why would you want to do that? There are probably other ways to achieve what you want.
My mistake. See Using Linux Network Namespaces for per-process routing, for example.
But then you need to handle routing yourself. Have a look at the How to add specific routes using pppd section of the wiki.
> Why would you want to do that? There are probably other ways to achieve what you want.
If there is a remote service that has to be accessed through a VPN, I would like to route to the gateway of the service provider only the internet traffic querying the service, the rest should follow the ordinary route. The idea is that one might not trust the service provider or the Forti gateway itself.
Your links seem to be what I was looking for. I will try the procedures and report back here.
I see, the requirements make perfect sense indeed: in some cases you might not trust the VPN provider, typically when an organization gives you access to part of their own network through their own VPN.
As for the solution, you could route everything outside the VPN tunnel, except traffic to the specific IP address of the server providing the service, but not per application. That seems much easier than handling traffic per application. I can see how routing only a single process is even more secure, but then do you really expect traffic to that server from a different process? Is the additional security worth the additional complexity and additional probability of errors inherent to complexity? I have no definitive opinion myself, just food for thought.
Actually the remote gateway acts as a proxy for IP-based third-party services. It should not be difficult to identify the IPs involved for each service, while using a dedicated browser and routing its traffic through the VPN, despite an initial overhead, can be more convenient in the long term.