qomui
Allow secondary connection to go through VPN tunnel
Thanks for your great client! As far as I understand the secondary connection feature, the secondary connection bypasses the VPN. Would it also be possible to enable the other way around: Make the secondary connection go through the VPN? I would like to achieve the following:
- Start a secondary connection (through the tunnel) to be used by a specific application.
- Let all other traffic bypass the VPN.
Hi, it is possible to start a second OpenVPN session for bypass apps (Go to the bypass tab -> select a server from your list of starred servers -> connect). However, this doesn't reliably work yet if you only choose to open a tunnel for bypass. Also, you'd have to deactivate the firewall obviously. I'll be working on making the bypass feature more robust but it's gotten quite complicated (to the point where I was about to ditch it entirely). So this will take some time to be implemented properly most likely.
Not sure whether I understand you correctly. I know that you can start a secondary connection (bypass) together with or without starting a primary one. Even if the bypass feature is not so robust yet, I am quite happy with it. Right now I mainly use the app-with-bypass launcher.
My use case is the following:
I want the VPN only for a single application. This application allows setting a network interface. I would set this interface to tun1. tun1 would in this case not be a bypass connection, but a proper VPN connection. There would be no tun0. Now tun1 would be different from a standard tun0 connection, because it does not alter the routing table in a way that all traffic goes through the tunnel by default. ONLY if you specifically select this interface in an application, the VPN would be used.
I know this might be very complicated, but maybe it is possible.
But until then I am happy with the bypass launcher. There is only one caveat: it uses control groups, which makes it hard to combine with systemd services (e.g. Plex Media Server). That is why I would value this enhancement a lot.
Actually, both are standard OpenVPN connections. They are only using a different routing table. What you want to do is much easier to achieve, though. If the single application can be tied to a specific network interface you don't need the bypass at all. You'll just have to customize your OpenVPN configurations to not set the OpenVPN route as the main route. Have a look at the OpenVPN manpage and specifically the "route-nopull" and "route-noexec" options. The downside is that you'll have to deactivate the firewall.
Well, I tried your suggestion with the route-nopull connection. The connection itself behaves as intended, but binding an application to it does not work properly: the traffic leaks outside the tunnel. I guess this happens because of the weak host model used in Linux.
The only thing that worked for me was creating a separate user whose traffic is forced through the VPN via iptables (I followed this guide more or less). This works reliably for all applications started as this user.
However, having a cgroup-based approach like yours would still be preferable to me, because it is more convenient than running applications as a different user.
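The per-user approach described in the post above, written out as an added example (this is not qomui's code and not the guide the post links to). It assumes a dedicated Linux user named vpnuser, a tunnel interface tun1 whose OpenVPN session was started with route-nopull so the main routing table is untouched, and a constructed tunnel gateway of 10.8.0.1; all three are placeholders. Without --apply it only prints the commands it would run.

```shell
#!/bin/sh
# Force every packet one Linux user originates through a VPN tunnel:
# mark by owner uid, route marked packets via a dedicated table, and
# reject anything of theirs that would leave on another interface
# (the "killswitch" the thread mentions is otherwise missing).
set -eu

VPN_USER="${VPN_USER:-vpnuser}"   # placeholder: the dedicated VPN-only user
VPN_IF="${VPN_IF:-tun1}"           # tunnel brought up with route-nopull
VPN_GW="${VPN_GW:-10.8.0.1}"       # constructed example tunnel gateway
MARK=0x1                           # fwmark applied to the user's packets
TABLE=100                          # routing table that only knows the tunnel
DRY_RUN="${DRY_RUN:-0}"

# run: execute a command, or print it when DRY_RUN=1 so the recipe can be reviewed first.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# vpn_user_rules: the complete rule set for one user, in the order it must be applied.
vpn_user_rules() {
  # 1. Mark packets the user originates; the kernel re-evaluates routing after mangle OUTPUT.
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" -j MARK --set-mark "$MARK"
  # 2. Marked packets consult a table whose only default route is the tunnel.
  run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
  run ip rule add fwmark "$MARK" table "$TABLE"
  # 3. Rewrite the source address to the tunnel's, otherwise replies would arrive on the LAN side
  #    (this is the weak-host-model leak the post describes).
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -m mark --mark "$MARK" -j MASQUERADE
  # 4. Killswitch: if the tunnel is down, table $TABLE has no route and lookup would fall back
  #    to the main table, so reject the user's traffic on every non-tunnel interface instead.
  run iptables -A OUTPUT -m owner --uid-owner "$VPN_USER" ! -o "$VPN_IF" ! -o lo -j REJECT
}

# count_rules: number of commands the recipe emits (used as a self-check).
count_rules() { ( DRY_RUN=1; vpn_user_rules ) | wc -l | tr -d ' '; }

case "${1:-}" in
  --apply) vpn_user_rules ;;                 # real run, needs root
  *)       ( DRY_RUN=1; vpn_user_rules ) ;;  # default: show what would be applied
esac
```

Run it as root with --apply after the tunnel is up; to remove the rules, replace -A with -D (and ip ... add with del) in the same order.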
I did some testing with the new release, and on my machines at least, only having a secondary VPN connection now works reliably. You'd have to deactivate the firewall, though, if you want non-cgroup applications to access the internet. No route-nopull option needed. The only downside is that you won't have a "killswitch".
Not sure if that's really an issue with the cool VPN here, but if you just want a single connection through the VPN: just use a container for that. For example, if you want a browser with the VPN IP, use something like https://github.com/dmouse/browser and add a start script to the container that establishes the VPN before starting the browser. I did that with the openconnect VPN of my university account (for accessing books from the university library) and it works great.