I have a Linux VPS, and want to route only a single application through a commercial VPN (Mullvad). I do not want to connect to the VPN as a network interface and route all traffic through it. The application supports local SOCKS5 proxies. How can this be done without costly and cumbersome solutions such as virtual machines or separate servers?
2 Answers
You can't use SOCKS as it works at a different OSI level to a VPN (i.e. at the TCP level). Per their help page, Mullvad VPN "only" offers VPN service over WireGuard and OpenVPN (nothing wrong with that, but stating it helps define the limits we are dealing with).
The easiest way to handle this - if allowed by your application - is to set up the VPN so it does not honor a default gateway, and you only push the IP addresses associated with the application through it.
If you can't route based on IP address, the alternatives are a lot more complex and depend on the specifics/implementation of the application in question - and the virtual machine you don't want will likely be the easiest way of doing it, and leave the least chance for future breakage.

To do this without a VM or the like you will need to get into policy-based routing, and work out how you would identify the packets to be routed through the VPN gateway. For example, you could use policy-based routing and NAT and the "owner" module in iptables, which can apparently allow you to select rules based on UID, GID, PID, SID or command. This is fairly advanced routing. (I'm a seasoned Linux sysadmin by trade, and I believe I could do it, but I expect it would take me a while to get it "just so".)

https://stackoverflow.com/questions/4314163/create-iptables-rule-per-process-service#4314473 provides some useful hints, but does not get into the policy routing side of the problem. https://serverfault.com/questions/699481/route-ip-traffic-based-on-process-to-different-default-routes-interfaces also hints at possible solutions to the routing side of the problem by using namespaces or policy routing.
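The policy-routing route the answer above sketches (owner match, fwmark, a separate routing table, NAT) can be written down as one script. This is an added example, not code from the answer or from Mullvad; every name in it is an assumption: the tunnel interface `wg0`, a dedicated unprivileged user `vpnapp` that the application runs as, fwmark `0x1`, routing table `100`, and placeholder values for the WireGuard config path, the tunnel address and the IP-echo service used for the leak check. By default it only prints the commands (`DRY_RUN=1`); run it with `DRY_RUN=0` as root to apply them.

```bash
#!/usr/bin/env bash
# Added example (not from the answer above): send only one Linux user's traffic
# through a WireGuard tunnel using policy routing and the iptables "owner" match.
# Assumed names: interface wg0, user "vpnapp", fwmark 0x1, routing table 100;
# the config path, tunnel address and IP-echo URL are placeholders.
set -eu

VPN_IF="${VPN_IF:-wg0}"
APP_USER="${APP_USER:-vpnapp}"
FWMARK="${FWMARK:-0x1}"
RT_TABLE="${RT_TABLE:-100}"
WG_CONF="${WG_CONF:-/etc/wireguard/vpn.conf}"            # placeholder: provider's WireGuard config
VPN_ADDR="${VPN_ADDR:-10.0.0.2/32}"                      # placeholder: address assigned inside the tunnel
IP_ECHO_URL="${IP_ECHO_URL:-https://ip-echo.example/}"   # placeholder: any "what is my IP" service
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

bring_up_tunnel() {
  # Configure wg0 by hand: wg-quick would install its own catch-all policy
  # routing, i.e. the "route everything" behaviour the question wants to avoid.
  run ip link add "$VPN_IF" type wireguard
  run wg setconf "$VPN_IF" "$WG_CONF"
  run ip address add "$VPN_ADDR" dev "$VPN_IF"
  run ip link set "$VPN_IF" up
  # Replies arrive on wg0 although the main table reaches the remote peer via
  # the uplink; loose reverse-path filtering stops the kernel dropping them.
  run sysctl -w "net.ipv4.conf.${VPN_IF}.rp_filter=2"
}

install_policy_routing() {
  # 1. Mark every packet generated by the application's user.
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$APP_USER" -j MARK --set-mark "$FWMARK"
  # 2. Marked packets consult a table whose only default route is the tunnel.
  run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
  run ip route add default dev "$VPN_IF" table "$RT_TABLE"
  # 3. The kernel picked the source address (the uplink's) before the mark was
  #    set; masquerade so packets leave the tunnel with the tunnel address.
  run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
  # 4. Fail closed: the user's packets may only leave via wg0 or loopback. If the
  #    tunnel is down they are rejected instead of falling back to the uplink.
  run iptables -N VPN_ONLY
  run iptables -A VPN_ONLY -o "$VPN_IF" -j ACCEPT
  run iptables -A VPN_ONLY -o lo -j ACCEPT
  run iptables -A VPN_ONLY -j REJECT
  run iptables -A OUTPUT -m owner --uid-owner "$APP_USER" -j VPN_ONLY
}

leak_check() {
  # The two results must differ: the app user sees the VPN exit address,
  # the rest of the host its normal public address.
  run sudo -u "$APP_USER" curl -fsS "$IP_ECHO_URL"
  run curl -fsS "$IP_ECHO_URL"
}

# The whole plan as one function, so it can be inspected (DRY_RUN=1) or applied.
plan() {
  bring_up_tunnel
  install_policy_routing
  leak_check
}

plan
```

Two things to keep in mind with this approach: the owner match only sees packets created by sockets belonging to `vpnapp`, so DNS lookups performed on its behalf by another process (a local stub resolver, for instance) are not covered and will still use the normal route; and WireGuard's own encrypted UDP packets carry no socket owner, so they are neither marked nor rejected by the `VPN_ONLY` chain, which is what lets the tunnel itself keep using the uplink.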
For Cisco AnyConnect, Juniper SSL VPN and some other proprietary protocols there is OpenConnect with ocproxy / tunsocks support, which exposes the VPN as a SOCKS/HTTP proxy.
For WireGuard, there's wghttp, wg-http-proxy, wireproxy, onetun.
For OpenVPN, there's a patch for ocproxy support, but it's outdated (for the 2.3.x branch). I've ported it to the recent 2.5, but this is a PoC (Windows not supported, yet).
On Linux, you can use network namespaces, bring up the VPN and set up a proxy server in each. This is a generic, universal method, but it's a bit messy to maintain.
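The network-namespace method from the second answer (and the namespace hint in the first) fits the question's requirement best, since the application only needs a local SOCKS5 endpoint. The script below is an added example, not code from either answer: it builds a namespace whose only default route is the WireGuard interface, links it to the host with a veth pair, and runs a SOCKS5 server inside it. Assumed names: namespace `vpn`, interface `wg0`, veth pair `veth-host`/`veth-vpn` on `10.200.1.0/24`, and placeholders for the tunnel config, tunnel address, resolver, SOCKS5 daemon command and IP-echo service. As with the previous example it prints the commands unless `DRY_RUN=0`.

```bash
#!/usr/bin/env bash
# Added example (not from the answers above): a network namespace that knows only
# the WireGuard tunnel, with a SOCKS5 server inside it that the application on
# the host reaches over a veth pair. All names are assumptions / placeholders.
set -eu

NS="${NS:-vpn}"
VPN_IF="${VPN_IF:-wg0}"
WG_CONF="${WG_CONF:-/etc/wireguard/vpn.conf}"            # placeholder: provider's WireGuard config
VPN_ADDR="${VPN_ADDR:-10.0.0.2/32}"                      # placeholder: address assigned inside the tunnel
VPN_DNS="${VPN_DNS:-10.0.0.1}"                           # placeholder: resolver reachable through the tunnel
HOST_VETH_ADDR="10.200.1.1/24"
NS_VETH_ADDR="10.200.1.2/24"
SOCKS_LISTEN="10.200.1.2:1080"
SOCKS_CMD="${SOCKS_CMD:-socks5-server --listen $SOCKS_LISTEN}"   # placeholder: your SOCKS5 daemon
IP_ECHO_URL="${IP_ECHO_URL:-https://ip-echo.example/}"   # placeholder: any "what is my IP" service
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_namespace() {
  run ip netns add "$NS"
  run ip -n "$NS" link set lo up
  # Create and configure wg0 in the host namespace, then move it: WireGuard keeps
  # its UDP socket in the namespace where the interface was created, so the
  # encrypted packets still leave via the host's uplink while the cleartext side
  # exists only inside the namespace.
  run ip link add "$VPN_IF" type wireguard
  run wg setconf "$VPN_IF" "$WG_CONF"
  run ip link set "$VPN_IF" netns "$NS"
  run ip -n "$NS" address add "$VPN_ADDR" dev "$VPN_IF"
  run ip -n "$NS" link set "$VPN_IF" up
  # The only default route in the namespace is the tunnel: if wg0 goes down
  # there is nowhere else for traffic to go, so it fails closed by construction.
  run ip -n "$NS" route add default dev "$VPN_IF"
  # Resolver for processes started with "ip netns exec <ns>"; iproute2 bind-mounts
  # /etc/netns/<ns>/resolv.conf over /etc/resolv.conf for them.
  run mkdir -p "/etc/netns/$NS"
  run sh -c "printf 'nameserver %s\n' '$VPN_DNS' > /etc/netns/$NS/resolv.conf"
}

connect_host() {
  # The veth pair is the only link between host and namespace; the namespace
  # gets a connected route to 10.200.1.0/24 and nothing else on the host side.
  run ip link add veth-host type veth peer name veth-vpn
  run ip link set veth-vpn netns "$NS"
  run ip address add "$HOST_VETH_ADDR" dev veth-host
  run ip link set veth-host up
  run ip -n "$NS" address add "$NS_VETH_ADDR" dev veth-vpn
  run ip -n "$NS" link set veth-vpn up
}

start_proxy() {
  # The proxy runs inside the namespace, so every connection it opens uses wg0.
  # The host application is then pointed at socks5://10.200.1.2:1080.
  run ip netns exec "$NS" $SOCKS_CMD
}

verify() {
  # Expect one default route (wg0) plus the veth subnet, and the VPN exit
  # address when going through the proxy. socks5h:// makes curl resolve names
  # via the proxy, so DNS also stays inside the tunnel.
  run ip -n "$NS" route show
  run curl -fsS --proxy "socks5h://$SOCKS_LISTEN" "$IP_ECHO_URL"
}

plan() {
  create_namespace
  connect_host
  start_proxy
  verify
}

plan
```

When configuring the application, prefer a SOCKS5 mode that sends hostnames to the proxy (what curl calls `socks5h`); if the application resolves names itself, its DNS queries leave through the host's normal resolver and route, even though the connections themselves go through the tunnel.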