
#1 2017-05-24 03:49:50

archtan
Member
Registered: 2017-05-22
Posts: 1

[SOLVED] let application bypass vpn - how to make this fix permanent?

Hello dear community!

I'm using a VPN via OpenVPN and I have tried for quite some time now to let only a certain browser use my real IP instead of my VPN's.
To my relief, I finally came across this solution, where the application is forced via cgroups and iptables to use the interface enp0s31f6 instead of tun0 (used by OpenVPN):

sudo su
# Create a net_cls cgroup and give it a classid that iptables can match on
mkdir /sys/fs/cgroup/net_cls/novpn
cd /sys/fs/cgroup/net_cls/novpn
echo 0x00110011 > net_cls.classid

# Add mark 11 on packets of classid 0x00110011
iptables -t mangle -A OUTPUT -m cgroup --cgroup 0x00110011 -j MARK --set-mark 11

# Force the packets to exit through the real interface (enp0s31f6 here) with NAT
iptables -t nat -A POSTROUTING -m cgroup --cgroup 0x00110011 -o enp0s31f6 -j MASQUERADE

# Define a new "novpn" routing table
# DO THIS JUST ONCE ! (the file is persistent; appending again creates duplicate entries)
echo 11 novpn >> /etc/iproute2/rt_tables

# Packets with mark 11 will use novpn
ip rule add fwmark 11 table novpn

# Novpn has a default gateway to the interface you want to use (192.168.0.1 is the LAN router here)
ip route add default via 192.168.0.1 table novpn

# Unset reverse path filtering for all interfaces, or at least for "enp0s31f6" and "all",
# otherwise the kernel drops the replies that arrive on an interface the main table would not use
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
exit

# Make the cgroup usable by the normal user, then start the browser inside it
sudo cgcreate -t $USER:users -a $USER:users -g net_cls:novpn
# Note: "%U" is a .desktop Exec field code; when typed in a shell it is passed to Vivaldi literally and can be dropped
cgexec -g net_cls:novpn /usr/bin/vivaldi-stable %U

Executing these commands led to the desired result: Vivaldi showed my real IP.
However, after a reboot

cgexec -g net_cls:novpn /usr/bin/vivaldi-stable %U

yields an error, something like "change of cgroup failed". I guess it is because ip rule, ip route, iptables and cgcreate are not permanent. But I also couldn't reproduce the desired result by executing the non-permanent commands again.

Does someone have an idea how to make this fix work permanently?
I would be very grateful!

greets archtan

EDIT/SOLUTION:
By re-executing the non-permanent commands, the desired result was finally reproducible. So setting up a shell script (called by a systemd service after login and after OpenVPN has started) that executes the non-permanent commands solved the problem.

Last edited by archtan (2017-05-25 01:25:26)
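An added example (not archtan's own script) of what that boot-time script can look like: the same cgroup, fwmark and policy-routing steps, but written so that running it repeatedly never duplicates the rt_tables entry, the iptables rules or the ip rule. The interface, gateway, user name and the "apply" argument are assumptions for this example.

```shell
#!/bin/sh
# novpn-setup.sh: idempotent version of the commands from the post, meant to be
# run as root from a systemd oneshot service once OpenVPN is up.
# WAN_IF, WAN_GW and OWNER are example values; adjust them to your system.
set -eu

CLASSID=0x00110011            # net_cls classid matched by iptables
MARK=11                       # fwmark and routing-table number
TABLE=novpn
WAN_IF=${WAN_IF:-enp0s31f6}   # real (non-tun0) interface
WAN_GW=${WAN_GW:-192.168.0.1} # its default gateway
OWNER=${OWNER:-archtan}       # user allowed to cgexec into the group ($USER is unset under systemd)
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
CG=/sys/fs/cgroup/net_cls/$TABLE

# Append "11 novpn" to rt_tables only if that exact entry is missing,
# so re-running the script does not keep adding duplicates ("DO THIS JUST ONCE").
ensure_rt_table() {
    grep -qE "^[[:space:]]*$MARK[[:space:]]+$TABLE([[:space:]]|\$)" "$RT_TABLES" 2>/dev/null \
        || printf '%s %s\n' "$MARK" "$TABLE" >> "$RT_TABLES"
}

# Add an iptables rule only if an identical one is not already loaded (-C checks).
ensure_iptables() {
    table=$1; shift
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

main() {
    # 1. the cgroup lives in a virtual fs and must be recreated after every boot;
    #    its absence is what produces "change of cgroup failed" from cgexec
    [ -d "$CG" ] || cgcreate -t "$OWNER:users" -a "$OWNER:users" -g "net_cls:$TABLE"
    echo "$CLASSID" > "$CG/net_cls.classid"
    # 2. mark the group's packets and NAT them out of the real interface
    ensure_iptables mangle OUTPUT -m cgroup --cgroup "$CLASSID" -j MARK --set-mark "$MARK"
    ensure_iptables nat POSTROUTING -m cgroup --cgroup "$CLASSID" -o "$WAN_IF" -j MASQUERADE
    # 3. policy routing: marked packets consult the novpn table instead of tun0's default route
    ensure_rt_table
    ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true   # delete+add avoids duplicate rules
    ip rule add fwmark "$MARK" table "$TABLE"
    ip route replace default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    # 4. reverse-path filtering would otherwise drop the asymmetric replies
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > "$f"; done
}

# Invoke as "novpn-setup.sh apply" from ExecStart= of a unit ordered
# After=openvpn-client@<profile>.service; users then start the browser with
#   cgexec -g net_cls:novpn /usr/bin/vivaldi-stable
if [ "${1:-}" = apply ]; then main; fi
```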

