Use VPN only for one service

DJViking · July 22, 2019, 6:08pm

Is the following possible to achieve?
I want to use VPN for my torrent activity, but my server also serves my media with Plex which I do not want on VPN.

Is it possible to set up VPN for torrent, but keep traffic from/to Plex on a regular connection?
If possible can I configure such with NetworkManager?

In the case it is not possible: I have 4 ethernet connections available on my server. Perhaps eth1 could be used for the VPN+Torrent, and eth0 for the rest.
In case of the latter how do I set that up so VPN+Torrent traffic goes through a specific ethernet connection?

tsu2 · July 22, 2019, 6:34pm

It’s possible to configure a split-VPN (you can look up documentation how to configure),
But if you’re using a commercial VPN, I’d recommend you first look at its features, some VPNs like the one I use (available if you PM me, I generally don’t advertise commercial products openly in these Forums) support what you’re asking about.

TSU

bosso73 · July 23, 2019, 9:17am

Hi there,
you could split services by using “rules” for routing tables and mark TCP/IP-packets by source- and destination ports.

First, look at your routing table without the vpn configuration:

ip route

When you start your VPN the standard routing table is modified.
You may check the magic with

ip route

Now, only one service should be routed through the VPN while the rest should be routed through the original routing table.

(Re-)create the old (original, pre-VPN) routing table under a new number (the particular settings apply to my network, you would have to replace them with applicable values of your own):

# flush table 101 if it exists
ip route flush table 101
ip route flush cache

#--- DEL IF EXISTS AND ADD RULE
# mark 2 for all services except bittorrent
ip rule del fwmark 2 table 101
ip rule add fwmark 2 table 101

#--- CREATE TABLE 101 (recreated pre-VPN routing table, adjust to your needs)
ip route add table 101 default via $GW dev $DEV  proto static  metric 100
ip route add table 101 $GW/24 dev $DEV  proto kernel  scope link  src $MYIP  metric 100

Now, you mark all packets incoming and outgoing except the ones supposed to be routed through your VPN:

BT=6881:6889
iptables -t mangle -A PREROUTING -p tcp ! --dport $BT -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -p udp ! --dport $BT -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p tcp ! --sport $BT -j MARK --set-mark 2
iptables -t mangle -A OUTPUT -p udp ! --sport $BT -j MARK --set-mark 2

You might be marking other protocols as well, it might be easier to go the other way around, mark only BT packets for routing through VPN, depending on your setup.

DJViking · July 23, 2019, 5:46pm

I reached out to my VPN provider, CyberGhost. They said they do not support split tunneling.

Michaeljohnny · November 26, 2019, 8:18am

For this you will require a VPN with split tunneling feature. What split tunneling does is just separate traffic of applications. So you can easily achieve that purpose. Check this out also https://www.purevpn.com/blog/vpn-for-plex/