On Sat, Jul 16, 2022 at 6:57 AM Dale <[email protected]> wrote:
>
> I also want to use a VPN but only for some programs. Example, I want
> Ktorrent and a couple Firefox profiles to use VPNs but at least one
> Firefox profile I want to remain outside of VPN.
I can't keep up with which VPNs are more or less scummy at any moment in time, but I will comment on this bit and on the concept in general.

Controlling which HOSTS use a VPN is pretty straightforward via the routing tables. If you have a decent DHCP server and can issue routers to individual hosts you can do it that way (most consumer routers probably won't support this with their built-in DHCP).

Controlling it at the software level is a real PITA. On an OS like Windows I don't think it is even possible unless via SOCKS or whatever. On Linux you can do it with iproute2 and often netfilter is needed as well. Look up policy-based routing, and be prepared to do some studying. I'll tell you right now you probably don't want to do it this way.

I think for outbound-only connections it isn't as hard to do it at a uid level, so if you run software under different uids that would make it easier. If you want to handle inbound connections on servers and have the replies not go out over the normal destination-based route then you need to mark the connections using netfilter and then set a policy routing for the replies, otherwise your reply traffic will go out over the wrong router and have the wrong IP and the other end won't associate it with the connection. I imagine you run into the same problems with any kind of use of NAT for inbound forwarded traffic in a multi-homed situation.

Controlling routes by container is also a potential issue. If you're using a container technology that uses virtual interfaces that get their own IPs/routing/etc then it is easy - same as host-level routing. If you're using something like Docker/k8s where it wants all the outbound traffic to just go out from the host then it can be a pain. I think they can do macvlan but I think that has its own issues. That is actually something I'm trying to figure out for myself.

Ok, topic change: the threat model. As others have pointed out, the VPN changes WHO can see your traffic, and that's mainly it.
I think this is still a useful consideration, because in many places your ISP is chosen by where you live, but with a VPN provider you can choose anyone you want. The ISP has no reason to earn your trust because you're a captive audience, while a VPN provider who gets outed for leaking private info basically is out of business. So I think there is a benefit.

However, you're going to be reducing your risk of being traced by private companies here, like advertisers, intellectual property enforcement companies, and so on. If you're worried about the NSA or some other state-level actor then you need to do a LOT more to evade them. I just assume the NSA has root on all my hosts already, and I wish that they'd at least offer to sell backups of my systems back to me so that I didn't need to keep my own... :)

--
Rich
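The two Linux policy-routing cases described in the message above (per-uid outbound routing, and marking inbound connections so replies go back out the VPN interface) as a worked example. This script is added here for illustration and is not code from the thread or from any of the participants; the interface name tun0, gateway 10.8.0.1, table id 100, mark 0x1 and uid 1001 are assumed placeholders, and DRY_RUN=1 (the default) only prints the iproute2/iptables commands so it can be reviewed without root or a live tunnel.

```shell
#!/bin/sh
# Added example, not from the thread: policy-based routing with iproute2 and
# netfilter for two cases. Interface, gateway, table id and mark value are
# assumed placeholders; adjust for your setup.
#
#   pbr_uid_outbound UID   - outbound traffic from one uid leaves via the VPN
#   pbr_inbound_replies    - replies to connections that arrived on the VPN
#                            interface go back out that interface
#
# DRY_RUN=1 (default) prints the commands instead of executing them.

VPN_IF="${VPN_IF:-tun0}"        # assumed tunnel interface
VPN_GW="${VPN_GW:-10.8.0.1}"    # assumed gateway inside the tunnel
TABLE="${TABLE:-100}"           # assumed spare routing table id
MARK="${MARK:-0x1}"             # assumed connmark/fwmark value
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Both cases share one extra table whose only route is "default via the VPN".
vpn_table() {
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
}

# Case 1 (outbound only): a uidrange rule sends every packet created by the
# given uid to the VPN table, so both the route and the source address come
# from the tunnel. Needs Linux >= 4.10. Pass a numeric uid, e.g. "$(id -u torrent)".
pbr_uid_outbound() {
    uid="$1"
    vpn_table
    run ip rule add uidrange "$uid-$uid" lookup "$TABLE" priority 1000
}

# Case 2 (inbound on a multi-homed host): tag new connections that arrive on
# the VPN interface with a connmark, copy that mark onto the locally generated
# reply packets, and route marked packets via the VPN table. Without this the
# replies follow the main table's default route and leave with the wrong
# source address, so the peer never matches them to the connection.
pbr_inbound_replies() {
    vpn_table
    run iptables -t mangle -A PREROUTING -i "$VPN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1001
    # Loose reverse-path filtering: strict mode (1) drops packets whose reply
    # path differs from the incoming interface, which is exactly this case.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

# Usage: DRY_RUN=0 VPN_IF=tun0 VPN_GW=10.8.0.1 sh pbr.sh uid 1001
#        DRY_RUN=0 sh pbr.sh inbound
case "${1:-}" in
    uid)     pbr_uid_outbound "$2" ;;
    inbound) pbr_inbound_replies ;;
esac
```

Two caveats when running this for real: `ip rule add` is not idempotent (repeating it stacks duplicate rules, and none of it survives a reboot), and the uid rule only covers packets the process itself creates, so if name resolution goes through a local caching resolver running as a different uid (systemd-resolved, dnsmasq), those DNS queries still leave over the main route.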

