
When I connect to a VPN, all my network traffic is automatically routed through it. Is there a way to add exemptions to that? I don't know if adding exceptions has anything to do with the VPN protocol, but the VPN I'm using is of the OpenVPN protocol.

Speaking of OpenVPN, why is it not installed by default on Ubuntu installs, unlike PPTP?

I could not get the list of IRCHighWay's servers, and this is the result I get trying to connect on XChat with the bash script running:

* Looking up irc.irchighway.net
* Connecting to irc.irchighway.net (65.23.153.98) port 6667...
* Connected. Now logging in...
* You have been K-Lined.
* *** You are not welcome on this network.
* *** K-Lined for Open proxies are not allowed. (2011/02/26 01.21)
* *** Your IP is 173.0.14.9
* *** For assistance, please email banned@irchighway.net and include everything shown here.
* Closing Link: 0.0.0.0 (Open proxies are not allowed. (2011/02/26 01.21))
* Disconnected (Remote host closed socket).

The IP 173.0.14.9 is the one due to my VPN. I had forgotten to check ip route list before running the script, and this is the one after running it:

~$ ip route list
99.192.193.241 dev ppp0  proto kernel  scope link  src 173.0.14.9 
173.0.14.2 via 192.168.1.1 dev eth1  proto static 
173.0.14.2 via 192.168.1.1 dev eth1  src 192.168.1.3 
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.3  metric 2 
169.254.0.0/16 dev eth1  scope link  metric 1000 
default dev ppp0  proto static

Oh and running the script returned this output:

~$ sudo bash irc_route.sh
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
                              [netmask N] [mss Mss] [window W] [irtt I]
                              [mod] [dyn] [reinstate] [[dev] If]
       inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
       inet_route [-FC] flush      NOT supported

I ran the script after connecting to the VPN.

Eliah Kagan
Oxwivi

2 Answers

Create a file, irc_route.sh, that contains:

#!/bin/bash
# script to make connections to irc.irchighway.net go via DEV.
DEV=eth0
# first "via" gateway listed for DEV; empty if no such route exists
GW=$(ip route list | sed "s/.* via \([0-9.]*\) dev $DEV.*/\1/;t;d" | head -1)
# an empty GW is what produces the "Usage: inet_route ..." error, so stop here instead
[ -n "$GW" ] || { echo "no gateway found for $DEV" >&2; exit 1; }
route add -host irc.irchighway.net gw "$GW" dev "$DEV"

Change DEV to the interface that you get your internet connection from (it might be any of wlan0, eth1, eth0, ppp0). Then run the script with sudo bash irc_route.sh; you can check the results by running ip route list before and after.

The IP of the default gateway for internet traffic on the DEV device is stored in the variable GW, which is then used to route all traffic going to the irc.irchighway.net server through your default GW instead of the OpenVPN connection you have.

To make this work for all IRCHighWay servers you would have to get a list of all the servers.

server_list.txt:

 irc.irchighway.net
 caliburn.pa.us.irchighway.net

Script:

#!/bin/bash
# script to make connections to irchighway go via DEV.
DEV=eth0
GW=$(ip route list | sed "s/.* via \([0-9.]*\) dev $DEV.*/\1/;t;d" | head -1)
[ -n "$GW" ] || { echo "no gateway found for $DEV" >&2; exit 1; }
# one "route add" per server name listed in server_list.txt
xargs -I SERVER route add -host SERVER gw "$GW" dev "$DEV" < server_list.txt

There is an "easier" solution, you can mark ports and route based on that, see iproute2 tutorial but I haven't used that. And there are some problems with that kind of routing if you don't know what you are doing.

Oxwivi
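The same idea carried a bit further, added here as an example and not taken from the answer above: it reads the LAN gateway for an interface out of ip route list (the question's own routing table is embedded as constructed sample input; with eth1 it finds 192.168.1.1, with eth0 it finds nothing, which is exactly what turned the original script's route call into the Usage: inet_route error), resolves every IPv4 address of each server name rather than only the first, and prints one iproute2 "ip route add" line per address so they can be reviewed and then piped to sudo sh. It assumes iproute2 and getent are installed; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the answer: bypass the VPN for named IRC servers only.
# Assumes iproute2 ("ip") and getent exist; run the printed commands as root.

# Routing table copied from the question, used as constructed sample input.
SAMPLE_ROUTES='99.192.193.241 dev ppp0  proto kernel  scope link  src 173.0.14.9
173.0.14.2 via 192.168.1.1 dev eth1  proto static
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.3  metric 2
default dev ppp0  proto static'

# gateway_for_dev DEV TABLE: print the first "via" gateway on interface DEV.
# Takes the table as text so it can be checked against the sample above.
gateway_for_dev() {
    printf '%s\n' "$2" | awk -v dev="$1" '{
        gw = ""; ok = 0
        for (i = 1; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev" && $(i + 1) == dev) ok = 1
        }
        if (ok && gw != "") { print gw; exit }
    }'
}

# host_route_cmds add|del DEV GW IP...: one /32 route per address. A /32 is more
# specific than the tunnel's default route, so only this traffic leaves the VPN.
host_route_cmds() {
    op="$1"; dev="$2"; gw="$3"; shift 3
    for ip in "$@"; do
        printf 'ip route %s %s/32 via %s dev %s\n' "$op" "$ip" "$gw" "$dev"
    done
}

# resolve_v4 NAME: every IPv4 address of NAME; "route add -host NAME" uses
# only the first, so a multi-homed server would still partly go via the VPN.
resolve_v4() { getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u; }

# main DEV NAME...: e.g.  sh irc_route.sh eth1 irc.irchighway.net | sudo sh
main() {
    dev="$1"; shift
    gw=$(gateway_for_dev "$dev" "$(ip route list)")
    if [ -z "$gw" ]; then
        echo "no gateway route on $dev; check 'ip route list'" >&2
        return 1
    fi
    for name in "$@"; do
        host_route_cmds add "$dev" "$gw" $(resolve_v4 "$name")
    done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Replace add with del in host_route_cmds (or run the printed lines with del) to undo the routes before disconnecting the VPN.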

You cannot stop specific programs from making connections through the VPN, but if they need to reach a specific host or port number then it's possible. I'm going to assume the worst case, that you want certain apps to bypass the firewall.

This should be possible using SELinux, by banning network connections from one program. I do not know of any good tools to do this configuration, nor how to change it on the fly.

I think there was once a module in iptables that could match on sending program, but I haven't seen it in a while.

  • I simply want my IRC client to use direct connection since the IRCHighWay network does not allow open proxies. – Oxwivi Feb 21 '11 at 15:03