Comment by oneplane

4 years ago

Yes, that is possible but generally not natively in most applications and end-user operating systems.

Without native support, traffic control like that requires something like pf or iptables to manage the traffic you want to treat differently. This means something like an outbound firewall that does a different NAT or different route or different redirect (generally packet rewriting). If you want to scope it to more than just a port or IP (or a range of them) and be specific to an application, you'd be needing some type of socket filter which works at the socket level in the OS. Applications generally use sockets to interface with the network, and those sockets are provided by the OS, which can thus control aspects of them.

Without those, you can also have a dedicated interface for the 'special' traffic. Some applications allow you to specify an outgoing interface, for those you can have them use a specific interface and have a firewall rule that redirects that port. Others don't, and you'd have to encapsulate them in a namespace (i.e. a docker container) or VM which then 'creates' that dedicated interface your application would have to use. Then you can pipe that interface through your packet filter of choice and achieve the same thing.

Alternatively you can pipe all of the traffic of such a 'packaged' setup through your VPN. Since you'll only be running your application inside that configuration only it would be affected.

Today, when I find myself in a scenario where I need some of this, I either have created a situation that is problematic to begin with (i.e. trying something silly that shouldn't be done in the first place) or I'm trying to simulate something like a L2 protocol over an L3 VPN for remote debugging. I've found that everything in the first category generally is a waste of time to work with anyway.
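An added example, not code from the comment above: the socket-level, per-application scoping it describes, done on Linux with the iptables `owner` match plus a fwmark routing table, so that one user's traffic can only leave through a dedicated (e.g. VPN) interface. The uid 1001, interface wg0, table 100 and mark 0x1 are constructed sample values, not anything from the thread.

```shell
#!/bin/sh
# Added example (not code from the thread): build iptables + policy-routing
# rules so that everything one Linux user runs leaves only through a
# dedicated interface (e.g. a VPN tunnel) and is rejected otherwise.
# All values are constructed assumptions: the application runs as uid 1001,
# the tunnel is wg0, routing table 100 and fwmark 0x1 are free on the host.
#
# Usage: sh app_route.sh print   (show rules)   |   sudo sh app_route.sh apply

APP_UID="${APP_UID:-1001}"   # dedicated user the application runs as
VPN_IF="${VPN_IF:-wg0}"      # the 'special' interface
TABLE="${TABLE:-100}"        # routing table consulted only for marked packets
MARK="${MARK:-0x1}"          # fwmark that links netfilter to the routing rule

# Emit the rule set one command per line so it can be reviewed before use.
# 1. owner match ties packets to the uid that owns the socket (the OS-level
#    socket filter); the mark makes the kernel re-route them via table $tbl.
# 2. MASQUERADE fixes the source address, which was picked before the re-route.
# 3. Kill switch: if the tunnel is down, traffic is rejected, not sent via LAN.
#    Order matters: the ACCEPT for lo must precede the REJECT.
app_route_rules() {
  uid="$1"; ifc="$2"; tbl="$3"; mark="$4"
  cat <<EOF
iptables -t mangle -A OUTPUT -m owner --uid-owner $uid -j MARK --set-mark $mark
ip rule add fwmark $mark table $tbl
ip route add default dev $ifc table $tbl
iptables -t nat -A POSTROUTING -o $ifc -m mark --mark $mark -j MASQUERADE
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $uid ! -o $ifc -j REJECT
EOF
}

rule_count()     { app_route_rules "$@" | wc -l | tr -d ' '; }
has_killswitch() { app_route_rules "$@" | grep -q -- '-j REJECT'; }

main() {
  case "${1:-print}" in
    print) app_route_rules "$APP_UID" "$VPN_IF" "$TABLE" "$MARK" ;;
    apply)
      [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
      # Loose reverse-path filtering on the tunnel, otherwise replies arriving
      # on it are dropped because the main table would route them elsewhere.
      sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
      app_route_rules "$APP_UID" "$VPN_IF" "$TABLE" "$MARK" | sh -e ;;
    *) echo "usage: $0 [print|apply]" >&2; return 2 ;;
  esac
}
main "$@"
```

Run the application as the dedicated user (e.g. `sudo -u appuser ...`) after applying; DNS lookups that would go out the LAN are rejected too, which is the intended failure mode.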

For your first suggestion, the outbound firewall, is there an easy way of doing this on a Raspberry Pi?

  • Yes, you can install OpenWRT or OPNsense on a Raspberry Pi. If you don't want to replace your current OS on the Pi, you'll have to manually work with iptables (if you use Linux) or pf (if you use BSD).

    Schematically, your old/current situation:

      ┌─────────────┐         ┌──────────┐
      │             │         │          │
      │ LAN / Modem ├─────────┤ Computer │
      │             │         │          │
      └─────────────┘         └──────────┘
    

    New situation:

      ┌─────────────┐         ┌──────────┐
      │             │         │          │
      │ LAN / Modem ├─────────┤ Firewall │
      │             │         │          │
      └─────────────┘         └─────┬────┘
                                    │
                                    │
                                    │
                              ┌─────┴────┐
                              │          │
                              │ Computer │
                              │          │
                              └──────────┘
    
    

    The lines between the boxes would represent network connections, i.e. ethernet connections. WiFi would work the same way.

    (Slight repetition:) The reason you'd use a firewall external to your PC is that it makes it impossible for any application to 'bypass' it, since it doesn't actually know it is there. There are of course no guarantees, as no software is perfect and firewalls are software too. But it's a whole lot closer to actually doing what you want it to than some random desktop application.

    Technically you could also add a second interface on your computer and give it the option to completely bypass the firewall but that only helps if you can restrict your application of choice to only go out the firewalled interface.

    In the new example, the Firewall has two network interfaces, but technically it can be done with only 1 interface if you have a network switch with VLAN support. For a Raspberry Pi you'd need a USB-Ethernet adapter for that second interface.

    For OPNsense there are many examples; i.e. last year's release on a Pi 3: https://forum.opnsense.org/index.php?topic=14875.60

    You can also run the latest release on a different Pi, i.e. a 4B. NanoPi works too.

    OpenWRT has manuals too: https://openwrt.org/toh/raspberry_pi_foundation/raspberry_pi