Running a single app through a different VPN?

Ask Fedora
, , , , , , , ,
1

Hi, there are many reasons why this could be wanted

  • run an app through home Wifi (and all the others through some VPN provider), to not get blocked on certain websites but still be safe in public wifis
  • run a specific firefox profile through a different VPN, to access certain things
  • run certain apps like the filemanager or code editor through a different VPN to access stuff

Is this possible, and what would be the lowest footprint possible? From worst to best:

  1. Separate machine
  2. Virtual machine
  3. Container
  4. Isolated namespace on host

A proxy may not be possible (which can be configured inside Firefox), and it may only work with a specific VPN protocol.

Is there the possibility inside Firefox to use a VPN? Would this work?

  • running a VPN from inside another VPN is not ideal but kinda okay
  • having a firefox-specific solution may also be okay
2

  1. Firefox with Built-in Proxy

  2. Isolated Namespace on Host

  3. Container

:thinking:

3

I actually have a question. Why is Fedora forgoing using namespace isolation at all in the default installation?

Another question - how does namespace isolation jive with SELinux?

4

I guess a simple way to explain it is, relabling everything in the namespace with a different context so that SELinux can enforce that. For example like : sandbox_web_t or container_web_t

I’ll link some videos and articles here going through that. I have extensive notes on the topic. . .

3 Likes
5

My nftables knowledge is a bit rusty, but I recall it being possible to match traffic based on user and group IDs (UID/GID). So using this you could probably run the application under a different user or group and route the traffic based on that.

No idea what the exact config for that would be though, and it is probably not easy. I remember using that option to block all outgoing traffic for my podman user on alpine linux.

2 Likes
6

I would be interested in the notes :smiley:

Poorly it has to be an OpenConnect VPN, nothing else. Just using a proxy would be too easy :frowning:

1 Like
7

Added container, namespace, virtualization

8

i appreciate the interest. I do have to reorganize my notes and have a project I need to revisit in conjunction so I will be doing this as I think it would contribute positively to the Fedora User base.

I do need to revisit some of the SELinux labels as Dan Walsh’s blog was down the last time I visited them.

1 Like
9

Oh man, you wont belive how much time I can spend on re-sorting my stuff XD

1 Like