Network wide VPN for specific services over a Proxy

Dear,

I'm looking for a way to route specific services of different network devices through a VPN.
I've already thought of some solutions, and I'd like your expert insights on these.

A first solution would be configuring an OpenVPN on my OpenWrt Router, but this would tunnel all traffic through the VPN by default, which is unpreferred.

A second solution builds on top of the first one.
As most of the services I'd like to put through a VPN already support the possibility to connect them via a Proxy, the combination of Proxy and VPN came to mind. Would it be possible to create a second LAN network on my OpenWrt Router, acting as a Proxy gateway which in turn tunnels all the outgoing data through an OpenVPN?

Kind regards,
Puydt

That is not correct. You can select what will be routed via VPN.

1 Like

How would you distinguish communication coming from 1 device (half of it sent by the service I'd like to tunnel through VPN, and half of it not to be tunneled)? Also the DNS requests on DNS level need to be tunneled if they are coming from the to-be-tunneled service.

As I see it, the OpenWrt router can't know which data to tunnel and which not in that case. Unless I use 2 separate LAN networks on my router with 2 different IP addresses and force the service to use the second IP address set as the gateway proxy.

Hope I'm overlooking something, as solution 1 would still be the easiest to implement.

A proxy has its uses, in particular if you want to use information from the application layer when making the decision on where to forward the request, for example the URL in case of HTTP.
An HTTP proxy works with both HTTP and HTTPS connections, but it needs to be configured in the devices.
A transparent HTTP proxy, which on the contrary doesn't need to be configured in the devices, can't handle HTTPS unless you use something that uses man-in-the-middle attacks or Server Name Indication (SNI). (BTW SNI will probably be replaced with Encrypted SNI or similar in the future.)

The client software/service already allows the use of a proxy, and as far as I see it's the only way to differentiate the communication of the services from all other communication coming from that device.

Not sure what kind of proxy is required for the service to get it working, but as I'd be only using the proxy between my local devices and the local side of my router, encryption isn't really necessary.

I'll create an image for clarification.

If you can distinguish traffic based on the remote IP address then you can use a VPN. If on the other hand you need information like ports or protocols or URL/Domain name, then you'll want a proxy like squid or like dante (SOCKS).

So, what is this traffic? Is it web resources on HTTP/HTTPS? Then a proxy is probably a good idea. If it's something like SIP then you need a totally different proxy. If it's game traffic, then who knows... etc.

This image will hopefully clarify what I'm trying to achieve:

The service allows for a connection with a Proxy Server via SOCKS4, SOCKS5 and HTTP.
Would my idea work in this case? Or is there a more suitable solution for my purpose?

Is your concern lack of encryption or anonymity or what? If you use a VPN you will only get encryption between you and the VPN server. For example if you need to connect to the service that uses HTTP only, then the traffic between the VPN server and the HTTP server will be in the clear. So people "near" to the OpenWrt will not be able to see it, but people near the VPN server will.

Does the server offering this "private service" not offer HTTPS? If not, why not? That's really the only way to get end-to-end encryption.

Now if you just want to make sure your ISP doesn't see you connecting to this service from your home, then the VPN is fine, and the proxy setup you're talking about would work fine.

2 Likes

There are ways to classify traffic.
However I cannot reply based on assumptions and hypothetical services.
If you can share the conditions for the selection we can discuss it further.

and this is getting very difficult for web services these days, as most web pages do pull external scripts (literally) from dozens of external sites, which makes it hard to filter them as for-VPN traffic on a routing basis.

2 Likes

An example of a service would be µTP aka torrenting.
I only want the torrenting service to run through a VPN (everything: DNS, peer-to-peer communication, ...), but not all my other communication coming from that device (for example Netflix).

@moderators: if torrenting isn't allowed to be discussed on this forum, this reply can be removed as there are other services that I'd also like to tunnel as well.

For torrent, if you cannot force the use of one port, or a range of ports, or some other classification, you could classify based on UID or username in iptables and mark the DSCP/TOS field of the packet, thus letting the router send it to the VPN.
For DNS, since the resolve request will source from the application, the above method should catch it. Or you can use the server option and send the requests for names matching the list you provided to the VPN. It's going to be a long list though.
I think it will be much easier to set up a dedicated seedbox, either real or virtual, and classify based on IP.

1 Like

My torrent client allows for a Proxy Server to be selected. Wouldn't that make it possible to go via the Proxy to a Virtual Lan on my OpenWrt router that's connected through the VPN? As drawn in my earlier comment?

From what I see it supports SOCKS5, so you are lucky.
I am doing the same thing more or less to direct HTTP traffic to a VPN.
With the -a option, dropbear on OpenWrt allows connections to forwarded ports.
You can set up your ssh client accordingly to start a SOCKS server and listen to a port on localhost. Then use this proxy in the torrent client. From there the OpenWrt router will treat the connection as its own, so with policy-based routing you send traffic originating from the router to the VPN.

1 Like

I have exactly the same scenario as puydt, except that I need an HTTP proxy (since not all the needed apps support SOCKS5).
I.e. a proxy server on OpenWrt that routes all the received traffic through OpenVPN on the same OpenWrt.

I've read all the answers above, but still can't understand how to actually achieve that.

Can anyone provide a bit more detailed description, please?

Here is a list of the supported proxies.
Pick one that matches your needs and install it.
However don't expect a lot with https.

Sorry, I guess, I should've been a little more specific:

  • I do know about proxy servers and I can set one up to use some fixed address (e.g. HTTP or SOCKS proxy).
  • I can set up OpenVPN so it encrypts all the outgoing traffic.
  • What I am missing is the magic that would bind proxy to OpenVPN and make OpenVPN work only on the proxied traffic.

It might be easy, but I had zero luck googling it (well, aside from this thread)...

1 Like

You can do DSCP tagging for the µ-traffic and force it to the desired gateway with vpn-policy-routing or you can force all traffic from the specific machine except known non-µ ports (like 22/80/443) to the desired gateway.

2 Likes
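The DSCP tagging mentioned in the reply above, and the earlier suggestion to classify by UID in iptables and mark the DSCP/TOS field so the router can send that traffic to the VPN, as an added worked example. This script is not from any poster in this thread. It assumes a Linux LAN host on which the torrent client runs as a dedicated Unix user `torrent`, and an fw3-era OpenWrt router that still uses iptables, with LAN bridge `br-lan` and OpenVPN interface `tun0`; the DSCP class CS4, the fwmark bit 0x10 and routing table 100 are constructed values chosen for the example. With the default `DRY_RUN=1` it only prints the commands; `DRY_RUN=0 sh vpn-tag.sh client` on the LAN host and `DRY_RUN=0 sh vpn-tag.sh router` on the router apply them.

```shell
#!/bin/sh
# Added example, not from the thread: tag one user's packets with a DSCP class on
# the LAN host, and on the OpenWrt router route DSCP-tagged packets via the VPN.
# Assumed names (constructed for this example): Unix user "torrent", LAN bridge
# br-lan, OpenVPN interface tun0, iptables-based (fw3-era) OpenWrt firewall.

DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands, 0 = execute them
DSCP_CLASS="CS4"             # DSCP code point used as the "send via VPN" tag
FWMARK="0x10/0x10"           # firewall mark bit the router maps the tag onto
VPN_TABLE=100                # policy-routing table holding the tun0 default route
VPN_IF="tun0"
LAN_IF="br-lan"
APP_USER="torrent"

# Print or execute one command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# LAN host: tag every packet generated by processes owned by the torrent user.
# The owner match only applies to locally generated packets (OUTPUT chain).
# Name lookups the client performs itself run under that UID and are tagged;
# lookups delegated to a system stub resolver running as another user are not.
client_rules() {
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$APP_USER" \
        -j DSCP --set-dscp-class "$DSCP_CLASS"
}

# Router: map the DSCP tag to an fwmark, send marked packets to the VPN table,
# and make that table fail closed when the tunnel is down.
router_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" \
        -m dscp --dscp-class "$DSCP_CLASS" -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" lookup "$VPN_TABLE"
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    # Higher-metric "unreachable" fallback: if tun0 goes away its default route
    # is removed with it, so tagged traffic is refused instead of leaking via WAN.
    run ip route add unreachable default metric 1000 table "$VPN_TABLE"
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

case "${1:-}" in
    client) client_rules ;;
    router) router_rules ;;
esac
```

The tag travels in the IP header, so the router needs no knowledge of which host or port the client uses; it only has to match the DSCP class on `br-lan`. The `unreachable` fallback in table 100 is the part worth keeping even if you adapt the rest: without it, the fwmark rule simply falls through to the main table when `tun0` is down and the tagged traffic leaves through the WAN unnoticed. On OpenWrt the MASQUERADE rule is normally expressed as a firewall zone covering `tun0` rather than a raw iptables rule; it is written out here so the example is complete on its own.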

Can you elaborate a little bit, please?