VPN split tunneling

I am struggling to setup VPN split tunneling on a macOS system.

Configuration:

  • client is a macOS computer
  • router is running openWrt 22.03.2
  • I have access to a Wireguard VPN server (running on a remote server)

I need to have a specific browser on the macOS client to use the Wireguard VPN. All other applications on the mac should use the normal network interface (not VPN).

I was not able to find a way to do this on macOS directly. So I was wondering if anyone has a trick to do this by using a clever configuration of the OpenWrt router?

I saw that the browser can specify proxy settings. So I thought maybe I should set up a proxy on the OpenWrt router, and that proxy uses the Wireguard VPN. Does that sound like a reasonable approach, or over-engineered?

Thanks!

You can use the ssh server as a socks proxy for the browser. Then use policy based routing to route all locally generated traffic via wireguard. The rest of the traffic goes over the ISP.

2 Likes

If you can figure out how to mark said browser traffic with a specific dscp packet, you can use pbr package and set it to match the dscp tag to a wg tunnel.

Otherwise, you may still want to consider pbr if you're flexible on your use case (ie: instead of the "vpn-only" browser, you have the "vpn-only" domains/IPs).

3 Likes

In the conventional sense, a split tunnel is based on the destination IP*. Without that restriction, there has to be some other distinguishing feature that allows the router to determine if a packet came from the browser or not.

  • Traffic to a corporate internal network from a remote worker goes by VPN and all other goes by regular Internet. This is not a recommended practice since the corporate firewall is not in the path to protect the endpoint PC from Internet attacks, and if compromised the PC has access to the corporate network.
2 Likes

Thanks guys for the suggestions.

  • dscp packets
    -> I have searched for a while, and I think it is not possible to make the browser, nor the OS, mark the packets with dscp.

  • use ssh server as socks proxy for the web browser, and then route local traffic via vpn
    -> I am a little uneasy about that, as I wonder if there might be currently existing local traffic. If that's the case, that traffic will go via the vpn, which I want to avoid (I need to have only the browser traffic go through the vpn)

  • the original idea of having a proxy running on the router, and having that proxy connect to the VPN
    -> I was not able to find how to select a specific network interface in the configuration of the proxy. However, maybe I can put the proxy at a specific IP, and then inside /etc/config/firewall maybe I can redirect all the traffic coming from that specific IP to the vpn interface?
    If that is not possible to do this with a specific IP, then maybe I use a specific port, or specific zone instead?

It's certainly possible on Windows and as far as I recollect Ubuntu, but I wasn't sure about macOS.

1 Like

Yep, I found some ways to do it on windows, but not on macOS.

What do you think of the solution to use a proxy, and then route this outgoing proxy traffic to the VPN?

I don't have any experience with socks proxies, but both @trendy and @mk24 had forgotten more about routing than I'll ever know, so I'd recommend you try what they suggest.

1 Like

It all goes down again to the same question. Can you identify, classify, and route in policy routing the traffic that the proxy will originate to get the content a client asked?
For example, a socks will listen to say tcp/1080. But it won't use the same port to get the http for a client. So you'd have to classify on the uid or something like that, if you cannot find some better way.

1 Like

I see, that makes sense. I do not have a clear idea at the moment of how I can achieve the identification of the proxy output traffic. I was hoping there would be an easy way to do this.

I tried to see if there were proxy that allowed marking the outboud traffic with dscp, but didn't find one yet.

I also tried to think on whether I could somehow put the proxy inside the router in its own specific zone or subnetwork, but I guess this does not even make sense given that the proxy process is on the hardware of the router, so it would have to share any zone or subnetwork with the router.

"So you'd have to classify on the uid" -> sorry, I don't know to what uid you are referring to. Do you mean the process ID of the proxy?

Yes, that's right.

1 Like

Ok, thanks for your thoughts. I'll research that.

If you have access to the remote server then run a socks proxy between your mac and the remote server and configure your browser to use said proxy, no need to involve openwrt. something like this.

1 Like

Thanks for your thoughts. I will indeed explore that, as other solutions have been fruitless so far.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.