Exempt programs or domain from VPN connection

Solution 1:

Create a file, irc_route.sh, that contains:

#!/bin/bash
# script to make connections to irc.irchighway.net go via DEV.
DEV=eth0
GW=$(ip route list | sed "s/.* via \([0-9.]*\) dev $DEV.*/\1/;t;d" | head -1)
# abort rather than add a route with an empty gateway
[ -n "$GW" ] || { echo "no gateway found for $DEV" >&2; exit 1; }
route add -host irc.irchighway.net gw "$GW" "$DEV"

Change DEV to be the interface that you get your internet connection from (might be any of wlan0, eth1, eth0, ppp0). Then run the script with sudo bash irc_route.sh; you can check the results by running ip route list before and after.

The IP of the default gateway for internet traffic on the DEV device is stored in the variable GW, which is then used to route all traffic going to the irc.irchighway.net server through your default GW instead of the OpenVPN connection you have.

To make this work for all IRCHighWay servers you would have to get a list of all the servers.

server_list.txt:

 irc.irchighway.net
 caliburn.pa.us.irchighway.net

Script:

#!/bin/bash
# script to make connections to irchighway go via DEV.
DEV=eth0
GW=$(ip route list | sed "s/.* via \([0-9.]*\) dev $DEV.*/\1/;t;d" | head -1)
[ -n "$GW" ] || { echo "no gateway found for $DEV" >&2; exit 1; }
# one route per server listed in server_list.txt (-I replaces xargs' deprecated -i)
xargs -I SERVER route add -host SERVER gw "$GW" "$DEV" < server_list.txt

There is an "easier" solution: you can mark ports and route based on that, see the iproute2 tutorial, but I haven't used that. And there are some problems with that kind of routing if you don't know what you are doing.
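The same approach as Solution 1, written out as an added example that is not part of either answer: it reads the physical interface's gateway from `ip route list`, pins a /32 route for every address of every listed host, and then asks the kernel with `ip route get` which interface each address will really use. It goes a little beyond the answer in two places: it prefers the `default` route but falls back to any other `via` route on the interface (OpenVPN keeps a host route to its server through the old gateway even when it replaces the default), and it uses `ip route replace` so rerunning it does not fail with "File exists". It assumes iproute2, awk and getent are available and that the apply step runs as root; the host names, addresses and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Pins /32 routes for a list of hosts through the physical interface's
# gateway so that only that traffic leaves outside the VPN tunnel.
# Assumptions: iproute2 (`ip`), awk and getent are available; the apply
# step runs as root. Host names and addresses used here are examples.

# gateway_for DEV   (reads `ip route list` output on stdin)
# Prints the gateway that DEV uses. Prefers the "default" route; if the
# VPN replaced it, falls back to any other "via" route on DEV.
gateway_for() {
    awk -v dev="$1" '
        {
            for (i = 1; i <= NF - 3; i++)
                if ($i == "via" && $(i + 2) == "dev" && $(i + 3) == dev) {
                    if ($1 == "default" && def == "") def = $(i + 1)
                    if (any == "") any = $(i + 1)
                }
        }
        END { if (def != "") print def; else if (any != "") print any }'
}

# route_dev   (reads `ip route get ADDR` output on stdin)
# Prints the interface the kernel would actually use for ADDR.
route_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# resolve_v4 HOST -> one IPv4 address per line (a name may have several)
resolve_v4() {
    if is_ipv4 "$1"; then
        printf '%s\n' "$1"
    else
        getent ahostsv4 "$1" | awk '!seen[$1]++ { print $1 }'
    fi
}

# plan_routes DEV GW HOST... -> one `ip route replace` command per address.
# `replace` is idempotent, so a rerun does not fail with
# "RTNETLINK answers: File exists" the way `route add` does.
plan_routes() {
    dev=$1; gw=$2; shift 2
    for host in "$@"; do
        for addr in $(resolve_v4 "$host"); do
            printf 'ip route replace %s/32 via %s dev %s\n' "$addr" "$gw" "$dev"
        done
    done
}

# main DEV LISTFILE   (set DRY_RUN=1 to print the commands without applying)
main() {
    dev=$1; list=$2
    gw=$(ip route list | gateway_for "$dev")
    [ -n "$gw" ] || { echo "no gateway found on $dev" >&2; exit 1; }
    hosts=$(sed 's/#.*//; /^[[:space:]]*$/d' "$list")   # drop comments and blank lines
    # word-splitting of $hosts is intended: one host per word
    plan_routes "$dev" "$gw" $hosts | while read -r cmd; do
        echo "+ $cmd"
        [ "${DRY_RUN:-0}" = 1 ] || sh -c "$cmd"
    done
    # Check what the kernel will really do for each address.
    if [ "${DRY_RUN:-0}" != 1 ]; then
        for host in $hosts; do
            for addr in $(resolve_v4 "$host"); do
                via=$(ip route get "$addr" | route_dev)
                [ "$via" = "$dev" ] || echo "WARNING: $host ($addr) still goes via $via" >&2
            done
        done
    fi
}

# Only act when called with arguments, e.g.:
#   sudo sh bypass_vpn.sh eth0 server_list.txt
if [ $# -eq 2 ]; then
    main "$@"
fi
```

Run it with DRY_RUN=1 first to see the exact `ip route replace` commands it would issue; the verification loop at the end is the check that matters, because a route that is shadowed by a more specific VPN route will show up there as still going via tun0.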

Solution 2:

You cannot prevent specific programs from making connections through the VPN, but if they want to reach a specific host or port number then it's possible. I'm going to assume the worst case, that you want certain apps to bypass the firewall.

This should be possible to do by using SELinux, by banning network connections from one program. I do not know of any good tools to do this configuration, nor how to change it on the fly.

I think there was once a module in iptables that could match on sending program, but I haven't seen it in a while.