Running some processes and not others over VPN
I'm looking to secure some apps on macOS using an OpenVPN connection. I want the apps not to work when the VPN isn't active. I can't necessarily track which servers the apps are trying to access, so manually specifying routes either from the server or client end is prohibitive. I also don't want all traffic going over the VPN.
So here's what I have so far:
- Something needs to work at the application layer to 'capture' all traffic from an application.
- Something else needs to work at the network layer to take all of that traffic and push it over the VPN.
And then I need a way to specify which apps and which interface, and be sure that if that interface is down or disconnected, no traffic flows.
So far I think this might be doable with pf (I found Murus, a GUI front-end), except that it doesn't seem to deal with applications per se, but rather networks and ports, which as stated above is problematic.
Then there's Little Snitch, which deals with applications but is a binary go/no-go decision maker, rather than directing some traffic here and some traffic there.
That said, I did find a not-well-documented feature where it seems like you can create a rule for a process in Little Snitch, and give it access to pf. So perhaps there's a way to write a pf rule that then directs that traffic over the VPN.
Open to suggestions.
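One way to get the fail-closed half of this with pf alone, as an added example that is not part of the original post: run the VPN-only apps under a dedicated local group and let pf match on socket ownership, so that their traffic is either sent through the tunnel or dropped. The group name vpnonly, the tunnel interface utun1 and the peer address 10.8.0.1 are assumptions; substitute the ones OpenVPN actually creates on your machine.

```pf
# Added example, not from the original post or any project mentioned in it.
# Assumptions: VPN-only apps run as members of a local group "vpnonly"
# (hypothetical; e.g. launched via `sg vpnonly` or a dedicated account),
# and OpenVPN brings up utun1 with peer 10.8.0.1 (constructed value).
vpn_if = "utun1"
vpn_gw = "10.8.0.1"

# Never interfere with loopback traffic.
set skip on lo0

# Traffic from the group that already leaves on the tunnel is fine.
pass out quick on $vpn_if group vpnonly keep state

# Traffic from the group that the routing table would send elsewhere
# is redirected into the tunnel instead of following the default route.
pass out quick on ! $vpn_if route-to ($vpn_if $vpn_gw) group vpnonly keep state

# Anything from the group that did not match above is dropped, so when the
# tunnel is down or missing the apps lose connectivity rather than leaking.
block drop out quick group vpnonly
```

Check the syntax with `sudo pfctl -nf <file>` before loading it with `sudo pfctl -ef <file>`; the final block rule is what provides the fail-closed guarantee, since I have not verified how macOS pf treats the route-to rule while utun1 is absent.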
Solution 1:
This feature is available from Private Internet Access. They call it their Desktop Application Split Tunneling Feature. It is a complex enough feature that I would not expect it to be supported by free software.