Running some processes and not others over VPN

I'm looking to secure some apps on macOS using an OpenVPN connection. I want the apps not to work when the VPN isn't active. I can't necessarily track which servers the apps are trying to access, so manually specifying routes either from the server or client end is prohibitive. I also don't want all traffic going over the VPN.

So here's what I have so far:

  1. Something needs to work at the application layer to 'capture' all traffic from an application.
  2. Something else needs to work at the network layer to take all of that traffic and push it over the VPN.

And then I need a way to specify which apps and which interface, and be sure that if that interface is down or disconnected, no traffic flows.

So far I think this might be doable with pf (I found Murus, a GUI front-end), except that it doesn't seem to deal with applications per se, but rather networks and ports, which as stated above is problematic.

Then there's Little Snitch, which deals with applications but is a binary go/no-go decision maker, rather than directing some traffic here and some traffic there.

That said, I did find a not-well-documented feature where it seems like you can create a rule for a process in Little Snitch, and give it access to pf. So perhaps there's a way to write a pf rule that then directs that traffic over the VPN.

Open to suggestions.
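One way to get the pf half of this, as an added example that is not from the question or any answer: run the confined apps as a dedicated local user and let pf match on the socket owner, which sidesteps the per-application problem. Assumed names: the tunnel is utun0 with in-tunnel gateway 10.8.0.1, the LAN interface is en0, the confined user is vpnonly, and the anchor file path is illustrative.

```conf
# Added example: /etc/pf.anchors/vpnonly (assumed path); load with
#   sudo pfctl -a vpnonly -f /etc/pf.anchors/vpnonly
# Assumptions: OpenVPN tunnel is utun0 with in-tunnel gateway 10.8.0.1,
# the LAN interface is en0, and the confined apps run as local user "vpnonly".
vpn_if   = "utun0"
vpn_gw   = "10.8.0.1"
lan_if   = "en0"
vpn_user = "vpnonly"

# Packets forced onto utun0 by route-to still carry en0's LAN source address,
# so rewrite the source to the tunnel's own address or replies never come back.
nat on $vpn_if from any to any -> ($vpn_if)

# Loopback stays open for the confined user.
pass out quick on lo0 user $vpn_user

# "user" matches the owner of the local socket, so only vpnonly's traffic is
# affected. Anything the routing table would send out en0 is pushed into the
# tunnel instead; with utun0 absent the packet has no exit and is dropped.
pass out quick on $lan_if route-to ($vpn_if $vpn_gw) user $vpn_user keep state

# Traffic already headed for the tunnel passes as-is.
pass out quick on $vpn_if user $vpn_user keep state

# Kill switch: everything else from that user is dropped. Other users are
# untouched, so the rest of the machine does not go over the VPN.
block drop out quick user $vpn_user
```

Reload the anchor from OpenVPN's `--up` and `--down` scripts so the rules track the tunnel's state, and note that DNS lookups made by the system resolver run under a different user and are not covered by this anchor.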


Solution 1:

This feature is available from Private Internet Access. They call it their Desktop Application Split Tunneling Feature. It is a complex enough feature that I would not expect it to be supported by free software.