Linux: Best way to use VPN as a proxy for a single app/like a web browser?



Fli
07-13-2023, 08:09 PM
Hello,

On Linux Debian, I am using a VPN for all apps; it is done with WireGuard (https://internetlifeforum.com/showthread.php?15410-Setting-up-own-VPN-server-using-WireGuard-on-Linux&highlight=killswitch). It is set up under the wg0 network interface.
Then I have set up a second VPN server (a client .conf file provided by the free ProtonVPN (https://protonvpn.com/)) under the wg1 interface: /etc/wireguard/wg1.conf

$ sudo cat /etc/wireguard/wg1.conf

[Interface]
# Bouncing = 1
PrivateKey = ***=
Address = 10.2.0.2/32
DNS = 9.9.9.9
#PostUp = ip ru del from 10.2.0.2 lookup 2000
PostUp = ip r ad default dev wg1 scope link tab 2000
PostUp = ip ru add from 10.2.0.2 tab 2000
PostDown = ip ru del from 10.2.0.2 lookup 2000
PostDown = ip r del default dev wg1 scope link tab 2000
# Duplicate of the first PostDown ("tab" and "lookup" are the same ip-rule keyword); deleting the rule a second time fails.
#PostDown = ip ru del from 10.2.0.2 tab 2000
#Table = 2000
Table = off

[Peer]
# NL-FREE#101116
PublicKey = ***=
#AllowedIPs = 10.2.0.0/24
AllowedIPs = 0.0.0.0/0
Endpoint = remoteVPNServer:51820

Starting the connection to the secondary server, wg1, works:
wg-quick down wg1;wg-quick up wg1

Pinging through the wg1 interface works:
ping -c 3 -I 10.2.0.2 1.1.1.1;ping -c 3 -I 10.2.0.2 8.8.8.8;ping -c 3 -I 10.2.0.2 quad9.net;ping -c 3 -I 10.2.0.2 seznam.cz
(note that 1.1.1.1 does not answer pings in the first seconds after bringing the wg1 interface up; waiting 1-2 minutes may help)

Now I want to set it up so it can be used by selected apps, like one of my web browsers.

There are several options. The first is Firejail, but it does not work by default and apparently requires iptables configuration. Possibly not the optimal solution:


sudo apt install -t bullseye-backports firejail firejail-profiles
sudo nano /etc/firejail/firejail.config # search "network" and set it to yes + another network setting set strict no.
sudo ln -s /usr/bin/firejail /usr/local/bin/midori # permanent setup jailing of Midori
firejail --list
firejail --net=wg1 midori
-> "Error: the software is not supported for /31 networks"
Some people solve it by making a bridge and adjusting iptables, which is difficult:
https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/
https://firejail.wordpress.com/documentation-2/basic-usage/#routed



Another option besides Firejail is tinyproxy. Its configuration does not seem that easy: https://nxnjz.net/2019/10/how-to-setup-a-simple-proxy-server-with-tinyproxy-debian-10-buster/

Other options are:
https://github.com/xjasonlyu/tun2socks - Handle all network traffic of any internet programs sent by the device through a proxy. (an example config is here (https://github.com/xjasonlyu/tun2socks/wiki/Examples)) Allows installing simply using Go: https://github.com/xjasonlyu/tun2socks/wiki/Install-from-Source
https://github.com/pufferffish/wireproxy - A WireGuard client that exposes itself as a socks5/http proxy or tunnels. The "Sample config file" section seems difficult to me; it is hard to understand what one is supposed to do.
https://github.com/kizzx2/docker-wireguard-socks-proxy - Expose WireGuard as a SOCKS5 proxy in a Docker container. Seems simple, yet Docker is big, I expect. (link to OpenVPN variety)
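The wg1.conf in the post relies on three pieces fitting together: the [Interface] Address (10.2.0.2/32), a policy rule "from 10.2.0.2 lookup 2000", and a default route via wg1 in table 2000, with Table = off so wg-quick does not add its own routes. The ping -I 10.2.0.2 test only tells you the result; the script below is an added checker (not from the original post or from WireGuard) that parses the conf and verifies the rule and the route against the output of ip rule show and ip route show table N. It assumes the conf path and table number from the post; when run without root, without the conf or without a wg1 interface, it falls back to constructed sample outputs (marked as such in the code) that mimic the format of those ip commands, so it can be tried offline.

```bash
#!/bin/bash
# Added checker for the policy-routing setup in the post's wg1.conf:
#   [Interface] Address -> "ip rule from <addr> lookup <table>" -> "default dev wg1" in that table
# Conf path and table number are taken from the post. SAMPLE_* values are constructed
# (not captured from a real host) and only imitate the output format of ip(8).

CONF="${WG1_CONF:-/etc/wireguard/wg1.conf}"   # path used in the post

# Constructed samples so the script runs without root or a wg1 interface.
SAMPLE_CONF='[Interface]
PrivateKey = ***=
Address = 10.2.0.2/32
DNS = 9.9.9.9
PostUp = ip r ad default dev wg1 scope link tab 2000
PostUp = ip ru add from 10.2.0.2 tab 2000
Table = off

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = remoteVPNServer:51820'
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.2.0.2 lookup 2000
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='default dev wg1 scope link'

# Value of <key> in the [Interface] section of <conf-text>; comments are stripped first.
conf_value() {  # conf_value <key> <conf-text>
    printf '%s\n' "$2" | sed 's/#.*//' | awk -v key="$1" '
        /^\[/ { sec = $0 }
        sec == "[Interface]" {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# Table number and source address used by the "ip ru add from <addr> tab <n>" PostUp hook.
rule_table()  { printf '%s\n' "$1" | sed 's/#.*//' | awk '/^PostUp/ && /ip ru(le)? add from/ { print $NF; exit }'; }
rule_source() { printf '%s\n' "$1" | sed 's/#.*//' | awk '/^PostUp/ && /ip ru(le)? add from/ { for (i = 1; i <= NF; i++) if ($i == "from") { print $(i + 1); exit } }'; }

# Does `ip rule show` output contain "from <addr> lookup <table>"? (ip prints a /32 without the prefix length)
has_source_rule() {  # has_source_rule <addr[/len]> <table> <ip-rule-output>
    printf '%s\n' "$3" | grep -Eq "from ${1%/*}[[:space:]]+lookup ${2}([[:space:]]|$)"
}

# Does `ip route show table <n>` output contain a default route bound to <dev>?
has_default_via_dev() {  # has_default_via_dev <dev> <ip-route-output>
    printf '%s\n' "$2" | grep -Eq "^default dev ${1}([[:space:]]|$)"
}

main() {
    local dev=wg1 conf rules routes addr table src rc=0
    if [ -r "$CONF" ] && command -v ip >/dev/null 2>&1 && ip link show "$dev" >/dev/null 2>&1; then
        conf=$(cat "$CONF"); rules=$(ip rule show); routes=$(ip route show table "$(rule_table "$conf")")
        echo "checking live state of $dev"
    else
        conf=$SAMPLE_CONF; rules=$SAMPLE_RULES; routes=$SAMPLE_ROUTES
        echo "no readable $CONF or no $dev interface; checking constructed sample output"
    fi
    addr=$(conf_value Address "$conf"); table=$(rule_table "$conf"); src=$(rule_source "$conf")
    [ "${addr%/*}" = "$src" ]                 || { echo "FAIL: Address $addr does not match rule source $src"; rc=1; }
    has_source_rule "$addr" "$table" "$rules" || { echo "FAIL: no 'from ${addr%/*} lookup $table' rule"; rc=1; }
    has_default_via_dev "$dev" "$routes"      || { echo "FAIL: table $table has no default route via $dev"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: traffic sourced from ${addr%/*} leaves via $dev (table $table)"
    return "$rc"
}

main "$@" || echo "policy routing for wg1 is not (fully) in place" >&2
```

Run it as root on the host with wg1 up to check the live state; any other environment exercises the constructed samples. Because the rule keys only on the source address, a program is steered through wg1 exactly when it binds to 10.2.0.2 (as ping -I does); anything that binds to the wg0 or LAN address still follows the main table, which is why the per-application options listed in the post (a network namespace, a SOCKS proxy in front of the tunnel) are needed rather than more routing rules.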