Thread: Linux: Best way to use VPN as a proxy for a single app/like a web browser?

  1. #1
    Administrator
    Join Date
    Mar 2013
    Posts
    2,807


    Hello,

    On Debian Linux, I am using a VPN for all apps; it is done by WireGuard. It is set under the wg0 network interface.
    Then I have set up a second VPN server (given by free ProtonVPN) with its client .conf file under the wg1 interface: /etc/wireguard/wg1.conf

    $ sudo cat /etc/wireguard/wg1.conf
    Code:
    [Interface] 
    # Bouncing = 1 
    PrivateKey = ***= 
    Address = 10.2.0.2/32 
    DNS = 9.9.9.9 
    #PostUp = ip ru del from 10.2.0.2 lookup 2000 
    PostUp = ip r ad default dev wg1 scope link tab 2000 
    PostUp = ip ru add from 10.2.0.2 tab 2000 
    PostDown = ip ru del from 10.2.0.2 lookup 2000 
    PostDown = ip r del default dev wg1 scope link tab 2000 
    PostDown = ip ru del from 10.2.0.2 tab 2000 
    #Table = 2000 
    Table = off 
    
    [Peer] 
    # NL-FREE#101116 
    PublicKey = ***= 
    #AllowedIPs = 10.2.0.0/24 
    AllowedIPs = 0.0.0.0/0 
    Endpoint = remoteVPNServer:51820

    Starting the connection to the secondary server, wg1, works:
    wg-quick down wg1;wg-quick up wg1

    Pinging through the wg1 interface works:
    ping -c 3 -I 10.2.0.2 1.1.1.1;ping -c 3 -I 10.2.0.2 8.8.8.8;ping -c 3 -I 10.2.0.2 quad9.net;ping -c 3 -I 10.2.0.2 seznam.cz
    (note that 1.1.1.1 does not answer pings in the first seconds after bringing the wg1 interface up; waiting 1-2 minutes may help)

    Now I want to set it up so it can be used by selected apps, like one of my web browsers.

    There are several options. The first is Firejail, but it does not work by default and apparently requires iptables configuration. Possibly not an optimal solution:

    sudo apt install -t bullseye-backports firejail firejail-profiles
    sudo nano /etc/firejail/firejail.config # search "network" and set it to yes + another network setting set strict no.
    sudo ln -s /usr/bin/firejail /usr/local/bin/midori # permanent setup jailing of Midori
    firejail --list
    firejail --net=wg1 midori
    -> "Error: the software is not supported for /31 networks"
    Some people solve it by making a bridge and adjusting iptables, which is difficult:
    https://www.void.gr/kargig/blog/2016/12/12/firejail-with-tor-howto/
    https://firejail.wordpress.com/documentation-2/basic-usage/#routed

    Another option besides Firejail is tinyproxy. Its configuration does not seem that easy: https://nxnjz.net/2019/10/how-to-setup-a-simple-proxy-server-with-tinyproxy-debian-10-buster/

    Other options are:
    https://github.com/xjasonlyu/tun2socks - Handle all network traffic of any internet programs sent by the device through a proxy. (an example config is here) Allows installing simply using Go: https://github.com/xjasonlyu/tun2socks/wiki/Install-from-Source
    https://github.com/pufferffish/wireproxy - A wireguard client that exposes itself as a socks5/http proxy or tunnels. The "Sample config file" section seems to me difficult to understand as to what one is supposed to do.
    https://github.com/kizzx2/docker-wireguard-socks-proxy - Expose WireGuard as a SOCKS5 proxy in a Docker container. Seems simple, yet Docker is big, I expect. (link to OpenVPN variety)
    Last edited by Fli; 11-07-2024 at 09:39 AM.
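
The PostUp lines in the wg1.conf above install a source rule for 10.2.0.2 and a default route in table 2000. A check that traffic bound to that address really leaves through wg1, and does not fall back to another interface, is sketched below as an added example that is not part of the original post; the function names are made up here and the sample `ip` output is constructed.

```shell
#!/bin/sh
# Added example; 10.2.0.2, wg1 and table 2000 come from the post, function names are made up.

# Succeeds if `ip rule show` text ($1) has a rule "from SRC ($2) lookup TABLE ($3)".
has_src_rule() {
    printf '%s\n' "$1" | awk -v src="$2" -v tab="$3" '
        { f = 0; t = 0
          for (i = 1; i < NF; i++) {
              if ($i == "from" && $(i + 1) == src) f = 1
              if ($i == "lookup" && $(i + 1) == tab) t = 1
          }
          if (f && t) ok = 1 }
        END { exit !ok }'
}

# Prints the word following "dev" on the first line of $1 whose first field is $2.
dev_of() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == key { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# check_app_path RULES TABLE_ROUTES ROUTE_GET SRC TABLE DEV DEST -> prints a verdict
check_app_path() {
    has_src_rule "$1" "$4" "$5" || { echo "missing-rule"; return 1; }
    [ "$(dev_of "$2" default)" = "$6" ] || { echo "missing-default"; return 1; }
    got=$(dev_of "$3" "$7")
    [ "$got" = "$6" ] || { echo "leak:${got:-none}"; return 1; }
    echo "ok"
}

# Constructed sample output (not captured from a real host)
SAMPLE_RULES='0: from all lookup local
32765: from 10.2.0.2 lookup 2000
32766: from all lookup main
32767: from all lookup default'
SAMPLE_TABLE='default dev wg1 scope link'
SAMPLE_GET='1.1.1.1 from 10.2.0.2 dev wg1 table 2000 uid 1000
    cache'

check_app_path "$SAMPLE_RULES" "$SAMPLE_TABLE" "$SAMPLE_GET" 10.2.0.2 2000 wg1 1.1.1.1

# Live use on the host:
# check_app_path "$(ip rule show)" "$(ip route show table 2000)" \
#     "$(ip route get 1.1.1.1 from 10.2.0.2)" 10.2.0.2 2000 wg1 1.1.1.1
```

A `leak:` verdict means the kernel would send packets sourced from 10.2.0.2 out of a different interface than wg1, which is the case to rule out before pointing a browser at this address.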

  2. #2


    If you want a less complex route, just running the app inside a container or VM with a separate network interface might help isolate it without too much hassle.

  3. #3
    Junior Member krimdad's Avatar
    Join Date
    Dec 2022
    Posts
    6


    I’ve had a similar setup before, where I was juggling multiple VPNs on a Linux system with Wireguard. It worked fine for the most part, but I needed to isolate certain apps through different VPNs, like my browser. I tried Firejail too, and honestly, it was a bit of a hassle getting it right, especially with iptables involved.
