User-friendly per-application routing on Linux

[planetoryd]

I would not set a VPN to be the default gatway, as my needs are nuanced.

• SOCKS proxy for regular browsing traffic.
• Direct connection for software package updates
  • SOCKS proxy for package sources that are blocked
• TOR for more anonymity
• Lokinet, which provides an interface, for accessing its sites.
• I2P
• Another socks proxy, with a quality IP.

Android VPNs tend to have per-application settings for routing, but getting it on Linux seems to involve a lot of hassle.

Possible solutions

1. System/Physical-level routing. Tails, whonix. It may be an overkill and is not convenient to set up.
2. Firejail. Currently doesn't support TUN though.
3. Iptables marking traffic from programs run by different users, which is sent through different gateways.
4. Network namespace
5. Force-binding applications to interfaces

I don't know how this may be solved elegantly, securely without UX compromise. For now I use socks proxies through application configuration, which carries more risk.

[ValdikSS]

So, what's your question? It's not clear what are you trying to achieve and what is the problem statement. All software mentioned in the first list already provides proxy port which you can configure in the application, except Lokinet (I guess it uses TUN?), so it's already could be configured per-application.

Are you trying to make it vice versa, all automatic configuration, to not to configure each application individually?

[planetoryd]

@ValdikSS Maximize the sum of security and convenience. Setting proxies in application themselves requires active support from the developers. (An application has to be programmed to support proxies.) It's not uncommon that applications leak traffic, which is disastrous. Firefox has weird behavior about DNS. I didn't know that it leaked DNS untill I did extensive research. The behavior is unintuitive and it is not informing what it is actually doing. The settings is vague. Users are not going to become experts before using it, securely. Proxy settings is often disrespected, or it doesn't work in the expected way. (like, who would know socks5h)

Enforcing proxy in kernel or anything sandbox-like is way better. And, some applications don't work with proxychains. The traffic leaked without warning, for me.

I have posted this problem elsewhere too

https://github.com/oxen-io/lokinet/issues/2140

https://www.reddit.com/r/PrivacyGuides/comments/115eky5/optimal_solution_to_selective_proxying/

[hiddify-com]

Try https://github.com/hiddify/HiddifyDesktop/releases/tag/v1.203.1

[planetoryd]

@hiddify I doubt you have considered my concerns listed above

My point is container-based (if I am to phrase it), rather than rule-based.