triffid / pia-wg

Linux shell scripts for connecting to Private Internet Access VPN's WireGuard service

Clarification on VPNONLY_ROUTE_TABLE #4

Closed DroidFreak32 closed 2 years ago

DroidFreak32 commented 2 years ago

I'd like to understand this flag, possibly with a real example on how this would work.

From the looks of it, this is to force using the VPN as the default route on a custom routing table.

I do have a use case where I need to force use of the VPN without affecting the default routing table used by everything else. Do you have an example of a custom routing table where we can use this?

triffid commented 2 years ago

This forces any process running as uid=105 to use VPN only for non-local connections:

```
# ip rule show
…
50:     from all uidrange 105-105 lookup vpnonly
51:     from all uidrange 105-105 prohibit
…
```

Presumably there's something fancier that could be done with cgroup network shenanigans so you don't have to use a separate uid or something else that a basic ip rule can filter against, but I haven't played with that myself.
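The rule pair above, written out as a script that creates the table's default route and the two rules, plus the matching teardown. This is an added example, not code from pia-wg or from triffid; it assumes the tunnel interface is `wg0`, the confined uid is 105, and the table name `vpnonly` is already registered in `/etc/iproute2/rt_tables` (a numeric table id works too). `DRY_RUN=1` prints the commands instead of running them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example (not part of pia-wg): confine one uid to the WireGuard tunnel
# with policy routing, fail-closed. Assumed names: wg0, table "vpnonly", uid 105.
set -eu

# run_cmd executes a command, or only prints it when DRY_RUN=1.
run_cmd() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vpnonly_setup UID TABLE IFACE: send all traffic of UID through IFACE and
# refuse anything the table cannot route, so nothing falls back to the main
# table (and the ISP) when the tunnel is down.
vpnonly_setup() {
    uid=$1; table=$2; iface=$3
    # The custom table holds a single default route that points at the tunnel.
    run_cmd ip route replace default dev "$iface" table "$table"
    # Rule 50: this uid consults the vpnonly table first.
    run_cmd ip rule add priority 50 uidrange "$uid-$uid" lookup "$table"
    # Rule 51: if the lookup found nothing (tunnel gone, route removed),
    # prohibit rather than continue to the main table.
    run_cmd ip rule add priority 51 uidrange "$uid-$uid" prohibit
    # Exceptions for local subnets would go in at a lower priority number
    # than 50; they are not shown here (the elided rules above are unknown).
}

# vpnonly_teardown UID TABLE: remove the rules and empty the table.
vpnonly_teardown() {
    uid=$1; table=$2
    run_cmd ip rule del priority 51 uidrange "$uid-$uid" prohibit
    run_cmd ip rule del priority 50 uidrange "$uid-$uid" lookup "$table"
    run_cmd ip route flush table "$table"
}
```

After applying the setup, `ip rule show` should list the two uidrange entries at priorities 50 and 51, and `ip route show table vpnonly` only the tunnel default route.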