How to implement wireguard VPN split tunnel?

Hi,

I would like to route all traffic for a particular service on my server through a wireguard VPN, without changing the routing for other traffic. (How) can I achieve this?

I have tried looking into parameters for wg-quick and route more generally, but from what I understand their purpose is to route based on the destination of the traffic, which seems to be a different task.

It sounds like what I want can be achieved using jails, but I have been avoiding them because they seem quite resource intensive and I do not have much storage space on my VPS. I only tried those new service jails and played around with _svcj_ipaddrs= to assign an IP address to the service or somehow force the service to communicate only via the wireguard interface, possibly using pf, but I haven't understood those tools well enough to know if this even is the right approach.

This seems related to this question, which has had no answer for 3 years.

Alternatively, what may also work for my case is to route all traffic through the VPN that has a particular domain as its destination, but from what I understand routing takes place on lower network layers so for that I'd have to constantly query the IP the domain resolves to and update the routing based on that. This sounds a bit complicated to implement, and in general I'd prefer to route only the traffic of that particular service.
 
Hi,

I would like to route all traffic for a particular service on my server through a wireguard VPN, without changing the routing for other traffic. (How) can I achieve this?

Should this particular service be accessible only via wireguard VPN? Is the server using a standard publicly accessible IP? Where are your wireguard VPNs connecting to?

It sounds like what I want can be achieved using jails, but I have been avoiding them because they seem quite resource intensive and I do not have much storage space on my VPS. I only tried those new service jails and played around with _svcj_ipaddrs= to assign an IP address to the service or somehow force the service to communicate only via the wireguard interface, possibly using pf, but I haven't understood those tools well enough to know if this even is the right approach.

Jails are in general a lightweight form of virtualisation, much lighter than hypervisors.

If you could implement your service in a vnet jail, then you could think of it as a standalone computer, with its own routing table.
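The vnet-jail approach suggested above, written out as an added example that is not part of this thread and not anyone's posted configuration: a jail.conf stanza on the host, the host pf rules that let nothing except the WireGuard UDP flow leave the jail, and the wg(8) configuration inside the jail. The jail name, interface names, the 10.66.0.0/24 and 10.8.0.0/24 addresses, the 203.0.113.10:51820 endpoint and the keys are all assumptions or placeholders; it also assumes FreeBSD with the in-kernel WireGuard driver (if_wg), wireguard-tools installed inside the jail, pf enabled on the host and net.inet.ip.forwarding=1 on the host.

```conf
# --- /etc/jail.conf on the host (constructed example; all names and addresses are assumptions) ---
# Assumes FreeBSD with the in-kernel WireGuard driver (if_wg), wireguard-tools installed in the
# jail, pf enabled on the host and net.inet.ip.forwarding=1 on the host.
vpnjail {
    host.hostname = "vpnjail";
    path = "/jails/vpnjail";
    vnet;
    vnet.interface = "epair0b";            # jail side of the epair
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig epair0a inet 10.66.0.1/24 up";   # host side, no bridge needed
    exec.start     = "ifconfig epair0b inet 10.66.0.2/24 up";
    # only the provider's endpoint (placeholder address) is reachable over the epair
    exec.start    += "route add -host 203.0.113.10 10.66.0.1";
    # the WireGuard interface lives in the jail's own vnet and owns the jail's default route,
    # so the host routing table is untouched
    exec.start    += "ifconfig wg0 create";
    exec.start    += "wg setconf wg0 /usr/local/etc/wireguard/wg0.conf";
    exec.start    += "ifconfig wg0 inet 10.8.0.2/32 up";
    exec.start    += "route add default -interface wg0";
    exec.start    += "/bin/sh /etc/rc";    # rc.d inside the jail starts the downloading service
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig epair0a destroy";
    exec.clean;
    mount.devfs;
}

# --- additions to /etc/pf.conf on the host ---
ext_if       = "vtnet0"          # assumption: the VPS's public interface
vpn_endpoint = "203.0.113.10"    # placeholder for the provider's WireGuard endpoint
vpn_port     = "51820"

# NAT only the tunnel's outer UDP flow; nothing else from the jail gets a public source address.
nat on $ext_if inet proto udp from 10.66.0.2 to $vpn_endpoint port $vpn_port -> ($ext_if)
# Jail traffic reaches the host on epair0a: allow the WireGuard UDP flow and drop everything
# else, so a downed tunnel makes the service fail closed instead of using the host's own route.
pass in quick on epair0a inet proto udp from 10.66.0.2 to $vpn_endpoint port $vpn_port
block drop in quick on epair0a all

# --- /usr/local/etc/wireguard/wg0.conf inside the jail, in wg(8) setconf syntax ---
# (no Address/DNS/Table keys: those are wg-quick extensions, handled by the exec.start lines)
[Interface]
PrivateKey = <jail private key>           # placeholder; generate with: wg genkey
[Peer]
PublicKey = <provider public key>         # placeholder supplied by the VPN provider
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0                    # cryptokey routing must cover every destination
PersistentKeepalive = 25
```

The service itself runs inside the jail (started by its rc.d script), so only its traffic takes the jail's default route over wg0; the host keeps its ordinary routing. Two checks after `jail -c vpnjail`: `jexec vpnjail netstat -rn` should show the default route on wg0 and a single host route for the endpoint via 10.66.0.1, and `jexec vpnjail wg show` should report a recent handshake. The jail's /etc/resolv.conf has to point at a resolver reachable through the tunnel (for example the provider's), otherwise the pf block rule drops the jail's DNS queries, which is the intended fail-closed behaviour rather than a leak.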
 
The service does not need to be accessible from the outside, its purpose is to download files from a website, and I don't want the website to identify me, which is why I want the requests to go through a proxy server of a VPN provider.

I will try to do it from a vnet jail then, thank you for your help.
 