OpenVPN Split Tunneling (specify apps that go through VPN tunnel)

Hey guys, I managed to get OpenVPN split tunneling working and wanted to share it with you!
It uses Linux namespaces to create an isolated container. I use Transmission as my torrent client and socat to access Transmission's WebUI from my home network.

Based on the Wiki from rakshasa and slingamn. Links Below.

Tested on Raspbian Buster and Ubuntu Server 18.04; it should also work under OSMC.

As a non-root user, you should prefix all commands with sudo.

  1. Installing Dependencies
    apt update
    apt install openvpn iproute2 python dnsutils dnsmasq curl transmission-daemon socat

  2. Download namespaced-openvpn Script:
    cd /usr/local/sbin
    curl -sLSO https://raw.githubusercontent.com/slingamn/namespaced-openvpn/master/namespaced-openvpn
    chmod +x namespaced-openvpn
  3. Set up the provided OpenVPN config files and create an auth.txt which will contain your VPN login data:
    mkdir -p ~/.config/openvpn
    cp *.ovpn ~/.config/openvpn/
    sudoedit ~/.config/openvpn/auth.txt
    chmod 400 ~/.config/openvpn/*.ovpn
    chmod 400 ~/.config/openvpn/auth.txt
  4. Test your Connection:
    sudo /usr/local/sbin/namespaced-openvpn --config /home/"$USER"/.config/openvpn/foo.ovpn --writepid /var/run/openvpn-protected-foo-"$USER".pid --log /var/log/openvpn-protected-foo-"$USER".log --daemon

Now you should have successfully created a namespace with OpenVPN running in it.

Important: change foo to match your ovpn file.
If you want to name your namespace differently than the default "protected" name, add "--namespace <nameOfNamespace>" as a parameter above.

Check whether your freshly created namespace successfully connected itself to your VPN with:
    sudo ip netns exec protected sudo -u "$USER" -- curl ifconfig.me
You should now see a different public IP address from the one you see if you just enter curl ifconfig.me

If that's the case, continue.

  5. Create socat script:
    This script will later allow you to access Transmission's WebUI from your local network. Without this it wouldn't be possible, because the namespace is kind of an isolated container.

    mkdir /etc/socat
    sudoedit /etc/socat/9091_socat

Insert the following lines:

#!/bin/bash
# /etc/socat/9091_socat
# Socat-Script Port 9091
#Don't forget to make this Script executable!!! Use chmod 755

# TCP Port 9091
sudo /usr/bin/socat tcp-listen:9091,fork,reuseaddr exec:'ip netns exec protected socat STDIO tcp-connect\:127.0.0.1\:9091',nofork

Now we make this script executable:
    chmod 755 /etc/socat/9091_socat

  6. Create Systemd Service to start all Services at boot.

Socat Systemd:

sudoedit /etc/systemd/system/socat-tcp9091.service

#Socat Systemd:
#/etc/systemd/system/socat-tcp9091.service


[Unit]
Description=socat Service 9091
After=transmission-daemon.service
BindsTo=transmission-daemon.service

[Service]
Type=simple
User=root
ExecStart=/etc/socat/9091_socat
Restart=on-abort

[Install]
WantedBy=multi-user.target

Transmission Systemd:

sudoedit /lib/systemd/system/transmission-daemon.service

#Transmission Systemd:
#/lib/systemd/system/transmission-daemon.service

[Unit]
Description=Transmission BitTorrent Daemon
After=navpn.service
Requires=navpn.service


[Service]
User=root
Type=simple
ExecStart=/bin/sh -c 'exec /sbin/ip netns exec protected /usr/bin/sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error --config-dir /var/lib/transmission-daemon/info'
ExecReload=/bin/kill -s HUP $MAINPID

[Install]
WantedBy=multi-user.target

OpenVPN Namespaced Systemd

Important: In the ExecStart line, change "ch2-udp.ovpn" to your ovpn file name and location. The same goes for the auth.txt file which we created above and which will contain your login and password for OpenVPN.

sudoedit /etc/systemd/system/navpn.service

#OpenVPN Namespaced Systemd
#/etc/systemd/system/navpn.service

[Unit]
Description=Namespaced OpenVPN connection to protected
Before=systemd-user-sessions.service
After=network-online.target
Wants=network-online.target
Documentation=https://github.com/slingamn/namespaced-openvpn

[Service]
Type=notify
WorkingDirectory=/etc/openvpn
ExecStart=/usr/local/sbin/namespaced-openvpn --daemon --cd /etc/openvpn --config /home/pi/.config/openvpn/ch2-udp.ovpn --auth-user-pass /home/pi/.config/openvpn/auth.txt --writepid /run/namespaced-openvpn/protected.pid --log /var/log/openvpn-protected-pi.log
PIDFile=/run/namespaced-openvpn/protected.pid
KillMode=process
ExecReload=/bin/kill -HUP $MAINPID
RestartSec=5s
Restart=on-failure
RuntimeDirectory=namespaced-openvpn

[Install]
WantedBy=multi-user.target

  7. Enable all Systemd Services
    systemctl enable socat-tcp9091.service
    systemctl enable transmission-daemon.service
    systemctl enable navpn.service
  8. Reboot your Device

    reboot now

  9. Test for DNS Leak

    apt install qt
    cd ~/
    wget https://raw.githubusercontent.com/macvk/dnsleaktest/master/dnsleaktest.sh
    chmod +x dnsleaktest.sh
    cd ~/
    sudo ip netns exec protected sudo -u "$USER" ./dnsleaktest.sh
  10. Optional: Change WebUI Interface for a Modern one
    wget https://github.com/ronggang/transmission-web-control/raw/master/release/install-tr-control.sh
    bash install-tr-control.sh

Choose Number 1.
After the installation has finished, go to http://server_domain_name_or_IP:9091
If the UI is still the same, reload the page.

Useful Links:

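Added example, not part of the original post or of namespaced-openvpn: a POSIX shell check that the setup above does not leak, covering the interfaces in the namespace, the egress IP comparison and whether Transmission really runs inside the namespace. It assumes the namespace is named protected, that a correctly isolated namespace holds only lo and a tun/tap device, and that ifconfig.me is reachable; the function names and the sample text are made up for this example.

```sh
#!/bin/sh
# Added example: leak checks for the namespace created in the post.
NS="${NS:-protected}"   # default namespace name used by the post

# stdin: `ip -o link show` output. Prints every interface that is neither
# loopback nor a tun/tap device; any output means the namespace has a
# path to the network that bypasses the VPN tunnel.
unexpected_links() {
    awk -F': ' '{ sub(/@.*/, "", $2)
                  if ($2 != "lo" && $2 !~ /^(tun|tap)[0-9]+$/) print $2 }'
}

# $1 = public IP seen from the host, $2 = public IP seen from inside $NS.
egress_verdict() {
    if [ -z "$2" ]; then echo "NO_CONNECTIVITY"
    elif [ "$1" = "$2" ]; then echo "LEAK"
    else echo "OK"
    fi
}

# stdin: `ip netns identify PID` output. Succeeds only for a process in $NS.
in_namespace() { grep -qxF "$NS"; }

# Constructed sample of what a correctly isolated namespace should list.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN'

if [ "${1:-}" = "--live" ]; then   # run as root with the tunnel up
    rc=0
    extra=$(ip -n "$NS" -o link show | unexpected_links)
    [ -z "$extra" ] || { echo "unexpected interfaces in $NS: $extra"; rc=1; }
    host_ip=$(curl -s --max-time 10 ifconfig.me)
    ns_ip=$(ip netns exec "$NS" curl -s --max-time 10 ifconfig.me)
    verdict=$(egress_verdict "$host_ip" "$ns_ip")
    echo "egress: $verdict"
    [ "$verdict" = "OK" ] || rc=1
    # pgrep -x matches the kernel's 15-character process name
    for pid in $(pgrep -x transmission-da); do
        ip netns identify "$pid" | in_namespace ||
            { echo "transmission PID $pid is outside $NS"; rc=1; }
    done
    exit "$rc"
fi
```

Run it with --live after the reboot step; a non-zero exit status means at least one of the three checks failed.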

Thought I'd mark your post as the solution :)
But personally I decided to build my own highly energy efficient server (a Synology uses 10W and is slow as f*ck), doing <3W when idle (which it is most of the time). It runs Ubuntu and uses Docker Compose. All my apps that do something with obtaining media go through a docker image (Nordvpnproxy).

It solved the issue for me and gave me a NAS that protects my photo albums etc. I also run JellyFin on it, which is an absolute delight! Since I have JellyFin, my Vero4K became a "dumb" player which eventually got replaced by an Nvidia ShieldTV.

Best decision ever since OSMC/Vero4K never became a mediaplayer supporting different types of legal media sources… something I expected after learning about the big investments they did. It was too unstable for me (remote that stops working 2 weeks after clean install of OSMC, happening all the time).

Now I don't even need Kodi anymore as the ShieldTV runs JellyFin client smoothly, and easily switches between Prime Video, Netflix etc!