Options for VPN split-tunneling in Linux?

As title states, I’m looking for solutions to split-tunnel on a Linux machine. I’ll likely be using RaspiOS (Debian) or Ubuntu Server for the distro.

I’m setting up a simple media server, and I need my torrent client (Qbittorrent or Transmission) to run through VPN, while the rest of the RPi needs to stay on the LAN. I want to have Jellyfin running on the same machine, and it needs to be directly accessible through the LAN by other computers (I won’t be making the Jellyfin server internet-accessible, I only need it on my local network.) Thus, I don’t want the Jellyfin server going through the VPN. I also want to have a Qbittorrent WebUI available, that is also accessible through LAN only.

Is there any good way to do this? I think that some people use containers like Docker, but are there other ways of going about this? I know a lot of Windows VPN clients do support split-tunneling, so I’m not sure why this is so hard on Linux.

I think the main points of confusion are that what you describe a) isn’t really split tunneling and b) should work out of the box (as long as you point the LAN-only stuff to the right interface).

WireGuard with the AllowedIPs being just your media center works perfectly for this if you can forward a port for it.

AllowedIPs being 192.168.1.0/24 for instance would get your whole house if that’s your subnet.

It can get fun with different cloud providers, having WireGuard route the private networks for them as well.

Hey OP, I’m setting up exactly what you described. Thanks for expressing the same question I have! Can you please let me know what you ended up doing? I tried NordVPN today and found out unfortunately it doesn’t have split tunneling in its Linux CLI app. But I get the impression that’s not needed, just not clear on the answer! Thanks!

I see. However, I am confused about what you mean in point b. From my understanding, if I run the OpenVPN client and connect to my VPN, all of the system’s traffic will be going into that VPN. Is there a way to open the Jellyfin server to just the LAN while not doing anything special with the OpenVPN config?

Mullvad also has resources on their website regarding split-tunneling if you want to read more about it.

I will definitely take a look, thanks. For the record, I use Windscribe, but it also has a cli client available. I have Pro, so I can also create OpenVPN and Wireguard configs if needed.

I ended up using a transmission-openvpn docker container set up for this. All you need is an OpenVPN config file from your VPN provider. I don’t know if it’s the best option, but it does work.

VPNs at their core are tools that create new connections. Some commercial variants try to additionally restrict the existing connections but free software ones generally don’t. People would just take the software and remove the restriction.

What OpenVPN gives you is simply an additional (virtual) network card. You can then direct traffic to it as you would with a normal network card. For your purposes that’s the routing table. You can look at it with ip route. There you will see one route for each network card that sends traffic destined to its network* via the respective card, and one or more default routes that are used for everything not destined to those directly connected networks.

Normally there is only one default route, one that points to your router. OpenVPN usually adds another one with higher priority that goes to the virtual interface. But traffic to your local network isn’t directed by whatever default route; instead it uses the more specific routes that remain in place. Thus traffic to it remains unchanged and everything can communicate just fine.

So far that all happens by default. One thing you might want to change is to tell your web frontends, etc. to only listen to traffic coming from the normal network card instead of using the default (all cards including the VPN). But that has nothing to do with the VPN itself, just that program.

*: determined by its subnet mask (e.g. 255.255.255.0) or prefix length (e.g. /24). Both are just two ways to say the same thing.
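To make the routing-table explanation above concrete, here is an added example (not from the thread) that simulates the kernel's longest-prefix-match lookup over a constructed ip route listing of a LAN host with an OpenVPN tunnel up. The interface names, addresses, the two /1 routes OpenVPN adds and the host route to the VPN server are assumptions chosen to match a typical redirect-gateway setup; route metrics are ignored.

```python
import ipaddress

# Constructed sample of `ip route` output after OpenVPN connects (assumption).
# OpenVPN does not delete the router's default route; it adds two /1 routes via
# tun0 that together cover every address but are more specific than /0, so they
# win. The /24 LAN route via eth0 is more specific still, and a /32 host route
# keeps the tunnel's own packets to the VPN server on the real gateway.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
203.0.113.5 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Turn ip route lines into (network, device) pairs; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host -> /32
        dev = fields[fields.index("dev") + 1]
        routes.append((net, dev))
    return routes


def lookup(routes, address):
    """Longest-prefix match: the most specific containing route decides the device."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


if __name__ == "__main__":
    table = parse_routes(SAMPLE_IP_ROUTE)
    # LAN peers stay on eth0, internet goes through tun0, the VPN server's
    # own endpoint stays on eth0 so the tunnel does not route into itself.
    for dst in ("192.168.1.20", "1.1.1.1", "150.0.0.1", "203.0.113.5"):
        print(dst, "->", lookup(table, dst))
```

Running it shows the Jellyfin/LAN case (192.168.1.x) landing on eth0 while everything else lands on tun0, which is the behaviour the reply describes as happening by default.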

Interesting. A particular image you can share?

Ok, I see.

So basically, the LAN should still be accessible, even if the VPN network interface is the main one?

Also, how would I direct traffic from the webUI (of Qbit for example) to my normal network interface instead of the VPN?

yes

Explanation of Options in qBittorrent · qbittorrent/qBittorrent Wiki · GitHub - Network interface

Alright, thanks for the help