# configuring openvpn for specific traffic

## curmudgeon

The default openvpn configuration that I received includes a "redirect-gateway" line, which sends ALL of the traffic through the vpn, including many types that I don't want to send through it (ntp, for example, but many others as well).

Is there some way (without building a routing table with hundreds of lines) to send specific traffic through the vpn - I am most interested in http and related (things such as rtmp), but would like to be able to choose by application (which I don't think is possible).

The man page shows an http-proxy option (which actually isn't an option for me, since the tunnel uses the udp protocol, instead of tcp required for an http proxy), but also a socks-proxy option (which might work).

So, let's suppose that my machine has an ip address of 192.168.0.1, and a tunnel endpoint of 10.0.0.1 (with the remote vpn server at 10.0.0.2). How do I configure openvpn (and what other software do I need to run?) so that I can send only the traffic through the vpn that I want to send through the vpn (with the rest going out through the current gateway)?

Thank you in advance.

----------

## Hu

You could use a network namespace to isolate the effects of the VPN.  Place the openvpn client in a private network namespace that is routed back out through the host.  Run VPN-using applications in that namespace.  Run non-VPN applications in the main namespace.  Anything in the VPN-using namespace will respect its routes, including the default route.  Anything in the main namespace will use your non-VPN routes.

----------

## curmudgeon

*Hu wrote:*

> You could use a network namespace to isolate the effects of the VPN.

I have spent most of the day researching this, and it seems like a reasonable idea. Setting up the networking does not seem difficult, but what is the best (simplest) way to run applications in another namespace (on a desktop system)? I didn't find much helpful documentation in that regard.

----------

## Hu

The simplest way is to use ip netns to manage the network namespaces.  That is very low level though, so you might prefer to find or write some wrapper scripts.
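The namespace approach Hu describes, worked out with ip netns as an added example (not code from any poster in this thread). Interface names and the 10.200.1.0/24 link addresses are assumptions; the host NATs the namespace's traffic out via its normal gateway, and openvpn's redirect-gateway then only rewrites the default route inside the namespace.

```sh
#!/bin/sh
# Added example: run an openvpn client in its own network namespace so its
# redirect-gateway affects only programs started in that namespace.
# Names and addresses below are assumptions/constructed; adjust for your host.
NS=${NS:-vpn}
HOST_IF=${HOST_IF:-eth0}                # host's real uplink (assumption)
VETH_HOST="veth-${NS}0"                 # host end of the veth pair
VETH_NS="veth-${NS}1"                   # namespace end of the veth pair
HOST_ADDR=10.200.1.1/24                 # constructed link addresses
NS_ADDR=10.200.1.2/24
NS_NET=10.200.1.0/24
DRY_RUN=${DRY_RUN:-0}                   # DRY_RUN=1 prints commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

ns_setup() {
    run ip netns add "$NS"
    run ip link add "$VETH_HOST" type veth peer name "$VETH_NS"
    run ip link set "$VETH_NS" netns "$NS"
    run ip addr add "$HOST_ADDR" dev "$VETH_HOST"
    run ip link set "$VETH_HOST" up
    run ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$VETH_NS"
    run ip netns exec "$NS" ip link set "$VETH_NS" up
    run ip netns exec "$NS" ip link set lo up
    # The namespace's only exit is the host end of the veth; openvpn's
    # redirect-gateway later replaces this default route inside the namespace only.
    run ip netns exec "$NS" ip route add default via "${HOST_ADDR%/*}"
    # Host forwards and masquerades the namespace's traffic via its own gateway.
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_NET" -o "$HOST_IF" -j MASQUERADE
}

ns_teardown() {
    run iptables -t nat -D POSTROUTING -s "$NS_NET" -o "$HOST_IF" -j MASQUERADE
    run ip link del "$VETH_HOST"        # also removes the peer inside the namespace
    run ip netns del "$NS"
}

# Run a program inside the namespace, e.g.
#   ns_run openvpn --config /etc/openvpn/client.conf &
#   ns_run sudo -u "$USER" firefox
# DNS inside the namespace comes from /etc/netns/$NS/resolv.conf if present
# (ip netns exec bind-mounts it over /etc/resolv.conf).
ns_run() {
    run ip netns exec "$NS" "$@"
}

if [ "$#" -gt 0 ]; then "$@"; fi       # usage: sh netns-vpn.sh ns_setup
```

Run ns_setup as root once, start openvpn with ns_run, and launch only the applications that should use the tunnel through ns_run; everything else keeps the host's routes.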

----------

## steveL

IDK if it's relevant, but schorsch_76 wrote a nice tip on bridging VM networks. (Remember: only the bridge interface has an IP address.)

Didn't know about ip netns, thanks Hu.

----------

