Possible to configure (Squid) proxy so a browser can bypass a VPN?

I want to do the following (if it’s possible):

Have 1 browser (say Firefox) as normal – all traffic uses my VPN.
Have another browser (say Chrome) where all traffic bypasses the VPN.

I have already set up a PC with a VPN using OpenVPN and I understand how to add static routes so that access to specific IP addresses will bypass the VPN.

I thought what I want to do may be possible by setting up a (Squid) proxy server which routes all traffic outside of the VPN, and then configure the Chrome browser to use that proxy server. Unless there is a better/easier way?

But I do not know how to accomplish this and configure Squid/routes despite doing a lot of reading and experimenting (I am not a network expert), nor have I been able to find any resource to tell me how (or if it’s possible).

Any help or links to information appreciated.

Answer

I think that the best would be to change nothing in your current setup but to take advantage of Linux namespaces instead. You can use tools like nsjail or Firejail for convenience.

The idea would be to set up a dedicated namespace for that other browser that should bypass the VPN, with its own routing rules. That’s all you need: change the routing rules so that it uses your regular Ethernet interface rather than the tun interface created by OpenVPN.

The other benefit is isolation of your applications. By limiting their scope and the resources they are able to see, you effectively isolate them from each other.

Using Firejail, here is roughly how I would do it – I encourage you to read the doc to fine-tune the configuration to the desired result. Firejail comes with ready-to-use profiles for common applications, so it can immediately start sandboxing your browsers and other applications.

There is also a GUI configuration tool (firetools), but my suggestion would be to try Firejail with just one application instead of reconfiguring your whole environment.

Here is a PoC using Python (assuming you have the netifaces package installed).

firejail --net=enp4s0 --noprofile python3

>>> import netifaces
>>> netifaces.interfaces()
['lo', 'eth0-11182']

As you can see, Python sees only one interface (in addition to the loopback interface). eth0-11182 is of course a virtual interface that exists only within the current namespace.

Suggested reading: Firefox Sandboxing Guide

Attribution
Source: Link, Question Author: codlord, Answer Author: Anonymous
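As an added example (not part of the original answer, and not Firejail's own code), here is a small POSIX shell helper that does the three things the answer describes: it picks a physical interface on the host, launches the browser under firejail with its own network namespace attached to that interface, and checks `ip route` output to confirm that no default-covering route goes through the tunnel. It goes one step beyond the answer by also treating OpenVPN's `0.0.0.0/1` and `128.0.0.0/1` routes (installed by `redirect-gateway def1`) as default routes, since those cover all traffic even when the `default` entry still points at the LAN. Assumptions: the OpenVPN tunnel is `tun0` (override with `VPN_IFACE`), `BYPASS_DNS` names a resolver reachable without the VPN (the one pushed by the VPN is usually only reachable through the tunnel), and the function names `list_bypass_ifaces`, `default_route_devs`, `routes_bypass_vpn` and `launch_browser` are chosen here.

```shell
#!/bin/sh
# Added example, not from the original answer. Runs a browser outside the VPN
# by giving it its own network namespace on the physical interface (firejail
# --net), then verifies the routing seen from inside that namespace.

VPN_IFACE="${VPN_IFACE:-tun0}"   # assumption: OpenVPN's tunnel device

# Print every network interface except loopback, the tunnel and other tun/tap
# devices. The sysfs directory and tunnel name are parameters so the function
# can be exercised against a constructed directory tree.
list_bypass_ifaces() {
    dir="${1:-/sys/class/net}"
    tun="${2:-$VPN_IFACE}"
    for p in "$dir"/*; do
        [ -e "$p" ] || continue
        n=$(basename "$p")
        case "$n" in
            lo|"$tun"|tun*|tap*) continue ;;
        esac
        printf '%s\n' "$n"
    done
}

# Read `ip route` output on stdin and print the device of every route that
# covers all destinations. Besides "default", OpenVPN's "redirect-gateway def1"
# installs 0.0.0.0/1 and 128.0.0.0/1 over the tunnel; together they shadow the
# default route, so they are treated as default routes here.
default_route_devs() {
    awk '($1 == "default" || $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1") {
             for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); break }
         }'
}

# Succeed only if there is at least one default-covering route and none of
# them goes through the tunnel. Feed it the output of `ip route` taken from
# inside the sandbox.
routes_bypass_vpn() {
    devs=$(default_route_devs)
    [ -n "$devs" ] || return 1   # no default route at all means no internet, not a bypass
    ! printf '%s\n' "$devs" | grep -qx "$VPN_IFACE"
}

# Launch the browser in its own network namespace attached to the first
# physical interface. --net and --dns are real firejail options: --net creates
# a sandbox-local interface on that link, --dns replaces the resolver so name
# lookups do not point at a server only reachable through the VPN.
launch_browser() {
    browser="${1:-google-chrome}"
    : "${BYPASS_DNS:?set BYPASS_DNS to a resolver reachable without the VPN (e.g. your router)}"
    iface=$(list_bypass_ifaces | head -n 1)
    [ -n "$iface" ] || { echo "no physical interface found" >&2; return 1; }
    # Sanity check first: show what the sandbox will see as its routing table.
    firejail --quiet --net="$iface" --dns="$BYPASS_DNS" -- ip route | routes_bypass_vpn \
        || { echo "sandbox routing still reaches $VPN_IFACE, aborting" >&2; return 1; }
    firejail --net="$iface" --dns="$BYPASS_DNS" "$browser"
}

# Usage (not run when the file is only sourced for its functions):
#   BYPASS_DNS=192.168.1.1 sh bypass.sh launch google-chrome
if [ "${1:-}" = "launch" ]; then
    launch_browser "${2:-google-chrome}"
fi
```

The routing check runs `ip route` inside a throwaway sandbox with the same `--net`/`--dns` flags before the real launch, so a misconfigured interface (or a VPN that was started after the sandbox was created) fails loudly instead of silently sending the "bypass" browser through the tunnel. Firejail's default Chrome profile still applies; add `--noprofile` as in the answer above if you want the bare namespace only.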