Use VPN connection only for selected applications

It is possible to accomplish this, at least on Linux (and I'm thinking on BSD and OS X as well). You can do so by:

  • Create an extra user for all VPN traffic.
  • Create an extra routing table with 1 default route via the VPN.
  • Configure Netfilter through Iptables to use the other routing table for all traffic originating from a specific User ID.
  • Run the applications that should use the VPN under their own user. For example with 'sudo'.

There are scripts for accomplishing the above steps here or there is another guide here.

Here is a detailed guide for routing Transmission via a VPN (using a VPN server that you own).
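
The four steps listed above as one script. This is an added example, not taken from the answer or the guides it links to; the user name vpnuser, interface tun0, table number 100 and mark 0x1 are assumptions. It goes slightly beyond the list by adding a fallback unreachable route and an IPv6 reject rule, so the user's traffic is dropped rather than sent over the ISP link when the VPN is down.

```shell
#!/bin/sh
# Added example: per-user policy routing through a VPN interface (Linux, root).
# Assumed names (not from the page): vpnuser, tun0, table 100, mark 0x1.
VPN_USER=${VPN_USER:-vpnuser}
VPN_IF=${VPN_IF:-tun0}
TABLE=${TABLE:-100}
MARK=${MARK:-0x1}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_split_vpn() {
    # Step 1: dedicated user whose traffic goes through the VPN.
    id "$VPN_USER" >/dev/null 2>&1 ||
        run useradd --system --no-create-home "$VPN_USER"

    # Step 2: extra routing table with one default route via the VPN.
    run ip route replace default dev "$VPN_IF" table "$TABLE"
    # Fail closed: when the VPN interface disappears its route is removed and
    # this higher-metric route rejects the traffic instead of leaking it.
    run ip route replace unreachable default metric 1000 table "$TABLE"

    # Step 3: mark packets created by that UID, route marked packets by the table.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$VPN_USER" \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    # The source address is chosen before re-routing, so rewrite it on egress.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Replies arrive on an interface the main table does not point to:
    # strict reverse-path filtering would drop them, so use loose mode.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    # The rules above are IPv4 only; block the user's IPv6 so it cannot bypass.
    run ip6tables -A OUTPUT ! -o lo -m owner --uid-owner "$VPN_USER" -j REJECT
}

# The rules are appended, not checked for duplicates: apply once per boot.
setup_split_vpn

# Step 4: start the application under that user, for example:
#   sudo -u vpnuser transmission-daemon
```

Run it as-is to review the commands, then as root with DRY_RUN=0 to apply them.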


You could use the Windows Firewall to accomplish this (provided you are using Win 7 or Vista) - I wrote a guide on this

  1. Connect to your VPN as you normally would.

  2. Open the Network and Sharing Center - right-click on the Internet connection icon in the taskbar and choose "Open Network and Sharing Center" (see below)

  3. You should see (at least) two networks listed under "View Your Active Networks" - your VPN connection and one called "Network" - a.k.a. your ISP Connection. Ensure that your VPN is a "Public Network", and your ISP connection is "Home Network". If you need to change either connection, click it and an option window will appear (see below).

  4. Go to the Control Panel and click System and Security (see below).

  5. In the resulting window, click Windows Firewall (see below).

  6. In the Windows Firewall window, click Advanced Settings on the left pane (see below). Note: You must be logged in as an Administrator to make changes to the Firewall Settings.

  7. You should see a window titled Windows Firewall with Advanced Security. In this window, click Inbound Rules (see below).

  8. On the right pane, you will see an option for a New Rule. Click it (see below).

  9. In the New Inbound Rule Wizard (which should appear), do the following:

    • Choose Program and click Next.

    • Choose the program you wish to block all traffic to except on the VPN connection, and click next.

    • Choose Block the Connection.

    • Tick Domain and Private. Make sure Public is left unticked.

  10. Repeat Step 9 for Outbound Rules.


I've done this on Windows. The idea is to bind the outgoing network packages to the VPN's interface. People suggest ForceBindIP for this, but thanks to this answer I got the idea to use a proxy. The downside of this method is that either your apps have to have proxy support or you'll have to use a proxifier (see here and here). The upside is that this way you'll be able to limit the use of the VPN in the browser to specific domains using FoxyProxy or similar add-ons.

I use 3proxy in SOCKS mode and bind its external interface to VPN's IP. OpenVPN is used for the VPN connection.

In my .ovpn file (client, dev tun) I've added these lines:

route-nopull
route 0.0.0.0 0.0.0.0 vpn_gateway
pull-filter ignore "dhcp-option DNS "
script-security 2
up 'c:\path\to\up.cmd'
down 'c:\path\to\down.cmd'

route-nopull to ignore routes pushed from the server. In your case you might need to comment out redirect-gateway instead.

route to add a route for this interface, without this line it won't be used even if the app is bound to it.

pull-filter to preserve pushed DNS that otherwise will be dropped by route-nopull together with the pushed routes. This option is supported starting with OpenVPN 2.4, if you have to stick with OpenVPN 2.3 (latest release for Windows XP), you'll have to add two dhcp-option DNS x.x.x.x lines with hardcoded IPs instead.

script-security 2 to allow scripting.

up script:

cd /d "%~dp0"
echo auth none> 3proxy-openvpn.conf
echo internal 127.0.0.1>> 3proxy-openvpn.conf
echo external %4>> 3proxy-openvpn.conf
echo socks>> 3proxy-openvpn.conf
start /b 3proxy.exe 3proxy-openvpn.conf

down script:

taskkill /f /im 3proxy.exe

Thus, after you connect to the VPN using this config, the 3proxy.exe process will be started and a localhost-limited SOCKS5 proxy with DNS resolution capability will run on port 1080. Now just configure your app to use the localhost:1080 SOCKS proxy.