How can I set up split tunneling on my VPN (NordVPN) so ONLY qbittorrent will utilize the VPN?
I have a Raspberry Pi on my network that I want this done on. The Pi does a bunch of things, like hosting a Plex server, hosting a Twitch bot, and DNS adblocking via Adguard, so I can’t have the whole device running through a VPN (also that would make remoting into it a bit more of a hassle).
Ideally, only qbittorrent uses the VPN, and everything else accesses my network as normal, and this whole process (VPN and qbittorrent) would auto-start on system startup. My Pi gets power directly from my router and it would be nice to not have to remote in to start the programs if I lose power or have to restart my router.
I have a NordVPN subscription, so I have OpenVPN at my disposal. I’ve already tried NordVPN’s official Linux application, but sadly that doesn’t seem to support split tunneling out of the box like it does on Windows.
Any help would be appreciated! I’m a Linux novice, but I’ve learned enough to get my Pi to do the other things I listed above, so I’m confident I can follow the steps to get this running.
Thanks for your time!
EDIT: Sorry, I forgot to put what my Pi is running. Raspbian 10.
EDIT EDIT: I’ve been looking into docker and this image, but the Raspberry Pi isn’t the correct architecture to run it. Darn!
Multiple solutions. But none of them “clicky easy”.
1. Multiple direct tunnels
If you use a different host on the network as a router to decide which route to use, it’s more complicated than deciding on the same host directly.
Don’t VPN providers offer multiple connections for your devices anyway? That would make it a lot easier.
2. Pi as default router
As you wish, your Pi would basically do routing, so let’s call it the router here. You should make it the default route for all your hosts by offering it via DHCP (or by static IP config).
The Pi could then decide which connections to use. This solution would probably have speed implications and add latency to your internet activities.
A router basically can’t detect the network packet’s source application. It can detect the used ports at most.
You could stick to a fixed outgoing port in your application. Then the Pi would simply use firewall rules and NAT forwarding that basically only affect your torrent client. But incoming connections (if possible at the other endpoint, your VPN provider) should be considered too.
3. VLAN
Another method would make use of VLAN tagging in your network. Your Pi could have the VPN interface bridged to a specific VLAN. On your host you create a “virtual” interface too, bound to the same VLAN tag. This basically creates two isolated networks over the same single cables and switches. Imagine you now have a separate CAT cable between your host and the Pi. The Pi wouldn’t need to be the default router and the speed limitation is gone.
Imagine a “bridge” as a virtual switch within your host into which you can plug virtual cables from other network interfaces.
3.1 VLAN on the Pi
If the VPN provider supports multiple IP address assignment, you can simply bridge the VLAN interface to the VPN interface. Each host requesting an IP address in your network (on the specific VLAN) would get an IP address directly from your VPN provider.
If no multiple-IP support is available, your Pi would need to do simple NAT routing between the VLAN and the VPN. So each device would talk over the same IP.
3.2 VLAN on any host
The easiest method would be to create a bridge again on your host, connect the VLAN-tagged interface to it, and then run your torrent client within a Docker container. The container would be attached to the bridge.
4. Other methods
There are probably other methods I didn’t think about.
There’s no simple guide or tutorial for these steps. Networking is hard with custom wishes like yours. I can’t even provide iptables rules for you since they will probably not work on the first try.
While typing I realized that the 5 steps have some things in common. It’s always “simple” network logic. Linux offers a lot of network magic out of the box. But it also offers different network managers to make your configuration persistent. That also includes firewall rules (for the routing). When building a solution, you will probably experience a lot of “doesn’t work”s. Tools like Wireshark and/or tcpdump would be your tools for debugging.
And all of this requires at least that you understand networking basics. So try to solve your problem with Solution 1 if possible.
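As an added example (my own script, not code from either post above), here is the “firewall rules and NAT forwarding” idea of Solution 2 written out as Linux policy routing, in both shapes the answer discusses: on the Pi itself, where the kernel can match packets by the Unix user that runs qBittorrent (something a router cannot do), and on the Pi acting as router for another LAN box, where only that box’s fixed torrent port can be matched. The interface names (tun0, eth0), the user name “qbittorrent”, the LAN range, the torrent host address, the port, the fwmark and the table number are all assumptions; override them through the environment variables.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates (and optionally applies)
# Linux policy-routing rules so that only torrent traffic leaves through the VPN.
# Two variants:
#   host   - qBittorrent runs on the Pi itself: match by the Unix user that runs it.
#   router - the Pi forwards for another LAN box: match by that box's fixed torrent port.
# All names below are assumptions: VPN interface tun0, LAN interface eth0,
# user "qbittorrent", LAN 192.168.1.0/24, torrent host 192.168.1.50, port 6881.
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
TORRENT_USER="${TORRENT_USER:-qbittorrent}"
TORRENT_HOST="${TORRENT_HOST:-192.168.1.50}"
TORRENT_PORT="${TORRENT_PORT:-6881}"
FWMARK="${FWMARK:-0x1}"
TABLE="${TABLE:-100}"

# Rules shared by both variants: marked packets are routed with table $TABLE,
# whose only default route is the tunnel; they are source-NATed to the tunnel
# address (the kernel picked the LAN address before the mark was set); and the
# tunnel gets loose reverse-path filtering so replies are not dropped.
common_rules() {
  cat <<EOF
ip rule add fwmark $FWMARK lookup $TABLE priority 100
ip route replace default dev $VPN_IF table $TABLE
iptables -t nat -A POSTROUTING -o $VPN_IF -j MASQUERADE
sysctl -w net.ipv4.conf.$VPN_IF.rp_filter=2
EOF
}

# Variant "host": only packets created by the torrent user get the mark.
# Loopback (e.g. a local AdGuard resolver) and the LAN (WebUI, local peers)
# are unmarked again so they keep the normal route. The REJECT line is the
# kill switch: if the tunnel is down, table $TABLE has no route, the packet
# falls back to the main table and eth0, and is refused instead of leaking.
host_rules() {
  cat <<EOF
iptables -t mangle -A OUTPUT -m owner --uid-owner $TORRENT_USER -j MARK --set-mark $FWMARK
iptables -t mangle -A OUTPUT -m owner --uid-owner $TORRENT_USER -d 127.0.0.0/8 -j MARK --set-mark 0
iptables -t mangle -A OUTPUT -m owner --uid-owner $TORRENT_USER -d $LAN -j MARK --set-mark 0
iptables -A OUTPUT -m mark --mark $FWMARK ! -o $VPN_IF -j REJECT
EOF
  common_rules
}

# Variant "router": a router sees addresses and ports, not applications, so the
# client must be configured to use one fixed port for its outgoing connections.
# Tracker HTTP and DNS lookups from that host are NOT matched by this rule.
router_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t mangle -A PREROUTING -i $LAN_IF -s $TORRENT_HOST -p tcp --sport $TORRENT_PORT -j MARK --set-mark $FWMARK
iptables -t mangle -A PREROUTING -i $LAN_IF -s $TORRENT_HOST -p udp --sport $TORRENT_PORT -j MARK --set-mark $FWMARK
iptables -A FORWARD -m mark --mark $FWMARK ! -o $VPN_IF -j REJECT
EOF
  common_rules
}

# Number of commands a variant produces; a quick sanity check before applying.
rule_count() { "${1}_rules" | wc -l | tr -d ' '; }

# Usage: ./split-tunnel.sh host|router [apply]
# Without "apply" the commands are only printed; with it they run as root.
case "${1:-}" in
  host|router)
    if [ "${2:-}" = apply ]; then
      [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
      "${1}_rules" | sh -e
    else
      "${1}_rules"
    fi ;;
esac
```

Two things to check before trusting it. First, most provider .ovpn files push redirect-gateway, which rewrites the main routing table and sends the whole Pi through the tunnel; add `route-nopull` (or `pull-filter ignore "redirect-gateway"`) to the OpenVPN client config so only the table above points at tun0. Second, verify the split with `tcpdump -ni eth0 port 6881` while a torrent runs: nothing from the torrent user should appear there, and a `curl --interface` test as that user versus any other user should show two different public addresses. Inbound peer connections still only work if the provider forwards a port to you, as the answer notes; these rules do not change that.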