Is there a guide somewhere on how to partition applications on Linux so different apps use different VPNs?
Obviously the easier way is SSH SOCKS tunnels if the app supports it, but I'd like a more general method.
I believe it is possible by namespacing the apps (or I guess going all the way and containerizing them) and then setting the routing on a per-namespace basis.
Is there anywhere this is written down so I don't have to spend 6 hours trying to work out how to do it?
Set a tag based on the uid with iptables (set-mark), then set up a separate routing table (ip rule .. fwmark ..) for those packets. It's always a good idea to run applications with a unique id to set ulimit anyway, even if you can identify traffic by other means (such as source ports). These things are well covered in the Advanced Routing Howto available at lartc.org.
Namespacing would work, but it might be simpler to use multiple routing tables and "ip rule" to match each app and direct it to the right routing table. You can use iptables to match on the process and set a mark on the packet that "ip rule" will match on.
For example, to limit a browser process from connecting to anything except the TOR proxy.
So, in case someone tries to de-anonymize you, unless the attacker has a kernel-level exploit, no packet will ever reach the attacker without going through TOR.
This could also be linked with a VM - so even if the attacker has a kernel-level exploit, there still won't be any outgoing packets.
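Both answers above describe the same mechanism (uid-based fwmark plus a dedicated routing table), so here it is as one runnable script. This is an added example, not code from either poster; uid 1001, interface tun0, gateway 10.8.0.1, table 100 and mark 0x1 are assumed values, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the thread): send all traffic of one Linux user
# through a VPN interface using a uid-based fwmark and a dedicated routing table,
# and fail closed if the VPN is down. Assumed values: uid 1001 for the app user,
# VPN interface tun0 with gateway 10.8.0.1, routing table 100, mark 0x1.
APP_UID="${APP_UID:-1001}"
VPN_IF="${VPN_IF:-tun0}"
VPN_GW="${VPN_GW:-10.8.0.1}"
TABLE="${TABLE:-100}"
MARK="${MARK:-0x1}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_vpn_routing() {
    # 1. Mark every locally generated packet owned by the app's uid. The mangle
    #    OUTPUT chain runs after the first route lookup, and a changed mark triggers
    #    a re-route, so the mark can steer the packet to another table.
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$APP_UID" \
        -j MARK --set-mark "$MARK"
    # 2. Dedicated table whose only default route is the VPN tunnel.
    run ip route add default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    # 3. Policy rule: marked packets consult that table instead of "main".
    run ip rule add fwmark "$MARK" table "$TABLE" priority 1000
    # 4. The source address was chosen before the mark existed, so rewrite it to
    #    the tunnel address on the way out; otherwise the VPN peer sees the LAN IP.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 5. Fail closed: the uid may only talk over the tunnel or loopback. If tun0
    #    goes away, the re-route falls back to "main" and these rules block it.
    run iptables -A OUTPUT -m owner --uid-owner "$APP_UID" -o "$VPN_IF" -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$APP_UID" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$APP_UID" -j REJECT
    # 6. IPv6 is not carried by this (assumed IPv4-only) tunnel, so block it too.
    run ip6tables -A OUTPUT -m owner --uid-owner "$APP_UID" ! -o lo -j REJECT
}

# Then start the app as that user, e.g.:  sudo -u '#1001' firefox
setup_vpn_routing
```

Verify afterwards with `ip rule show` and `ip route show table 100`, and confirm the fail-closed behaviour by bringing the tunnel down and checking that the user's connections are refused rather than routed via the default interface.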