Only tunnel one application through WireGuard VPN? Not everything
You could also try wireproxy. Very simple to set up if you have a Wireguard profile. You can add a socks5 proxy easily and all traffic using that socks5 proxy goes through Wireguard.
Linux Network Namespace
I’m crossposting here as well, because I assume it’s relevant and I used to run WireGuard on my VPS which would still be the same scenario with wg-quick.
The service provider (my own VPS or Mullvad) shouldn’t matter in this case, I feel. So I’m asking here as well.
I only want one application, and its one profile instance, to go through the VPN.
What about WireSock VPN client?
Update: not a Linux client so no good for OP.
It's possible only on a UNIX system.
You need to put app and vpn tunnel in one network namespace / routing domain.
FreeBSD UNIX: vnet jail
BSD UNIX: ifconfig rdomain + route rtable
Linux unix-like: ip netns
In FF you can configure a (SOCKS) proxy to use.
I quickly asked the AI, not sure if this is 100% how it works but the approach is what I had in mind as well
I'll help you set up Firefox to exclusively use your Mullvad VPN while leaving other applications to use your regular connection. Here's how to do it:
First download and install the SOCKS5 proxy add-on for Firefox. The official Mozilla add-on is called "FoxyProxy Standard"
In Firefox, go to Settings/Preferences > Network Settings > Settings
Select "Manual proxy configuration" and enter these details:
SOCKS Host: 10.64.0.1 (Mullvad's SOCKS5 proxy address)
Port: 1080
Select "SOCKS v5"
Check "Proxy DNS when using SOCKS v5"
Click "OK" to save the settings
To verify it's working, you can visit a site like mullvad.net/check to confirm your connection is going through Mullvad
Alternatively if the IP of the website is static and does not change you can configure wireguard with AllowedIP to only route this IP through the tunnel
This seems like what I want but I can’t get it to work with Mullvad’s config profiles. I do ./wireproxy -c mullvad.conf but it doesn’t really do anything. Says it's working but doesn’t give me any addresses or anything. Do I need to add stuff to the config profile file?
This wouldn’t work. Because first of all Mullvad isn’t a proxy, it’s a VPN, that does support proxies. But you’d have to first connect to the VPN with the VPN app, essentially doing what I want to prevent.
It’s the same reason Mullvad Browser doesn’t work without the Mullvad VPN app. Even if you set up proxy, you first have to connect to the VPN.
Also, how would the Proxy know to connect to Mullvad without any config file or my account number, or the mullvad VPN app or a running VPN connection? Again, requiring what I want to prevent.
AI still sucks I see.
Yes, something like this as a mullvad.conf gives you a socks5 proxy listening on 127.0.0.1:25344 and when you connect it ‘goes through’ the Mullvad VPN:
[Interface]
PrivateKey = <as in your WireGuard conf>
Address = <as in your WireGuard conf>
[Peer]
PublicKey = <as in your WireGuard conf>
Endpoint = <mullvad-endpoint:port, as in your WireGuard conf>
[Socks5]
BindAddress = 127.0.0.1:25344
idk man… just googled and at least the mullvad docs mention the same ip for the SOCKS proxy as the AI.
I have not tried this… but maybe the VPN app does automatically create this local proxy for you especially for things like this. But I'm just guessing here.
Mullvad offers socks proxies to be accessed via the tunnel. Their proxies have a certain address range. So, you could use that address range for AllowedIPs to only route mullvad socks services through the tunnel.
Perfection!
The reason it wasn’t working was because my VPN time had expired. Such a rookie mistake lol. It’s now working perfectly, exactly what I wanted. Did not have to become a Linux TCP firewall iptables IP port master guru like some other people suggested as solutions.
I still don’t get it. If I’m using the tunnel, doesn’t that mean everything is using the VPN? What’s the point of using sock proxies then? This is what I want to avoid. I don’t want to do normal split tunneling, I want one profile of one application to use the VPN, not everything.
The SOCKS5 proxy is only accessible when you are connected to Mullvad.
From Mullvad’s site. I want to avoid this, meaning I don’t want to connect to the VPN globally.
I wish I could just input stuff into the Firefox networking settings and it would work, no extensions or programs needed.
If I’m using the tunnel, doesn’t that mean everything is using the VPN? What’s the point of using sock proxies then?
No, you can make the tunnel selective. For example, if you replace AllowedIPs = 0.0.0.0/0, ::/0 in your wireguard config you got from Mullvad with AllowedIPs = 10.64.0.1, 10.124.0.0/16, the only IP traffic that will go through that tunnel is the one addressed to an address out of this address space. 10.64.0.1 is the “Local” SOCKS5 proxy at the end of the tunnel while 10.124.x.y are the other SOCKS5 proxies you can also reach. So, if you want, you could configure Firefox (with multi-account containers + container proxies) so that you can use multiple different socks proxies over the same Wireguard tunnel, e.g. open cnn.com via a USA socks proxy and france24.com via a French proxy server.
Make sure to “disable” the kill-switch in your Wireguard config (look for PostUp/PreDown lines mentioning iptables), otherwise you won’t have any “normal” internet connectivity because only the Mullvad proxies (and DNS servers, I believe) can be reached through the tunnel.
That’s what I did for accessing some GDPR-blocked sites.
I’m using wireproxy as the solution as per the edit.
Did not change Mullvad config file other than add
[Socks5]
BindAddress = 127.0.0.1:1080
to the end. I then use 127.0.0.1:1080 as SOCKS5 proxy in Firefox on that profile. I don’t use multi-account container extension, just use the regular container feature built into Firefox, however I’ve heard about container proxies and that seems interesting. Might help with not needing an entire new profile.
AllowedIPs = 0.0.0.0/0,::0/0 is still there. This works for me for now. I think this is better than editing the config IPs and running wg-quick or something, since with wireproxy it’s completely separate from my regular network stack, just userspace.
With Mullvad, you don’t need Wireproxy. You can use 10.64.0.1:1080 as SOCKS5 proxy and tunnel only that IP address by adjusting the AllowedIPs setting. And if you also allow 10.124.0.0/16, you can use many more SOCKS5 servers all over the world at the same time through a single tunnel, for example, au-syd-wg-socks5-102.relays.mullvad.net:1080 for Sydney, Australia or ca-tor-wg-socks5-002.relays.mullvad.net:1080 for Toronto, Canada and so on. These names map to the 10.124.x.y IP space that is accessible via their Wireguard tunnel.
Just saying.
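Added example, not part of any post in the thread: the AllowedIPs change and kill-switch removal described in the replies above, applied to a constructed wg-quick profile, with a check of which destinations would enter the tunnel before and after. The sample profile, its placeholder keys and endpoint, and the function names are assumptions made for illustration; the two proxy ranges are the ones quoted in the thread.

```python
import ipaddress

# Constructed sample of a wg-quick profile with a kill switch (keys/endpoint are placeholders).
SAMPLE_CONF = """\
[Interface]
PrivateKey = <private-key-placeholder>
Address = 10.0.0.2/32
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -j REJECT

[Peer]
PublicKey = <public-key-placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
"""

# From the thread: the "local" SOCKS5 proxy and the range holding the other proxies.
PROXY_ROUTES = ["10.64.0.1/32", "10.124.0.0/16"]


def make_selective(conf: str, routes=PROXY_ROUTES) -> str:
    """Narrow AllowedIPs to `routes` and drop iptables kill-switch hooks."""
    out = []
    for line in conf.splitlines():
        key = line.split("=", 1)[0].strip().lower()
        if key in ("postup", "predown") and "iptables" in line:
            continue  # the kill switch would reject all non-tunnel traffic
        if key == "allowedips":
            line = "AllowedIPs = " + ", ".join(routes)
        out.append(line)
    return "\n".join(out) + "\n"


def allowed_networks(conf: str):
    """Parse AllowedIPs entries; a bare IP is treated as a host route."""
    nets = []
    for line in conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip().lower() == "allowedips":
            nets += [ipaddress.ip_network(v.strip(), strict=False)
                     for v in value.split(",") if v.strip()]
    return nets


def via_tunnel(conf: str, dest: str) -> bool:
    """True if `dest` matches an AllowedIPs entry, so it would be routed into the tunnel."""
    addr = ipaddress.ip_address(dest)
    return any(addr.version == n.version and addr in n for n in allowed_networks(conf))
```
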