How to restrict OpenVPN client’s connection to single system user

Tags: multi-user, networking, openvpn, vpn

I have a multi-user setup (Ubuntu) (simultaneously logged in users on different TTYs).

When I connect to NordVPN from one account using nordvpn connect, all users are now connected to the internet via that VPN.

How can I somehow separate the networks of the users, meaning that when I connect to the VPN, only the current user is affected, and all connections of that user should use the VPN?


  • nordvpn is just a wrapper around openvpn, and it's possible to connect directly using openvpn, thus a pure openvpn solution would be helpful, too.
  • The users have root access via sudo.
  • I'm fine with a script solution.

Best Answer

How to use a VPN separately for different users:

Situation where users are using different user spaces:

By default, user spaces separate the network (netns), and thus nordvpn connect will not affect other user spaces, but this is not the default functioning of the user system under Linux; you will need to set up a different user space in order to separate the network of each user. Also, a network interface can only exist in a single namespace; bridges or veth interfaces are then used to tunnel traffic between user spaces.

Situation where users are using the same user space:

Linux users remain under the same network system: if one user is connected to the Wi-Fi, the other users will benefit from that connection, because the network card is set up at the root level and is thus shared by everyone using the network in its default setup.

A VPN connection is made with a new virtual interface (tun or tap) that is linked to the main network interface (Wi-Fi or eth0)... When the VPN connection is initialized, a tun/tap interface is created and then connected to the VPN server, creating a tunnel, but this does not mean that all connections are tunneled over the VPN interface. In order to have a classic working VPN connection, first the connection is initialized with the virtual interface, then a route is added to force all connections to go through the VPN interface; this is called routing.

Knowing this, the solution would be to initiate the VPN connection without routing and then set up the routing separately for each user. No changes are required for users that do not require the VPN; special routing needs to be added with iptables/ip-route for users that need to use the VPN. In other words, the VPN interface will be set up, but it won't be the default interface (because the default VPN routing rules won't be pushed).

VPN Default Situation: [Connect Command] > [Create-Tun/Tap] > [Connect Tun/Tap] > [Route To Make Tun/Tap As Default Interface]

VPN Without Route: [Connect Command] > [Create-Tun/Tap] > [Connect Tun/Tap]

VPN With Custom Route: [Connect Command] > [Create-Tun/Tap] > [Connect Tun/Tap] then manually or automatically add [Custom routes]

Connect to your VPN without using the "route" step, then push/set up a custom route; this could be done with iptables/ip-route or in the VPN conf file.

How to configure OpenVPN without pushing the default gateway/route:

Edit your VPN conf file and add the route-nopull directive. (If the nordvpn command uses accessible OpenVPN conf files, you can edit them according to your needs; otherwise you would need to use openvpn or NetworkManager to connect to your VPN.)

Use a specific interface for a particular Linux user:

This guide achieves exactly what you want to achieve; otherwise those answers give a detailed alternative.
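One way to carry out the "route-nopull plus per-user routing" setup described in the answer, as an added example that is not part of the original answer or of any NordVPN tooling. It assumes OpenVPN is already up with route-nopull, and the interface tun0, routing table 100, fwmark 0x1 and the user name alice are all placeholders; it prints the commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: policy routing so that only one Linux user's traffic leaves
# through the VPN tunnel. Assumes OpenVPN was started with `route-nopull`,
# so the tun interface is up but is NOT the default route.
# VPN_IF, VPN_TABLE, VPN_MARK and the user name are assumptions: adjust them.
VPN_IF="${VPN_IF:-tun0}"
VPN_TABLE="${VPN_TABLE:-100}"   # custom routing table: "default dev tun0"
VPN_MARK="${VPN_MARK:-0x1}"     # fwmark stamped on the user's packets
DRY_RUN="${DRY_RUN:-1}"         # 1 = print commands, 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# user_vpn_rules USER: send USER's outbound traffic via the tunnel, block leaks.
user_vpn_rules() {
    user="$1"
    # 1. Mark packets owned by that user (mangle/OUTPUT runs after the first
    #    routing decision; the mark triggers a re-route using the policy rule).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$VPN_MARK"
    # 2. Marked packets consult the VPN table, whose only route is the tunnel.
    run ip rule add fwmark "$VPN_MARK" lookup "$VPN_TABLE"
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # 3. Replies arrive on the tunnel but the main table says the remote host
    #    is reachable via the LAN; strict reverse-path filtering would drop them.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
    # 4. The source address was chosen before re-routing (the LAN address), so
    #    rewrite it to the tunnel address or the VPN server discards the packets.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 5. Kill switch: if the tunnel is down, the user's traffic must not fall
    #    back to the LAN interface. Loopback stays allowed.
    run iptables -A OUTPUT -m owner --uid-owner "$user" -o lo -j ACCEPT
    run iptables -A OUTPUT -m owner --uid-owner "$user" ! -o "$VPN_IF" -j REJECT
    # 6. Do not let the user's IPv6 traffic bypass the IPv4-only tunnel.
    run ip6tables -A OUTPUT -m owner --uid-owner "$user" ! -o lo -j REJECT
}

# user_vpn_teardown USER: undo user_vpn_rules in reverse order.
user_vpn_teardown() {
    user="$1"
    run ip6tables -D OUTPUT -m owner --uid-owner "$user" ! -o lo -j REJECT
    run iptables -D OUTPUT -m owner --uid-owner "$user" ! -o "$VPN_IF" -j REJECT
    run iptables -D OUTPUT -m owner --uid-owner "$user" -o lo -j ACCEPT
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -j MASQUERADE
    run ip route flush table "$VPN_TABLE"
    run ip rule del fwmark "$VPN_MARK" lookup "$VPN_TABLE"
    run iptables -t mangle -D OUTPUT -m owner --uid-owner "$user" -j MARK --set-mark "$VPN_MARK"
}
```

DNS lookups made by a system resolver such as systemd-resolved run under the resolver's own uid, so the owner match does not catch them; if the user's DNS must also follow the tunnel, point that user's resolver configuration at the VPN's DNS server.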
