Only tunnel one application through WireGuard VPN? Not everything

On Arch Linux (btw). There is this website that blocks access to people from the EU for GDPR reasons that I want to access, it’s a wiki for a game I play.

I pay for Mullvad VPN and use their app. It has split tunneling, but it launches the applications through the VPN app, where they are then bypassed. So everything uses the VPN, except the ones that are launched by split tunneling. I don’t want this. I want the opposite.

What I want is to ONLY tunnel one specific application through the VPN, Firefox in this case, and let everything else access the internet normally.

In fact, I only want a specific Firefox profile to use the VPN, not the whole Firefox application. For example, I launch my Wiki profile with firefox --profile .mozilla/firefox/asdasdasd.Wiki from the terminal and I only want this instance to go through the VPN, let everything else, especially my other main running Firefox profile still access the internet normally.

I need to look at this wiki while playing, I also listen to music and use Fractal to chat with people, and I’ll have my main Firefox profile logged in to stuff that needs my regular IP. I don’t want any of those applications to use the VPN, I only want this specific Firefox profile to use it.

Is this possible? Perhaps with wg-quick and using WireGuard from the terminal? Mullvad provides WireGuard config profiles for the terminal. Please tell me this is possible.

For example, with Mullvad split tunneling, if I launch Lutris through split tunneling, it doesn’t use the VPN, but the games launched through Lutris do use the VPN, as they are their own .exe or .sh binaries just running by themselves, they have no clue about the split tunneling. Lutris not using VPN is useless, as it doesn’t even need internet at all, other than to download media.

EDIT: SOLVED!!! Thanks to u/babiulep and their recommendation of wireproxy which was exactly what I was looking for. Now I can access the wiki on that specific profile in Firefox, using built-in network proxy settings. My other Firefox profile and system apps are VPN-free. Much simpler approach than all the other answers but I thank everyone for their time and effort. If anyone else ever comes across this thread in the future, wireproxy is what you’re looking for.
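
The wireproxy setup described in the edit above, as an added example that is not part of the original post: it writes a wireproxy config that reuses a provider WireGuard profile, checks that the listener is loopback-only, and writes a user.js that points a single Firefox profile at the SOCKS5 listener. The port, the file paths and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example: wireproxy config plus proxy prefs for ONE Firefox profile.
# Port, paths and file names are assumptions, not values from the thread.
SOCKS_PORT=1080

# write_wireproxy_conf WG_CONF OUT
# Reuses the provider's WireGuard profile through WGConfig and exposes the
# tunnel as a SOCKS5 listener on loopback only.
write_wireproxy_conf() {
    (
        umask 077   # keep the file private to the user
        cat > "$2" <<EOF
WGConfig = $1

[Socks5]
BindAddress = 127.0.0.1:$SOCKS_PORT
EOF
    )
}

# bind_is_loopback CONF
# Succeeds only if no BindAddress is reachable from other hosts; a listener
# on 0.0.0.0 would let anyone on the LAN use the VPN exit.
bind_is_loopback() {
    ! grep -E '^[[:space:]]*BindAddress[[:space:]]*=' "$1" |
        grep -Eqv '=[[:space:]]*(127\.0\.0\.1|localhost|\[::1\]):[0-9]+[[:space:]]*$'
}

# write_firefox_prefs PROFILE_DIR
# user.js applies to this profile only (and overwrites an existing user.js).
# socks_remote_dns sends name lookups through the proxy as well, so the
# local resolver never sees the hostnames this profile visits.
write_firefox_prefs() {
    cat > "$1/user.js" <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $SOCKS_PORT);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Typical use (paths assumed):
#   write_wireproxy_conf "$HOME/mullvad.conf" "$HOME/.config/wireproxy.conf"
#   bind_is_loopback "$HOME/.config/wireproxy.conf" && wireproxy -c "$HOME/.config/wireproxy.conf" &
#   write_firefox_prefs "$HOME/.mozilla/firefox/asdasdasd.Wiki"
```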

Why not set up your own HTTP/SOCKS proxy and route it through your VPN tunnel? You can then point Firefox to it. Bonus points for containerizing it.

> Perhaps with wg-quick and using WireGuard from the terminal? Mullvad provides WireGuard config profiles for the terminal. Please tell me this is possible.

I have no experience in Mullvad, but with regular WireGuard,

I would either run WireGuard in a container (or VM) together with an HTTP proxy and use the proxy in Firefox.

Or run WireGuard with policy-based routing that only sends traffic if you explicitly use the WireGuard IP address as source, and then run an HTTP proxy which uses the WireGuard IP address for outgoing connections and use the proxy in Firefox.

I use gluetun for this and set up the proxy in Chromium settings.

Firefox can probably do the same.

Not sure about doing it all with one instance of a browser.

https://www.procustodibus.com/blog/2023/04/wireguard-netns-for-specific-apps/

You’d have to set up manual routing, probably by port. Since Windows networking is a hack of BSD 4.2 (yes, 1980s), it’s too stupid. You’d probably have to set up the firewall on OpenWrt and create routing rules there by port. That way you’d redirect only traffic to and from specific ports to your interface. WireGuard creates the interface. Think of it as having a virtual LAN cable with a special network.

Did exactly that with wireproxy. Works perfectly.

I’m not really looking to containerize it yet, or ever. Works for me for now.

I’ve already read this. It was in fact the only thing closest to the answer for me. But the reason I’m hesitant is because I don’t want to just run firefox with the VPN.

I want to run a specific Firefox profile with the VPN, alongside my normal Firefox profile that wouldn’t use the VPN.

firefox --profile .mozilla/firefox/asdasdasd.Wiki this should use the VPN, whereas Firefox launched by me clicking on the icon in GNOME shouldn’t use the VPN, but both should run at the same time.

But since they are both the same firefox binary, I feel like it wouldn’t work and both would use the VPN. I don’t want this.

> firefox --profile .mozilla/firefox/asdasdasd.Wiki this should use the VPN, whereas Firefox launched by me clicking on the icon in GNOME shouldn’t use the VPN.

Then run that firefox in that specified namespace, and the other firefox in the default namespace.

> But since they are both the same firefox binary, I feel like it wouldn’t work and both would use the VPN. I don’t want this.

If you actually read that article, you would have seen that it uses the ping command to test internet access through VPN or not, and the ping command is the same binary in both cases. The namespace differentiates the programs by PID, not by the filename of the binary.

This is more of a guide for my old VPS WireGuard server though, I wonder how I can translate this to WireGuard profiles provided by Mullvad…

This has nothing to do with WireGuard profiles; namespaces are a universal solution for routing between different network interfaces. If Mullvad creates its own interface (ip -br a), then you can set a custom route for it.
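
The namespace approach from the replies above, as an added example that is not from the thread or the linked article: a network namespace is a property of the running process, so the same firefox binary can run inside and outside it at the same time. The names vpn and wg-vpn, the paths and the helper functions are assumptions, and netns_up needs root.

```shell
#!/bin/sh
# Added example: run one process tree behind WireGuard via a network namespace.
# NS, IF and all paths are assumed names; netns_up needs root.
NS=vpn
IF=wg-vpn

# wg_strip CONF: drop the keys only wg-quick understands, because
# `wg setconf` rejects them. Provider profiles are wg-quick style.
wg_strip() {
    grep -Eiv '^[[:space:]]*(Address|DNS|MTU|Table|SaveConfig|PreUp|PostUp|PreDown|PostDown)[[:space:]]*=' "$1"
}

# wg_value KEY CONF: print a key's comma-separated values, one per line.
wg_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tr ',' '\n' | tr -d ' '
}

netns_up() {
    conf=$1
    ip netns add "$NS"
    # Created in the default namespace, so the encrypted UDP socket keeps
    # using the normal uplink after the interface is moved.
    ip link add "$IF" type wireguard
    ip link set "$IF" netns "$NS"
    wg_strip "$conf" | ip netns exec "$NS" wg setconf "$IF" /dev/stdin
    for addr in $(wg_value Address "$conf"); do
        ip -n "$NS" addr add "$addr" dev "$IF"
    done
    ip -n "$NS" link set lo up
    ip -n "$NS" link set "$IF" up
    # The tunnel is the only route in the namespace: if it is down, processes
    # inside have no path out instead of falling back to the real IP.
    ip -n "$NS" route add default dev "$IF"
    ip -n "$NS" -6 route add default dev "$IF" 2>/dev/null || true
    # `ip netns exec` maps /etc/netns/$NS/resolv.conf over /etc/resolv.conf.
    mkdir -p "/etc/netns/$NS"
    wg_value DNS "$conf" | sed 's/^/nameserver /' > "/etc/netns/$NS/resolv.conf"
}

# Usage as root:  sh netns.sh up /path/to/provider.conf
# Then start only the chosen profile inside the namespace, for example:
#   ip netns exec vpn sudo -u USER firefox --profile .mozilla/firefox/asdasdasd.Wiki
case "${1:-}" in
    up) netns_up "$2" ;;
esac
```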