Isolating 'Apps' (bittorrent) to always connect to internet via VPN tunnel or vlan_id?

Intel (Explorer), joined Sep 30, 2014, 51 messages
Sorry if it's been asked before; a quick search doesn't seem to answer my question. I want to have 'Apps' whose connection to the internet is not the same as my TrueNAS SCALE server's. In other words, I want certain Apps to be completely isolated from my LAN network except when a LAN client tries to access the App; all of the App's internet activity should be through a different internet gateway (it can be a VPN tunnel 'app', or a VLAN_ID on the physical TrueNAS server). How could this be done? Is there an easy way to do it already?

I have both default TrueNAS app catalog + TrueCharts.

The Apps I want to always use my VPN outbound:
- qbittorrent
- jackett
 

indivision (Guru), joined Jan 4, 2013, 806 messages
The TrueCharts team has this feature built in to their qbittorrent and jackett apps. There is a section in the app settings where you can enter OpenVPN credentials/cert just for that app to use.
 

Intel (Explorer), joined Sep 30, 2014, 51 messages
The TrueCharts team has this feature built in to their qbittorrent and jackett apps. There is a section in the app settings where you can enter OpenVPN credentials/cert just for that app to use.

Thanks, I noticed this last night while experimenting and watching their YouTube videos. It seems like they just configure the pod/app to act as a client and set up a killswitch with their template. I will have to test and see how it works for local network traffic.

In my use case I have 4 containers that need to use a VPN, and some VPN providers limit how many concurrent sessions you may have alive at once. In my current Proxmox setup I simply set up an "always on VPN vlan", so I tag the containers or VMs to a specific VLAN ID and there is no need to run a vpn_client in each container.

Last night I did some tinkering and found a way to add vlan+bridge interfaces to TrueNAS, but I haven't figured out how to block or remove the native network adapter that gets added by kubernetes/freenas: https://www.truenas.com/community/t...ernal-nic-how-to-disable-eth0-default.102596/
 

indivision (Guru), joined Jan 4, 2013, 806 messages
Makes sense.

I suspect this would require updated apps from the maintainers. But I am not 100% sure.
 

Intel (Explorer), joined Sep 30, 2014, 51 messages
Makes sense.

I suspect this would require updated apps from the maintainers. But I am not 100% sure.

I experimented by launching a 'Docker container' via the blue button, using this image, which has network tools in it: https://hub.docker.com/r/nicolaka/netshoot

Then I ran 'ip link' and 'ip a' and was able to confirm that the 'external NIC' you can configure via the GUI for a custom 'Docker' container works; it just doesn't give me a way to disable the other default Kubernetes/Docker NIC.
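The check above stops at looking at the interfaces. What actually decides whether torrent traffic leaks is the pod's routing table, so here is an added example (my own, not from the thread, TrueNAS or TrueCharts) that audits the output of `ip route` from inside such a pod. The sample route table is constructed: it mimics an app running next to an OpenVPN client, which installs two /1 routes over `tun0` rather than replacing the default route, plus a host route to the VPN server. The interface name `tun0`, the LAN prefix `172.16.0.0/16` and the endpoint `203.0.113.7` are assumptions passed in as parameters.

```python
import ipaddress
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ip route` output from inside a pod with an OpenVPN
# sidecar (redirect-gateway style); not captured from a real system.
SAMPLE_IP_ROUTE = """\
default via 172.16.0.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.0.10
203.0.113.7 via 172.16.0.1 dev eth0
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]


def parse_ip_route(text: str) -> list:
    """Parse the main-table lines printed by `ip route` (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        dev = fields[fields.index("dev") + 1]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append(Route(prefix, dev, via))
    return routes


def route_for(routes: list, dst: str) -> Optional[Route]:
    """Longest-prefix match, the way the kernel selects a route.
    Metrics and policy-routing tables are ignored for simplicity."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def audit(text: str, tunnel_dev: str = "tun0", lan_cidr: str = "172.16.0.0/16",
          vpn_endpoint: str = "203.0.113.7") -> dict:
    """Answer the questions the thread raises about a VPN-bound app pod."""
    routes = parse_ip_route(text)
    findings = {}

    # 1. A random public address (TEST-NET-2) must be routed through the tunnel.
    r = route_for(routes, "198.51.100.10")
    findings["internet_via_tunnel"] = r is not None and r.dev == tunnel_dev

    # 2. The VPN server itself must bypass the tunnel, or the tunnel can never come up.
    r = route_for(routes, vpn_endpoint)
    findings["vpn_endpoint_bypasses_tunnel"] = r is not None and r.dev != tunnel_dev

    # 3. A LAN host reached over a non-tunnel device is exactly the isolation gap
    #    the original question is about.
    lan_host = str(ipaddress.ip_network(lan_cidr).network_address + 20)
    r = route_for(routes, lan_host)
    findings["lan_reachable_directly"] = r is not None and r.dev != tunnel_dev

    # 4. Simulate the tunnel going down: with tun0 routes gone, does the pod still
    #    have a path to the internet? If so, the routing table alone is no
    #    killswitch and a firewall rule set is needed on top.
    without_tunnel = [x for x in routes if x.dev != tunnel_dev]
    findings["leaks_when_tunnel_down"] = route_for(without_tunnel, "198.51.100.10") is not None

    return findings


if __name__ == "__main__":
    # When run inside the pod (e.g. the netshoot container), audit the live table.
    live = subprocess.run(["ip", "route"], capture_output=True, text=True, check=True).stdout
    for key, value in audit(live).items():
        print(f"{key}: {value}")
```

On the constructed table all four findings come back true: internet traffic does go through `tun0`, the endpoint route correctly bypasses it, but the LAN is still reachable over `eth0` and the default route on `eth0` would carry torrent traffic the moment the tunnel drops. That last finding is why the TrueCharts template pairs the VPN client with a killswitch rather than relying on routes alone.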
 

indivision (Guru), joined Jan 4, 2013, 806 messages
Yeah. It does seem like something that could be added as an "advanced networking" check box per your request.

It might be something that the TrueCharts team would add to their more customized apps rather than the official ix ones.
 

shadofall (Contributor), joined Jun 2, 2020, 100 messages
TrueCharts opted for the VPN addon option because it was the simplest solution, due to how k8s networking works.

There is something known as a pod gateway (term may be wrong, it's late), but it requires knowledge of k8s networking, Network Policies and egress configuration, and there is no easy way to create a GUI for it that's user friendly with the current apps UI. As such TrueCharts did not go that route.
 