KDE 6 Captive portal login: How to deal with VPNs?

I saw the announcement of Plasma 6’s awesome new network tab!

Its really useful and exactly whats necessary, interestingly seems to integrate a feature request of mine.

The problem is, how to deal with VPNs? VPNs on Linux are real, not shady like on Android, where every System App can bypass it (i.e. the Captive Portal app).

Also a problem is Application IDs, because as far as I know one can not permanently identify apps, just launch them with specific parameters.

So how can you enable split tunneling for an application that deals with the Captive portal stuff?

And also how to improve privacy but keep the damn captive portals working?

  • DNSSec doesnt work
  • A custom DNS server doesnt even work
  • HTTPS only in Browsers does not work
  • Secure certificate settings in Firefox break it

The only way to avoid this is to have the VPN App also dictate the DNS Server, and disable the VPN when logging in to Captive portals. This is not a great solution though, and doesnt work with any (Selfhosted?) VPN.

So currently I

  • have the MullvadVPN app deal with it
  • keep systemd resolved unchanged
  • have a seperate Librewolf Profile I can launch via a desktop entry, that has all these weak settings and is purely for the Captive Portal logins

This could be solved using QTWebEngine though, having it inline, phone-like popup above the network dialog, and having all these weak settings. But is it even possible to have only the Captive portal stuff use insecure DNS settings, while the rest of the system doesnt?

Also for this solution I think having it manually opt-in (button press “scan”), instead of permanently scanning, is crucial. As well as the ability to select a custom HTTP-only server.

For anyone interested, here is the desktop entry creation command:

cat > ~/.local/share/applications/Captive-Portal.desktop <<EOF
[Desktop Entry]
Exec=/usr/bin/flatpak run io.gitlab.librewolf-community -p Captive http://captive.kuketz.de
Name=Captive Portal

A goal of mine would be to have a command deactivating the VPN, opening the app, waiting until it is closed and automatically activating it again, but idk a thing of the future