Does Plasma-nm have a divided tunnel function for VPN? In my installation (openSUSE Tumbleweed) nothing appears, but I don’t know if I might have left some package uninstalled.
Thank you.
This text is software translated, so I hope you will be understanding of the possible nonsense.
Yep, for what it’s worth, on my OpenVPN connections I have the following Routes button in the System Settings Wi-Fi & Networking configuration screen, IPv4 tab:
I actually had to stop using NetworkManager for VPNs as it does NOT honor split tunnel behaviors with enterprise VPN when sending specific routes and NOT a single default route. I have customers with FortiGates that, even though I only send specific routes for split-tunneling, will still also add a default route as well, which overrides my split tunneling.
As a work-around, I can delete the VPN default route, but it’s quite an annoyance. One of my gripes with NM these days; instead I use openfortivpn for connecting, which doesn’t add the default route and honors the specific routes.
I use split tunnel VPN on tumbleweed. (I think ‘divided tunnel’ = ‘split tunnel’ ?)
I did not need to install any additional packages for WireGuard, but I have these packages installed for OpenVPN: NetworkManager-openvpn and plasma6-nm-openvpn
To configure the route, you can use the IPv4 and IPv6 tabs (someone posted a screenshot above, thanks!). Usually, your VPN provider will give you configuration files which already set this correctly.
To avoid DNS leaks, you need to install dnsmasq and configure NetworkManager to use it.
These are from my PC’s build instructions.
First we make sure dnsmasq is installed (it is probably already there, but anyway…)
sudo zypper install --recommends dnsmasq
Then we configure NetworkManager to use the local DNS server instead of the one from the connection:
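The post above ends before its NetworkManager snippet. As an added example (my own, not the poster’s file), here is a small shell helper that writes the drop-in which selects NetworkManager’s built-in dnsmasq plugin, plus two checks a user can run afterwards. It assumes NetworkManager reads drop-ins from /etc/NetworkManager/conf.d/ (the default on openSUSE) and that, once the plugin is active, /etc/resolv.conf points at 127.0.0.1; the target path is a parameter so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the thread: make NetworkManager resolve DNS through
# a local dnsmasq instance so queries follow the VPN connection's DNS servers
# instead of leaking to the LAN resolver.
# Assumption: NetworkManager honours drop-ins in /etc/NetworkManager/conf.d/.
NM_DNS_CONF="${NM_DNS_CONF:-/etc/NetworkManager/conf.d/dns.conf}"

# Write the drop-in that selects the dnsmasq plugin. The first argument
# overrides the path, so this can be tried in a temporary directory.
write_nm_dns_conf() {
    target="${1:-$NM_DNS_CONF}"
    mkdir -p "$(dirname "$target")" || return 1
    printf '[main]\ndns=dnsmasq\n' > "$target"
}

# Succeed (exit 0) when the given NetworkManager config selects dnsmasq.
nm_uses_dnsmasq() {
    grep -qx 'dns=dnsmasq' "$1"
}

# Succeed when the resolver file only lists the local stub (127.0.0.1),
# which is what NetworkManager writes once its dnsmasq plugin is running.
# Any other nameserver line means queries can still bypass the VPN's DNS.
resolver_is_local() {
    file="${1:-/etc/resolv.conf}"
    servers=$(awk '$1 == "nameserver" { print $2 }' "$file")
    [ -n "$servers" ] || return 1
    printf '%s\n' "$servers" | grep -vqx '127.0.0.1' && return 1
    return 0
}

# Typical run (as root):
#   write_nm_dns_conf && systemctl restart NetworkManager
#   nm_uses_dnsmasq "$NM_DNS_CONF" && resolver_is_local && echo "local resolver active"
```

With `dns=dnsmasq` NetworkManager starts its own dnsmasq process; the dnsmasq package only needs to be installed, its standalone service does not have to be enabled, and having both bound to port 53 on 127.0.0.1 will conflict.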
Um, yeah, I see it’s the same thing. Libretranslate translated from my language as “divided”
I’m using WireGuard, but I guess that’s the same.
The only thing: would that method allow me to separate traffic at the application level or IP level? I’m interested in splitting traffic by application, because what I want is for my web browsers, RSS reader, Freetube, Kasts, and software that doesn’t have me identified -or not too much at least-, to direct their traffic through my VPN; but I don’t see the sense in programs that know my personal data, even those of my contacts, having the same IP address as the previous ones; so for programs like Telegram, Kmail, Whatsapp, etc, I prefer to keep using my real IP.
Yes, in my installation there’s all that too, but I don’t see that there’s anything to choose which programs we want to direct their traffic through the VPN and which ones don’t. Something that, for example, is in the RethinkDNS or ProtonVPN interfaces for Android and Windows -I have not tried Linux’s because I wanted to try to do it with the native tools that my distro already incorporates-.
I wouldn’t even know how to use that “Routes” thing. Totally functionalist user here; IT for me is a medium, like my car or my washing machine, not a dedication, and I know what it takes to use my equipment with acceptable efficiency, but don’t ask me to go beyond that.
Split tunnel configurations pull traffic by sending the connecting client very specific routes, so instead of sending a default 0.0.0.0/0 route for ALL traffic, it will send only, for example, 10.0.0.0/8 used for an internal network, but it can really be any list of IP prefixes to send as routes, if you control the VPN server.
If you want it on a per-application basis, using a SOCKS proxy might be more ideal. Internet VPN services tend to offer an option for a SOCKS proxy too, or at least PIA does for me.
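The check that follows is an added example (mine, not from any poster) for the two points raised above: a split tunnel should leave the VPN interface with only specific prefixes, while a tunnel that also pushes a default route silently becomes a full tunnel. It reads routing-table text in the format of `ip route show`, lists the prefixes an interface serves, and classifies the tunnel. The interface names and the sample table are constructed for the example; on a real system you would pipe `ip route show` into it.

```shell
#!/bin/sh
# Added example, not from the thread: classify whether a VPN interface holds
# only specific prefixes (split tunnel) or also a default route (full tunnel).
# Assumption: input is the text of `ip route show` for the main table.

# Constructed sample (not a real capture): the situation described above, a
# tunnel that pushed 10.0.0.0/8 AND a default route, next to the Wi-Fi uplink.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
default dev ppp0 scope link metric 50
10.0.0.0/8 dev ppp0 scope link
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# Print the destinations (first field) of every route whose "dev" is $1,
# one per line, reading the routing text from stdin.
routes_for_dev() {
    awk -v dev="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "dev" && $(i + 1) == dev) print $1
    }'
}

# Print "split", "full" or "none" for interface $1 (routing text on stdin):
#   none  - the interface has no routes at all
#   full  - it owns a default route, so everything goes through it
#   split - it only carries specific prefixes
tunnel_mode() {
    routes=$(routes_for_dev "$1")
    if [ -z "$routes" ]; then
        echo none
    elif printf '%s\n' "$routes" | grep -qx 'default'; then
        echo full
    else
        echo split
    fi
}

# Live usage:   ip route show | tunnel_mode ppp0
# Self-check on the constructed sample:
printf '%s\n' "$SAMPLE_ROUTES" | tunnel_mode ppp0
```

If the result is "full" for a connection that was meant to be split, the one-off fix mentioned above is `ip route del default dev ppp0`; for a NetworkManager-managed connection the persistent equivalent is the connection property `ipv4.never-default yes` (and `ipv6.never-default yes`), which tells NetworkManager not to install a default route for that connection even if the server pushes one.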
But openfortivpn doesn’t work with anything other than Fortinet’s VPN, does it?
Well, considering Fortinet has left their actual FortiClient broken for like the past year for most Linux systems (boo, bad Fortinet), using the open solutions is your only real option for Linux clients if your business or customers use FortiGate firewalls for their enterprise VPN.
The only thing I’ve found either openfortivpn or nm+openconnect do NOT support properly is using SAML-based logins. Supposedly all the bits support SAML (plasma-nm, nm itself, openconnect), but none actually seem to work still for fortinet at least. I suspect openconnect might simply not support SAML for Fortinet even though others say it does for Palo or Cisco.
You want application-specific routing. This feature is not provided in the Plasma GUI, and it is not provided by ProtonVPN’s client on Linux. You would need to learn some basic networking and do some configuration using config files and special commands to start your applications.
That’s fair. What you’re asking is not commonly done, so this is not like normal driving the car, this is more like ‘fast and the furious’, you are going to have to improve the machine past the normal design and drive it a special way.
On Windows, some applications (e.g. some VPN clients) can do this special configuration for you, and it would be possible on Linux, but I don’t know of any apps that do it. Perhaps you could find one, though.
I would not bother with this, if I were you. You do not gain any privacy by allowing certain apps to use your real IP. You only lose more privacy by doing that. You will get better privacy if you just use the VPN for all those apps.
I was hoping that maybe there was a package that would add this feature to Plasma’s NetworkManager GUI. And what you say about ProtonVPN’s client for Linux not having it either leaves me with no alternatives -I was counting on that as a last alternative, since Windows and Android do have application-specific routing-. I guess I will have to cancel my subscription to Proton and look for another supplier, in case there’s any, or file a feature request for this on bugs.kde.org.
Do you think so? If, for example, I receive in my desktop email client an HTML message with links to remote images, and I activate the rendering of those images, my client will contact that site and download the images making that site not only know my IP but also my email address; if I then click on that link and my browser loads the corresponding web page, Google Analytics or any other tracking tool that site uses will see that the IP that requested the images sent via URLs to my email account is the same one that shortly after visited the web page in question via a browser, ergo it is revealed that the user user@mailprovider.com, is the one who has visited that page.
Since my email client, my newsreader, messengers, etc, are associated with personal identifiers, some as revealing as my phone number, wouldn’t it be better that those programs that can “snitch” personal identifiers contact the web from one IP and the browser from another?
Thanks for your enlightening comments. I had no idea Proton considered Linux such a second-class citizen.
Yeh, you wouldn’t do either of those things if you’re trying to maintain privacy, and you definitely can’t maintain privacy if you do both (even using separate networks - that would actually be worse).
Anyway, this is a privacy rabbit hole; I will have to wish you good luck with that. I just wanted to share some instructions for accessing your home network while using a VPN, on Tumbleweed.
I don’t think there’s any automagical client that will do what you want on a per-application basis, but what you want can be done using iptables rules, ebpf, namespace containers ala docker, or whatever, but you’ll need to mangle your own set of firewall and routing policies to do these things.
You can also do this using firewalld along with networkmanager setting up zones for each interface to nat things this way or that out your vpn, ethernet, or wifi interfaces, but this gets complex to manage like a real firewall.
My suggestion is to do what I’ve usually done: keep a small VM desktop OS inside your main rig, have that VM connected to the VPN for whatever you want to do there; then whatever is done within that host is subject to your VPN routing, and your main desktop’s normal use goes out your local network as normal.
I do this a lot for work, using a windoze or a separate Linux desktop VM for connecting to enterprise networks, such that they’re subject to the enterprise VPN, DNS, security checks, and everything else for networking when connected to their network.
I also do this with other Linux servers that boot themselves, hop on a personal VPN to another country, and go harvest data for me as needed from there, keeping it cleanly in a mostly separate instance to minimize the potential for data leakage.
As a quick down and dirty, I just use Tor Browser when I need to look at something around my own geography-based firewall filters for something shady like alibaba or anything foreign as it’ll just use tor out a random exit node for fetching data for me as well when I don’t want them to see where I’m coming from.