I always wondered this and should have asked way sooner, but here goes: when do apps connect to the internet? Is there traffic going in and out at all times?
Let’s take a specific example. If my Steam app is open and I switch from one VPN connection to another, does Steam see this?
Same question, but for browsing. If I open 10 different tabs and they have all already loaded, and then I turn off my VPN connection because, let’s say, a bank blocks all VPN connections, will all the other open tabs know?
It doesn’t really matter, because I use 2 different browsers for 2 different sets of browsing, but I was just wondering what the opsec is here.
When you switch or disable your VPN, apps like Steam may notice the IP change, causing brief disconnections. Loaded pages usually continue, but new actions will use your real IP, which some sites may block. Using separate browsers or incognito modes can improve security.
Do you really want to know the best practice? Because, well, the best practice would be having a separate device for non-VPN activities, or using Qubes and having a VPN-connected qube and a non-VPN qube.
Off the top of my head there are really no good ways to do it securely without compartmentalization, but there are more convenient methods than the ones I gave as an example.
Many VPN clients allow you to split tunnel and exclude apps from the VPN, so you could have Brave Browser going through a VPN and Firefox not going through a VPN (or, whatever), and then use each for different sites depending on need. Still compartmentalization though.
If you’re doing it on a router, it is harder to bypass. This is why I don’t really like using VPNs on routers (or DNS-based ad blocking) unless you have to; it’s usually better to have a VPN (or ad blocker) on each device.
Depending on your router you could probably set static routes to bypass the VPN connection for each individual IP address you want to whitelist.
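The static-route approach from the two posts above, as an added example that is not from the thread or from any VPN client. It assumes a Linux-style router where the VPN tunnel is the default route on `tun0`, the LAN gateway is `192.168.1.1` on `eth0`, and a constructed whitelist of two addresses that must leave through the real connection. A /32 host route is more specific than the tunnel's default route, so the kernel's longest-prefix match sends those destinations around the VPN. The script validates each address, prints the `ip route` commands, and only applies them when `APPLY=1` is set, so it can be inspected before touching the routing table.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates per-destination host routes that
# bypass the VPN tunnel for a whitelist of IPv4 addresses.
# Assumptions (constructed): LAN gateway 192.168.1.1 on eth0, VPN default route on tun0,
# and a made-up whitelist. Nothing is applied unless APPLY=1.

LAN_GW="${LAN_GW:-192.168.1.1}"
LAN_IF="${LAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"

# Constructed whitelist: hosts that must see the real IP (e.g. a bank that blocks VPN ranges).
BYPASS_LIST="203.0.113.5
198.51.100.20"

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted quad with every octet in 0..255.
# Garbage here would turn into a garbage route, so validate before generating anything.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# bypass_route_cmd ADDR -> prints the host route that sends ADDR via the LAN gateway.
# The /32 is more specific than the tunnel's 0.0.0.0/0, so it wins route selection.
bypass_route_cmd() {
    is_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    printf 'ip route add %s/32 via %s dev %s\n' "$1" "$LAN_GW" "$LAN_IF"
}

# exit_path ADDR -> "lan" if ADDR is whitelisted, otherwise "vpn".
# Mirrors what the kernel would pick once the routes above exist.
exit_path() {
    for a in $BYPASS_LIST; do
        [ "$a" = "$1" ] && { echo lan; return 0; }
    done
    echo vpn
}

# plan_routes -> prints every route command; executes them only when APPLY=1.
plan_routes() {
    for a in $BYPASS_LIST; do
        cmd=$(bypass_route_cmd "$a") || return 1
        echo "$cmd"
        if [ "${APPLY:-0}" = "1" ]; then
            eval "$cmd"
        fi
    done
    return 0
}

# Dry run by default: review the plan, then rerun with APPLY=1 as root to install it.
plan_routes
echo "default exit for everything else: $VPN_IF" >&2
```

Two things to keep in mind with this method. The bypass is keyed on IP addresses, so if the whitelisted site moves behind a different address (CDN rotation, a new load balancer) the route silently stops matching and that traffic goes back through the VPN. And these routes say nothing about DNS: name lookups still go to whatever resolver the device or router is configured with, so the resolver, not the route table, decides whether the lookup itself leaves via the tunnel.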
Wouldn’t Portmaster SPN be an option for this? I’m currently running SPN with Proton set to Split Tunnel and only route certain, SPN excluded, apps through it.
“Does the SPN route connections on a per-app basis?
No, it routes every connection individually. So as an example, when you open several websites in different tabs in your browser, every connection will be calculated individually, giving you multiple identities for each app.”
And the catch is this, although I’m considering it: