If terminal needs to download or upgrade does it bypass my vpn?
 

If terminal needs to download or update a program does it bypass my vpn ? What about when I use synaptic or yt-dlp in terminal?
What command would I use to check to make sure my terminal is utilizing my vpn?

My understanding is that, if you are using a VPN, any actions you do should go through the VPN.

A "VPN" functionally exists as "a network appliance," covering a specified range of external IP-addresses as specified by the route command. If, and only if, that external address is "covered" by your "route," it will be protected.

Therefore: "all of this is occurring at the network level." It has nothing to do with any particular application.

What kind of VPN do you use? How do you connect to it?

/sbin/route will show you the routing table.
This is not necessarily the case. Eg: If you connect to a VPN using a browser extension, then only traffic generated by that browser session will go through the VPN.

We have a VPN which works only for our company. So facebook, google, microsoft, debian and other sites work without VPN and also all hosts inside the company are reachable with VPN, in the same time. (something like post #3).

In a typical corporate setting, VPN is used to provide a cryptographically-secure "tunnel" to a specified range of IP-addresses, such as 10.8.x.x. These addresses appear as if they are "local," on some "private network." But it is a "virtual private network = VPN." Because the secure connection is made over a public network instead of a purchased piece of wire.

It is possible to arrange for VPN to capture all outbound traffic and send it through the tunnel to "somewhere else" for re-distribution. Some people do this in coffee shops. Some people try to do this to evade firewalls.

VPN works by linking into the operating system's "network stack" at one or two specific levels, allowing it to intercept the traffic by routing it through a "virtual network device" which leads to its software. It encrypts or decrypts the traffic and places it back into the network stack for final delivery. In this way, everything is automatically handled, without any further special effort on the part of end-users. The route command will display this "device" as something like tun0, and show you exactly what is being routed to it.

VPN can be used in a corporate network as though it were a simple "gateway." Everybody's traffic within the office is routed to one particular machine (or, hardware device) that is running the VPN software. It appears to them to "just" be a router or a switch, and it functions as one.

I use the software client provided by the vpn company, simply click and connect/disconnect an icon on the desktop.
It is not a browser extension.

I have the output from that command you provided above, from that output what do I look out for that will tell:
- if terminal command is going thru the vpn client. Do I need to be running a command to gauge that?
- if synaptic is/isn't going thru the vpn client? Do I need to be downloading something to gauge that?
To gauge the above do I look at which title from the output of command /sbin/route below?Results

What if it's not a device but rather terminal or synaptic manager and I need to know if these two are going thru the vpn client. I am not using a browser extension vpn.

Do the commands from your terminal and package manager go thru the VPN, and can they both be tweaked to go or not go thru vpn?

How ill I know if synaptic and terminal are both "covered" by route i.e. green light to go thru the vpn?

So the terminal and synaptic do thru the vpn client whether you like it or not?

You seem to have taken ip addresses out of the output posted from the route command
I have this using "ip route show"
and this using "route"
Because you removed the ip information no one can tell exactly what the routing is telling us (we have no information).

Please redo that and post the full routing table without editing.

it depends on the target I want to reach, not on the software I use. For example if I want to use an internal package repository it will go thru vpn, if I use an external one it won't use that vpn. It also does not depend on other circumstances, like if I execute it from terminal or crontab or gui.

Does using synaptic package manager falls fall into the external package repository category? If yes then it would not go thru my vpn?
An example of an internal package repository would be a company with it's own repo? I guess individuals can have their own repo's too?

Did you mean to say "does depend"?

Synaptic package manager only works thru the gui whether your at work for a company or not?

If your at your workplace and you used terminal to download an item from your workplace distro's repo would that go thru the company vpn?

If you were at home on your personal computer using a vpn client downloaded onto your linux desktop and you used terminal to download an item from your personal computer's distro's repo would it go thru the vpn? What about your package manager?

Should the post without editing go ahead if:
- synaptic package manager was not actively downloading/upgrading etc in during the time I got the results for the routing table?
- terminal was not downloading or getting anything from external repo when I got the results of the routing table?

What was or was not in use at the time is immaterial to the routing table. You are asking about traffic which does not show when looking at routing.
The only thing critical is that the vpn should be connected so we can analyze what actually is being done by the routing. Vpn vs the regular routing since the routing table, complete, shows what is directed to which interface.
Editing the output hides what the routing is doing and makes analysis impossible.

Since both synpatic and terminal are deemed applications and vpn's are meant to direct all traffic, does that mean both are going thru the vpn client? Synaptic package manager accesses external repo's only?I do not have an internal repo to access.

I did spot my vpn ip multiple times in the routing results when I ran based on seeing the vpn ip the in results can we say:
- a gui synaptic package manager will go thru your vpn client?
- that when you use terminal to download something from your distro's repo the traffic will go thru your vpn client?

No, I wanted to say it does not depend on the app itself, whether it is apt, synaptic, wget, curl, firefox or whatever else you might use to connect to another host.
Synaptis is a graphical tool (not a command line tool).

No, if my PC is already connected to that corporate network I don't need to use vpn to reach internal resources.
If you mean the corporate vpn I don't need that at all to download anything from the net, it is only required if I want to reach anything inside. Including package manager, terminal or any other tool.


You need to think about vpn as a "highway" (or tunnel), it connects two points together, let's say it connects two subnets together. Because of the nature of this highway you don't need to take care of any distance, any problems (during the travel), because virtually these subnets are just connected to each other (reachable using this protected highway) despite the fact the connection itself goes thru a lot of insecure and open hosts.
Your router will tell to your host (in case of a request) if a (tcp/ip) package should go thru this highway or should find another way to reach its destination. (that's why it is called roouter).
Router has no idea where is this package coming from, if it was initiated by a program, gui, terminal, kernel, whatever, it is not important.

In may case the two subnets are my local home network and the corporate network and I can only reach company resources if I use this highway, there is no other route to internal hosts. But obviously the usage of it is allowed only for members.

If a retiree i.e. someone not working in a corporate setting, needed to download something from their official distro's repo using terminal commands, and the retiree has vpn client switched on i.e. connected to a random foreign IP, will these terminal commands get tunnelled via the vpn client? If yes then are you also saying the router not the vpn client decides if this gets tunnelled? Does synaptic go thru the vpn tunnel in this example too?

it is the router, that decides where to go, so you need to configure your router to be able to decide. When we start a vpn client, it usually tells the router the address range that can be reached with the tunnel (the router is informed about the new tunnel). Again, when you shut down your vpn client it will tell the router that the tunnel is not available any more. A random foreign ip is usually not tunneled, but occasionally it might be if it belongs to that address range.
(I don't know what kind of vpn do you have, how is it configured and what url do you want to reach, but your router does know the direction to use)

I think this description is slightly off.

A router acts as a director of traffic and all traffic reaching it is sorted and directed by the routing table on the router itself. Once a VPN is connected the gateway router sees that as a connection that is established and simply routes the traffic accordingly.

A PC that originates a VPN acts similarly. The routing table on the PC also sorts and directs traffic. When the VPN is active the pc routing table has 2 routes of interest.
Traffic is sorted and that designated as for routing via the VPN is directed to the tun0 device while all other traffic is sent to the local net or the gateway router. This means the local routing table on the PC is important so that apps connecting to an ip via the tunnel can be directed properly. Traffic not directed to an ip via the tunnel is sent via the default routing.

What this means is that there is a traffic split in the highway directly on the PC and tunnel traffic is separated from the remainder before it ever leaves the PC. The gateway router has no control over the traffic via the VPN that originates on the PC.

It also means the routing on the PC itself is critical to answering the original question here.

If your VPN is configured to route all traffic thru it, then it will route all traffic thru it. It makes no difference if that traffic is the result of the OS or an app you ran from a gui or from a terminal or from voice assistant, that is irrelevant. Traffic is traffic.

If you will simply post, using "code tags," the exact output of your route command, and tell us what URL or IP-address you are trying to connect to, we will now very-patiently explain it to you.

The route command applies a very specific set of rules to every IP-address that is presented to the Linux network-stack for delivery, telling it which "network interface" should handle the traffic, and which address is the "gateway." The final rule is a "catch-all" which handles everything else, and the rules are applied top-to-bottom.

Your VPN inserts itself into that list at one or more places, using a "virtual network device" to divert the traffic to its own software.

is /sbin/route the only command that will show if synaptic and terminal are being directed to the vpn tunnel?

But not necessarily all traffic?

Is there a way to tell if synaptic and terminal commands are designated for routing via the VPN tun0 device? By defualt does this vary on linux distro's?

So there are two routers and 2 routing tables, one external one connected to wall socket and another within the PC?

You're missing the point. It has nothing to do with what app you use it from. It's like you're not reading what people reply with. It depends where you're connecting to. Only. If you have all traffic set to go thru the vpn, then all traffic will go thru the VPN. It has nothing to do with OS or distro or anything like that - you could run a vpn client on your router for example if you wanted and get the same thing.

If you configured your vpn to only apply to certain domain or ip range, then only connections to that domain or ip range would go thru the VPN. Like for a corporate vpn, you might configure it to only apply for companyname.net adresses, but let everything else go straight to the internet. In that kinda case, companyname.net is probably not even accessible directly from the internet, they will have companyname.com as their public website which is unrelated to the internal network you use the vpn to join. This would likely be preconfigured by the company's IT department for you so you could work from home, but if you do regular web browsing, it won't appear to be coming from the companies IP, it'll be coming from yours.

additionally it is not the app (terminal, synaptic, firefox, whatever) which manages the network connection(s), routing and related things. None of them is capable to do that. They know in most cases just an URL, hostname or something similar, and the OS itself (including the kernel and some services) will do the real routing, network communication, data transfer.

Where is the vpn in the above route table?

Will the routing table reveal my real IP address?

Configuring all traffic to go thru the vpn is soley by the pc routing table?
To check if all traffic is going thru my vpn I would use use /sbin/route? The vpn client settings do not decide configuration rather the pc routing table decides?

It does not show my ip at 193.142.xxx.xxx
example...
so, just show it to us so we can see if it all links up before it goes into the vpn tunnel. :-)

btw, how does mine look?

Can we use Glenn's to answer my questions?

What question has not been answered yet? The answer to the question in the thread title is a hard NO. You cannot bypass your vpn from terminal.

By your answer that would mean this would go thru the vpn too?

Of course. How many times do you need to be told the same thing?

One other thing, Nordvpn in particular requires ipv6 not be used/configured.

I guess nordvpn service I have is ipv4 only.

It would not be any good if my system were to use ipv6 dns and dhcp go past or just be wasted cpu cycles, imo.

I use openvpn to launch the config as well.

No. The 'ip' command also shows routing. Use 'man ip' to see what all that command may do for you.
In fact neither of those commands will tell you anything about the connection path used by the apps you seem concerned about. Only the IP addresses used with those apps & commands will allow answering your routing questions.

The routing table will answer that.
The routing table will answer that.

The full output of the 'route' command as requested several times above will allow answering all the these questions

Sometimes a tunnel (depending upon the vpn) may get 100% of the traffic. Sometimes it may be a split routing and only some goes thru the tunnel and some uses the normal routing. The full routing info from the route command allows us to answer that.

There are always 2 routing points. The PC has its own internal routing table which is why the 'route' command exists and its data is important. The second routing point is the router on the LAN which is the normal gateway to the internet (or maybe a corporate WAN). The only exception to this I know of is when there is no gateway router and the PC is directly connected to the ISP network or internet which is very rare.

Absolutely not.
His routing table is for his own PC and his LAN and of course would not show YOUR VPN DATA.

I do not understand why when at least 2 others have shown you their full routing tables from their PC you would still be so reluctant to provide the one NECESSARY bit of information needed so we may hold an intelligent discussion about your original question. Almost 40 back and forth comments, most asking for the necessary info needed for us to answer you, and you still refuse.

We cannot help if you do not give us the information needed to properly answer.

We cannot even tell if your situation is split routing or vpn only.

What would be the advantage for Nordvpn and their customersto use ipv6 overipv4?

Why not use their software client for linux?

Any results from the above command that that start with 10 (ten) e.g.
(above) Will mean that they are local ip addresses and can not identify your isp provider, is that correct?

Any that starts with something like this:
(above) are considered public ip addresses and can be used to identify your location,is that right?

To be honest, I don't know exactly.

Perhaps they have bulk licence on the ipv4 network they use, maybe reduced bandwidth?

Openvpn has the nordvpn blob copied to its config. I haven't tried any other way.

The tutorial I followed helped me set up the vpn, /etc/sysctl.conf and the firewall.

All the best.

My vpn provider also provides openvpn config file; I use that cuz it doesn't require installing anything nonfree etc, just uses stuff from my distro, and I just check the box to "use vpn with this connection" so it connects automatically.

I guess the advantage of not using some software provided by vpn provider may just that - their software maybe proprietary and you can't audit it? Whereas openvpn plugins for network manager gui is provided by your distro...

If there is an advantage to using their software, they'd have to tell you, dunno what it could be....

I am trying to connect to youtube.com thru the terminal like this belowand in the future to my distro's repo via command line (but not at the moment)