Connect specific QNAP apps only to VPN client on router

fathersmaidenname

Hi all, very much a noob question, hopefully I can explain it well enough. I've tried searching and googling and either cannot find an answer or am asking the wrong question...
I've just upgraded to the RT-AC88U, running Merlin firmware 382.1. I have a VPN client set up using OpenVPN that is working well and can route all traffic through it. I also have a QNAP TS-251+ connected.
On the QNAP I'm running a Usenet connection using NZBGet - can access the web GUI via 192.168.1.2:6789
I'm also using qBittorrent for torrents, accessible via 192.168.1.2:6564
Both work just fine when routing all traffic; however, I'm wondering/hoping to only connect qBittorrent to the VPN, and have the NZB client (and all other traffic from the network) go directly through to my ISP. Is this possible?
I've tried forwarding ports on the router but tbh I've no idea what I'm doing.
Any help or ideas would be greatly appreciated.

Cheers!
 
Bump.
Anyone willing to throw out some ideas to help a stranger?
Or am I just grasping at straws?

If you know which static ports are explicitly used by the QNAP application(s), then you will need a script such as

/jffs/scripts/nat-start

Code:
#!/bin/sh

sleep 5

VPN_ID=1       # VPN Client #; Change to the appropriate VPN Client to be used (1-5, if available)

# Customise the following (if additional DST/SRC ports are required)
QNAP="192.168.1.2"
DPORT=         # Destination Port number (or CSV list of ports) to be routed via VPN Client #
SPORT=6564     # Source      Port number (or CSV list of ports) to be routed via VPN Client #


# Apply the appropriate Selective Port VPN routing

TAG_MARK=0x${VPN_ID}000
PRIO=999${VPN_ID}

RPDB_FWMARK="from all fwmark $TAG_MARK/$TAG_MARK table 11$VPN_ID prio $PRIO"
IPT_FWMARK_DST="-i br0 -s $QNAP -p udp -m multiport --dport $DPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK"
IPT_FWMARK_SRC="-i br0 -s $QNAP -p udp -m multiport --sport $SPORT -j MARK --set-mark $TAG_MARK/$TAG_MARK"

# Check if required RPDB fwmark routing rule exists; if not then insert it
if [ -z "$(ip rule 2> /dev/null | grep -oF "$RPDB_FWMARK")" ];then
   ip rule add $RPDB_FWMARK
   ip route flush cache
fi
# Check if required fwmark tagging rules exist; if not then append it to the chain
if [ ! -z "$DPORT" ];then
     iptables -t mangle -C PREROUTING $IPT_FWMARK_DST 2> /dev/null
     if [ $? -eq 1 ];then
        iptables -t mangle -A PREROUTING $IPT_FWMARK_DST
     fi
fi
if [ ! -z "$SPORT" ];then
     iptables -t mangle -C PREROUTING $IPT_FWMARK_SRC 2> /dev/null
     if [ $? -eq 1 ];then
        iptables -t mangle -A PREROUTING $IPT_FWMARK_SRC
     fi
fi
 
Woah, thanks a bunch Martineau for spending the time on that. Gotta say though, unfortunately that goes well above my head and skills. I'll have to spend some time figuring all that out.
Thanks again!
 
Giving this a go for a device on my network. If I drop the port specification and tell it to mark all traffic for VPN, will that work? Not having much luck so far, so I suspect not. Please and thank you for any help :)

EDIT: Ah, I think I see the flaw in my plan. Routing all stops any traffic hitting local resources such as DNS etc. Good to see it was just me making a silly error. Great script, btw!
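
An added example, not part of the thread or of any poster's script: a dry-run generator that prints the fwmark commands the nat-start script would apply, so the rule set can be reviewed before it touches the router. It goes beyond the posted script by emitting a rule for both TCP and UDP and by skipping LAN destinations, the local-resource problem described in the last post; the function name `mark_rules` and the 192.168.1.0/24 LAN range are assumptions.

```shell
#!/bin/sh
# Added example: prints the commands instead of running them (no root needed).
# mark_rules is a hypothetical helper; the LAN CIDR is assumed from the
# 192.168.1.2 address used in the thread.

# mark_rules VPN_ID HOST LAN_CIDR [SPORTS] [DPORTS]
# SPORTS/DPORTS are CSV port lists; leave both empty to mark all HOST traffic.
mark_rules() {
    vpn_id=$1; host=$2; lan=$3; sports=$4; dports=$5
    case $vpn_id in
        [1-5]) ;;
        *) echo "VPN_ID must be 1-5" >&2; return 1 ;;
    esac

    # Same mark / table / priority scheme as the script in the thread
    mark="0x${vpn_id}000"
    echo "ip rule add from all fwmark $mark/$mark table 11$vpn_id prio 999$vpn_id"

    # '! -d LAN' leaves traffic to local hosts unmarked, so it never enters
    # the VPN routing table (the DNS case noted in the last post)
    base="-i br0 -s $host ! -d $lan"
    tgt="-j MARK --set-mark $mark/$mark"

    if [ -z "$sports" ] && [ -z "$dports" ]; then
        echo "iptables -t mangle -A PREROUTING $base $tgt"
        return 0
    fi

    # multiport needs an explicit protocol, so emit one rule per protocol
    for proto in tcp udp; do
        if [ -n "$sports" ]; then
            echo "iptables -t mangle -A PREROUTING $base -p $proto -m multiport --sports $sports $tgt"
        fi
        if [ -n "$dports" ]; then
            echo "iptables -t mangle -A PREROUTING $base -p $proto -m multiport --dports $dports $tgt"
        fi
    done
    return 0
}

# Constructed sample call using the values from the thread
mark_rules 1 192.168.1.2 192.168.1.0/24 6564 ""
```
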
 