
dannyota/byway


🛤️ byway

Transparent per-app VPN bypass on Linux.

🤔 Problem

Your VPN hijacks all routes. Some apps need to go around it.

💡 Solution

byway is a Go daemon that uses cgroup v2 + nftables + policy routing to transparently route traffic from specific apps through a different network interface. No wrappers, no namespaces — apps launch normally.

App in config ──► cgroup ──► fwmark ──► policy route ──► direct interface ──► 🌐
Everything else ──► default route ──► VPN tunnel ──► 🌐

⚙️ How it works

  1. 📦 cgroup v2 — groups configured app processes
  2. 🏷️ nftables — marks packets from that cgroup with a fwmark
  3. 🔀 policy routing — routes marked packets through your chosen interface
  4. 👀 proc connector — watches for new processes matching your config
  5. 🔄 reconciler — periodically verifies and restores rules if anything flushes them
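
Step 1 works at cgroup granularity, and on Linux a forked child stays in its parent's cgroup, so processes other than the configured binaries can end up on the bypass path. The audit below is an added example, not part of byway's code: it lists PIDs in the bypass cgroup whose executable is not in apps. The cgroup path /byway and the function names are assumptions; the app paths are the sample ones from the Config section.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// v2Path returns the cgroup v2 path from /proc/<pid>/cgroup text ("0::<path>"), or "".
func v2Path(procCgroup string) string {
	for _, line := range strings.Split(procCgroup, "\n") {
		if strings.HasPrefix(line, "0::") {
			return strings.TrimPrefix(line, "0::")
		}
	}
	return ""
}

// Unlisted returns, sorted, the PIDs that are in cgroup (or below it) while
// running an executable that is not in apps, e.g. children of a listed app.
func Unlisted(cgroup string, apps map[string]bool, cgroupOf, exeOf map[int]string) []int {
	var pids []int
	for pid, raw := range cgroupOf {
		if p := v2Path(raw); (p == cgroup || strings.HasPrefix(p, cgroup+"/")) && !apps[exeOf[pid]] {
			pids = append(pids, pid)
		}
	}
	sort.Ints(pids)
	return pids
}

func main() {
	const bypass = "/byway" // assumed cgroup path, not taken from the page
	apps := map[string]bool{"/usr/bin/firefox": true, "/usr/bin/curl": true} // page's sample apps
	cgroupOf, exeOf := map[int]string{}, map[int]string{}
	dirs, _ := filepath.Glob("/proc/[0-9]*")
	for _, d := range dirs {
		pid, _ := strconv.Atoi(filepath.Base(d))
		b, _ := os.ReadFile(d + "/cgroup") // empty if the process already exited
		cgroupOf[pid] = string(b)
		exeOf[pid], _ = os.Readlink(d + "/exe") // "" without permission or for kernel threads
	}
	for _, pid := range Unlisted(bypass, apps, cgroupOf, exeOf) {
		fmt.Printf("pid %d (%s) is in %s but is not a configured app\n", pid, exeOf[pid], bypass)
	}
}
```

Run it as root so /proc/<pid>/exe resolves for every process; any PID it prints is leaving the host outside the VPN tunnel without being named in byway.toml.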

📝 Config

cp example.toml byway.toml
# edit byway.toml with your interface and apps

interface = "wwan0"
reconcile = "5s"

apps = [
    "/usr/bin/firefox",
    "/usr/bin/curl",
]

📋 Prerequisites

  • 🐧 Linux with cgroup v2 (unified hierarchy) — default on Ubuntu 22.04+
  • 🔥 nftables kernel support — default on all modern kernels (5.x+)
  • 🔌 A second network interface for bypass traffic (or shared mode with the VPN interface)
  • 🔨 Go 1.23+ to build

No userspace tools needed at runtime — byway talks directly to the kernel via netlink.

🚀 Usage

go build -o byway .
sudo ./byway -config byway.toml

Runs as root (required for cgroup, nftables, netlink, ip rule).

🔌 Interface modes

| Mode | Example | Reliability |
|---|---|---|
| 🟢 Dedicated | wwan0, eth1, usb0 | High — separate physical path |
| 🟡 Shared | wlan0 (same as VPN) | Best-effort — reconciler mitigates rule flushes |

🔄 Lifecycle

  • Start → detect gateway, create cgroup, nftables rule, ip rule + route table
  • Run → three concurrent loops: config watcher 👁️, process monitor 🔍, reconciler 🔄
  • Hot-reload → edit byway.toml while running — app list, interface, and reconcile interval update live
  • Stop → Ctrl+C cleans up everything — system returns to default routing
  • Crash recovery → kernel state persists; on restart, existing rules are adopted without disruption

📦 Dependencies

Go 1.23+ and:
