Tunneling browsers through VPN (Astrill) - binary locations?

Hi all, I have a fresh Zorin install on a new computer and so far everything is running very well except for one feature in the Astrill VPN client.

Astrill has a 'tunnel browsers only' function which I almost always use, and what it does is automatically detect which apps are browsers or have embedded browsers (e.g. Steam store, Discord), and tunnels only those browsers through the VPN. I would like to use this so I can keep Discord and browsers tunneled while games are untunneled, so I can still connect to local servers (China). Unfortunately Astrill seems unable to automatically detect the Firefox install that came with Zorin. I am looking at running Waterfox as my main browser, but have been using both Firefox and Waterfox to troubleshoot this problem.

It is possible to manually specify which apps should be tunneled, but even then, I am unable to find executable files for Waterfox and Firefox that work with this feature. I found three binaries for each deep within /var/lib/flatpak/, titled:

  • net.waterfox.waterfox
  • waterfox
  • waterfox-bin
  • firefox
  • firefox
  • firefox-bin

My understanding of the issue is that these are just not the right files that I need to allow through the tunnel. If someone could guide me to find the 'right' executables for these, please let me know. It is also possible that this is simply a problem with the Astrill Linux client, so I am also open to trying alternative clients to achieve the same goal. My Astrill subscription allows OpenWeb, StealthVPN and WireGuard protocols, so I can run any client that supports these.

I have tried using 'which firefox' and 'which waterfox' in terminal to locate the files but these return nothing.

The default firefox of Zorin OS 17 is a flatpak which nmeans it can't see or interact outside its sandbox other than what you tell it to do via flatseal. Either get the .deb of firefox or install and tweak with flatseal.

1 Like

Thanks for the fast reply. I downloaded a precompiled executable version of Waterfox and it tunneled through the VPN just fine. After dabbling in flatseal for another task yesterday I expect it would also probably work :slight_smile:

Unfortunately this issue is still persisting in some cases. I decided it would be easier to create an exclusion list rather than an inclusion list, so I can turn my VPN on at startup and then forget about it. However, I have not had any success in excluding games that are running through the non-flatpak version of Steam (Team Fortress 2, Fistful of Frags). I also tried excluding WeChat's flatpak version which is not working either. In flatseal, WeChat has permissions for 'Network' and 'Inter-process communications' which I would assume to be the relevant permissions for this.

I was able to solve my issue by using an inclusion list instead of an exclusion list and ensuring all included apps were not installed with Flatpak. I found this relevant post:


The key takeaway here is that the 'flatpak-bwrap' app in /usr/libexec/flatpak-bwrap controls the VPN access for all Flatpak apps installed on the system, so you can include or exclude that as you see fit, but it is apparently not possible to create separate rules for each Flatpak app.