Is this doable - one shared interface, separate routing tables, and vpn

I’d like to know how doable this might be: separating the host and one container. I have only one interface and only one gateway on that LAN, so I need to share. The host runs OpenVPN and the default route is through that one tunnel, with the remote end routed directly for obvious reasons. I want to have the container default route to the local gateway so it does not use the VPN at all. This means both the host and container will use that interface and the local gateway.

I’m not opposed to using different IP addresses, but doing that will mean doing NAT somewhere, since the Wi-Fi interface only gives one IP and enforces that.

I’m also thinking about a second container running another OpenVPN to tunnel private IPs from an AWS EC2 VPC.

The existing tunnel is vtap over UDP on an obscure port.

You can use multiple routing tables and default gateways on the host with ip rule; this is known as policy routing.
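
The following is an added example, not something from this thread: it prints (and, as root, can apply) the ip route / ip rule commands that give an LXD managed bridge its own routing table with the LAN gateway as default, while the host keeps its default route through the OpenVPN tunnel. The subnet, addresses, interface name and table number are all assumed values.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing so that an LXD managed
# bridge (lxdbr0) sends its traffic to the LAN gateway on the shared Wi-Fi
# interface while the host keeps its default route through the OpenVPN tunnel.
# Every address, interface and table number below is an assumption.
CT_SUBNET="10.10.10.0/24"   # subnet LXD assigned to lxdbr0 (assumed)
CT_PROBE="10.10.10.5"       # one container address, used for verification (assumed)
LAN_SUBNET="192.168.1.0/24" # the Wi-Fi LAN (assumed)
LAN_GW="192.168.1.1"        # local gateway on that LAN (assumed)
WIFI_IF="wlan0"             # the single shared interface (assumed)
TABLE_ID=100                # private routing table for container traffic
RULE_PRIO=1000              # smaller than main (32766) so it is consulted first

# Print the commands instead of running them so the plan can be reviewed.
plan_policy_routing() {
  # 1. The LAN must be on-link in the new table, otherwise the gateway itself
  #    (and other LAN hosts) would be unreachable from container traffic.
  echo "ip route replace $LAN_SUBNET dev $WIFI_IF table $TABLE_ID"
  # 2. A default route to the LAN gateway. OpenVPN's redirect-gateway puts
  #    0.0.0.0/1 and 128.0.0.0/1 into "main" only, so nothing in this table
  #    ever points at the tunnel.
  echo "ip route replace default via $LAN_GW dev $WIFI_IF table $TABLE_ID"
  # 3. The container subnet must also be known inside that table, otherwise
  #    container-to-container and container-to-host traffic would hit the gateway.
  echo "ip route replace $CT_SUBNET dev lxdbr0 table $TABLE_ID"
  # 4. Choose the table by source address. Routing happens before LXD's
  #    masquerade in POSTROUTING, so the private source still matches here.
  #    (ip rule add is not idempotent; use ip rule del before re-running.)
  echo "ip rule add from $CT_SUBNET lookup $TABLE_ID priority $RULE_PRIO"
  # 5. Replies arrive on $WIFI_IF for the host's address, are un-NATed and
  #    routed to lxdbr0 via "main"; no extra rule is needed.
  echo "ip route flush cache"
}

# Read-only checks: is the rule installed, and which table does a probe use?
plan_verification() {
  echo "ip rule show | grep -F 'from $CT_SUBNET lookup $TABLE_ID'"
  # The second command should report the route via $LAN_GW, not the tun device.
  echo "ip route get 1.1.1.1 from $CT_PROBE iif lxdbr0"
}

# Applying needs root; -e stops at the first failing command, -x echoes each one.
apply_policy_routing() { plan_policy_routing | sh -e -x; }

case "${1:-plan}" in
  plan)   plan_policy_routing ;;
  verify) plan_verification ;;
  apply)  apply_policy_routing ;;
esac
```

Run it with no argument to review the plan, with verify to print the checks, and with apply (as root) to execute it; the host's own traffic is unaffected because only packets sourced from the bridge subnet match the rule.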

I’m curious what the policy routing might look like to do this, if regular routing is not sufficient. What would happen if I just used regular routing?

The managed network configuration that LXD can provide to you uses the default route. It is a sane default. You can change that if you create an unmanaged network. For security purposes, I would suggest getting the container to use macvlan so that it gets its own IP address from the LAN (assuming an Ethernet connection and not Wi-Fi). That way, the container will be really unable to contact the host, due to the way macvlan works in this case.

Alternatively, you could get the container to use openvpn instead of the host.

It is a Wi-Fi interface. I can use OpenVPN if needed. I already use OpenVPN to a small VPS to get IPv6 (a /64) and hide my traffic from local netadmins. I do have 2 IPv4s on that VPS, so there may be a way to give the container its own IPv4.