Filtering for some domain names and going directly passing-by OpenVPN
-
Hello, folks !
I have a multi-LAN router: a single WAN and several LANs.
For the sake of simplicity, suppose I have only 1 LAN connection. All connections to the Internet from the LAN go through OpenVPN (WAN).
Is there a way for some connections (IP addresses) to pass through and connect directly to the Net, bypassing OpenVPN?
The best scenario is to have some filtering by domain address;
for example, going to "www.direct-connection.com" would connect me directly to the site, bypassing OpenVPN. I'm also planning to set up a DNS server locally, if this matters.
-
Not sure why a local DNS server setup would come into play. The unbound or forwarder on pfSense would be fine to use even in such a scenario.
What you're looking to do is policy routing. You would exclude whatever traffic, be it port based or IP based (either source or dest), from what you route out the VPN connection. A simple rule with aliases containing what you want to route out your normal WAN, placed above the rule that routes the traffic out your VPN, is all that is needed.
Your problem might be that, depending on what FQDN you're wanting to go to, the IPs change, say for example if it is hosted on some large CDN with large amounts of netblocks in play. So it might be best to identify all of these IPs or netblocks and then use those in your rule.
It's simpler if you can use your source IP in the rule so you don't actually have to worry about dest IPs changing. So for example you always route 192.168.1.100 out the normal WAN, and anything else uses the VPN, etc.
-
Not sure why a local DNS server setup would come into play. The unbound or forwarder on pfSense would be fine to use even in such a scenario.
Your problem might be that, depending on what FQDN you're wanting to go to, the IPs change, say for example if it is hosted on some large CDN with large amounts of netblocks in play. So it might be best to identify all of these IPs or netblocks and then use those in your rule.
It's simpler if you can use your source IP in the rule so you don't actually have to worry about dest IPs changing. So for example you always route 192.168.1.100 out the normal WAN, and anything else uses the VPN, etc.
I didn't quite understand the example with 192.168.1.100, but it seems it's not my scenario. I need filtering by domain name. So, I will show it with the flow of processing:
pfSense direct-connection-domains-sort-of-a-filter: www.direct-connection.com
Firefox(www.google.com) ==> DNS query (www.google.com) ==> pfSense direct-connection-domains-sort-of-a-filter ==> route through VPN
Firefox(www.direct-connection.com) ==> DNS query (www.direct-connection.com) ==> pfSense direct-connection-domains-sort-of-a-filter ==> route through WAN directly
Is there any sort of DPI (deep packet inspection), so I would go to the filtered site directly through WAN despite the fact that DNS could return a different IP address for the same site?
Also maybe some sort of dynamic rule with a cache of such IP addresses, where it has some sort of expiry.
-
Dude, that was just an example of doing it an easier way if you CAN filter based upon the client IP..
The whole first part of my post was how to do what you want.. With an alias for where you want to go.. Does www.direct-connection.com only return 1 IP.. Or is it housed off a CDN where the IP could change every single time the TTL of the record expires and you have to look it up again?
"Is there any sort of DPI (deep packet inspection),"
No..
As I already stated, if your site is hosted off some CDN.. You would have to put into your rule all the netblocks of that CDN.. Problem is this could give direct connectivity to sites that you may or may not want to use the WAN directly.
These sorts of issues are why it's best to try and filter on something less likely to change or be a large range.. Like your source IP of the client, or the dest port.. But what domain are you trying to go to.. Maybe it only returns 1 IP? If so then a simple alias with the FQDN will work just fine.
Another option might be to use a proxy.. Let your proxy only go out the WAN.. Then have your client use the proxy when it wants to go to these FQDNs..
-
Another option might be to use a proxy.. Let your proxy only go out the WAN.. Then have your client use the proxy when it wants to go to these FQDNs..
Proxy sounds like a cool idea, maybe the most reliable, since you could probably set it up to go off FQDN. And you could set the proxy to have a static source IP which, like you said, would make things much easier than messing around with destination IPs and netblocks. Lots of potential leaks that way, going out the WAN instead of VPN.
Another idea might be to set up a separate wireless SSID just for WAN purposes. It could drop into a VLAN that is routed out the WAN and bypasses the VPN. The normal wireless SSID could go out the VPN like normal.
Depends on OP's situation.
-
"Lots of potential leaks that way going out the WAN instead of VPN."
WTF.. How tight is your tinfoil hat anyway??
-
Alright, here is what you do.
Firewall -> Aliases
Under IP -> Add
Give it a name, and a description if you want.
Type -> URL (IPs). Add as many URLs as you like, either host.domain.ext or just domain.ext (www.google.com, google.com).
Save and go to Firewall -> Rules.
Add a rule on your LAN interface: action pass, whichever sources you want, destination 'single host or alias', and use the alias you created above.
Go to advanced options, choose Gateway -> WAN or whatever you have it called. Save. Then drag the rule ABOVE your VPN routing rule. Save again and apply changes.
You are now routing traffic to specific URLs/domains out your WAN instead of the VPN. :)
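As an added illustration (not from anyone in this thread), the following models pfSense-style first-match policy routing with the `ipaddress` module: it shows why the WAN bypass rule must sit above the catch-all VPN rule, what happens when a CDN netblock alias also covers unrelated sites, and how a source-IP rule sidesteps changing destination IPs. All rule names, networks and the "default to VPN" behaviour are constructed assumptions.

```python
# Added example: minimal model of a pfSense LAN ruleset evaluated top to bottom.
# Networks below are constructed sample data (RFC 5737 test ranges), not real sites.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    gateway: str                               # "WAN" or "VPN" (assumed gateway names)
    src: list = field(default_factory=list)    # source networks; empty list = any
    dst: list = field(default_factory=list)    # destination networks (the alias); empty = any

def _matches(nets, ip):
    """A rule field with no networks matches anything."""
    return not nets or any(ip in n for n in nets)

def select_gateway(rules, src_ip, dst_ip):
    """Walk the ruleset in order; the first matching rule decides the gateway.
    Assumption: traffic matching no rule still leaves via the VPN (constructed default)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if _matches(r.src, s) and _matches(r.dst, d):
            return r.gateway
    return "VPN"

def alias(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

LAN = alias("192.168.1.0/24")
# Alias of the "direct" site: a whole /24, as you would get when it is hosted on a CDN.
DIRECT_SITE_CDN = alias("203.0.113.0/24")

# Correct order: bypass rule ABOVE the catch-all VPN rule.
GOOD_ORDER = [Rule("direct-out-WAN", "WAN", LAN, DIRECT_SITE_CDN),
              Rule("everything-VPN", "VPN", LAN)]
# Wrong order: the catch-all matches first, so the bypass rule is never reached.
BAD_ORDER = [Rule("everything-VPN", "VPN", LAN),
             Rule("direct-out-WAN", "WAN", LAN, DIRECT_SITE_CDN)]
# Source-based variant from the thread: one client always uses the WAN, whatever it visits.
BY_SOURCE = [Rule("host-100-WAN", "WAN", alias("192.168.1.100/32")),
             Rule("everything-VPN", "VPN", LAN)]

def demo():
    """Return the routing decision for each scenario discussed in the thread."""
    return {
        "good_order_direct_site": select_gateway(GOOD_ORDER, "192.168.1.50", "203.0.113.10"),
        "bad_order_direct_site": select_gateway(BAD_ORDER, "192.168.1.50", "203.0.113.10"),
        "site_moved_outside_alias": select_gateway(GOOD_ORDER, "192.168.1.50", "198.51.100.7"),
        "unrelated_site_in_cdn_block": select_gateway(GOOD_ORDER, "192.168.1.50", "203.0.113.200"),
        "source_rule_any_destination": select_gateway(BY_SOURCE, "192.168.1.100", "198.51.100.7"),
    }

if __name__ == "__main__":
    for scenario, gw in demo().items():
        print(f"{scenario:30} -> {gw}")
```

The `unrelated_site_in_cdn_block` case is the side effect raised above: any other site in the CDN's range also goes out the WAN, while `site_moved_outside_alias` shows the opposite failure, where the wanted site silently falls back to the VPN once its address leaves the alias.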