Route specific domains through VPN



  • Hi all,

    I've got PrivateInternetAccess setup on my local PC so that I can stream NFL games via GamePass. Instead of having all of my traffic going through the VPN, I was hoping to configure OpenVPN on my pfSense router and send any requests to the GamePass domain through the VPN, while keeping all other traffic on the main interface.

    Is this possible at all?


  • LAYER 8 Netgate

    Not really. There is no way to identify all of the IP addresses associated with a specific domain at a point they can be routed in a specific direction.

    If you subscribed to a service that had a list of destination IP addresses you could use as an alias, sure.

    It is generally easier to route everything from a specific source device over the VPN instead of trying to identify every packet related to a specific service over the VPN. That's how I geo-shift MLB.TV. Everything sourced from a specific Apple TV gets policy routed over the VPN.



  • @Derelict:

    Not really. There is no way to identify all of the IP addresses associated with a specific domain at a point they can be routed in a specific direction.

    If you subscribed to a service that had a list of destination IP addresses you could use as an alias, sure.

    It is generally easier to route everything from a specific source device over the VPN instead of trying to identify every packet related to a specific service over the VPN. That's how I geo-shift MLB.TV. Everything sourced from a specific Apple TV gets policy routed over the VPN.

    Hmm darn. Could I do something like setup a browser proxy on the pfSense box, use a Chrome addon to send all data through the proxy for a domain, then route it through the VPN that way?


  • LAYER 8 Netgate

    All you have to have is a way to identify the traffic by IP address/port/etc.

    One way I can think of is if you can actually get a chrome plugin that properly identifies all the traffic, just have it source that traffic from a second IP address on the host and route traffic sourced from that to the VPN. No idea what kind of plugin would do that.



  • @Derelict:

    All you have to have is a way to identify the traffic by IP address/port/etc.

    One way I can think of is if you can actually get a chrome plugin that properly identifies all the traffic, just have it source that traffic from a second IP address on the host and route traffic sourced from that to the VPN. No idea what kind of plugin would do that.

    Hmm, the only thing that came to mind was using Proxy Switchy Omega to have rules for routing traffic through a proxy based on domain. I'm not super proficient in the pfSense world yet, but I wonder if I can setup a proxy on the pfSense box and then route that through the VPN?


  • LAYER 8 Netgate

    Probably not. The only proxy I can think of is squid which probably won't do what you need.

    It is FAR easier to policy route traffic that does not originate on the firewall itself, since policy routing happens when traffic enters the interface. Something like privoxy running on the host might work.

    As might watching your football in a bridged VM. It would have its own LAN IP address.



  • @Derelict:

    Probably not. The only proxy I can think of is squid which probably won't do what you need.

    It is FAR easier to policy route traffic that does not originate on the firewall itself, since policy routing happens when traffic enters the interface. Something like privoxy running on the host might work.

    As might watching your football in a bridged VM. It would have its own LAN IP address.

    I was actually thinking of that last night. Perhaps just spinning up a VM on my PC and streaming from there.

    Thanks for confirming what I can and can't do, saves me from setting up Squid, etc.



  • I am interested in something similar to this and was thinking that integrating pfBlockerNG would facilitate creating an access list to be used for routing purposes. In this case I would think that adding the domain to pfb would resolve all of the IPs for that site/domain and add them to an access list, then setting a routing statement using that access list as the destination to route through the VPN instead of the WAN.

    What I am wanting to test is using pfBlocker to create an access list for the .onion domain, then routing the traffic destined to that domain through a VPN. For instance, there are Ubuntu repos on Tor, and when updating packages from that repo, I would like that traffic to automatically route through the VPN connection instead of attempting it through my WAN.
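    The trade-off raised in this thread, as an added illustration that is not from any poster: a resolver-fed destination alias (the pfBlockerNG idea above) only ever contains the addresses the resolver handed out when it was asked, so a single snapshot misses most of a service that rotates addresses. The script accumulates answers across runs into a cache and emits a one-address-per-line table of the kind a pfSense URL-table alias fetches; the hostname, addresses and rotating answers are constructed for the offline run, and the resolver is injectable so a real lookup can be swapped in.

```python
"""Accumulate the addresses a hostname resolves to across repeated lookups."""
import json
import socket
import tempfile
from pathlib import Path


def resolve(hostname: str) -> set[str]:
    """Real resolver: every A/AAAA answer the local resolver returns right now."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, 443)}


def accumulate(hostnames, cache_path: Path, resolver=resolve) -> dict[str, set[str]]:
    """Merge this run's answers into the JSON cache; return the cumulative set per host."""
    cache = json.loads(cache_path.read_text()) if cache_path.exists() else {}
    result = {}
    for host in hostnames:
        seen = set(cache.get(host, [])) | resolver(host)
        cache[host] = sorted(seen)
        result[host] = seen
    cache_path.write_text(json.dumps(cache, indent=1))
    return result


def write_alias_table(sets: dict[str, set[str]], out_path: Path) -> int:
    """One address per line, the format a URL-table alias consumes; returns the count."""
    addrs = sorted(set().union(*sets.values()))
    out_path.write_text("\n".join(addrs) + "\n")
    return len(addrs)


# Constructed answers standing in for a CDN-fronted host that rotates addresses per query.
ROTATING_ANSWERS = {
    "stream.example": [{"203.0.113.10", "203.0.113.11"}, {"203.0.113.12"},
                       {"203.0.113.10", "203.0.113.13"}],
}


def simulate(hostname: str) -> tuple[int, int, int]:
    """Return (addresses known after all rounds, addresses in the last snapshot alone,
    lines written to the alias table). Uses a throwaway cache directory."""
    workdir = Path(tempfile.mkdtemp())
    rounds = ROTATING_ANSWERS[hostname]
    for answer in rounds:
        cumulative = accumulate([hostname], workdir / "cache.json",
                                resolver=lambda h, a=answer: set(a))
    written = write_alias_table(cumulative, workdir / "alias.txt")
    return len(cumulative[hostname]), len(rounds[-1]), written


if __name__ == "__main__":
    known, snapshot, written = simulate("stream.example")
    print(f"known after {len(ROTATING_ANSWERS['stream.example'])} rounds: {known}, "
          f"single snapshot: {snapshot}, alias lines: {written}")
```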

