VPN selective Routing for specific Websites and Apps

[machinist]

At the moment, you can't restrict to a specific client IP, but if I get some free time I may add that feature.

Thanks very much for your effort in creating this.

You can always add a manual rule to send all traffic from a specific client over the VPN though

So I can create a manual rule in VPN Director to pass all traffic from a certain device/local IP thru VPN, and then use your script to setup an IPSET to pass thru regular WAN, e.g. BBC iPlayer?

Is that right?

I tried that, and it doesn't seem to function properly.

EDIT: I've set up the script according to your instructions, but only the OVPN rules work for me. Going by your example:

# Edit this list of rules (just be careful with the single quote at the beginning and end of the list):
RULES='
whatismyipaddress.com|OVPN1
netflix.com|WAN'

-navigating to whatismyipaddress.com shows the VPN IP. However, accessing netflix.com gives the browser error of "can't connect" - it doesn't even try to load. I've tested this with other sites. Appending "|WAN" breaks the connection for me. What do you think it could be?

 

[ugandy]

I may do that
I was actually thinking of turning this into a proper addon with a GUI if I can find the time to learn how. Merlin's docs look pretty good, so I may give it a go.

thanks for your script! works great!
we can even see the rules on the vpn director gui. thanks!
the only manual step for me is to grep the dnsmasq.log to see all needed IPs

 

[Charles Wilkinson]

Hey there @machinist, sorry for not replying sooner - I didn't spot this question until now.

So I can create a manual rule in VPN Director to pass all traffic from a certain device/local IP thru VPN, and then use your script to setup an IPSET to pass thru regular WAN, e.g. BBC iPlayer?

Possibly, but I'm not sure how Merlin's code would handle two conflicting/overlapping rules.
The UI says:

• OpenVPN clients set to redirect all traffic have the highest priority
• WAN rules will have priority over OpenVPN rules

But I'm not sure how to interpret them in your specific example.

However, it may be moot anyway since I just got my head around a pretty big limitation of my script:

Some domains (like netflix.com) use DNS-based load-balancing and as such, return different IPs each time you do a lookup.
This means that nslookup always gets different IPs and so the script will always think that IPs have changed.
It also means that clients will often be provided with an IP that is not the one the script got and so that traffic would slip past the checks and escape over the WAN

I’ve tried to find a workaround for this, but sadly, I don’t think there is one. Providers like Netflix use huge IP ranges that change often. We don’t have a reliable way to get all of them at any time.
As such, I think it’s better to only use this script to direct specific traffic to smaller providers over the VPN, rather than send all traffic over the VPN and then add WAN exceptions.
Basically, don’t add hosts (like netflix.com) that have this issue.

I think you would hit that issue trying to add BBC iPlayer as a rule.

 

[Charles Wilkinson]

For anyone else who is using my script, I have recently published some major updates to it and have moved it to github to make it easier for people to see if it has changed.
It's been significantly improved and several bugs have been squashed.
I also recommend reading the Limitation section in the readme.
https://github.com/kabadisha/host-based-vpn-routing