
It is not always necessary to route all traffic with OpenVPN. Is there any way to add some GeoIP rules (by country) in OpenVPN?

Second question: how to use a domain-name wildcard in OpenVPN routing? This link helps for single-domain routing.

In summary, I am looking for something like Clash for OpenVPN that is able to exclude specific targets (by domain name and GeoIP) from being routed through the tunnel.

Example Rules in Clash:
- DOMAIN-SUFFIX,google.com,auto
- DOMAIN-KEYWORD,google,auto
- DOMAIN,google.com,auto
- DOMAIN-SUFFIX,ad.com,REJECT
- IP-CIDR,127.0.0.0/8,DIRECT
- SOURCE-IP-CIDR,192.168.1.201/32,DIRECT
- GEOIP,CN,DIRECT
Ali
  • 294

2 Answers

I want to say "you can't do that", but experience has taught me that it's better never to say never. So instead I'll adjust this: "I don't think you can do that, and here's why".

Routing is based on IP networks and gateways. So you could route traffic for a network such as 10.1.2.0/24 via your specific OpenVPN gateway, while leaving other traffic to use your default route. Or you could choose to do this the other way around, having most traffic sent across the VPN tunnel but with specific exclusions.

Domains, domain names, and host names usually map to IP addresses. In some cases they map to multiple IP addresses, and that's the problem here. You would have to create routes for every possible IP address related to a host name. Furthermore, you don't have any control over the mapping of host name to IP address, and it could change at any moment.

Right now for me here in UK, google.com maps to 142.250.200.46. If I try again I get the different address 172.217.169.78, and yet a third time gets me 142.250.180.14. Each time I get only one address, so I cannot identify the full set of possible addresses for google.com.

I could set up routes for 142.250.200.46, 172.217.169.78 and 142.250.180.14 to catch requests for google.com, but I wouldn't be able to guarantee I'd got all the addresses for google.com, so I couldn't guarantee that all my google.com traffic was routed the way I would want it to be.

The Clash tool you referenced works in a slightly different way. It is a SOCKS proxy so it has control over the name/address lookup. So when an address is required for a name it can first check its table of names to determine special case handling. Only then will it determine the appropriate IP address.

Chris Davies
  • 4,560
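The static form of what this answer describes (routes keyed on IP networks, with the VPN gateway or the original default gateway as the next hop) can be generated from a country-to-CIDR list. The script below is an added example, not code from the thread or from OpenVPN; it assumes a "CC,network/prefix" GeoIP dump (the sample data is constructed, not real allocation data), IPv4 only, and OpenVPN's special `route` gateway names `vpn_gateway` and `net_gateway`. The last function shows the weak spot the answer points out: host routes built from one round of lookups only cover the addresses seen so far.

```python
"""Static split tunnelling for OpenVPN, generated from a GeoIP CIDR list.

Added example, not from the original thread.  Assumptions: the GeoIP data is
a "CC,network/prefix" text dump (the sample below is constructed, not real
allocation data), IPv4 only, and the client config uses OpenVPN's special
route gateways "vpn_gateway" and "net_gateway".
"""
import ipaddress

# Constructed sample of a country-to-CIDR dump.
SAMPLE_GEOIP_CSV = """\
# country,cidr
CN,1.0.2.0/24
CN,1.0.3.0/24
US,3.0.0.0/8
DE,5.9.0.0/16
CN,14.0.12.0/22
"""


def load_geoip(csv_text):
    """Parse 'CC,cidr' lines into {country: [IPv4Network, ...]}."""
    table = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cc, cidr = line.split(",", 1)
        table.setdefault(cc.strip().upper(), []).append(
            ipaddress.ip_network(cidr.strip(), strict=False))
    return table


def route_directive(net, gateway):
    """One OpenVPN 'route network netmask gateway' line (dotted netmask form)."""
    return f"route {net.network_address} {net.netmask} {gateway}"


def _networks_for(table, countries):
    nets = []
    for cc in countries:
        nets.extend(table.get(cc.upper(), []))
    # Merge adjacent blocks (1.0.2.0/24 + 1.0.3.0/24 -> 1.0.2.0/23) so the
    # routing table stays small.
    return list(ipaddress.collapse_addresses(nets))


def bypass_countries(table, countries):
    """Send everything through the VPN except the listed countries.

    'redirect-gateway def1' takes the default route; each excluded block gets
    an explicit route via net_gateway, the pre-VPN default gateway.
    """
    lines = ["redirect-gateway def1"]
    lines += [route_directive(n, "net_gateway") for n in _networks_for(table, countries)]
    return lines


def tunnel_only_countries(table, countries):
    """Inverse policy: keep the local default route, tunnel only these countries.

    'route-nopull' drops any routes the server pushes, so only the routes
    listed here go via vpn_gateway.
    """
    lines = ["route-nopull"]
    lines += [route_directive(n, "vpn_gateway") for n in _networks_for(table, countries)]
    return lines


def host_routes(resolved_addresses, gateway="vpn_gateway"):
    """Host routes for the IPv4 addresses a name resolved to at one moment.

    This is the weak spot the answer describes: the list is only what the
    lookups returned so far, and the name-to-address mapping can change.
    """
    addrs = sorted({ipaddress.ip_address(a) for a in resolved_addresses})
    return [route_directive(ipaddress.ip_network(f"{a}/32"), gateway) for a in addrs]


if __name__ == "__main__":
    geo = load_geoip(SAMPLE_GEOIP_CSV)
    print("\n".join(bypass_countries(geo, ["CN"])))
    print()
    # The three answers seen for google.com in the thread, as a host-route list.
    print("\n".join(host_routes(["142.250.200.46", "172.217.169.78", "142.250.180.14"])))
```

The generated lines go into the client's `.ovpn` file. Because the GeoIP data and the DNS answers both change over time, the output has to be regenerated and the client restarted; nothing here reacts to a lookup at run time, which is the difference from the Clash rules in the question.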

You want dynamic split tunneling. As far as I can tell so far, OpenVPN only offers static split tunneling.

What Chris Davies suggests points to something theoretically possible with a modified client. The client does the DNS lookup and, using an internal GeoIP database, determines if a new route for that IP range should be added to the device's routing table (either to go through the tunnel or not, depending on the rule).

Problem 1:

Having clients do the DNS lookup undermines the privacy of DNS lookups. Having the server do it, or doing it by proxy, preserves device privacy.

Problem 2:

Some DNS servers resolve the IP address according to the GeoIP of the client making the request. Therefore, if the VPN server makes the request on the client's behalf, the IP may be the "wrong one".

That is to say, a perfect solution may not exist for all services.

Perhaps the devs have already made this feature. If not, check out the Android client source code.

Otheus
  • 121
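The per-lookup decision this answer sketches, written out as an added example (not code from the thread, from Clash or from any OpenVPN client): after the client resolves a name, an ordered rule list in the syntax of the Clash rules quoted in the question is evaluated, first match wins, and the matching policy is turned into a host-route command. The GeoIP table is constructed, and the tun device name `tun0` and LAN gateway `192.168.1.1` are assumptions; no real DNS or routing is touched. The second `cdn.example` lookup in the usage section is Problem 2 from the answer: the same name resolved by a resolver in a different country lands in a different GEOIP bucket and gets a different decision.

```python
"""Clash-style rule evaluation for per-lookup (dynamic) split tunnelling.

Added example, not from the original thread.  Models the client-side decision
the answer describes: once a name has resolved, an ordered rule list decides
whether that address goes via the tunnel or the physical interface.
Assumptions: constructed GeoIP table, tun device "tun0", LAN gateway
"192.168.1.1".  Nothing here changes the real routing table.
"""
import ipaddress

# Constructed GeoIP table (not real allocation data).
GEOIP = {
    "CN": [ipaddress.ip_network("1.0.2.0/23"), ipaddress.ip_network("14.0.12.0/22")],
    "US": [ipaddress.ip_network("3.0.0.0/8"), ipaddress.ip_network("142.250.0.0/15")],
}

# Ordered rules in the syntax quoted in the question; first match wins,
# "MATCH" is the fallback.  Policies: PROXY = tunnel, DIRECT = bypass, REJECT.
RULES = [
    "DOMAIN-SUFFIX,ad.com,REJECT",
    "DOMAIN,intranet.example,DIRECT",
    "DOMAIN-KEYWORD,google,PROXY",
    "IP-CIDR,127.0.0.0/8,DIRECT",
    "SOURCE-IP-CIDR,192.168.1.201/32,DIRECT",
    "GEOIP,CN,DIRECT",
    "MATCH,PROXY",
]

TUN_DEV = "tun0"             # assumption: OpenVPN's tun device
LAN_GATEWAY = "192.168.1.1"  # assumption: the physical default gateway


def country_of(ip):
    """Country code whose CIDR contains ip, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in GEOIP.items():
        if any(addr in n for n in nets):
            return cc
    return None


def parse_rule(rule):
    """Split 'TYPE,arg,policy' (or 'MATCH,policy') into a 3-tuple."""
    parts = rule.split(",")
    if parts[0] == "MATCH":
        return parts[0], None, parts[1]
    return parts[0], parts[1], parts[2]


def decide(domain, resolved_ip, source_ip, rules=RULES):
    """Evaluate the rules in order for one DNS answer; return the policy."""
    addr = ipaddress.ip_address(resolved_ip)
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        kind, arg, policy = parse_rule(rule)
        if kind == "DOMAIN" and domain == arg:
            return policy
        if kind == "DOMAIN-SUFFIX" and (domain == arg or domain.endswith("." + arg)):
            return policy
        if kind == "DOMAIN-KEYWORD" and arg in domain:
            return policy
        if kind == "IP-CIDR" and addr in ipaddress.ip_network(arg):
            return policy
        if kind == "SOURCE-IP-CIDR" and src in ipaddress.ip_network(arg):
            return policy
        if kind == "GEOIP" and country_of(resolved_ip) == arg:
            return policy
        if kind == "MATCH":
            return policy
    return "PROXY"  # no MATCH rule given: default to the tunnel


def route_command(resolved_ip, policy):
    """The host route a modified client would install for this decision."""
    if policy == "DIRECT":
        return f"ip route add {resolved_ip}/32 via {LAN_GATEWAY}"
    if policy == "PROXY":
        return f"ip route add {resolved_ip}/32 dev {TUN_DEV}"
    if policy == "REJECT":
        return f"ip route add blackhole {resolved_ip}/32"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed lookups.  The last two are the same name answered by a
    # resolver in China and by one in the US (the answer's Problem 2).
    lookups = [
        ("ads.ad.com", "3.3.3.3", "192.168.1.50"),
        ("www.google.com", "142.250.200.46", "192.168.1.50"),
        ("cdn.example", "1.0.2.10", "192.168.1.50"),
        ("cdn.example", "3.1.2.3", "192.168.1.50"),
    ]
    for domain, ip, src in lookups:
        policy = decide(domain, ip, src)
        print(f"{domain:16} {ip:16} {policy:7} {route_command(ip, policy)}")
```

Since the decision depends on the resolved address, the client has to perform (or at least see) the lookup itself, which is exactly the privacy trade-off the answer calls Problem 1; resolving on the VPN server side would make the GEOIP rule fire on the server's view of the name rather than the client's.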