OPNsense Forum

English Forums => Virtual private networks => Topic started by: Irishfluter on April 05, 2023, 01:22:03 am

Title: Way to allow specific URL to bypass VPN?
Post by: Irishfluter on April 05, 2023, 01:22:03 am
I don't know if what I want to do is possible -- having set up NordVPN using OpenVPN, is there a way that a specific set of URLs can bypass the VPN?

I know you can set specific device(s) to not use the VPN, but what I want is to be able to define URLs that will not route through the VPN for all connected devices.

Any thoughts / help greatly appreciated!

Title: Re: Way to allow specific URL to bypass VPN?
Post by: bartjsmit on April 05, 2023, 10:59:57 am
If you can't route on IP address, I'd say you need a proxy. For HTTP URLs that would be Squid.

Title: Re: Way to allow specific URL to bypass VPN?
Post by: andrewoliv on April 07, 2023, 02:22:02 am
I do not think OPNsense has this capability. However, I have discovered Vilfo recently. I was going to set up OPNsense as a VPN router but instead I installed Vilfo. Vilfo is a full-featured VPN router. WWW.Vilfo.com

There is a Firefox extension that works in conjunction with your Vilfo appliance (I installed it on a Protectli appliance). This extension allows you to choose by URL what goes through a VPN and what does not.

It was the main reason I moved away from OPNsense for this effort. I still have an OPNsense firewall.

Title: Re: Way to allow specific URL to bypass VPN?
Post by: meyergru on April 07, 2023, 02:45:17 pm
Routing and URLs are different concepts. If you set up your default route going through a VPN, everything goes through that VPN. In order to have some URLs go through a different route, you need to

1. Set up a default route through the VPN and a more specific route to be used for the specific URLs. That in itself is very difficult and most likely would be a host-specific route that only links to an upstream HTTP proxy from which the traffic fans out (this you need to have, too).

2. Have something in place that can inspect URLs and decide which route to use. You could use squid for that, however, with most web traffic being encrypted these days, you must inspect HTTPS traffic in the first place, so your setup needs to do HTTPS termination which breaks with certificate pinning (https://help.zscaler.com/zia/certificate-pinning-and-ssl-inspection). You also need to inject your SSL termination CA into your browsers. So that is quite difficult as well.

You might be better off using some native VPN client if that supports differentiation via URLs. If you aim to have this for an appliance like AppleTV or FireTV stick, where you cannot install such a client, you are out of luck.

If your URL list is short and, depending on what you try to achieve, you only need a few IPs or networks as exceptions, you could get away with specific routes overriding the VPN default route.
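To make the routing-versus-URL distinction from the reply above concrete, here is an added example (not code from the thread or from OPNsense): it takes a URL bypass list, reduces it to hostnames (paths and schemes cannot influence a route), looks the hosts up in a constructed DNS answer table so it runs offline, and emits the host routes a route-based exception would need, flagging hosts that resolve to too many addresses for static routes to be practical. The threshold `MAX_ADDRS_PER_HOST` and the DNS table are assumptions.

```python
"""Decide whether a URL bypass list can be handled with host routes.

Routing works on destination IPs, not URLs, so the most a route-based
exception can express is "all traffic to these hosts' addresses".
"""
from urllib.parse import urlsplit
from ipaddress import ip_address

# Constructed DNS answers standing in for real resolution (assumption).
DNS = {
    "bank.example": ["198.51.100.10"],
    "news.example": ["203.0.113.5", "203.0.113.6"],
    "cdn.example": [f"192.0.2.{i}" for i in range(1, 40)],
}

MAX_ADDRS_PER_HOST = 8  # assumed limit; beyond this static routes get unwieldy


def hosts_from_urls(urls):
    """Extract hostnames; the path part of a URL is invisible to routing."""
    hosts = set()
    for u in urls:
        parts = urlsplit(u if "://" in u else "https://" + u)
        if parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


def plan_bypass_routes(urls, resolve=DNS.get):
    """Return (routes, infeasible): routes is a sorted list of /32 strings,
    infeasible lists hosts that do not resolve or have too many addresses."""
    routes, infeasible = set(), []
    for host in sorted(hosts_from_urls(urls)):
        addrs = resolve(host) or []
        if not addrs or len(addrs) > MAX_ADDRS_PER_HOST:
            infeasible.append(host)
            continue
        for a in addrs:
            routes.add(f"{ip_address(a)}/32")  # validates the address
    return sorted(routes), infeasible


if __name__ == "__main__":
    sample = ["https://bank.example/login", "https://bank.example/accounts",
              "news.example/sports", "https://cdn.example/video"]
    print(plan_bypass_routes(sample))
```

Hosts that land in the infeasible list are the ones where the reply's proxy-based approach (Squid with HTTPS termination) becomes the only option.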