OPNsense Forum

English Forums => Virtual private networks => Topic started by: djronh1 on March 21, 2021, 11:14:59 pm

Title: Trying to force certain hosts to use VPN when visiting certain URL
Post by: djronh1 on March 21, 2021, 11:14:59 pm
Hi All,

I've successfully set up my OPNsense with Mullvad VPN per this wiki article:
https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

If I force all traffic not destined for the local LAN, it works great.

Now I'm trying to configure such that only a subset of hosts on my LAN will use VPN when visiting a given list of URLs.

I used aliases for both: the list of hosts that should use the VPN, as well as the list of URLs.

I already posted the question in this thread: https://forum.opnsense.org/index.php?topic=21205.msg104373#msg104373

But I could not find a solution, so it was recommended I repost here instead.


Title: Re: Trying to force certain hosts to use VPN when visiting certain URL
Post by: Greelan on March 22, 2021, 02:12:02 am
Maybe you need to include the destination URL Alias in the destination address field in the outbound NAT rule?
Title: Re: Trying to force certain hosts to use VPN when visiting certain URL
Post by: djronh1 on March 23, 2021, 12:24:01 am
I added the VPN_Required URLs list alias to the outbound NAT rule, and I'm still having the same issue.
Title: Re: Trying to force certain hosts to use VPN when visiting certain URL
Post by: Greelan on March 23, 2021, 01:15:05 am
Lemme do my own experimenting over the weekend and I will see whether I have any more luck
Title: Re: Trying to force certain hosts to use VPN when visiting certain URL
Post by: Greelan on March 27, 2021, 07:40:13 am
So I did some experimenting, and specifying a destination URL through an Alias in the firewall rule worked fine for me. I can see in the live logs only that traffic going down the WG tunnel, and I can also see my VPN provider's IP on the website (I used www.whatsmyip.org in my test, and compared what I saw there when browsing to what I saw with ipinfo.io).

One thing I did notice when setting this up is that DNS resolution on OPNsense was broken when I had specified in the WG Local configuration the DNS server IPs given to me by my VPN provider. Those IPs are local IPs (ie 10.0.0.x) and it appeared that OPNsense tried to use those for resolution - which was interesting, and not what I had intended. So I changed the WG Local configuration so the DNS Server field was blank, and the issue was solved. Maybe you are affected by this issue, ie the Alias you have created is not actually resolving the URLs?

On the subject of DNS, note some additional discussion in the original tutorial thread, where it has been discovered that, depending on the user's network DNS server setup, DNS leaks can occur.
Title: Re: Trying to force certain hosts to use VPN when visiting certain URL
Post by: Learning on August 20, 2021, 04:01:42 pm
Quote from: djronh1 on March 23, 2021, 12:24:01 am
I added the VPN_Required URLs list alias to the outbound NAT rule, and I'm still having the same issue.

Resurrecting an old thread to say THIS was the key to having URLs bypass the VPN for me.
I had created an alias list of URLs, and placed it in the Firewall Rules section, but had not generated a NAT Outbound rule.

Having searched the forum and found this post, it is now working for me (on simple URLs at least).
Thanks for the tip  :)
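Added example, not code from OPNsense or from anyone in this thread: a small Python model of the three things that have to line up in the setup discussed above for a listed LAN host to reach a listed destination through the WireGuard tunnel. It models Greelan's March 27 check (compare the IP reported by a site on the alias list with one that is not) and Greelan's caveat that a URL alias only matches once the firewall has actually resolved its entries, and it models the point from the last post that a policy-routing firewall rule without a matching outbound NAT rule on the WG interface is not enough. All addresses, alias names and DNS answers are constructed; the rule evaluation is deliberately simplified compared with pf.

```python
"""Added example (not OPNsense code): a small model of the selective-routing setup
discussed in this thread. Three pieces have to line up for a LAN host to reach an
aliased destination through the WireGuard tunnel: the host alias, the URL alias
actually resolving, and an outbound NAT rule on the WG interface.
All addresses, alias names and DNS answers below are constructed for the example."""

from dataclasses import dataclass

# Constructed aliases, as OPNsense would hold them.
VPN_HOSTS = {"192.168.1.50", "192.168.1.51"}            # "hosts that must use the VPN"
VPN_URLS = ["www.example.org", "check.example.net"]     # "URLs that must use the VPN"

# Constructed DNS answers. A URL/host alias only matches packets once the firewall
# has resolved its entries; an empty answer models the broken resolution described
# in the thread (alias present, but nothing in it to match).
DNS_OK = {"www.example.org": {"203.0.113.10"},
          "check.example.net": {"198.51.100.7"}}
DNS_BROKEN = {}

WAN_PUBLIC_IP = "192.0.2.1"        # constructed: what sites see without the VPN
PROVIDER_EXIT_IP = "198.18.0.99"   # constructed: what sites see via the provider
WG_TUNNEL_IP = "10.64.0.2"         # constructed: address assigned inside the tunnel


def resolve_alias(names, dns):
    """Turn a URL/host alias into the set of IPs the firewall can match on."""
    ips = set()
    for name in names:
        ips |= dns.get(name, set())
    return ips


@dataclass
class Policy:
    vpn_dest_ips: set          # resolved VPN_URLS alias
    nat_on_wg: bool            # outbound NAT rule on the WG interface present?


def route(src, dst, policy):
    """Model the LAN rule 'src in VPN_HOSTS and dst in VPN_URLS -> gateway WG'.

    Returns (gateway, source address the packet carries when it leaves).
    Without outbound NAT the packet enters the tunnel with its LAN source address.
    WireGuard on the far side discards inner packets whose source is not in the
    AllowedIPs it has for this peer, so such a connection never gets a reply.
    """
    if src in VPN_HOSTS and dst in policy.vpn_dest_ips:
        return ("WG", WG_TUNNEL_IP if policy.nat_on_wg else src)
    return ("WAN", WAN_PUBLIC_IP)


def observed_ip(src, dst, policy):
    """The address a 'what is my IP' site at dst would report, or None if the
    connection cannot complete. This is the check used in the thread: compare a
    site on the alias list against one that is not."""
    gateway, wire_src = route(src, dst, policy)
    if gateway == "WAN":
        return WAN_PUBLIC_IP
    return PROVIDER_EXIT_IP if wire_src == WG_TUNNEL_IP else None


def scenario(dns, nat_on_wg):
    """Run the thread's test matrix against one configuration."""
    policy = Policy(resolve_alias(VPN_URLS, dns), nat_on_wg)
    return {
        "listed host, listed site": observed_ip("192.168.1.50", "203.0.113.10", policy),
        "listed host, other site": observed_ip("192.168.1.50", "203.0.113.99", policy),
        "other host, listed site": observed_ip("192.168.1.77", "203.0.113.10", policy),
    }


if __name__ == "__main__":
    for label, dns, nat in [("working setup", DNS_OK, True),
                            ("no outbound NAT on WG", DNS_OK, False),
                            ("alias not resolving", DNS_BROKEN, True)]:
        print(f"{label}: {scenario(dns, nat)}")
```

Only the "working setup" row reports the provider's exit address for the listed host and listed site while everything else still shows the WAN address. With the NAT rule missing, the listed pair gets no answer at all rather than the wrong address, and with the alias not resolving, everything quietly goes out the WAN, which is the symptom to look for when an alias-based rule appears to be ignored.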