Score:0

Block websites for my VPN users

I have strongSwan running fine. I need to block some bad websites by their domains from being visited by VPN users. I tried many methods but had no luck, such as redirecting traffic from the VPN to a proxy server like Squid, but I discovered that traffic forwarded to Squid is handled by the website's IP, not the domain name, so this technique did not succeed.

Maybe this is not strongSwan's business, but any idea will be welcomed.

Thanks in advance.

Omid Estaji: It's possible to find the website's IPs, then block them in the firewall (iptables), but it's not based on FQDNs.
@OmidEstaji Some sites share the same IP with their subdomains, so I want to block the exact domain.
Score:1
This has nothing to do with VPN and everything to do with proxy software.

What you're looking for is a transparent intercepting proxy. Unless you can push a new CA certificate to your client machines you're most likely looking for Squid's peek-and-splice mode to inspect the ClientHello of TLS connections.

Note that this isn't perfect, as domain fronting will bypass it and so will using another proxy that isn't blacklisted, but it's the best you can do with those constraints.

Score:1
The way I would solve such a problem is to adjust the strongSwan VPN exit node with a transparent proxy:

https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

You will however either need to allow HTTPS to bypass the proxy or set up SSL interception (which is quite difficult and needs access to your clients' PCs).

Another way to solve the problem is to introduce your own DNS that will point your users to your own IP address for domain names that are blacklisted... This of course means that you are running DHCP and nobody's smart enough to use a custom DNS or DNS over HTTPS.

I installed a DNS server on a new PC, let's name it pc1, and I pointed pc2's network DNS to pc1 and blocked facebook.com, but it did not work as I saw in some tutorial. This is just a test of whether I can block a domain on my own PC with my own DNS server.
Roman Spiak: No idea on the specifics of your DNS setup. Please know that big corporations also use this DNS blocking mechanism to prevent (for example) Facebook access for their employees. This means that domain blocking via a DNS server is a tested and working solution. If you have trouble setting up DNS blocking, ask another question related to that topic and provide details of that setup.
It worked for me, thanks.
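The DNS-based approach from the answer above, as an added example (written for this page, not the code of any resolver project): a function inspects a DNS query packet and, for a blacklisted name, builds a response that points the client at a sinkhole address of your own; for every other name it returns None so the query can be forwarded to the normal upstream resolver unchanged. The query builder is a constructed fixture, SINKHOLE_IP is a documentation-range address standing in for your block-page host, and the blocklist is assumed to cover subdomains of each entry.

```python
import socket
import struct
from typing import Iterable, Optional, Tuple

SINKHOLE_IP = "192.0.2.1"    # assumption: address of the host serving your block page
QTYPE_A = 1


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed standard A query with RD set (test fixture, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("idna")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPE_A, 1)   # QTYPE A, QCLASS IN


def parse_question(packet: bytes) -> Tuple[int, str, int, bytes]:
    """Return (txid, qname, qtype, raw question section) of a single-question query."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + n].decode("ascii", "replace"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels).lower(), qtype, packet[12:pos + 4]


def is_blocked(qname: str, blocklist: Iterable[str]) -> bool:
    """Assumed semantics: a listed domain covers itself and its subdomains."""
    qname = qname.lower().rstrip(".")
    return any(qname == b or qname.endswith("." + b) for b in blocklist)


def sinkhole_response(packet: bytes, blocklist: Iterable[str], ttl: int = 60) -> Optional[bytes]:
    """Answer a blocked name with SINKHOLE_IP; return None when the query should
    be forwarded upstream as-is. A blocked name asked for any other record type
    (e.g. AAAA) gets an empty NOERROR answer so no real address leaks out."""
    txid, qname, qtype, question = parse_question(packet)
    if not is_blocked(qname, blocklist):
        return None
    ancount = 1 if qtype == QTYPE_A else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)   # QR, RD, RA, NOERROR
    if ancount == 0:
        return header + question
    answer = (b"\xc0\x0c"                                  # name: pointer to the question at offset 12
              + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)   # TYPE A, CLASS IN, TTL, RDLENGTH
              + socket.inet_aton(SINKHOLE_IP))
    return header + question + answer


def answered_address(response: bytes) -> Optional[str]:
    """Address in the single A record of a response built above, if any."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None
```

To turn this into a working resolver you would bind UDP port 53, hand each datagram to sinkhole_response, and relay the None cases to your upstream resolver. As the answer already says, it only works while clients use the resolver you hand out: a client configured with another DNS server or with DNS over HTTPS never asks you, and the remaining defence for those is blocking outbound port 53 and known DoH endpoints at the firewall.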