Score:0

openvpn split-tunneling for a blacklist

gw flag

I want all my internet traffic to go through the vpn, except a few sites (e.g. so I can stream shows normally, but run other things through the vpn).

My vpn provider gives me a .ovpn file. I should quickly mention I have fibromyalgia and can't think well. So I've blindly added the following verbatim, kinda randomly somewhere in the middle of the .ovpn file, which I got from other threads.

allow-pull-fqdn
route www.netflix.com 255.255.255.255 net_gateway
route www.disneyplus.com 255.255.255.255 net_gateway
route www.primevideo.com 255.255.255.255 net_gateway

But alas, when I visit the sites listed, I can see that I still go through the vpn because they don't behave correctly, with missing shows or simply not loading (whereas, when I don't use the vpn, they are fine). Hopefully it's not because those domains have multiple ips or something. I'm running arch linux. Is there a special place in the file I need to put my block? The file looks like this (I think those files are public anyway, but I removed the keys):

client
dev tun
proto udp
remote 89.47.234.171 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no

<-- I tried here

remote-cert-tls server

auth-user-pass
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

Score:1
za flag

Hopefully it's not because those domains have multiple ips or something. — they definitely do. Also they might use DNS round-robin load balancing, which means that the answers to individual DNS queries can differ substantially (not just in order, but the whole set of IPs may differ), and they likely use geographically distributed CDNs backed by DNS, so DNS answers to queries made through the VPN and without it will also differ. When OpenVPN prepares to establish the connection it queries DNS through the currently available, locally configured name servers, while once the VPN connection is established DNS might be queried through the VPN, or the DNS servers in use might even change to VPN-provided ones, so the browser gets a different answer than OpenVPN got during initialization.

Look:

merlin@hpprobook ~ $ host www.netflix.com
www.netflix.com is an alias for www.dradis.netflix.com.
www.dradis.netflix.com is an alias for www.eu-west-1.internal.dradis.netflix.com.
www.eu-west-1.internal.dradis.netflix.com is an alias for apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com.
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has address 54.246.79.9
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has address 54.170.196.176
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has address 52.214.181.141
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b685:3b38:679d:2640:1ced
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b684:8e48:47c9:84aa:b34d
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b683:f711:f0cf:5cc7:b815
merlin@hpprobook ~ $ host www.netflix.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases: 

www.netflix.com is an alias for www.dradis.netflix.com.
www.dradis.netflix.com is an alias for www.eu-west-1.internal.dradis.netflix.com.
www.eu-west-1.internal.dradis.netflix.com is an alias for apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com.
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has address 54.155.246.232
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has address 18.200.8.190
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has address 54.73.148.110
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b685:c898:aa3a:42c7:9d21
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b683:e1fe:9fbf:c403:57f1
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b684:b233:ac1f:be1f:7

Two consecutive queries, one through local DNS, the other via Google. Clearly it uses geolocation. Also we see two different AWS load balancers; I am sure some AWS mechanisms are also in play here.


As a consequence, when you work with routing, don't use names. Instead, you should determine all the IPs you want to guarantee to be routed in a certain way and put them into the config file as IPs. Routing doesn't know anything about names; IP addresses are its topic.

As for the OpenVPN configuration file format: there is no special place, and you can put directives in any order. Only make sure you don't put them within the cert and other such blocks.
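Added example, not code from the question or the answer: a small Python helper that parses `host` output like the two answers above, unions the A/AAAA records seen across resolvers, and emits the per-address `route ... net_gateway` lines the question tried to write by name. The sample `host` text is constructed from the output shown in the answer, and the function names are mine.

```python
import ipaddress
import re
# Constructed sample, abridged from the two `host www.netflix.com` answers in the
# answer above (local resolver vs. 8.8.8.8); an alias line is kept to show it is skipped.
HOST_LOCAL = """\
www.netflix.com is an alias for www.dradis.netflix.com.
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has address 54.246.79.9
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has address 54.170.196.176
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has address 52.214.181.141
apiproxy-website-nlb-prod-1-5675d5ecda6efdd8.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b685:3b38:679d:2640:1ced
"""
HOST_GOOGLE = """\
www.netflix.com is an alias for www.dradis.netflix.com.
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has address 54.155.246.232
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has address 18.200.8.190
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has address 54.73.148.110
apiproxy-website-nlb-prod-2-b4de62b516adfbbf.elb.eu-west-1.amazonaws.com has IPv6 address 2a05:d018:76c:b684:b233:ac1f:be1f:7
"""
ADDRESS_RE = re.compile(r" has (?:IPv6 )?address (\S+)$")

def parse_host_output(text):
    """Return (ipv4_set, ipv6_set) from one `host` answer; alias lines are skipped."""
    v4, v6 = set(), set()
    for line in text.splitlines():
        m = ADDRESS_RE.search(line.rstrip())
        if m:
            addr = ipaddress.ip_address(m.group(1))  # rejects garbled output early
            (v6 if addr.version == 6 else v4).add(addr)
    return v4, v6

def union_answers(outputs):
    """Union over answers from several resolvers; no single answer is trusted alone."""
    parsed = [parse_host_output(t) for t in outputs]
    return set().union(*(p[0] for p in parsed)), set().union(*(p[1] for p in parsed))

def openvpn_route_lines(ipv4s):
    """One host route per address, in the `net_gateway` form the question uses."""
    return [f"route {ip} 255.255.255.255 net_gateway" for ip in sorted(ipv4s)]

def single_answer_is_incomplete(outputs):
    """True when no single answer covers the union, i.e. a name in `route` would only
    pin whichever few addresses OpenVPN happened to resolve at startup."""
    union = union_answers(outputs)[0]
    return all(parse_host_output(t)[0] != union for t in outputs)

if __name__ == "__main__":
    v4, v6 = union_answers([HOST_LOCAL, HOST_GOOGLE])
    print("\n".join(openvpn_route_lines(v4)))
    # AAAA answers are collected but not emitted: the page shows only the IPv4 `route` form.
    print("# IPv6 addresses not covered above:", ", ".join(map(str, sorted(v6))))
```

Feed it the output of `host <name> <resolver>` from several resolvers and several runs; if `single_answer_is_incomplete` is true, the union is still only a snapshot, and the IPv6 side must be handled separately or the browser will simply reach the site over its AAAA record through the tunnel.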
