
I am currently trying to block some websites by their domain names for all the clients of my OpenVPN server.

My first idea was to use the /etc/hosts file. But its effects seem to be limited to the host only and are not taken into consideration by OpenVPN.

I then tried to configure bind9 and to interface it with OpenVPN, but that solution was unsuccessful and not easy to use.

After this, I considered using iptables to drop all the packets from/to those websites, but that forum thread made me think otherwise, since iptables' behavior with FQDNs may generate complex issues.

Have you got a solution to block websites for all clients using an OpenVPN server on which I am root?

Asche

4 Answers


You do it the same way you block websites for users on your company network: Run a proxy server and force everyone's web traffic through it.

Michael Hampton

I faced a similar issue. I just changed the DNS on OpenVPN's server.conf file to

push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

i.e. OpenDNS. And from the OpenDNS control panel, I blocked the sites I didn't want clients to access from the VPN. P.S. An OpenDNS free home account would be needed, along with a static IP for the VPN server.


That's quite logical, as the DNS server used by the client is probably not your host. What you can do is get all their IPs and block those IPs instead of the hostnames.

Even when you configure a DNS server which "blocks" these domain names, the client might still choose to operate with a different DNS server, and he will be able to bypass this control.

Lucas Kauffman
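One way to carry out the "block their IPs instead of the hostnames" approach from this answer, as an added example that is not from the thread: a POSIX shell script that resolves each blocked domain to its current IPv4 addresses and emits iptables rules dropping forwarded traffic from the VPN subnet to them. The subnet 10.8.0.0/24, the sample domain list and the "blocked:" rule comment are assumptions.

```shell
#!/bin/sh
# Added example: resolve blocked domains to IPv4 addresses and produce
# iptables FORWARD rules that drop VPN-client traffic to those addresses.
# Assumptions (not from the thread): OpenVPN clients live in 10.8.0.0/24,
# the server forwards their traffic, and the domain list is constructed.

VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"
BLOCKED_DOMAINS="example.com example.net"

# Resolve a domain to a sorted, de-duplicated list of IPv4 addresses
# (glibc getent; the "ahostsv4" database returns one address per line).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Print one DROP rule per address. "-I" inserts at the top of FORWARD so an
# existing ACCEPT rule for the VPN cannot shadow the block; the comment tags
# each rule with its domain so stale rules can be found and removed later.
build_rules() {
    domain="$1"
    shift
    for ip in "$@"; do
        printf 'iptables -I FORWARD -s %s -d %s -m comment --comment "blocked:%s" -j DROP\n' \
            "$VPN_SUBNET" "$ip" "$domain"
    done
}

# Build rules for every domain in the list. Prints the commands rather than
# running them so they can be reviewed; domains that do not resolve are skipped.
build_all() {
    for d in $BLOCKED_DOMAINS; do
        ips=$(resolve_ipv4 "$d")
        [ -n "$ips" ] || { echo "warning: $d did not resolve, skipped" >&2; continue; }
        # shellcheck disable=SC2086  # word-splitting of $ips is intended
        build_rules "$d" $ips
    done
}

# Usage: block_domains.sh print  -> show the rules
#        block_domains.sh apply  -> run them (requires root)
case "${1:-}" in
    print) build_all ;;
    apply) build_all | sh ;;
    *) echo "usage: $0 print|apply" >&2 ;;
esac
```

Because it matches on addresses rather than on HTTP headers, this blocks HTTPS as well as HTTP, but the addresses behind a domain change, so the script has to be re-run (for example from cron) and old "blocked:" rules flushed first.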

You can also try to filter using iptables and the string filtering capabilities. It should be something like this:

iptables -A FORWARD -m string --algo bm --string 'Host: facebook.com' -j DROP

It would be rather complicated (as you need to keep a list of DNS names and build a command like that for each one), but, as @LucasKauffman already pointed out, you are not in control of the DNS, so no filtering there.

Also, please note that this would only work for HTTP and not HTTPS, as all requests are encrypted in HTTPS.