
I noticed a DNS proxy service I saw utilizes openvpn and supposedly tunnels only DNS traffic through the VPN, which masks the VPN users' geolocation and allows the user's system to use their initial connection for all other traffic.

I could see this being very useful for a project I'm working on that utilizes VPNs, and the traffic that I would want routed through the tunnel would be DNS specifically for certain intranet sites we have.

I have tried thinking of how their setup is working via openvpn; I cannot seem to find information on openvpn's source/destination filtering. What I have found are examples of openvpn administrators filtering client access traffic so that one openvpn client can talk to another openvpn client, which is not what I want.

The only way to accomplish this from what I can think of would be if openvpn has a filtering option for administrators where the admin can place in an exclusions IP filter list. For instance, if a user queries via DNS for google.ca, the openvpn IP exclusions filter will see that google.ca's IP (I know openvpn is only up to layer 3, so a request for google coming in would just be the IP of google that isn't in the exclusions list) is not an acceptable IP for trafficking over the tunnel, but if the user wants to talk to myIntranetServer.com, the VPN knows to allow the traffic through the VPN.

When the openvpn server denies google.ca IP traffic through, due to google's IPs not being in the list of IPs that are allowed to be trafficked through the VPN, it sends a notification back to the openvpn client for the client OS to make the DNS query instead of openvpn's DNS route.

Since I am not familiar with all the options openvpn provides and cannot seem to find explicit info for this type of setup, what do you guys think of how that service is doing this?

I have found one example that touches a bit on the subject but I'm not familiar with how to specify the traffic: OpenVPN - Client traffic is not entirely routed through VPN

RCG
  • This site isn't the place to ask for people to reverse engineer some 3rd party service for you; this site is about solving problems that you have. The OpenVPN server/client does not do any packet filtering at all. That is left up to the operating system on the server or client. How filtering is applied depends on the OS and the configuration. – Zoredache Sep 25 '14 at 00:09
  • Thank you for the feedback. However this is a problem that I do have as all traffic currently is going over the VPN and wasting bandwidth. When I saw this other service I knew that is what we wanted to implement to help us save bandwidth costs as well, thus why I'm asking for clarification on how it could be achieved, which you've stated it is a server/client configuration along with potential firewall filtering. I'm trying to figure out what combination of server/client configs plus additional potential OS/firewall configs are required so I can accomplish this task of saving bandwidth. – RCG Sep 25 '14 at 00:18

1 Answer


From researching this with a different angle, I have found with openvpn routes that it can be possible to traffic specific content.

I've found the following type of setup could be used:

# redirect all default traffic via the VPN
redirect-gateway def1
# redirect the Intranet network 192.168.1/24 via the VPN
route 192.168.1.0 255.255.255.0
# redirect another network to NOT go via the VPN
route 10.10.0.0 255.255.255.0 net_gateway
# redirect a host using a domainname to NOT go via the VPN
route www.google.ca 255.255.255.255 net_gateway

however with the last configuration variable:

# redirect a host using a domainname to NOT go via the VPN
route www.google.ca 255.255.255.255 net_gateway

when it queries for resolution of google.ca it will only filter the first IP in the queries response.

HBruijn
RCG
  • To push this config to clients remember to use the "push" command. So, if you'd like to use the first rule, you would use this line in your openvpn.conf on the server: `push "redirect-gateway def1"` – lucaferrario Mar 14 '15 at 00:10
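The following is an added example, not code from the answer or from OpenVPN itself. It models how the client's kernel routing table treats the four directives above (longest-prefix match, with `redirect-gateway def1` expanding to the two /1 routes), shows why a hostname route only removes the first resolved address from the tunnel, and generates the per-address host routes and the `push` lines the comment refers to. The resolver answer for www.google.ca is a constructed stand-in using documentation addresses, and the "first address only" behaviour is modelled after the answer's description, not taken from OpenVPN's source.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The answer's client-side routing directives, reproduced verbatim as input.
ANSWER_CONFIG = """\
# redirect all default traffic via the VPN
redirect-gateway def1
# redirect the Intranet network 192.168.1/24 via the VPN
route 192.168.1.0 255.255.255.0
# redirect another network to NOT go via the VPN
route 10.10.0.0 255.255.255.0 net_gateway
# redirect a host using a domainname to NOT go via the VPN
route www.google.ca 255.255.255.255 net_gateway
"""

# Constructed stand-in for a resolver answer with three A records.
# These are documentation addresses, not real www.google.ca addresses.
RESOLVED = {"www.google.ca": ["203.0.113.10", "203.0.113.11", "203.0.113.12"]}

Route = Tuple[ipaddress.IPv4Network, str]  # (destination network, "vpn" or "net_gateway")


def parse_routes(config_text: str, resolved: Dict[str, List[str]]) -> List[Route]:
    """Turn 'redirect-gateway def1' and 'route NET MASK [GW]' lines into the
    (network, next hop) entries the client's routing table will contain.
    Assumption (modelled after the answer): a hostname in a route is replaced
    by the FIRST resolved address only."""
    routes: List[Route] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "redirect-gateway" and "def1" in parts[1:]:
            # def1 installs two /1 routes that beat the default route without replacing it
            routes.append((ipaddress.IPv4Network("0.0.0.0/1"), "vpn"))
            routes.append((ipaddress.IPv4Network("128.0.0.0/1"), "vpn"))
        elif parts[0] == "route" and len(parts) >= 3:
            dest, mask = parts[1], parts[2]
            try:
                ipaddress.IPv4Address(dest)
            except ValueError:  # not an address, so a hostname: first address only
                dest = resolved[dest][0]
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            hop = "net_gateway" if len(parts) > 3 and parts[3] == "net_gateway" else "vpn"
            routes.append((net, hop))
    return routes


def next_hop(routes: List[Route], dst: str) -> str:
    """Longest-prefix match, as the kernel does. A destination covered by no
    route falls through to the physical default route, i.e. net_gateway."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for net, hop in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "net_gateway"


def host_routes(hostname: str, addresses: List[str]) -> List[str]:
    """One /32 net_gateway route per resolved address, so a name with several
    A records bypasses the tunnel completely instead of only its first address."""
    return [f"route {ipaddress.IPv4Address(a)} 255.255.255.255 net_gateway" for a in addresses]


def push_lines(client_lines: List[str]) -> List[str]:
    """Wrap client directives in push "..." for the server's openvpn.conf,
    as the comment under the answer advises. Comment lines are dropped."""
    return [f'push "{l}"' for l in client_lines if l.strip() and not l.startswith("#")]


if __name__ == "__main__":
    routes = parse_routes(ANSWER_CONFIG, RESOLVED)
    for dst in ("192.168.1.5", "10.10.0.7", "10.10.1.7", "203.0.113.10", "203.0.113.11"):
        print(f"{dst:>14} -> {next_hop(routes, dst)}")
    # The second A record still goes via the VPN; adding a route per address fixes that.
    fixed = ANSWER_CONFIG + "\n".join(host_routes("www.google.ca", RESOLVED["www.google.ca"]))
    print("after per-address routes:", next_hop(parse_routes(fixed, RESOLVED), "203.0.113.11"))
    print("\n".join(push_lines(fixed.splitlines())))
```

Running it shows 192.168.1.5 and 10.10.1.7 going to the VPN, 10.10.0.7 and 203.0.113.10 to the physical gateway, and 203.0.113.11 to the VPN until the extra host routes are added. In practice the addresses behind a name change over time, so routes generated this way need regenerating when the resolver answer changes; a network-wide `route` with `net_gateway` for the provider's known prefixes is the more stable way to keep a destination off the tunnel.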