How to block youtube category using OpenWrt?

How to block particular youtube category using openwrt?
I want to block all the videos under GAMING category,
is it possible?

No. That happens within the HTTP protocol, on the application layer, way later than what the router manages or can interfere with.

3 Likes

I am quite sure this can be easily done by some configuration or creating package for OpenWrt or some bash script.
here's what I want to do (It will be great if I get some starting pointers)

  1. User visits the URL from browser
  2. OpenWrt analyzes the URL
  3. If it is youtube video URL
  4. Call youtube API to get category of the video
  5. If the category is GAMING then reject the request

as @takimata said, this cannot be achieved at the router. While it would be possible to filter on the IP address or domain name, it is not possible to filter on a full URL at this layer. Beyond that, the URL isn't necessarily going to contain useful category information... Sure, a search directly will show the search terms, but change the search term slightly and your filter wouldn't work anymore.

For example, I went to youtube and then typed in gaming in the search filed. Then I clicked on a video. This was the end of the URL: "watch?v=IDPiSEnFIAs" -- this is the URL to the video itself, but you're not going to be able to figure out the category from the URL.

You need to do this with an application layer filter -- or better yet maybe an account level one that can be configured with parental controls.

1 Like

we can do that using youtube API
https://www.googleapis.com/youtube/v3/videos?part=snippet,contentDetails&id={VideoID}&key={Youtube_API_KEY}

That is all nice and dandy, but your router can't do that - all it gets to see is an encrypted stream of data to some IP.

2 Likes

I suspect this can be done at DNS level
e.g. PiHole, AdBlocker

Nope. Try again. Not unless you can figure out a way for the DNS resolver to make calls via the youtube API and then block selectively... that is not something that DNS based blockers currently offer as a feature (maybe you could build such a feature and donate your time and effort to PiHole and/or other DNS resolvers).

Also, to be clear, AFAIK, the DNS resolvers like PiHole do not analyze the whole URL. They look at the domain name and then compare the domain against the allow/block lists. You would need to add functionality to perform further analysis of the URL (beyond the first '/') and then make decisions based on that. And this only would only work for sites that use explicit URLs -- if the actual functional URL is actually not exposed as a browser-level address but is instead embedded within the encrypted HTTPS data, you won't be able to inspect it at all.

You've been told by 3 people already that this cannot be done at the router.

2 Likes

No, it really can't. There's a basic misunderstanding on your side about how routers work and what routers do. While it has already been answered by others above, I still would like to lay it out flat, in order to not cause you frustration or make you think we are unwilling to help.

Here's what's happening:

The browser does exactly two things when you open https://www.youtube.com/watch?v=RNuUgbUzM8U

First, it makes a DNS request, "what IP corresponds to www.youtube.com" to the router. The router in turn asks the internet and responds with "www.youtube.com is at IP address 142.250.206.238" (and several other IPs.)

This is exactly the point where PiHole and other DNS-based blockers come into play, they intercept this DNS request and answer with "does not exist" or something similar. They also do not know exactly what your browser is asking for, they just know it is asking for the IP address of www.youtube.com and decide you can't have it.

Then the browser opens a connection to 142.250.206.238. This connection is end-to-end encrypted between the browser and the server (that's the "S" in "HTTPS"). Inside of this connection, encrypted, it asks "I want watch?v=RNuUgbUzM8U from the host www.youtube.com, is that you, can you give it to me?"

OpenWrt, or any router really, just sees a new connection to 142.250.206.238. Because it is encrypted, it has no way of knowing what is happening within that connection, it does not even know it goes to a server that answers to www.youtube.com, let alone what "page/path/resource" it is asking from the server. The router does not care, it just knows from the IP address that it has to go out to the internet, so it sends it out to the internet, it receives the answer, and then it hands the answer back to your computer where your browser receives it, decrypts it, and shows it.

At no point does OpenWrt or any router know exactly what you're asking from the server. And not only that, it doesn't even know that the server is answering to www.youtube.com. And that is why you can't block parts of a website using OpenWrt in the middle.

7 Likes

Your suspition is wrong.

As already noted by the others, pihole is a DNS resolver, if blocks based on FQDN, or parts of it.

An adblocker running in the browser have access to the full URL, and can trigger based on parts of the URL, the DNS resolver never sees this.

1 Like

There MIGHT be a possibility to do what you want using an explicit proxy, running on the router. Which means, you first of all have to configure your client systems to use this especially programmed proxy. Second, you need to install self signed certificate on the clients. The browser of which might complain about it.
Which also might be the case without explicit proxy config, so called transparent proxy, which you can run on openwrt device. Needs a lot of custom programming, though, and is rather fragile, to be broken by security measures of youtube.