How to exclude certain websites from wireguard vpn

seccam49 · August 24, 2023, 10:29pm

I have configured wireguard on router but using wireguard because it has higher speed than openvpn. using protonvpn server to connec to.
I want to exclude certain site like studentaid.gov from vpn becasue it wont connect saying access denied.

Is there any way to exclude certain website from wireguard vpn
please give steps...pic is better if you have one.

Please note when I pin studentaid.gov - most times it gives different ip address

I tried following - https://docs.openwrt.melmac.net/vpnbypass/#requirements
But I dont see web ui configuration for luci-app-vpnbypass so not sure how to configure in web ui under pbr ?

I have OpenWrt 22.03.5 version

egc · August 25, 2023, 6:01am

vpn-bypass has a successor:

See if that suit your needs, scroll down for the Install Section

seccam49 · August 25, 2023, 6:10am

So you are saying vpn-bypass is outdated now and it is replaced with pbr in 22.03.5?
I guess I understand that but how to configure under policy routing tab I see in the header?
Where actually I need to do to exclude/bypass this website studentaid.gov

Thanks. @Dantes @psherman @lleachii @xize

psherman · August 25, 2023, 6:11am

@seccam49 - why are you tagging other users into this thread?

xize · August 25, 2023, 6:47am

It should be kinda the same as the wiki page you sent and then I mean that section of dnsmasq-full.

For ipset, you should take some consideration, on newer versions of OpenWrt you have a new firewall with nftables and nftset, to be honest I normally would keep it there.

The only thing that might be different is that ipset also catches subdomains as wildcard, while nftset via dnsmasq could not ( though I'm speaking from the past, so it is possible that this is no longer a issue )

Now when you create a PBR rule in Luci, give it a name, set the domain in remote and set the target to wan on prerouting.

Note: this rule should always be on top above the rule where traffic get sent to the VPN, I guess similar as how vpnbypass worked all routes should be handled by PBR/vpnbypass.

If you flush your dns (on Windows under cmd: ipconfig /flushdns), and also the dns in a browser through chrome://net-internals/#dns and it still does not work, you get something like a refused error then try the following:

(this likely only happen on more advanced setups with more interfaces and only with forwarding zone to vpn zone ment for being a firewall kill switch)

Since I'm typing on a phone it's difficult to explain it accurate:

In one of these tabs inside lucis PBR management you have some settings for WAN with a marking, the only thing you have to do is copy that hexadecimal mark, and go to firewall and create a new traffic rule as follows:

src zone: yourcustomnetwork
dst zone: wan
click on advanced tab->marking or mark->paste the mark here in.
target: accept

This way you say to the firewall to allow traffic to be forwarded matching with mark supplied by PBR to wan and it should work under this type of firewall setup

-edit-
here is a screenshot of my advanced pbr configuration, I highlighted how a simple setup could look like, for vpn the source/local ip's are not needed perse if you want to route all through vpn but for my setup that is not handy to do.

the ignore rule in case you wonder is because PBR can block other routes because of the killswitch feature, if I had a pi-hole instance running on a different network route then PBR would block it, so with the ignore target I can tell PBR to ignore the block, you have to check this in the advanced tab if you need it.

seccam49 · August 25, 2023, 2:30pm

Please check the image
I have only entered info - learning from your split tunnel policy rule
is that right ? please note local address and local port is blank
I have only one policy rule enabled.

You mentioned about setting for wan with a marking ..but I checked all 3 tabs
basic/advanced/web ui - only on advanced tab there is mention about wan but there is hexadecimal mark ..its blank or default

On traffic rule - I am not sure what I should choose as source zone?
For dest zone u mean output zone correct? I guess so so I will choose WAN there
on advanced tab u r advising to put that mark but like I said there is no mark

Thanks for help

egc · August 25, 2023, 3:13pm

Why not try it

I add for testing ipchicken.com
in this list of space-separated remote/target IP addresses, CIDRs or hostnames/domain names

Browsing to ipchicken.com should show you your WAN ip address if everything is working correctly.

systemcrash · August 25, 2023, 3:19pm

This seems like a use-case for ipsets.

egc · August 25, 2023, 3:30pm

If it is just a single domain without subdomains etc this will work but otherwise yes ipset is the way to go.
For things like ipchicken (two IP addresses which do not alter it will work, no experience with, studentaid.gov thoug, I am the local student aid at home (money drain)),

seccam49 · August 25, 2023, 3:43pm

Under software when I update list it shows dnsmasq-full 2.86-16 installed but when I check under policy routing tab - under Use resolver set support for domains - only one option available - dnsmasq-ipset as shown in pic

It also shows -- The dnsmasq.nftset is not supported on this system.
I am not sure if that is the reason why it does not work ?

xize · August 25, 2023, 3:43pm

It depends on your case of use.

Let say you have multiple network interfaces with different ip subnets, then you may want to allow to use one network range and the other not.

If you leave it empty all traffic goes over the vpn.

Normally for a split tunnel it should be two rules, first one is the one you show, the second one is routing the traffic through the vpn.

however you need to take note about this that you have to disable all vpn related routing from the vpn side itself for wireguard in the peers section in the interface:

And in the advanced tab on the vpn interface:

Because PBR takes now care about the routing.

seccam49 · August 25, 2023, 4:40pm

I tried to follow this video - https://www.youtube.com/watch?v=FN2qfxNIs2g
but clearly studentaid.gov does not work

if in a terminal I type curl https://ipinfo.io
it shows protonvpn provided wireguard ip address

But in policy routing even if I enter studentaid.gov - it does not work ..it still show access denied.

I am really lost ...for now I just disabled wireguard interface and went ahead without vpn to login to studentaid.gov to finish what I needed to

I have no clue what I am doing wrong

xize · August 25, 2023, 5:21pm

And you are 100% sure you flushed your dns?

On Windows you need to use ipconfig /flushdns and in your browser depending which I use chromium: chrome://net-internals/#dns

You are also 100% sure the device you use to connect to the site uses the router ip as dns?

egc · August 27, 2023, 4:07pm

It is possible that the connection does not go via the WAN but you can do a:
traceroute studentaid.gov to see the route it is taken.
If it is the WAN then repeat it a few times to see if there are more addresses which all take the WAN

But even if it is routed via the WAN your DNS query will likely go out via the VPN and websites have a habit of also tracking where the DNS request is coming from.
This is called a DNS leak, in your case it is the reverse.
DNS is going via the VPN and you want it to go out via the WAN.

If this is your problem you can set a different DNS server for a certain domain in DNSMasq e.g.:
server=/studentaid.gov/9.9.9.9

You can add this as in /etc/config/dhcp as:
list server '/studentaid.gov/9.9.9.9'

In PBR you also set 9.9.9.9 to use the WAN in the same box as studendtaid.gov (space delimited) you must not use 9.9.9.9 anywhere else as DNS server.

After you are done reboot or restart DNSMasq: service dnsmasq restart

Now to resolve studentaid.gov the DNS server used is 9.9.9.9 and this should be routed also via the WAN.