See below

-----Original Message-----
From: Jochen Bern <jochen.b...@binect.de>
Sent: Friday, September 22, 2023 1:06 AM
To: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] URL forwarding and blacklisting

On 21.09.23 21:50, Jason Long via Openvpn-users wrote:
> Hello, I have two questions:
> 1- When someone connects to an OpenVPN server, is it possible to be redirected to duckduckgo.com when trying to go to google.com?
> 2- How can I block access to certain websites?
> Does OpenVPN offer such features?

You can manipulate traffic that *does* go through the VPN and, thus, your server(s) in whatever way *other* soft- and hardware allows you to. OpenVPN itself does not have any such functionality.

Relevant sidenotes:

a) There are OpenVPN(-protocol) clients that allow the user to override the routes the OpenVPN(-software) server sends it, not to mention adding routes with more specific prefixes pointing to selected servers (e.g., Google's), and also any DNS manipulation can be countered by way of /etc/hosts, so users can trivially circumvent your blocks (as long as they're willing to have the traffic *not* go through your VPN).

b) As of right now, Google.com's servers have IPv6 addresses, which will be preferred in a dual stack setup, so you'll have to add IPv6 to your VPN to even stand a chance of intercepting those users' connections to Google.

c) As of right now, DuckDuckGo.com does *not* have IPv6 addresses, so be prepared to run a 6-to-4 gateway as well ...

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH

Just my $0.02 for general discussion....

All of google's machines are capable of doing IPv6 for a long time, they were one of the front runners.

Regarding blacklisting: It is hard to do it in a controlled way... (too many sideways)

For the clients going through the VPN that you control: you define what DNS-servers they use. It's a parameter pushed from the VPN-server. You CAN push the ip-addresses of your own DNS-servers, and block all other DNS-requests with an iptables-rule. On your own DNS-server, you can declare yourself as "authoritative" for the unwanted domain.
If you want to completely deny everything, that is doable, but if you want to allow some URLs to remain reachable that will become rather labour intensive to maintain. For me, it works right now. But for details, see the manual pages of IPTABLES and BIND.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
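The reply above describes three pieces that together give you a VPN-side domain block: push your own resolver to the clients, firewall any other DNS traffic coming out of the tunnel, and make your resolver authoritative for the domains you want blocked. The following Python script is an added example, not code from the thread and not part of OpenVPN, iptables or BIND; it generates those three config fragments from one list of domains so the "labour intensive to maintain" part becomes a one-line edit per domain. The tunnel interface, resolver address, zone file path and name-server name are constructed assumptions, and it assumes the resolver runs on the VPN gateway itself (so client queries to it arrive on the INPUT chain, while everything that would be forwarded on port 53 is dropped). Per Jochen's point b), the same rules have to be emitted for ip6tables if the tunnel carries IPv6; the `binary` parameter is there for that.

```python
"""Generate OpenVPN push options, iptables rules and BIND zone data for a
VPN-side domain block. All addresses, names and paths below are constructed
assumptions for this example; adjust them to your own deployment."""

import ipaddress
import re

VPN_IF = "tun0"                      # assumed tunnel interface on the gateway
VPN_DNS = "10.8.0.1"                 # assumed resolver address (the gateway's tun0 IP)
SINKHOLE_IP = "0.0.0.0"              # answer handed out for blocked names
ZONE_FILE = "/etc/bind/db.sinkhole"  # one shared zone file for every blocked domain
NS_NAME = "ns1.vpn.example."         # assumed NS/SOA name for the sinkhole zone

_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def normalize_domain(name: str) -> str:
    """Lower-case, strip a trailing dot, and reject anything that is not a
    plausible hostname so a typo cannot end up in named.conf."""
    d = name.strip().lower().rstrip(".")
    if not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain name: {name!r}")
    return d


def openvpn_push_lines(dns_ip: str = VPN_DNS) -> list[str]:
    """server.conf lines: hand every client our resolver and, on Windows
    clients (the only platform where OpenVPN honours it), stop DNS from
    leaking past the tunnel."""
    ipaddress.ip_address(dns_ip)  # fail early on a typo instead of shipping it
    return [
        f'push "dhcp-option DNS {dns_ip}"',
        'push "block-outside-dns"',
    ]


def iptables_rules(vpn_if: str = VPN_IF, dns_ip: str = VPN_DNS,
                   binary: str = "iptables") -> list[str]:
    """Firewall rules for the gateway. Queries to our resolver (on this host)
    are accepted on INPUT; any port-53 traffic the gateway would forward
    elsewhere is dropped. Call with binary="ip6tables" and an IPv6 resolver
    address for the IPv6 side of a dual-stack tunnel."""
    ipaddress.ip_address(dns_ip)
    rules = [
        f"{binary} -A INPUT -i {vpn_if} -p {proto} --dport 53 -d {dns_ip} -j ACCEPT"
        for proto in ("udp", "tcp")
    ]
    rules += [
        f"{binary} -A FORWARD -i {vpn_if} -p {proto} --dport 53 -j DROP"
        for proto in ("udp", "tcp")
    ]
    return rules


def bind_zone_stanzas(domains: list[str], zone_file: str = ZONE_FILE) -> str:
    """named.conf stanzas declaring this server authoritative for each blocked
    domain. All of them point at the same sinkhole zone file."""
    return "\n".join(
        f'zone "{normalize_domain(d)}" {{ type master; file "{zone_file}"; }};'
        for d in domains
    )


def sinkhole_zone_file(answer_ip: str = SINKHOLE_IP, serial: int = 1) -> str:
    """Body of the shared zone file. '@' covers the apex and '*' every
    subdomain (www, mail, ...), so the whole domain resolves to answer_ip.
    Point answer_ip at a host you run if you want to serve a block page."""
    ipaddress.ip_address(answer_ip)
    return "\n".join([
        "$TTL 300",
        f"@ IN SOA {NS_NAME} hostmaster.vpn.example. ( {serial} 3600 900 604800 300 )",
        f"@ IN NS {NS_NAME}",
        f"@ IN A {answer_ip}",
        f"* IN A {answer_ip}",
    ])


if __name__ == "__main__":
    blocked = ["google.com", "youtube.com"]  # constructed sample blocklist
    print("# server.conf")
    print("\n".join(openvpn_push_lines()))
    print("\n# firewall (run on the gateway, IPv4)")
    print("\n".join(iptables_rules()))
    print("\n# named.conf.local")
    print(bind_zone_stanzas(blocked))
    print(f"\n# {ZONE_FILE}")
    print(sinkhole_zone_file())
```

Run it once and paste each section into the file named in its header; bump `serial` whenever you change the zone file so BIND reloads it. Jochen's point a) still applies: a client that overrides pushed routes or edits its own /etc/hosts simply stops sending that traffic through the tunnel, so this controls only what actually crosses your gateway.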