
I have strongSwan running fine. I need to block some bad websites by their domains from being visited by VPN users. I tried many methods but had no luck, such as redirecting traffic from the VPN to a proxy server like Squid, but I discovered that the traffic forwarded to Squid is identified by the website's IP, not its domain name, so this technique did not succeed.

Maybe this is not strongSwan's business, but any idea will be welcome.

Thanks in advance.

Realbitt

2 Answers


The way I would solve such a problem is to adjust the strongSwan VPN exit node with a transparent proxy:

https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

You will, however, either need to allow HTTPS to bypass the proxy or set up SSL interception (which is quite difficult and needs access to your clients' PCs).

Another way to solve the problem is to introduce your own DNS server that points your users to your own IP address for domain names that are blacklisted. This of course means that you are running DHCP and that nobody is smart enough to use a custom DNS server or DNS over HTTPS.

Roman Spiak
  • I installed a DNS server on a new PC, let's name it pc1, and I pointed pc2's network DNS to pc1 and blocked facebook.com, but it did not work as I saw in some tutorial. This is just a test of whether I can block a domain on my own PC with my own DNS server. – Realbitt Jan 03 '22 at 14:39
  • No idea on the specifics of your DNS setup; please know that big corporations also use this DNS blocking mechanism to prevent (for example) Facebook access for their employees. This means that domain blocking via a DNS server is a tested and working solution. If you have trouble setting up DNS blocking, ask another question related to that topic and provide details of that setup. – Roman Spiak Jan 03 '22 at 19:56
  • It worked for me, thanks. – Realbitt Jan 05 '22 at 16:07

This has nothing to do with VPN and everything to do with proxy software.

What you're looking for is a transparent intercepting proxy. Unless you can push a new CA certificate to your client machines, you're most likely looking for Squid's peek-and-splice mode to inspect the ClientHello of TLS connections.

Note that this isn't perfect: domain fronting will bypass it, and so will using another proxy that isn't blacklisted, but it's the best you can do under those constraints.

Ginnungagap