Does anybody know how to create a WireGuard VPN against geoblocking that only works for the geoblocked domains?
I tried many things with AllowedIPs and even setting dnsmasq. Either the VPN would route all the traffic or fail to connect to the domains I wanted routed through the VPN.
A good test would be the same VM getting different IPs for:
It is not that simple. You are dealing with 2 separate issues. Please let me elaborate.
Some websites (domains) are served via a single webhost server. Some are served via a CDN (e.g. CloudFlare). Some have multiple web-hosts in different parts of the world that could deliver content to users faster (or even different content based on their location).
When you (DNS) query a domain, in the last two above examples, the address of the nearest server is returned to the user based on their location (or they are forwarded to a blocking server/page). So you have to either resolve all DNS queries via your VPN, or resolve the blocked ones via the VPN.
Once the DNS query is resolved, then you should set up split routing. This is done via GeoIP databases (search for Wireguard+GeoIP).
In most scenarios, all DNS requests are resolved via VPN and only local IP requests are routed directly (the rest is routed via the VPN).
I could just set up dnsmasq so the few domains that get geoblocked for me can be DNS-queried through the wireguard VPN, and then I can add their IPs as AllowedIPs to the wireguard configuration.
I actually tried this but it doesn’t work.
Just getting ipinfo.io and ipconfig.io to resolve one with the VPN and one without should be easy enough, but I wasn’t able to do it.
I could share my broken scripts but I think it’s better to start anew.
Sorry to butt in here… can you elaborate on your use case?
As @alimirjamali summarized, there is quite a bit more going on under the hood. The complexity of dealing with remote load balancers/IIS/CDN would be enough to hamper most resilient protocols…
This can only work for hosts that have a long lived static IP address (almost 0 for real production services nowadays).
The only solution I could figure is to configure a service qube with a VPN and run an HTTP proxy.
Then, install a web browser extension to use this proxy (through a qrexec ConnectTCP in the qube to the service qube with the VPN) so that depending on the host it would use the proxy or the netvm. Once you have this setup, just add hosts in the web extension configuration file to go through the VPN (or not).
You could swap the setup, so that the web browser is behind a service qube with the VPN, and the proxy is running in a qube connected to sys-firewall.
In theory, this should be possible, and I’m surprised that WireGuard doesn’t have this functionality (or even a secondary tool that you can use to whitelist domains for WireGuard).
That doesn’t sound right. Surely someone out there in the world has created something that does this. I would have thought it would be a pretty common use case…
WireGuard’s purpose is to establish a secure tunnel between two endpoints to route the traffic to certain IPs, and it does exactly that. WireGuard was not created for privacy or with this kind of setup in mind.
While it’s easy to achieve (depending on the setup) the use of a VPN per application, choosing this per DNS name is really tricky.
A single web page could require more than a dozen FQDNs to resolve and load data from all these different hostnames; you would have to list them all if you split like this.
Some connections could happen to a direct IP without a FQDN (this rarely happens on web pages as it prevents having https:// with a commonly shared CA).
There is no way to tell if a domain or host is geoblocked, so you have to build the list yourself, and it may be hard to make such lists as a community as it’s heavily ISP/region dependent.
Actually it’s much easier than you might think:
My travel insurance blocks IPs from many countries (LOL); they seem to always use the same domain IP.
I’m tired of getting Google in weird languages depending on my IP (true for Maps even when logged in), so I set www.google.com to one of their IPs with dnsmasq and it’s working fine.
Same with PayPal (I can’t even understand the login page in some languages), and I completed a purchase already.
Pandora
I’m sure it will break at some point, but the maintenance seems to be less annoying than the inconvenience of geoblocking/geocontent.
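The "resolve the few blocked names through the tunnel, pin them in dnsmasq, and list only their addresses in AllowedIPs" approach described in the earlier dnsmasq post and in the post above, as an added example that is not code from anyone in this thread. It assumes a constructed tunnel-side resolver at 10.8.0.1, that `dig` is installed for the live lookup, and RFC 5737 sample addresses standing in for real answers; the tunnel resolver's /32 is deliberately part of AllowedIPs so the lookup itself travels inside the tunnel, which is the piece that is easy to miss.

```shell
#!/bin/sh
# Added example, not from this thread: generate a dnsmasq fragment that pins a
# few geoblocked names to the addresses seen through the tunnel, plus the
# WireGuard [Peer] AllowedIPs line that routes only those addresses (and the
# tunnel resolver) through the VPN. Constructed assumption: resolver 10.8.0.1.
VPN_DNS=${VPN_DNS:-10.8.0.1}

# One-time lookup through the tunnel resolver. Needs dig and a tunnel that
# already carries $VPN_DNS/32. Prints "name ip" pairs, one per A record.
# Not called by the offline demo below.
resolve_via_vpn() {
  for name in "$@"; do
    dig +short @"$VPN_DNS" "$name" A | grep -E '^[0-9.]+$' | sed "s/^/$name /"
  done
}

# Constructed sample of what resolve_via_vpn would print (RFC 5737 ranges).
# Two names sharing one address show that AllowedIPs is deduplicated.
sample_pairs() {
  printf 'www.example.com 203.0.113.10\n'
  printf 'maps.example.com 203.0.113.10\n'
  printf 'music.example 198.51.100.7\n'
}

# dnsmasq fragment: address=/name/ip pins the name (and its subdomains) so the
# local resolver never hands out the geoblocked-side answer again.
pairs_to_dnsmasq() {
  awk '{ printf "address=/%s/%s\n", $1, $2 }'
}

# WireGuard [Peer] fragment: only the tunnel resolver and the pinned hosts go
# via the tunnel; everything else keeps using the normal uplink.
pairs_to_allowedips() {
  ips=$(awk '{ print $2 "/32" }' | sort -u | paste -s -d ',' - | sed 's/,/, /g')
  printf 'AllowedIPs = %s/32, %s\n' "$VPN_DNS" "$ips"
}

# Demo: emit both fragments from the constructed sample.
sample_pairs | pairs_to_dnsmasq
sample_pairs | pairs_to_allowedips
```

A pinned address goes stale when the site moves hosts, as the post above already notes, so the lookup and both fragments have to be regenerated when a name stops working.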
It might be easier to have a web browser for stuff you trust that does not use a VPN (or one from your country), and another web browser in another qube with a random VPN.
Thanks for answering. I think this is a prime example of where security and workflow can lead to some interesting use cases. This is creative and obviously easy to overthink. If it works for you and others, then that’s all that matters.
You create an app-banking qube for banking and sys-vpn-banking for banking, and app-banking uses sys-vpn-banking for network. You don’t need to remember anything. When you start Firefox from app-banking it automatically runs sys-vpn-banking.
And this guide works for you? You can watch in one browser/qube CNN, Russia Today and Chinese TikTok without manually changing VPN for each thing?
I would set a separate qube for Russia Today as everyone using this site might be a target of attack. Same with TikTok. And for X/Twitter… why use it with the EU domain if it blocks things from you?