Split VPN by domain (against geoblocking) with WireGuard?

Does anybody know how to create a WireGuard VPN against geoblocking that only works for the geoblocked domains?

I tried many things with AllowedIPs and even setting dnsmasq. Either the VPN would route all the traffic or fail to connect to the domains I wanted routed through the VPN.

A good test would be getting the same VM to get different IPs for:

curl https://ipinfo.io
curl https://ipconfig.io

after routing one of the domains through the VPN.

2 Likes

It is not that simple. You are dealing with 2 separate issues. Please let me elaborate.

Some websites (domains) are served via a single webhost server. Some are served via a CDN (e.g. CloudFlare). Some have multiple web-hosts in different parts of the world that could deliver content to users faster (or even different content based on their location).

When you (DNS) query a domain, in the last two examples above, the address of the nearest server is returned to the user based on their location (or they are forwarded to a blocking server/page). So you have to either resolve all DNS queries via your VPN, or resolve only the blocked ones via the VPN.

Once the DNS query is resolved, then you should setup split routing. This is done via GeoIP databases (search for Wireguard+GeoIP).

In most scenarios, all DNS requests are resolved via VPN and only local IP requests are routed directly (the rest is routed via the VPN).

2 Likes

I could just set up dnsmasq so the few domains that get geoblocked for me can be DNS-queried through the wireguard VPN, and then I can add their IPs as AllowedIPs to the wireguard configuration.

I actually tried this but it doesn’t work.

Just getting ipinfo.io and ipconfig.io to resolve, one with the VPN and one without, should be easy enough, but I wasn’t able to do it.

I could share my broken scripts but I think it’s better to start anew.

1 Like

I got it working. Simple WireGuard configuration:

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
Address = 10.2.0.2/32
DNS = 10.2.0.1

[Peer]
PublicKey = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=
#AllowedIPs = 0.0.0.0/0  # a full tunnel: everything would go through the VPN
AllowedIPs = 10.2.0.1/32  # tunnel DNS; queries to it only enter the tunnel if it is listed here
AllowedIPs = 34.117.59.81/32  # ipinfo.io
AllowedIPs = 34.160.111.145/32  # ifconfig.me
Endpoint = 79.127.185.193:51820

I set /etc/resolv.conf to always use the DNS of the tunnel. This is not ideal, but works for me.

nameserver 10.2.0.1

Now the following command will return the same IP for ifconfig.me and ipinfo.io, but a different one for ifconfig.io:

curl https://ifconfig.me; echo; curl https://ipinfo.io; echo; curl https://ifconfig.io/all

I hope this helps others.

1 Like
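To make the split-tunnel recipe above repeatable, here is a small added helper (not code from the thread): it emits the dnsmasq `server=/domain/dns` lines that send only the chosen domains to the tunnel resolver, emits the matching AllowedIPs /32 lines, and checks the result for the three mistakes that make such a setup either leak or break (a 0.0.0.0/0 entry, the peer endpoint inside AllowedIPs, the tunnel DNS missing from AllowedIPs). The endpoint and example.com addresses are constructed placeholders; only the ipinfo.io / ifconfig.me addresses are taken from the thread.

```python
import ipaddress

# Constructed sample: domains to route through the tunnel and the addresses they
# resolved to via the tunnel DNS (example.com values and ENDPOINT are placeholders).
TUNNEL_DNS = "10.2.0.1"
ENDPOINT = "203.0.113.5"  # placeholder for the peer's public address
RESOLVED = {
    "ipinfo.io": ["34.117.59.81"],
    "ifconfig.me": ["34.160.111.145"],
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
}

def dnsmasq_lines(domains, tunnel_dns=TUNNEL_DNS):
    """dnsmasq 'server=' lines: only these domains are resolved via the tunnel."""
    return [f"server=/{d}/{tunnel_dns}" for d in sorted(domains)]

def allowed_ips_lines(resolved, tunnel_dns=TUNNEL_DNS):
    """One /32 per resolved address, plus the tunnel DNS itself: queries to it
    only enter the tunnel if its address is inside AllowedIPs."""
    lines = [f"AllowedIPs = {tunnel_dns}/32  # tunnel DNS"]
    for domain, addrs in sorted(resolved.items()):
        for a in addrs:
            lines.append(f"AllowedIPs = {ipaddress.ip_network(a)}  # {domain}")
    return lines

def _networks(lines):
    """Parse the AllowedIPs values back out, ignoring trailing '#' comments."""
    return [ipaddress.ip_network(ln.split("=", 1)[1].split("#")[0].strip())
            for ln in lines if ln.startswith("AllowedIPs")]

def check_allowed_ips(lines, endpoint, tunnel_dns=TUNNEL_DNS):
    """Return the mistakes that make a split tunnel either leak or break."""
    nets, problems = _networks(lines), []
    if any(n.prefixlen == 0 for n in nets):
        problems.append("0.0.0.0/0 present: all traffic would use the tunnel")
    if any(ipaddress.ip_address(endpoint) in n for n in nets):
        problems.append("endpoint inside AllowedIPs: tunnel would route itself")
    if not any(ipaddress.ip_address(tunnel_dns) in n for n in nets):
        problems.append("tunnel DNS not in AllowedIPs: split DNS cannot work")
    return problems

def uncovered(lines, resolved):
    """Addresses from a fresh resolution that no AllowedIPs entry covers; CDN
    and load-balanced hosts change addresses, so re-check periodically."""
    nets = _networks(lines)
    return sorted(a for addrs in resolved.values() for a in addrs
                  if not any(ipaddress.ip_address(a) in n for n in nets))
```

Feed `uncovered()` the output of a fresh `dig @10.2.0.1` run whenever a geoblocked site stops going through the tunnel; any address it returns needs a new AllowedIPs line.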

Sorry to butt in here… can you elaborate on your use case?

As @alimirjamali summarized, there is quite a bit more going on under the hood. The complexity of dealing with remote load balancers/IIS/CDNs would be enough to hamper most resilient protocols…

Or are you doing some host-based rerouting…?

This can only work for hosts that have a long lived static IP address (almost 0 for real production services nowadays).

The only solution I could figure out is to configure a service qube with a VPN running an HTTP proxy.

Then, install a web browser extension to use this proxy (through a qrexec ConnectTCP in the qube to the service qube with the VPN) so that depending on the host it would use the proxy or the netvm. Once you have this set up, just add hosts in the web extension configuration file to go through the VPN (or not).

You could swap the setup, so that the web browser is behind a service qube with the vpn, and the proxy is running in a qube connected to sys-firewall.

2 Likes

In theory, this should be possible, and I’m surprised that WireGuard doesn’t have this functionality (or even a secondary tool that you can use to whitelist domains for WireGuard).

That doesn’t sound right. Surely someone out there in the world has created something that does this. I would have thought it would be a pretty common use case… :frowning:

1 Like

WireGuard’s purpose is to establish a secure tunnel between two endpoints to route the traffic to certain IPs, and it does exactly that. WireGuard was not created with privacy or this kind of setup in mind.

While it’s easy to achieve (depending on the setup) the use of a VPN per application, choosing this per DNS name connections is really tricky.

  • a single web page could require more than a dozen FQDNs to resolve, and load data from all these different hostnames; you would have to list them all if you split like this
  • some connections could happen to a direct IP without a FQDN (this rarely happens on web pages as it prevents having https:// with a commonly shared CA)
  • there is no way to tell if a domain or host is geoblocked, so you have to build the list yourself, and it may be hard to make such lists in a community as it’s heavily ISP / region dependent

2 Likes

Actually it’s much easier than you might think:

  • my travel insurance blocks IPs from many countries (LOL :joy:); they seem to always use the same domain IP.
  • I’m tired of getting Google in weird languages depending on my IP (true for Maps even when logged in), so I set www.google.com to one of their IPs with dnsmasq and it’s working fine.
  • same with PayPal (I can’t even understand the login page in some languages), and I completed a purchase already.
  • Pandora

I’m sure it will break at some point, but the maintenance seems to be less annoying than the inconvenience of geoblocking/geocontent.

1 Like

It might be easier to have a web browser for stuff you trust that does not use a VPN (or one from your country), and another web browser in another qube with a random VPN.

1 Like

(duplicate post)

Yes, it’s easier to set up, but not easier to use.

As Qubes users we use different VMs with their different browsers for different areas of our lives: multimedia, cloud, banking, shopping, work, etc.

But remembering to use a specific VM for Google Maps + Pandora + my travel insurance is not easy. My brain doesn’t work that way.

1 Like

Thanks for answering. I think this is a prime example of where security and workflow can lead to some interesting use cases. This is creative and obviously easy to overthink. If it works for you and others, then that’s all that matters.

2 Likes

You create an app-banking qube for banking and a sys-vpn-banking qube, and app-banking uses sys-vpn-banking for its network. You don’t need to remember anything. When you start Firefox from app-banking it automatically runs sys-vpn-banking.

1 Like

Imagine you have social-vm where you do all your social media.

  • If you use a US IP, you cannot browse TikTok.
  • If you use an EU IP, some X/Twitter accounts are restricted, like Russia Today

I’m an adult and I choose what I want to read/watch (including foreign propaganda), not the politicians.

You can have vpn-eu and vpn-us and social-eu and social-vm, but I find it easier to have everything in the same browser.

And you might find issues like this for banks too.

Or for streaming, you might want Netflix US and BBC UK.

This guide is basically your own smartDNS that routes against censorship/geoblocking. Your own net neutrality of sorts.

1 Like

And this guide works for you? You can watch in one browser/qube CNN, Russia Today and Chinese TikTok without manually changing VPN for each thing?
I would set up a separate qube for Russia Today as everyone using this site might be a target of attack. Same with TikTok. And for X/Twitter… why use it with an EU domain if it blocks things from you?

Yes it works.

I wonder how it will work when on TikTok you traverse an advertisement from YouTube