This is what routers are for. My router (a cheap fanless box with several network ports running linux) is the only thing on my network that knows there's a VPN. I can selectively route whatever I want through it, including having a separate SSID/VLAN from which everything is routed through the VPN. It's wireguard based so there's no "installing a VPN", just an interface/network configured in systemd-networkd (once, on the router).
Edit: Routing by domain name could be tricky, though. I haven't had a need for that, and a proxy with local DNS override (as in the article) might be needed if it came to that. I'd still do it on the router, though.
[1]: https://du.nkel.dev/blog/2021-11-19_pfsense_opnsense_ipsec_c...
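One way to do what the comment describes, as an added example (mine, not the commenter's own config): two systemd-networkd units that give the router a WireGuard interface and send everything from one VLAN out through it using a source-based routing policy rule. The VLAN subnet (10.20.0.0/24), tunnel address, endpoint, key path and table number are placeholders I chose, not values from the thread.

```shell
#!/bin/sh
# Added example: write two systemd-networkd units so that only hosts on a
# dedicated "VPN VLAN" (assumed 10.20.0.0/24) are routed through wg0, while
# everything else on the router keeps using the main routing table.
set -eu

write_units() {   # $1 = target directory (normally /etc/systemd/network)
  dir=$1
  # The tunnel: a WireGuard netdev with the provider as its only peer.
  # networkd adds no routes for AllowedIPs unless RouteTable= is set, so
  # which traffic uses the tunnel is decided only by the policy rule below.
  cat > "$dir/50-wg0.netdev" <<'EOF'
[NetDev]
Name=wg0
Kind=wireguard

[WireGuard]
# the private key stays in a root-only file, never in the unit itself
PrivateKeyFile=/etc/systemd/network/wg0.key

[WireGuardPeer]
PublicKey=PROVIDER_PUBLIC_KEY_PLACEHOLDER
Endpoint=vpn.example.invalid:51820
AllowedIPs=0.0.0.0/0
PersistentKeepalive=25
EOF
  # Policy routing: table 100 holds one default route via wg0, and the rule
  # sends packets *from* the VPN VLAN to that table. Replies and the tunnel's
  # own UDP to the endpoint never match, so they use the main table. The
  # VLAN's own .network needs IPMasquerade=ipv4 so 10.20.0.0/24 is NATed
  # behind the tunnel address.
  cat > "$dir/50-wg0.network" <<'EOF'
[Match]
Name=wg0

[Network]
# tunnel address assigned by the provider (placeholder)
Address=10.99.0.2/32

[Route]
Destination=0.0.0.0/0
Table=100

[RoutingPolicyRule]
From=10.20.0.0/24
Table=100
Priority=100
EOF
}
```

Run `write_units /etc/systemd/network` as root and then `networkctl reload`; hosts on the untagged LAN are unaffected because the rule only matches the VLAN's source range.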
Useless in modern days though. IP addresses with anything backed by any cloud/CDN can vanish whenever they want, you'll always need to keep track of the upstream DNS responses.
That's extra fun if you do site-to-site-VPNs with a major customer. Won't name names, but they do have a habit of going through IP renumbering sprees every year or two and it's a true pain to keep the routing table, Zerotrust provider config and firewall rulesets in sync.
Do you remember the name of the product?
PC Engines APU2, AMD x86_64, 4-core, 4GiB, 3x Gigabit Ethernet, 3 x mini PCIe, SIM slot, USB 3, Serial, SATA ports. Mine has dual band WiFi in one mPCIe, SSD in another.
Turris Mox, Marvell aarch64. This can expand via plug and go via a range of extension modules. I've got one with 25 Gigabit (3 x 8-port modules) Ethernet, 1 x SFP, 5 x USB3, Wifi, Serial.
I'm running OPNSense on a GMKtec G9 (a N150-based NUC with dual 2.5Gbps NICs), and a cheap managed switch. All-in, you can get it today for well under $300. Even that is rather overpowered for running my house.
The toughest component to pin down was a mesh wifi system that supports tagging VLAN segments. That's almost exclusively enterprise territory, so it's hard to find something affordable.
https://www.friendlyelec.com/index.php?route=product/product...
2GB Pi5 maxes out the 1Gb port.
You don't have to. You create a container which runs openvpn to connect to your vpn provider, and also hosts an ssh daemon. The ssh daemon receives incoming SOCKS5 connections from a firefox portable browser, which has been configured to use the proxy (your Docker openvpn-container) for browsing and DNS resolution, and pipes it through the VPN tunnel.
So you have that one browser just to surf imgur, if that's your thing. And you could also use Firefox on Android (maybe also iOS) with those proxy settings (a secondary Firefox browser, like the beta version).
So you get very high control about what you are using the VPN for, you don't just pipe your entire OS's network traffic through the VPN.
You can default route domains through a VPN using a Firefox tab container, you don’t need a separate browser instance running!
> I wanted something cleaner: a solution that works for every device on my network, automatically, without any client-side configuration.
Doesn't solve the real problem, being fails of imgur embedded in many others you surf.
From the last couple of weeks of researching some stuff, it makes perfect sense - I keep stumbling across blogs and documentation that uses Imgur, and it's really quite annoying that I can't see the screenshot or image that is being referenced. It hasn't /quite/ hit the point to put something in place, but this is super helpful for the final straw - when it comes!
This simple block is relatively trivial to bypass - but if they disappear tomorrow, a lot of things break.
Tale as old as time, long-running forums are graveyards of dead Photobucket, Tinypic and Imageshack embeds. Imgur has lasted longer than most but the cycle will probably repeat eventually, especially since they were acquired by faceless corpos a few years ago.
that made multiple forums I've been on rush to download everything to their servers
Which means that we'll all have to run our own VPNs, possibly masquerading as HTTPS traffic, if that remains viable against government interference (eg. they might ask to re-encrypt all traffic by ISP-level certs, and block any traffic unreadable by them).
Internet as we know it is fading away.
also, if foreign servers notice no real loss of traffic because people just circumvent draconian censorship measures from authoritarian regimes, then they can more safely ignore them without real repercussions
the EU seems to be following soon, so it's important that people have readily available tools so the power dynamics change and it doesn't become economically unfeasible to refuse censorship pressures
Reddit is worse… you can’t even view someone’s profile if they’ve ever submitted a post labeled NSFW.
Honestly you could probably even use the 0 cost back charge that visa has, which is used by some finance services to verify that you are who you say you are through the visa connection to your national digital identity.
I am in the UK.
archive.org is not blocked — not the Library or the Wayback Machine.
ETA: I just checked re: the comment toomuchtodo linked to, and it actually is blocked by default on my mobile phone as adult content, because I've never bothered to disable the adult content lock on that device. I get redirected to a page operated by my mobile network where I can undo the lock by giving them info; I might do that one day, might not.
For non-UK users: UK mobile phone providers all block adult content by default at the account level as a simple parental control measure, and have done for some time, largely because PAYG data is really rather cheap here.
Interesting but not particularly bothersome. Apparently this decision is about eleven years old.
I'm with "1p Mobile" now who are a virtual network on EE, and their adult content block is just a toggle in your online account, with no faffing around required - you can just hit the toggle. I presume the idea is that you don't give little Timmy the password to his own account portal, but I don't know what's to stop him getting his own SIM by himself.
With Three, I found the adult content block caused other problems with SSH connections dropping, various random stuff getting blocked and so on, which all went away as soon as I had it disabled, so it's worth doing even for non porn fans.
it isn't
https://www.privateinternetaccess.com/blog/internet-archive-...
Is there a way to install a VPN such that requests to/from certain domains (e.g. imgur.com) are routed via the VPN and the rest of your traffic is via non-VPN?
This would solve the problem of constantly having to dis/re connect VPN, and do it in an automatic fashion (i.e. without the manual steps of first recognising there's an unavailable asset on the page, opening VPN app, switching it on etc).
Such a configuration would also be very useful in other situations, e.g:
- using social media in countries that require age-verification
- using apps that geoblock (e.g. spotify blocks my subscription every few days because it detects a change in country, but what it's really detecting is simply whether or not my VPN happens to be on/off)
- accessing sites which are blocked (e.g. Thailand blocks common UK news sites which have said unflattering things about Thai royalty).
For example, the equivalent in Tailscale would be an "App Connector":
https://tailscale.com/kb/1342/app-connectors-setup#add-a-cus...
E.g. I'd definitely pay $10/month for an app that lets me input domains and which country to re-route traffic through.
E.g. a handful of social media apps via US (my country has age verification), a handful of news sites via UK (some countries I travel to block them entirely), spotify via a single country (I don't care which one, so long as it's constant).
I currently use ProtonVPN iPhone and macOS apps but AFAIK it routes all traffic through a single country which requires opening the app and manually changing it each time you want traffic routed via a different country.
Extremely keen to hear any solutions people have used on their own devices.
I haven't needed to do this since I moved to the US, but IIRC the rules were based on IP subnets.
The approach in TFA is more sophisticated and fine-grained.
The route rule would route out a VPN instead of the main route.
If the domain name resolves to many IPs you can keep an address list up to date using a simple script.
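The "simple script" idea above, as an added example (mine, not the commenter's): re-resolve a list of names and swap the current answers into an nftables set in a single transaction. It assumes the router already marks traffic to members of `inet vpnroute v4` and sends marked packets to a routing table whose default route is the tunnel (that scaffolding is not shown here), and that `dig` and `nft` are installed; the set name is my choice.

```shell
#!/bin/sh
# Added example: keep an nftables set in step with what a list of domain
# names currently resolves to. Assumes a rule like
# "ip daddr @v4 meta mark set 0x64" in table inet vpnroute plus
# "ip rule add fwmark 0x64 lookup 100", with table 100 = "default dev wg0".
set -eu
DOMAINS="imgur.com i.imgur.com api.imgur.com s.imgur.com"   # names from the thread
SET="inet vpnroute v4"                                       # family table set (assumed)

# Emit one "domain ip" line per A record, using the router's own resolver.
resolve_all() {
  for d in $DOMAINS; do
    dig +short A "$d" | sed -n "s/^\([0-9.]*\)\$/$d \1/p"
  done
}

# Read "domain ip" lines on stdin and print an nft batch that flushes the set
# and re-adds the current addresses. nft -f applies the file as one
# transaction, so clients never see an empty set between the two commands.
# Lines that are not a plain IPv4 address (CNAME chains, junk) are ignored,
# and an empty result is an error rather than an empty set: a DNS outage must
# not silently turn "route via VPN" into "route direct".
build_nft_batch() {
  ips=$(awk 'NF == 2 && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' \
        | sort -u | paste -s -d, -)
  if [ -z "$ips" ]; then
    echo "build_nft_batch: nothing resolved, leaving set untouched" >&2
    return 1
  fi
  printf 'flush set %s\nadd element %s { %s }\n' "$SET" "$SET" "$ips"
}

# Run from cron every few minutes (roughly the record TTL; more often gains
# nothing, less often leaves stale entries behind).
refresh() {
  resolve_all | build_nft_batch | nft -f -
}
```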
I'm sorry but suggesting buying and setting up hardware as an easier and more accessible alternative to a purely software-based solution that will take at most a couple of hours to install is simply ridiculous.
Way to exaggerate to make a point much?
A mikrotik router can be purchased as low as $24.95 and it will not only provide you with an enterprise grade router, it will also provide you with the functionality I mentioned above.
The point of my comment was that it can be done at the router level, instead of requiring the user to run and maintain Pi-hole, Traefik, Gluetun, Nginx, and the server required to run these apps/containers.
Haha. You mean like Meta, Google, Apple and Microsoft? If EU really cared about children, those companies would not be doing business in the EU.
Seems the author forgot one step.
Of course, it is true that it is being supported by the current government, however the only way a future government could have avoided the law coming into force would be to repeal it with a new act of parliament (because it was already enacted).
Instructions using the unifi mobile app as it’s what I have to hand:
1) download wireguard conf file from vpn provider. On mobile app settings -> vpn client -> add new -> wireguard. Upload the file and save it
2) settings -> policy engine -> policy based routes. New. Select what to route -> specific traffic. Source = all devices. destination = domain name. Here add any domains you like. Interface = add the vpn you added in step 1
I ended up making a long list of firewall rules to block specific sites IPv6 ranges, which worked until I hit cloudflare backed sites.
I’m really hoping UniFi start supporting IPv6 WireGuard soon.
{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}
Also, Imgur blocks many VPN IPs. I use Mullvad and I have not yet found a single Mullvad IP that can access Imgur.
Install the Wireguard packages, create a connection to your VPN of choice in a nearby country (I chose Sweden). Then I used the "vpn-policy-routing" package to route Imgur IPs (199.232.196.193 199.232.192.193) through the VPN.
Works for websites that keep nagging you for age verification too.
But seriously, it's been more emotional than I'd expected to get my cat memes back.
Also fastly-hosted services are a bit awkward to configure IP ranges to cover whole blocks as they seem to not use normal CIDR-blocks for different customers.
But you use PBR's nftset functionality to have your dns server automatically update a set whenever a DNS entry is resolved, then set the policy rules based on the set.
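The nftset approach, as an added example for a plain Linux router running dnsmasq and nftables (mine, not the OpenWrt PBR package the comment refers to and not the commenter's config): dnsmasq adds every A answer it hands out for the listed name to an nftables set, a mangle rule marks traffic to any member, and an ip rule sends marked packets to a routing table whose only route is the tunnel. Table, set, mark and routing-table number are my choices; it assumes dnsmasq 2.87+ built with nftset support and that table 100 already holds `default dev wg0`.

```shell
#!/bin/sh
# Added example: route traffic to whatever the listed domain *actually*
# resolves to, as answered to the clients, through the VPN. dnsmasq fills the
# set from its own answers, so CDN rotation is followed with no re-resolving
# script. Assumes nft, dnsmasq >= 2.87 with nftset support, and routing
# table 100 = "default dev wg0" (not shown).
set -eu
DOMAINS="imgur.com"   # dnsmasq matches subdomains too, so i./api./s. are covered
MARK=0x64

# nftables side: a set whose members expire unless re-learned (the next
# lookup a client makes after expiry re-adds them), and a prerouting mangle
# rule that marks packets destined to any member before the routing decision.
# "add table" + "delete table" first makes the definition idempotent.
nft_ruleset() {
  cat <<EOF
add table inet vpnroute
delete table inet vpnroute
table inet vpnroute {
  set v4 {
    type ipv4_addr
    flags timeout
    timeout 12h
  }
  chain pre {
    type filter hook prerouting priority mangle; policy accept;
    ip daddr @v4 meta mark set $MARK
  }
}
EOF
}

# dnsmasq side: "nftset=/<domain>/4#<family>#<table>#<set>" adds each IPv4
# answer for <domain> (and its subdomains) to the set when a client resolves it.
dnsmasq_conf() {
  for d in $DOMAINS; do
    echo "nftset=/$d/4#inet#vpnroute#v4"
  done
}

# Apply everything; run as root. The dnsmasq drop-in path and the restart
# command are assumptions about a Debian-style install.
apply() {
  nft_ruleset | nft -f -
  dnsmasq_conf > /etc/dnsmasq.d/vpnroute.conf
  ip rule add fwmark $MARK lookup 100 priority 100 2>/dev/null || true
  systemctl restart dnsmasq
}
```

Because CDN front-end addresses are shared between customers, anything else served from an address learned this way goes through the tunnel as well.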
I just set up a similar system (Debian LXC permanently connected to a VPN, nginx proxying imgur.com and all its subdomains with the rest being dropped), and it works quite well. Setting DNS records for imgur.com and {api,i,s}.imgur.com seems to be sufficient to get the site and inline images working (not 100% if all are needed - I haven't fully tested it yet).
This is true, and I learned to hate every bit of this fact. It taught me to despise hotlinking with passion.
All of those links are now down the drain, and you have to pray that someone not only backed up the specific image you're looking for, but that they did so in a discoverable way.
To anyone that wants to follow this article, it's more general guidance than an actual tutorial, there's a lot of holes to figure out.
It also doesn't work when directly accessing imgur, even if you add rules for the domain and the other subdomains they use, which is annoying.
I've thought about doing something similar as well! It drives me nuts this ban, everywhere I look I see these blocked images. I thought about making a chrome extension that proxies.
From Italy (no VPN) I've been getting «{"data":{"error":"Imgur is temporarily over capacity. Please try again later."},"success":false,"status":403}» for any imgur url for maybe a year
Also browsing Minecraft mods/shaders was my motivation ha.
Unless you vpn back to your house, but then again, now you are using double vpn!