Split Tunneling based on domain name possible?

David Woodhouse dwmw2 at infradead.org
Tue Jun 6 01:14:48 PDT 2023


On Tue, 2023-06-06 at 10:09 +0200, Michael Herzhauser wrote:
> Hello,
>
> I've set up Ocserv in my corporate network with split tunneling and it's
> working well so far.
> However, some of my colleagues in home office need to connect to some cloud
> servers of our customers, which implement IP whitelisting to our company's
> public IP. Due to split tunneling, requests to these cloud servers are not
> routed via VPN but the normal internet connection and the connection gets
> blocked.
>
> Therefore I'd like to add a route based on the domain name of these servers
> (public IPs of these servers are dynamically assigned and change
> frequently), but didn't find any information about that. All the examples
> in the config file only use IP addresses.
>
> Is it even possible? And if so, any info on syntax (e.g. wildcards for
> subdomains) would be great to have.
> Otherwise I'd have to convert to "tunnel all", which I'm trying to avoid.

I think we did have something like this implemented on the client side
in ConnMan once. It would monitor the DNS lookups and automatically add
routes to the target IP address.

Probably easier to do it with a proxy PAC file though, and set the
relevant domains to use a proxy within your corporate network.
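
The PAC-file approach suggested above, as an added example that is not part of the original message or of the OpenConnect/ocserv projects. The domain names, the proxy host `proxy.corp.example:3128` and the helper `hostInDomain` are constructed placeholders; the proxy is assumed to sit on a network that the split-tunnel routes already cover.

```javascript
// Constructed example PAC file. Hostnames and proxy address are placeholders.
// Domains whose traffic must leave from the company's public IP.
var VIA_CORPORATE_PROXY = [
  "customer-cloud.example",       // the host itself and all its subdomains
  "api.other-customer.example"
];

// Proxy reachable only over the VPN (inside a split-tunnel route).
var CORPORATE_PROXY = "PROXY proxy.corp.example:3128";

// True if host equals domain or is a subdomain of it. Matching on a label
// boundary keeps "notcustomer-cloud.example" from matching.
function hostInDomain(host, domain) {
  host = host.toLowerCase().replace(/\.$/, "");   // drop a trailing root dot
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.length > domain.length &&
         host.slice(-(domain.length + 1)) === "." + domain;
}

// Entry point the browser or OS calls for every request.
function FindProxyForURL(url, host) {
  for (var i = 0; i < VIA_CORPORATE_PROXY.length; i++) {
    if (hostInDomain(host, VIA_CORPORATE_PROXY[i])) {
      // No "; DIRECT" fallback: if the VPN is down the request fails
      // instead of silently going out from the home IP.
      return CORPORATE_PROXY;
    }
  }
  return "DIRECT";
}
```

Because the match is on the hostname, the customers' changing IP addresses never need to appear in the ocserv route list.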




More information about the openconnect-devel mailing list