The local ISP has blocked several sites. They run a transparent HTTP proxy, so even with alternate DNS servers, HTTP traffic to those sites is still intercepted. To get past this I chose to use a proxy located on a VPS I have elsewhere. However, not all traffic should be routed via the VPN, since that would slow things down, and the VPS bandwidth is not "unlimited" the way the local ISP's is.
[[ TODO CREATE AND INSERT IMAGE ]]
The router will connect to the VPS using OpenVPN in a site-to-site configuration. A dummy network will be set up on the VPS side to act as the other "site". A SOCKS proxy running on the VPS will listen for requests from clients at home coming through the tunnel. A proxy autoconfig (PAC) file will direct access to blocked sites, and only those, through the SOCKS proxy; other sites go through the ISP as usual. As a bonus, an extra SSID is added to the wireless router, and clients connecting to that SSID have all their traffic tunneled through the VPN automatically.
Actually I used the startssl.com certificates (client S/MIME and web server certs) for this, but readers may find the instructions in the OpenVPN howto less troublesome: https://openvpn.net/index.php/open-source/documentation/howto.html#pki
I installed OpenVPN from pkgsrc on a NetBSD VPS. Configuration follows. It routes 10.1.1.0/24 (the dummy "site"; the VPS's address in it is an alias added to the loopback interface) to the VPS, and tells the VPS that 192.168.1.0/24 (home network) and 172.16.0.0/24 (home "always VPN" SSID network) are reached through OpenVPN.
And the per-client config in clients/certificate-cn (the file is named after the CN of the router's certificate) says that this particular client handles the 192.168.1.0/24 and 172.16.0.0/24 networks:
On the router, OpenVPN is installed from opkg. There is probably a LuCI app to configure it, but I used the config files.
The `up` directive runs /etc/openvpn/up-vps.sh when the tunnel comes up, which is:
That is done so the default gateway for the "always VPN" SSID can point through the VPN (the VPS also has to forward and NAT 172.16.0.0/24 out to the internet for that to work; TODO document this more).
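The configs themselves are not reproduced on this page, so here is an added example of the three OpenVPN pieces described above (my own reconstruction from the text and the OpenVPN howto, not the page's files). Assumptions, all hypothetical: file paths, the 10.8.0.0/24 tunnel subnet, the VPS hostname vps.example, and the certificate names.

```conf
# --- server.conf on the NetBSD VPS (paths are assumptions) ---
port 1194
proto udp
dev tun
topology subnet
ca   ca.crt
cert vps.crt
key  vps.key
dh   dh2048.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0        # tunnel endpoint addresses (assumed subnet)
# Kernel routes on the VPS: the home networks are behind the tunnel interface
route 192.168.1.0 255.255.255.0
route 172.16.0.0  255.255.255.0
# Tell the router that the dummy "site" 10.1.1.0/24 (alias on lo0) is via the tunnel
push "route 10.1.1.0 255.255.255.0"
client-config-dir ccd
keepalive 10 60
persist-key
persist-tun
verb 3

# --- ccd/<CN of the router's certificate> on the VPS ---
# iroute tells OpenVPN *which* client the routes above belong to
iroute 192.168.1.0 255.255.255.0
iroute 172.16.0.0  255.255.255.0

# --- /etc/openvpn/client.conf on the OpenWRT router ---
client
dev tun
proto udp
remote vps.example 1194              # hypothetical hostname
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/router.crt
key  /etc/openvpn/router.key
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server               # refuse a peer presenting a client cert as the server
persist-key
persist-tun
script-security 2                    # required for the up script to be executed
up /etc/openvpn/up-vps.sh
verb 3
```

Both `route` (kernel route on the VPS) and `iroute` (in the ccd file) are needed: without the `iroute`, OpenVPN knows the kernel will hand it packets for 192.168.1.0/24 but not which client to deliver them to. `remote-cert-tls server` is the check worth keeping when the certificates come from a public CA such as StartSSL, since every S/MIME client cert is signed by the same CA as the server cert; it requires the server certificate to carry the TLS Web Server extended key usage, which a web server certificate does.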
The SOCKS proxy is nylon (http://monkey.org/~marius/pages/?page=nylon): download, compile, install. Make sure it listens only on the tunnel-side address (10.1.1.1 in the dummy network) or is firewalled off the VPS's public interface, and only accepts connections from 192.168.1.0/24 and 172.16.0.0/24; an unauthenticated SOCKS proxy reachable from the internet is an open proxy.
Startup rc.d script (taken from the FreeBSD port, I think; not sure anymore):
Luckily the ISP's DNS servers return a different address for blocked sites, one inside the ISP's own address space. Thus we can assume that any answer that lies within the ISP's network means the site is blocked. This only holds for clients that resolve through the ISP's DNS, which is what a PAC file's dnsResolve() does since it runs on the client, and sites genuinely hosted inside the ISP (your own home domain, CDN caches) will look "blocked" and need exemptions.
We can use OpenWRT's web server to serve PAC files. They are automatically served with the correct MIME type if saved with the extension .pac. The document root is /www (e.g. /www/proxy.pac = http://router.ip/proxy.pac).
The function itself is relatively clean, with just a couple of hacks to skip YouTube and the home domain (both legitimately resolve to ISP addresses). Apple's CFNetwork implementation is also detected and a more appropriate proxy string returned for it. PAC has an isInNet() function that is useful here; you can also match with a regex if that feels better, and one regex can match multiple disjoint ranges with the alternation operator. The IP ranges for your ISP can be obtained from APNIC's WHOIS (if in the Asia-Pacific region).
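The PAC file is not shown on this page, so here is an added example implementing the logic just described (my own code, not the page's proxy.pac). Hypothetical values: nylon listens on 10.1.1.1:1080 on the VPS end of the tunnel, the home domain is home.example, and 203.0.113.0/24 plus 198.51.100.0/24 stand in for the ISP's real APNIC ranges. The page's CFNetwork detection trick is not reproduced; a flag stands in for it. The shim at the bottom is only active outside a browser, so the same file can be copied to a .js file and exercised under node against a constructed DNS table.

```javascript
// proxy.pac: added example of the PAC logic the page describes, not the
// page's own file. Hypothetical values: SOCKS proxy at 10.1.1.1:1080 via
// the tunnel, home domain home.example, and 203.0.113.0/24 plus
// 198.51.100.0/24 standing in for the ISP's real address ranges.
var SOCKS_HOST = "10.1.1.1";
var SOCKS_PORT = "1080";
var HOME_DOMAIN = "home.example";
// Set by whatever CFNetwork detection the deployed file uses; the page's
// detection trick is not reproduced here, so this is a plain flag.
var IS_CFNETWORK = false;

// Regex alternative to isInNet(): several disjoint ranges via alternation.
var ISP_RANGE_RE = /^(203\.0\.113|198\.51\.100)\.\d{1,3}$/;

// Hosts that legitimately resolve inside ISP address space and must not be
// mistaken for blocked sites: the home domain (it really is on the ISP) and
// YouTube (assumed to be served from caches inside the ISP's network).
function isExempt(host) {
  return host === HOME_DOMAIN || dnsDomainIs(host, "." + HOME_DOMAIN) ||
         shExpMatch(host, "*.youtube.com") || shExpMatch(host, "*.ytimg.com");
}

// Chrome/Firefox understand the "SOCKS5" keyword; CFNetwork only accepts
// "SOCKS" (assumption), so Apple clients get the plain form, others get both.
function proxyString(cfnetwork) {
  var plain = "SOCKS " + SOCKS_HOST + ":" + SOCKS_PORT;
  return cfnetwork ? plain : "SOCKS5 " + SOCKS_HOST + ":" + SOCKS_PORT + "; " + plain;
}

// Either check works on its own; both are shown because the page offers both.
function inIspSpace(ip) {
  return isInNet(ip, "203.0.113.0", "255.255.255.0") ||
         isInNet(ip, "198.51.100.0", "255.255.255.0") ||
         ISP_RANGE_RE.test(ip);
}

function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || isExempt(host)) return "DIRECT";
  var ip = dnsResolve(host);           // uses the client's (i.e. ISP's) resolver
  if (!ip) return "DIRECT";            // unresolvable: let the browser fail as usual
  // The ISP resolver answers with one of its own addresses for a blocked
  // site, so "answer inside ISP space" means "blocked": go through the tunnel.
  return inIspSpace(ip) ? proxyString(IS_CFNETWORK) : "DIRECT";
}

// Outside a browser the PAC built-ins do not exist; these stand-ins, backed
// by a constructed answer table, let the file be tested under node.
if (typeof dnsResolve === "undefined") {
  var FAKE_DNS = {                          // constructed sample answers
    "blocked.example": "203.0.113.10",      // ISP sinkhole address: blocked
    "other-blocked.example": "198.51.100.7",
    "open.example": "192.0.2.44",           // outside ISP space: direct
    "www.youtube.com": "203.0.113.20",      // inside ISP space but exempt
    "nas.home.example": "203.0.113.99"      // home domain: exempt
  };
  var dnsResolve = function (h) { return FAKE_DNS[h] || null; };
  var isPlainHostName = function (h) { return h.indexOf(".") === -1; };
  var dnsDomainIs = function (h, d) {
    return h.length >= d.length && h.slice(h.length - d.length) === d;
  };
  var shExpMatch = function (s, exp) {
    var re = exp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(s);
  };
  var isInNet = function (ip, net, mask) {
    var toInt = function (a) {
      return a.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
    };
    return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
  };
}
```

Note that the decision is made with the client's own resolver: a machine pointed at a non-ISP DNS server gets the real address back, the PAC sees nothing in ISP space, and the site goes DIRECT straight into the ISP's transparent proxy. The exemption list is the other failure mode to watch; anything else the ISP hosts locally will be sent through the tunnel needlessly until it is added.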
Browsers can be configured to use the PAC file. Chrome follows the Windows system proxy settings for this. Since sometimes things don't work properly, keep another browser around for when the proxy has to be bypassed, e.g. Firefox with Proxy Selector. Only browsers that honour the PAC file are affected; anything else on the client still goes straight through the ISP.