GL.iNet policy based routing via domains?

I've been trying to do this for the last few days and each time I thought it would work, it ended up causing me to lose internet. It's not as simple to fix it as just changing and deleting the domains. I'll have to delete all the tunnels so that the Beryl AX gets Internet working again.

What I want to do is that all the connected devices use the default tunnel with a VPN connected to New York. I'll create a secondary tunnel that will use a VPN connected to Tokyo. The TV’s Netflix app will be redirected to Tokyo while all of its other apps like HBO Max and Hulu will continue to connect to New York.

I put the netflix.com domain in the secondary tunnel, but it doesn't work. I know it's definitely a user error.

Can someone post instructions or screenshots on how to set this up?

Thank you!

I think your theory of adding the domains to the split tunnel is fine.

But here is the difficult part:

How sure are you the VPN works with Netflix and is not IP banned? It is super easy for Netflix to maintain VPN IP block lists.

Also be very careful with the DNS origin from the tunnel. Every DNS you have set up, i.e. DoH, will likely not follow inside the tunnel; this is so that WireGuard can resolve domain names as endpoints. The DNS field in WireGuard configs forces DNS inside the tunnel, and in the DNS setting in the GL UI you also have an option to use WireGuard DNS.

This DNS origin mismatch could leak your country, in which case Netflix blocks it.

Imho, I gave this up a long time ago simply because most of them use reverse proxies behind Cloudflare or Akamai; they have better VPN lists, which make it extremely hard.

And you also have to know how to ensure things like DNS; you likely have to flush DNS a lot of times or stop all sockets, especially with SSL, and in Chromium browsers use: chrome://net-internals#dns
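The DNS-origin point above is easy to get wrong in a WireGuard client config, so here is an added checker (example code, not from the poster, GL.iNet, or WireGuard). It parses a wg-quick style config and reports the three pitfalls the reply describes: an Endpoint given as a hostname (resolved by the system resolver before the tunnel exists), no DNS= line (queries keep using whatever resolver the router already has, e.g. DoH, outside the tunnel), and a DNS server that AllowedIPs does not cover (queries leave the tunnel even though DNS= is set). The three configs are constructed samples with placeholder keys.

```python
"""Flag DNS-origin pitfalls in a wg-quick style WireGuard client config.

Added example; not code from the forum post, GL.iNet firmware or WireGuard.
The sample configs below are constructed for illustration (keys redacted,
addresses from documentation ranges).
"""
import ipaddress

WEAK_CONFIG = """\
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32

[Peer]
PublicKey = <redacted>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0
"""

SPLIT_CONFIG = """\
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <redacted>
Endpoint = 203.0.113.10:51820
AllowedIPs = 10.8.0.0/24, 192.0.2.0/24
"""

FIXED_CONFIG = """\
[Interface]
PrivateKey = <redacted>
Address = 10.8.0.2/32
DNS = 10.8.0.1

[Peer]
PublicKey = <redacted>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
"""


def parse_wg(text):
    """Minimal parser: {"Interface": {key: [values]}, "Peer": [{key: [values]}, ...]}.

    Keys such as AllowedIPs and DNS may repeat or carry comma-separated lists,
    so every key maps to a list of values.
    """
    sections = {"Interface": {}, "Peer": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            if name == "Peer":
                current = {}
                sections["Peer"].append(current)
            elif name == "Interface":
                current = sections["Interface"]
            else:
                raise ValueError(f"unknown section [{name}]")
            continue
        if current is None:
            raise ValueError("key/value before any section header")
        key, _, value = line.partition("=")
        values = [v.strip() for v in value.split(",") if v.strip()]
        current.setdefault(key.strip(), []).extend(values)
    return sections


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))  # allow "[v6]" endpoint syntax
        return True
    except ValueError:
        return False


def endpoint_host(endpoint):
    """Strip the ":port" suffix from "host:port" or "[v6addr]:port"."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def dns_findings(cfg):
    """Return human-readable findings; an empty list means DNS stays in-tunnel."""
    findings = []
    dns_servers = cfg["Interface"].get("DNS", [])
    allowed = [ipaddress.ip_network(a, strict=False)
               for peer in cfg["Peer"] for a in peer.get("AllowedIPs", [])]
    for peer in cfg["Peer"]:
        for ep in peer.get("Endpoint", []):
            if not is_ip_literal(endpoint_host(ep)):
                findings.append(f"Endpoint {ep} is a hostname: it is resolved "
                                "by the system resolver before the tunnel is up")
    if not dns_servers:
        findings.append("no DNS= line: queries keep using the system resolver "
                        "(e.g. DoH configured on the router), outside the tunnel")
    for server in dns_servers:
        if not is_ip_literal(server):
            continue  # wg-quick also accepts search domains in DNS=
        addr = ipaddress.ip_address(server)
        if not any(addr in net for net in allowed):
            findings.append(f"DNS server {server} is not covered by AllowedIPs, "
                            "so queries leave the tunnel")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("split", SPLIT_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, dns_findings(parse_wg(text)) or ["ok"])
```

The parser is deliberately tiny (no escaping, no PreUp/PostUp handling) because the point is the three checks; run it against a redacted copy of a real config before trusting a per-domain tunnel not to leak resolver origin.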

It was just an example and probably a bad one because of your response. There are plenty of sites including my bank and ISP that don't tolerate VPNs or only seem to work with an IP from my country. I want to route those specific domains to the appropriate tunnel, including one with no VPN at all.

Ah, then I'm not sure if it is possible with the newer GL VPN dashboard.

Like:

vpn 1: split multiple domains only to include in domain policies.

vpn 2: exclude ip policy

I believe they still have the same policies on all vpn clients?

If it doesn't, you can better use stangri's excellent luci-app-pbr.


What do you mean? I see the ability to add domains. I know I'm doing something wrong because I lose Internet when using 3-4 tunnels with my configuration.

Is there a way you could show the configuration?

Can you show the contents of:

/etc/config/network
/etc/config/wireguard < edited typo
/etc/config/dhcp

Please discard all keys, mac addresses and other sensitive information.

Use markup:
```
//text
```

My suspicion is that you are using a local DNS?

But the VPN options block it; you want to enable access to LAN.

Otherwise you will not have DNS resolution because it is blocked.

I already deleted it and started over. Why don't you tell me how you would configure it with the GL.iNet GUI? Have you done this before?

Can we try to make progress on the matter and not debate whether the VPN is blocked or not? I don't want to talk about that anymore. It was a mistake using Netflix as an example. The point isn't whether Netflix is blocking the IP or not.

Hi

Netflix TV app has a built-in DNS server, including the DoH and DoT.
So maybe the only way to make it work with VPN is to forward all traffic from TV through the VPN tunnel.

But if Netflix is just one example, similar scenarios can be achieved through the multiple VPN instances supported by firmware 4.8.x:

The key point is that smaller domain/IP lists should be given higher priority (i.e., placed at the top of the list).

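To make the priority advice concrete, here is an added simulation of ordered policies (example code, not GL.iNet firmware). It assumes the dashboard evaluates policies top-down and the first match wins, which is what "smaller lists at the top" implies; the tunnel names, domain lists and client identifiers are constructed placeholders loosely modelled on the setup described in this thread (a small Hong Kong list, a no-VPN list, and a catch-all tunnel that excludes two devices).

```python
"""Simulate first-match evaluation of domain/client VPN policies.

Added example, not GL.iNet code. Assumes top-down, first-match-wins
evaluation. Tunnel names, domain lists and client IDs are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str                                  # exit label: tunnel name or "DIRECT"
    domains: frozenset = frozenset()           # empty = all targets
    clients: frozenset = frozenset()           # empty = all clients
    exclude_clients: frozenset = frozenset()   # clients this policy never applies to


def domain_matches(domain, patterns):
    """A listed domain covers itself and its subdomains (www.example.test)."""
    domain = domain.lower().rstrip(".")
    return any(domain == p or domain.endswith("." + p) for p in patterns)


def matches(policy, client, domain):
    if policy.clients and client not in policy.clients:
        return False
    if client in policy.exclude_clients:
        return False
    if policy.domains and not domain_matches(domain, policy.domains):
        return False
    return True


def route(policies, client, domain, default="DIRECT"):
    """Exit chosen for one client/domain pair under first-match evaluation.

    `default` is an assumption: unmatched traffic is sent to the WAN directly.
    """
    for policy in policies:
        if matches(policy, client, domain):
            return policy.name
    return default


def shadowed_by_catch_all(policies):
    """Names of domain-list policies placed after an all-targets/all-clients policy.

    For any client not excluded from the catch-all, those later policies can
    never be reached, which is the symptom of 'everything goes to one tunnel'.
    """
    shadowed, catch_all_seen = [], False
    for policy in policies:
        if catch_all_seen and policy.domains:
            shadowed.append(policy.name)
        if not policy.domains and not policy.clients:
            catch_all_seen = True
    return shadowed


# Constructed policies (placeholders, not the thread's real lists).
HK = Policy("HK", domains=frozenset({"example-hk.test", "ip.me"}))
DIRECT = Policy("DIRECT", domains=frozenset({"bank.test", "isp.test"}))
VANCOUVER = Policy("Vancouver",
                   exclude_clients=frozenset({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}))

GOOD_ORDER = [HK, DIRECT, VANCOUVER]   # small lists first, catch-all last
BAD_ORDER = [VANCOUVER, HK, DIRECT]    # catch-all first swallows everything


def audit(policies, cases):
    """Map (client, domain) pairs to the exit each would get under `policies`."""
    return {case: route(policies, *case) for case in cases}


if __name__ == "__main__":
    cases = [("tv", "www.ip.me"), ("tv", "bank.test"), ("tv", "video.example.test"),
             ("aa:bb:cc:dd:ee:01", "video.example.test")]
    for label, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, audit(order, cases), "shadowed:", shadowed_by_catch_all(order))
```

With the catch-all on top, a client visiting a listed domain still lands on the catch-all tunnel, which matches the later report in this thread of every tunnel showing the same egress IP; `shadowed_by_catch_all` is the quick check to run over the dashboard's order before testing with an IP-lookup site.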

Thanks @will.qiu. What do you mean by built-in DNS server?

Are you saying it'll override and ignore DNS settings from the router?

What about the YouTube app on the TV in addition to YouTube TV (US-only)?

For TVs and streaming boxes, should I just put the entire device behind the VPN instead of routing by domains?

I regret using Netflix as an example because of the conversation that unfolded. We all know NF doesn't like VPNs and proxies. I wanted to have a conversation about domain routing and whether I could implement it.

With regard to your example, thanks again for the template to get me started. I should have used examples like maybe T-Mobile, Verizon, McDonald’s (app), Chase, Citibank, or Bank of America. I'll use your screenshot as the basis to test things out and see whether I can get things to be stable and reliable.

One last thing for now and that is how I should set up a tunnel that doesn't use a VPN?

I'm thinking domain routing will be more effective and easier to manage than specifying devices. What do you think? On the desktop or mobile browsers, is domain routing for YouTube or Netflix easy to implement or are there lots of other domains and IP addresses to consider? If so, what is it?

@will.qiu @bruce

I'm definitely doing something wrong because this isn't working. Excuse the naming of the tunnels as I was moving and playing around with the priority of the tunnels. The difference between my configuration and the one from @will.qiu is that I specify “all clients” instead of a specific client. I set four domains that should all be directed to use a Hong Kong VPN and four domains that shouldn't use a VPN. It seems like only the four domains not using a VPN are working while the previous four domains aren't being directed to Hong Kong. What am I doing wrong? I even added “IP.me” to the Hong Kong tunnel, but it showed my current IP and geographic location.

@will.qiu @bruce

I can't seem to get the screenshots in order, but I think you'll know by looking at them which order the tunnels are actually in.

There are lots of questions spanning three posts and I’m hoping you guys can lead me to a resolution as I've tried every single possible combination I can think of and nothing works to my satisfaction.

As you can see in the first screenshot, I want all clients to use the Hong Kong VPN if they connect to 5 specific addresses. There are also 17 certain addresses that I don't want to use any VPN since they don't play nicely with VPNs. So these addresses (mainly banks and telecommunications) will directly connect to the internet.

For the third tunnel, I want all but two devices to connect to a VPN in Vancouver. “All targets” is selected under “to”. Given what you said about priority, I put tunnel 1 first since it has a smaller domain list, followed by tunnel 2. My understanding of how this should work is that the 22 specified addresses will either connect to a Hong Kong VPN or not use a VPN. Any other traffic except for two devices will be directed to the Vancouver VPN. Yet, it doesn't work. Currently, it seems like all traffic is routed to the non-VPN tunnel.

For tunnels 4 and 5, I named them Tokyo and Singapore and specified the devices that will use those tunnels. “All targets” is selected and I can confirm this does work.

Very frustrating and I'm hoping someone here can help me get this to work.

I think it'd be easier to put aside all the domains you want to route & use:

Confirm the tunnels hit with an expected IP before stacking on lists.


That's a great idea! Is it necessary to even remove my list when I can just add the IP checking site to each tunnel and then check?

Technically it shouldn't matter, but it's easier to scan the screen/'VPN Dashboard' when testing/checking results. I'd cut and paste 'em into your preferred text editor/note app, but that's just me. 'Visual noise' & all that.


I just did what you suggested. I cleared the address list. I put in a different IP identifying site for the first two tunnels. I was stunned that both returned the same IP as tunnel 3! When I disabled tunnel 3 to see what happened, I lost internet. Clearly, there is something wrong. Either it's a user error or there is something wrong with the firmware.

IDK how you can do this all on a phone. Your tablet should have a portrait mode, no? Post a screenshot of the VPN Dashboard using that. Let's see the whole setup.

Seems self-explanatory and screenshots look similar to the one @will.qiu posted. I did exactly what you suggested. Not sure why I need to show a screenshot from the computer.

If you are currently using AdGuard Home and have the option “AdGuard Home processing client requests” enabled, please disable it.
When this option is enabled, domain-based VPN policies will not take effect.


Oh, I see. I'll give it a try and see what happens. If I disable it, what are the implications for my DNS settings inside AGH?