Two VPN connections, one for all traffic and the other for specific domains. Possible?
Hi,
I have a Firewalla Gold in router mode. Love it.
I have a question that hopefully someone more knowledgeable can help me with.
If I set up two client WireGuard VPN connections (A and B), can I have all traffic go through A (default) while specific domains go over B?
I want to also maintain my Unbound DNS over a specific VPN (C) if possible. Or any other suggestion if the DNS part is not achievable.
I tried using Routes > Internet, but it seems that everything got routed over a certain VPN.
Thank you for any suggestions or clarifications.
-
Can I have all traffic go through A (default) while specific domains go over B?
Yes! You can route specific domains, IPs, Regions, etc. over a particular VPN.
See Force DNS over VPN https://help.firewalla.com/hc/en-us/articles/360023379953-VPN-Client
-
Thank you for your reply.
Yes, I've referred to that page a few times before. My problem is that if I try the following it won't work:
I created VPN A and VPN B (clients on my FWG).
On the app I go to VPN client > VPN A, and I choose the LAN (LAN 1 in my case) to cover all the devices.
(This will be the default traffic route for all devices. It works and all devices will route via VPN A.) Now I want some exceptions (certain domains) for all devices to go over a different VPN (B).
On the app I go to Routes and I add a domain (say ipinfo.io) and then under select a device I choose "all devices". And for interface I choose VPN B. (This won't work, ipinfo.io will still go over VPN A). I've also tried LAN 1, same.
It'll only work if I choose a single device for ipinfo.io domain.
-
It sounds like you have one rule at the LAN level and another one at the global level, and you are expecting the global rule to override the LAN level rule. That doesn't work, as LAN level rules take precedence.
Either create your routing rule at the LAN 1 level, or change VPN A to apply to all devices.
Also, note that you can define the VPN to not apply to any devices, and just routes to handle all the routing to the VPN clients. That might make things simpler, because then all the rules are in one place.
-
@David is right.
The priority list for device scope is Device > Group > Network > Global(All devices).
- When there is conflict, device/group rules will take precedence over Network rules.
- When there is conflict, Network rules will take precedence over Global rules.
For targets, the priority list is IP/Port > CIDR > Domain > Target List/Category > Region > Internet.
-
@David
You nailed it! Once I made both work on the LAN level it behaved as I want it to. Didn't try that before because I want to exclude some devices (servers). I guess I'll move them to their own LAN for better control.
This router never ceases to amaze. Love it. I will pay more attention to the precedence of the rules in the future :) Thanks a lot.
@Michael
Thank you so much for summarizing it this way. I've copied/pasted this to my password manager's Firewalla notes for future reference :)
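As an added illustration of the precedence summarized in this thread (not code from the thread or from Firewalla), this small Python model replays the original poster's two setups: the rule fields, the device names, the 192.0.2.10 address and the assumption that scope is compared before target specificity are mine.

```python
# Added example, not Firewalla's code: a toy model of the precedence described in
# this thread. Comparing scope before target is my assumption from the replies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
SCOPE_RANK = {"device": 0, "group": 1, "network": 2, "global": 3}
TARGET_RANK = {"ip": 0, "cidr": 1, "domain": 2, "internet": 3}  # category/region omitted

@dataclass(frozen=True)
class Rule:
    scope: str         # device | group | network | global
    scope_value: str   # device/group/network name, "" for global
    target: str        # ip | cidr | domain | internet
    target_value: str  # "" for internet
    interface: str     # e.g. "VPN A"

@dataclass(frozen=True)
class Flow:
    device: str
    group: str
    network: str
    dst_ip: str
    dst_domain: str

def scope_matches(rule: Rule, flow: Flow) -> bool:
    return rule.scope == "global" or getattr(flow, rule.scope) == rule.scope_value

def target_matches(rule: Rule, flow: Flow) -> bool:
    if rule.target == "internet":
        return True
    if rule.target == "ip":
        return flow.dst_ip == rule.target_value
    if rule.target == "cidr":
        return ip_address(flow.dst_ip) in ip_network(rule.target_value)
    if rule.target == "domain":  # exact name or any subdomain of it
        d = flow.dst_domain
        return d == rule.target_value or d.endswith("." + rule.target_value)
    raise ValueError(f"unknown target type {rule.target}")

def resolve(rules, flow: Flow):
    """Interface of the winning rule (narrowest scope, then most specific target); None = no match."""
    hits = [r for r in rules if scope_matches(r, flow) and target_matches(r, flow)]
    if not hits:
        return None
    return min(hits, key=lambda r: (SCOPE_RANK[r.scope], TARGET_RANK[r.target])).interface

LAN_DEFAULT = Rule("network", "LAN 1", "internet", "", "VPN A")  # VPN A chosen for LAN 1 in the app
ORIGINAL = [LAN_DEFAULT, Rule("global", "", "domain", "ipinfo.io", "VPN B")]  # route at "all devices"
FIXED = [LAN_DEFAULT, Rule("network", "LAN 1", "domain", "ipinfo.io", "VPN B")]  # route at LAN 1
LAPTOP = Flow("laptop", "", "LAN 1", "192.0.2.10", "ipinfo.io")  # constructed; TEST-NET address
```

With ORIGINAL the LAN-level rule wins and ipinfo.io goes over VPN A; with FIXED both rules share the LAN 1 scope, so the more specific domain target wins and it goes over VPN B, matching what the thread reports.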