In some countries, access to certain resources is restricted. In this article, we'll look at a way to proxy only selected traffic through OpenVPN, so that the download speed of other resources is not reduced. Prerequisites:
- Nginx
- Debian 9
- UFW
- Configured server to proxy all traffic
Step 1. Create a new config file
You can make a copy of the configuration we created in the previous article:
cd /etc/openvpn/
cp server.conf server2.conf
Then open the newly created config:
nano server2.conf
Edit the following lines and change the highlighted parts in /etc/openvpn/server2.conf:
port 1195
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
client-config-dir ccd2
status logs/openvpn-status2.log
log logs/openvpn2.log
So the final version of the file /etc/openvpn/server2.conf should look like this:
port 1195
proto tcp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/server.crt
key /etc/openvpn/server/server.key # This file should be kept secret
dh /etc/openvpn/server/dh4096.pem
server 10.10.0.0 255.255.255.0
ifconfig-pool-persist ipp2.txt
client-config-dir ccd2
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
keepalive 300 900
tls-auth /etc/openvpn/server/ta.key 0 # This file is secret
cipher AES-256-CBC
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status logs/openvpn-status2.log
log logs/openvpn2.log
verb 3
As you can see, we added a new line, client-config-dir ccd2. That will help us apply newly added hosts without disconnecting active clients. So next we should create the ccd2 folder in our directory /etc/openvpn/:
mkdir ccd2
And create a new file with the IPs to proxy via our OpenVPN:
nano ccd2/DEFAULT
You can find the file content in the attached .txt file.
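The attached .txt file is not reproduced here. What goes into ccd2/DEFAULT is a list of push "route ..." lines: because server2.conf above does not push a redirect-gateway, the client keeps its normal default route and only the networks pushed from this file are sent through the tunnel (DEFAULT applies to every client that has no file of its own named after its certificate CN in ccd2). The following POSIX shell script is an added example, not code from the article or the OpenVPN project: it turns a list of networks in CIDR notation into the dotted-netmask form the OpenVPN route directive expects and prints the DEFAULT file body. The sample networks are RFC 5737 documentation ranges constructed for the demo; the input file name networks.txt is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: build ccd2/DEFAULT so that
# only the listed networks are pushed as routes through the tunnel.
# The networks used in the demo are constructed sample data (RFC 5737
# ranges); replace them with the addresses you actually want via the VPN.
set -eu

# Convert a prefix length (0-32) into the dotted-quad netmask that the
# OpenVPN "route" directive expects (e.g. 24 -> 255.255.255.0).
cidr_to_mask() {
    bits=$1
    mask=""
    if [ "$bits" -lt 0 ] || [ "$bits" -gt 32 ]; then
        echo "invalid prefix length: $bits" >&2
        return 1
    fi
    for _octet in 1 2 3 4; do
        if [ "$bits" -ge 8 ]; then
            ones=255
        elif [ "$bits" -le 0 ]; then
            ones=0
        else
            ones=$(( 256 - (1 << (8 - bits)) ))
        fi
        mask="${mask}${mask:+.}${ones}"
        bits=$(( bits - 8 ))
    done
    echo "$mask"
}

# Turn "network/prefix" (or a bare host address, treated as /32) into one
# push "route ..." line for the client-config-dir file.
route_line() {
    net=${1%/*}
    bits_in=32
    case $1 in */*) bits_in=${1#*/} ;; esac
    printf 'push "route %s %s"\n' "$net" "$(cidr_to_mask "$bits_in")"
}

# Read networks from stdin (one per line; '#' comments and blank lines are
# ignored) and print the DEFAULT file body.
build_ccd_default() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -n "$line" ] || continue
        route_line "$line"
    done
}

# Demo with constructed sample networks. For real use (assumed file name):
#   build_ccd_default < networks.txt > /etc/openvpn/ccd2/DEFAULT
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' \
        '198.51.100.0/24   # constructed sample network' \
        '203.0.113.7       # single host, becomes /32' \
        | build_ccd_default
fi
```

Run it with `--demo` to see the two generated lines. Keep the list as short as the task requires: every network pushed here is routed through the VPN server, so an overly broad entry quietly turns the "restricted" profile back into a full tunnel.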
Step 2. Firewall configuration
You need to allow the new port through UFW:
ufw allow 1195/tcp
Then open the before.rules file:
nano /etc/ufw/before.rules
And add a new line with the subnet of your server2.conf file:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to eth0
-A POSTROUTING -s 10.8.0.0/8 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/8 -o eth0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
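Each OpenVPN instance needs a MASQUERADE rule whose source matches its server directive, and it is easy to forget one when adding a third or fourth instance. The following POSIX shell script is an added example, not from the article or the OpenVPN or ufw projects: it reads the server line of every *.conf, converts the dotted netmask to a prefix length, and reports any subnet without an exact-match MASQUERADE rule in before.rules. The check is deliberately exact: a /8 source such as the ones above already covers every 10.x.x.x address (so it works, but it also NATs far more than the /24 the server directive defines), and an exact check flags that so you can tighten the rule to the instance's own mask. The sample configs and rules file are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: verify that every OpenVPN
# server subnet has a matching MASQUERADE rule in a ufw before.rules file.
# The sample files are constructed for the demo; for real use point the
# functions at /etc/openvpn and /etc/ufw/before.rules.
set -eu

# 255.255.255.0 -> 24 : count the set bits of each octet.
mask_to_prefix() {
    total=0
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        n=$octet
        while [ "$n" -gt 0 ]; do
            total=$(( total + (n & 1) ))
            n=$(( n >> 1 ))
        done
    done
    echo "$total"
}

# Print "network/prefix" for the 'server' directive of one OpenVPN config;
# return 1 if the file has no server line.
server_subnet() {
    set -- $(awk '$1 == "server" { print $2, $3; exit }' "$1")
    [ $# -eq 2 ] || return 1
    echo "$1/$(mask_to_prefix "$2")"
}

# Return 0 if before.rules ($1) has a POSTROUTING rule whose -s is exactly
# the given network/prefix ($2). Fixed-string match, so /8 != /24.
has_nat_rule() {
    grep -Fq -- "-A POSTROUTING -s $2 -o" "$1"
}

# Check every *.conf in a directory ($1) against before.rules ($2).
# Prints one line per instance; returns 1 if any subnet is uncovered.
check_nat_coverage() {
    missing=0
    for conf in "$1"/*.conf; do
        subnet=$(server_subnet "$conf" 2>/dev/null) || continue
        if has_nat_rule "$2" "$subnet"; then
            echo "ok      $subnet ($conf)"
        else
            echo "MISSING $subnet ($conf): no exact MASQUERADE rule"
            missing=$(( missing + 1 ))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed demo data: two instances, but a rule for only the first.
make_demo_files() {
    dir=$(mktemp -d)
    printf 'server 10.8.0.0 255.255.255.0\n' > "$dir/server.conf"
    printf 'server 10.10.0.0 255.255.255.0\n' > "$dir/server2.conf"
    printf '%s\n' '*nat' ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE' \
        'COMMIT' > "$dir/before.rules"
    echo "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_files)
    check_nat_coverage "$demo" "$demo/before.rules" || true
    rm -rf "$demo"
fi
```

With `--demo` the script reports server.conf as covered and server2.conf as MISSING; appending the 10.10.0.0/24 rule to the constructed before.rules makes the check pass. Note that ufw only re-reads before.rules on enable or reload, so run the check before reloading rather than after.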
Apply the new settings with the following command and press y when prompted:
ufw enable
Start and enable our new instance:
systemctl start openvpn@server2
systemctl enable openvpn@server2
Now you can control your OpenVPN instances separately:
systemctl status openvpn@server
systemctl status openvpn@server2
Step 3. Create client config file
Copy the previously created reheda-all.ovpn file and change the port to 1195.
cp /etc/openvpn/client/reheda-all.ovpn /etc/openvpn/client/reheda-restricted.ovpn
So our new file reheda-restricted.ovpn should look like this:
client
dev tun
proto tcp
remote vpn.reheda.pro 1195
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1 # For tls-auth
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>
And finally, you can configure your client app with the newly created .ovpn file to proxy only the specific traffic we listed above.