Block websites for my VPN users

The way I would solve such a problem is to adjust the strongSwan VPN exit node with a transparent proxy:

https://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

You will, however, either need to allow HTTPS to bypass the proxy or set up SSL interception (which is quite difficult and needs access to your clients' PCs).

Another way to solve the problem is to introduce your own DNS that will point your users to your own IP address for domain names that are blacklisted. This of course means that you are running DHCP and nobody is smart enough to use a custom DNS or DNS over HTTPS.


This has nothing to do with VPN and everything to do with proxy software.

What you're looking for is a transparent intercepting proxy. Unless you can push a new CA certificate to your client machines, you're most likely looking for Squid's peek-and-splice mode to inspect the ClientHello of TLS connections.

Note that this isn't perfect: domain fronting will bypass it, and so will using another proxy that isn't blacklisted, but it's the best you can do with those constraints.