GeoIP and wildcard domain routing rules in OpenVPN

It is not always necessary to route all traffic with OpenVPN. Is there any way to add some GeoIP rules (by country) in OpenVPN?

Second question: how to use a domain name wildcard in OpenVPN routing. This link helps with single-domain routing.

In summary, I am looking for something like Clash for OpenVPN, something that is able to keep specific targets (by domain name and GeoIP) out of the tunnel.

Example Rules in Clash:
- DOMAIN-SUFFIX,google.com,auto
- DOMAIN-KEYWORD,google,auto
- DOMAIN,google.com,auto
- DOMAIN-SUFFIX,ad.com,REJECT
- IP-CIDR,127.0.0.0/8,DIRECT
- SOURCE-IP-CIDR,192.168.1.201/32,DIRECT
- GEOIP,CN,DIRECT

Solution 1:

I want to say "you can't do that", but experience has taught me that it's better never to say never. So instead I'll adjust this: "I don't think you can do that, and here's why".

Routing is based on IP networks and gateways. So you could route traffic for a network such as 10.1.2.0/24 via your specific OpenVPN gateway, while leaving other traffic to use your default route. Or you could choose to do this the other way around, having most traffic sent across the VPN tunnel but with specific exclusions.

Domains, domain names, and host names usually map to IP addresses. In some cases they map to multiple IP addresses, and that's the problem here. You would have to create routes for every possible IP address related to a host name. Furthermore, you don't have any control over the mapping of host name to IP address, and it could change at any moment.

Right now for me here in the UK, google.com maps to 142.250.200.46. If I try again I get the different address 172.217.169.78, and yet a third time gets me 142.250.180.14. Each time I get only one address, so I cannot identify the full set of possible addresses for google.com.

I could set up routes for 142.250.200.46, 172.217.169.78 and 142.250.180.14 to catch requests for google.com, but I wouldn't be able to guarantee I'd got all the addresses for google.com, so I couldn't guarantee that all my google.com traffic was routed the way I would want it to be.

The Clash tool you referenced works in a slightly different way. It is a SOCKS proxy so it has control over the name/address lookup. So when an address is required for a name it can first check its table of names to determine special case handling. Only then will it determine the appropriate IP address.
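As an added example that is not part of the question or the answer above: the network-based split tunnelling the answer describes (route some prefixes via the VPN, or route everything via the VPN except some prefixes) is the one part of the Clash rule set that OpenVPN can express, and the GEOIP rule reduces to exactly that once a country is turned into a list of prefixes. The Python below turns such a list into OpenVPN `route` directives using the real OpenVPN gateway keywords `net_gateway` and `vpn_gateway`. The prefix list is constructed from RFC 5737 documentation ranges and stands in for a per-country export from a GeoIP database; the function names are mine.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample standing in for a per-country prefix list (the kind you would
# export from a GeoIP database such as a GeoLite2-Country CSV). These are RFC 5737
# documentation ranges, not the real allocation of any country.
SAMPLE_COUNTRY_CIDRS = [
    "203.0.113.0/25",
    "203.0.113.128/25",   # adjacent to the line above: merges into 203.0.113.0/24
    "198.51.100.0/24",
    "198.51.100.64/26",   # already inside the /24 above: dropped
    "198.51.100.0/24",    # exact duplicate: dropped
]


def collapse_prefixes(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge adjacent and overlapping IPv4 prefixes so the route table stays small.

    GeoIP exports are often thousands of lines; collapsing them first keeps the
    number of OpenVPN 'route' directives (and kernel routes) down.
    """
    nets = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        if net.version != 4:
            # OpenVPN's 'route' directive is IPv4-only; IPv6 needs 'route-ipv6',
            # which this generator deliberately does not handle.
            raise ValueError(f"IPv6 prefix not supported by this generator: {cidr}")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def openvpn_routes(cidrs: Iterable[str], gateway: str) -> List[str]:
    """Render one 'route <network> <netmask> <gateway>' line per collapsed prefix.

    gateway is one of OpenVPN's special gateway keywords:
      'net_gateway' - the pre-existing default gateway (keeps the prefix OFF the tunnel)
      'vpn_gateway' - the tunnel's remote endpoint (sends the prefix THROUGH the tunnel)
    """
    if gateway not in ("net_gateway", "vpn_gateway"):
        raise ValueError("gateway must be net_gateway or vpn_gateway")
    return [
        f"route {net.network_address} {net.netmask} {gateway}"
        for net in collapse_prefixes(cidrs)
    ]


def client_config_fragment(cidrs: Iterable[str], mode: str) -> str:
    """Build client-side directives for the two split-tunnel shapes the answer describes.

    mode='exclude': everything goes through the VPN (redirect-gateway def1 installs
                    0.0.0.0/1 and 128.0.0.0/1 via the tunnel) EXCEPT the listed
                    prefixes, whose more-specific routes point at the local gateway.
    mode='include': nothing goes through the VPN except the listed prefixes;
                    route-nopull discards any routes the server pushes.
    """
    if mode == "exclude":
        lines = ["redirect-gateway def1"] + openvpn_routes(cidrs, "net_gateway")
    elif mode == "include":
        lines = ["route-nopull"] + openvpn_routes(cidrs, "vpn_gateway")
    else:
        raise ValueError("mode must be 'exclude' or 'include'")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Append the output to the client .ovpn / .conf and reconnect.
    print(client_config_fragment(SAMPLE_COUNTRY_CIDRS, "exclude"))
```

After reconnecting, `ip route get 203.0.113.10` on Linux shows which interface won for a given address, which is the quickest way to confirm the more-specific `net_gateway` route beat the tunnel's `def1` halves. Two caveats: the list is a snapshot, so regenerate it whenever the GeoIP database is updated; and this only ever addresses the IP-CIDR and GEOIP style rules, not the domain rules, for the reason the answer gives. OpenVPN 2.3 and earlier also capped the number of `route` directives (the `max-routes` option, default 100), so a large country list needs OpenVPN 2.4 or newer, where that limit was removed.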