Synclias Overview
What is it?
Synclias is a best-effort tool to route specific websites over a VPN for OPNsense routers.
With the changes happening on the internet, it’s common to need a VPN for some things, but it’s not ideal to route everything over it. Turning it on and off can be a pain, using separate browsers for different things isn’t ideal, a VPN has a speed impact, and setting up clients on all devices can be a lot of overhead.
It would be much easier if your router could automatically take care of it for you and just send some sites over the VPN and leave the rest of the traffic alone.
You configure a VPN on OPNsense and tell Synclias some websites. It discovers all the links, adjusts the firewall to route them over a VPN, and then sets up a schedule to repeat the process daily etc.
For the techy people already saying “That doesn’t work” - I get it and I’m not disagreeing with you. I know enough about DNS and routing to know that, and I’ve got a page for you.
For everyone else:
What does “best effort” mean?
Websites move about, they change IP address every so often, some quickly, some very, very slowly.
At any time, www.<website>.com will point to an IP address (or multiple).
Synclias will scan a website, work out its IPs (and IPs for any subdomains etc) and automatically update your router to send them over the VPN. It repeats on a schedule you set, re-scanning and updating the list for you.
There are things we can do to monitor that and adjust, but there are a few scenarios where a site moves and we’re not up to date. If that happens, you’ll fall back to a connection in your country, at which point you can force a re-sync or turn on a VPN client.
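The scan-and-compare step described above, as an added example (not Synclias’s own code): it diffs a fresh DNS scan against the router’s current IP list to show which addresses would “miss” until the next sync. The function names, the local-address filter and the sample data are assumptions made for illustration.

```python
import ipaddress
import socket

# Address space that should never be placed in a "route over VPN" list
# (assumed policy for this example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def resolve(host):
    """Live A/AAAA lookup through the system resolver (unused by the demo)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def plan_sync(resolved, alias_entries):
    """Diff a fresh scan against the router's current IP list.

    resolved: hostname -> list of IP strings from the new scan.
    alias_entries: plain IP strings currently on the router (assumed format).
    Returns (missing, stale, rejected).
    """
    wanted, rejected = {}, []
    for host, answers in resolved.items():
        for text in answers:
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                rejected.append((host, text))      # not an IP at all
                continue
            if any(ip in net for net in LOCAL_NETS):
                rejected.append((host, text))      # answer points at local space
                continue
            wanted.setdefault(str(ip), set()).add(host)
    current = {str(ipaddress.ip_address(e)) for e in alias_entries}
    # missing: the site uses these now, but the router does not route them
    # over the VPN yet, so traffic to them leaves on the normal connection.
    missing = {ip: sorted(h) for ip, h in wanted.items() if ip not in current}
    # stale: still routed over the VPN although no scanned site resolves to them.
    stale = sorted(current - set(wanted))
    return missing, stale, sorted(rejected)

# Constructed sample data (documentation address ranges, not real sites).
SAMPLE_SCAN = {
    "www.example.com": ["203.0.113.10", "203.0.113.11"],
    "img.example.com": ["198.51.100.7", "192.168.1.1", "not-an-ip"],
}
SAMPLE_ALIAS = ["203.0.113.10", "198.51.100.99"]

if __name__ == "__main__":
    print(plan_sync(SAMPLE_SCAN, SAMPLE_ALIAS))
```

The `missing` result is the window in which traffic falls back to the normal connection; the shorter the sync interval, the shorter that window.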
This all sounds a bit too good to be true
There’s a reason this could never be a business and isn’t part of some routers - “Best Effort”. It works most of the time (like 99% for most sites), but there will be misses. Every site is different: some will “miss” for one reason or another once a month, others will work fine for a year, then have a day when they miss, followed by another year of working fine.
When a site does change IP address, you might end up at your country’s version of the site until the next sync.
Do I need to change any settings on my PC/Phone?
No. I hate having to remember to apply some tweak/setting to a device. Client devices won’t need any configuration, just the router. There’s also an extra, optional feature for some DNS servers.
There are rules and specifications for how IP addresses change, and nothing Synclias does is outside of those specs.
What happens when it doesn’t work?
You’ll end up on the version of the site for your country. If it did work before and doesn’t now, you can either wait for the next sync to happen, or trigger it yourself, but generally these times are rare. Again, it depends on the site.
So how useful is it?
It started as a python script on a Raspberry Pi and actually worked so well I wanted to make it usable for people I know, so here we are. I genuinely wasn’t expecting that, and I needed to make it easy enough to use so that people don’t have to tell me their browsing habits if they need support.
It won’t work for all sites; don’t use it to route Google or your bank etc. (but the point of Synclias is that you don’t have to). I use it to sync the route for an image hosting website to the UK so forums I use work. It also works for most of those sites…
And because the work’s done by the router, every device on your network works, if you want it to.
Everyone has different use cases. For some people it’ll work perfectly; others will want sites that just won’t work.
Of the three devices I use daily - laptop, computer and phone, I’ve never had to use a VPN on my computer or phone, it’s always got there first.
Does this replace my VPN client?
No. Since we’re aiming at Best Effort here, most sites will work fine with it, but you’ll probably still find there are some things that need a VPN. The goal is to reduce those times dramatically. It’s about giving you an extra option. Your VPN client will still function perfectly, just as it did before.
How hard is it to configure a Site?
It depends on the site. Most of them are a case of putting them in the Scanner, clicking go, and adding the sites to the Sync list.
Some need a lot more work, and some digging through tools already in your web browser. Again, there are guides for that, and I’m sure if people use it, there’ll be some public lists available. Or, I like a challenge, so let me know the site.
There may also be a developer button to import some presets in the interface so I can prove it can do what I say.
What’s it not for?
Most of the stuff you don’t use a VPN for now, the big sites - Google, YouTube, Reddit etc.
Reddit blocks VPNs. Google/YouTube will work, but they’ll know you’re on a VPN and may turn on some extra stuff for logins etc. I doubt Netflix will work.
And obviously, because there’s a chance that some traffic won’t get routed, bear that in mind if you don’t want to risk being in a log file. There isn’t a guarantee, but it generally just works.
What happens if it all breaks?
The only thing we apply changes to is a “Firewall Alias”, a group of IPs on your router. Any problems, just disable the firewall rule for it, or delete everything in the alias, and it’ll be like nothing happened.
There are guides that walk you through setting that up, so you’ll know exactly where to go, and that detail how to disable anything it does.
What about security?
This is a really important question when it comes to anything talking to the router. The permissions required are very specific and detailed in the setup guide, along with more details in the technical section. In short, only the permissions for viewing/editing an alias and the permission to apply the config are required.
That part of setup is all manual, and short, mainly because I want people to see what permissions are granted rather than me just supplying some commands to run on the router. And the code for everything, and every call it makes to the router, can be seen in the GitHub repo.