Tell me more
What is it?
Synclias is a best effort tool to route specific websites over a VPN for OPNsense routers.
With modern changes going on on the internet, it’s common to need a VPN for some things, but it’s not ideal to route everything over it. Turning it on and off can be a pain, using separate browsers for different things isn’t ideal, there’s a speed impact of a VPN and setting up clients on all devices can be a lot of overhead.
It would be much easier if your router could automatically take care of it for you and just send some sites over the VPN and leave the rest of the traffic alone.
Here’s a demo of it in action
It’s a bit long and dry, but I don’t want to edit/shorten bits of the process.
Delays in site loading only happen just after adding a site. After 15 seconds, they’ll always load as fast as on a VPN.
Let’s take a trip to Romania and back, for one site only.
How does it work?
We’ll guide you through configuring a VPN on OPNsense and make an Alias - a group of servers/IPs that you want to send over the VPN.
Synclias lets you:
- Scan a website for links it needs
- Add those links to a Sync list
- Then, on an automatic schedule, or manually:
  - Rescan the sites (if needed)
  - Work out all the servers
  - Remove any sites that match rules you set up (e.g. YouTube)
  - Work out all the IP addresses and update the Alias
For the techy people already saying “That doesn’t work” - I get it. There are certainly some challenges here and I’m not disagreeing with you; I know enough about DNS and routing to know that. I’ve got a page for you explaining my choices - Right Here
There’s a full flowchart of everything a sync does Here
For the rest:
What does “best effort” mean?
At any time, www.<website>.com will point to an IP address (or multiple)
Websites move about, they change IP address every so often, some quickly, some very, very slowly.
Synclias will scan a website, work out its IPs (and IPs for related parts of the site) and automatically update your router to send them over the VPN.
It repeats on a schedule you set, re-scanning and updating the list for you in the background.
The problem the techy people spotted is that there are a few scenarios where a site moves and we’re not up to date. If that happens, you’ll fall back to a connection in your country, at which point you can force a Sync or turn on a VPN client.
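The sync steps listed under “How does it work?” and the “miss” described here can be shown together. This is an added example, not Synclias’s own code: it plans one sync (filter by rules, resolve, diff against the alias) and reports which hosts are currently not covered. The function names, the glob-style rule format and the sample data are assumptions.

```python
import fnmatch
import ipaddress
import socket


def resolve(host):
    """Return the set of IPs a hostname points to right now (needs live DNS)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def plan_sync(sync_list, exclude_rules, current_alias, resolver=resolve):
    """Work out what one sync would change, without touching the router.

    sync_list     -- hostnames found by scanning a site
    exclude_rules -- glob patterns (assumed format) for hosts kept off the VPN
    current_alias -- IPs the router's alias holds before this sync
    """
    kept = [h for h in sync_list
            if not any(fnmatch.fnmatch(h.lower(), r.lower()) for r in exclude_rules)]
    wanted, uncovered = set(), []
    for host in kept:
        ips = {str(ipaddress.ip_address(ip)) for ip in resolver(host)}
        wanted |= ips
        # A host with a fresh IP that is missing from the alias is a "miss":
        # until the sync is applied, that traffic uses the normal connection.
        if ips - current_alias:
            uncovered.append(host)
    return {
        "add": sorted(wanted - current_alias),
        "remove": sorted(current_alias - wanted),
        "uncovered_hosts": uncovered,
    }


# Constructed sample data (documentation-range IPs, illustrative hostnames).
SAMPLE_DNS = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "img.example.com": {"198.51.100.7"},  # moved since the last sync
    "www.youtube.com": {"192.0.2.50"},
}
SAMPLE_ALIAS = {"203.0.113.10", "203.0.113.11", "198.51.100.3"}

if __name__ == "__main__":
    print(plan_sync(list(SAMPLE_DNS), ["*.youtube.com"], SAMPLE_ALIAS,
                    resolver=lambda h: SAMPLE_DNS.get(h, set())))
```

Running the plan between scheduled syncs, with the default live resolver, shows which hosts would fall back to the normal connection before the alias is next updated.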
This all sounds a bit too good to be true
There’s a reason this could never be a business and isn’t part of some routers: “Best Effort”. It works most of the time (like 99% for most sites), but there will be misses.
Every site is different, some will “miss” for one reason or another once a month, others will work fine for a year, then have a day when they miss, followed by another year of working fine.
When a site does change IP address, you might end up at your country’s version of the site until the next sync, or you can just turn on a VPN client like you already do. Synclias gives you another, automatic option that should mean you don’t normally have to do anything.
Do I need to change any settings on my PC/Phone?
No. I hate having to remember to apply some tweak/setting to a device. Client devices won’t need any configuration, just the router. There’s also an extra, optional feature for some DNS servers.
There are rules and specifications for how IP addresses change, and nothing Synclias does is outside of those specs.
What happens when it doesn’t work?
You’ll end up on the version of the site for your country. If it did work before and doesn’t now, you can either wait for the next sync to happen, or trigger it yourself, but generally these times are rare. Again, it depends on the site.
So how useful is it?
It started as a Python script on a Raspberry Pi and actually worked so well I wanted to make it usable for people I know, so here we are. I genuinely wasn’t expecting that, and I needed to make it easy enough to use so that people don’t have to tell me their browsing habits if they need support.
It won’t work for all sites. Don’t use it to route Google or your bank etc. (but the point of Synclias is that you don’t have to). I use it to sync the route for an image hosting website to the UK so forums I use work. It also works for most of those sites…
And because the work’s done by the router, every device on your network works, if you want it to.
Everyone has different use cases. For some people it’ll work perfectly; others will want sites that just won’t work.
Of the three devices I use daily - laptop, computer and phone, I’ve never had to use a VPN on my computer or phone, it’s always got there first.
Does this replace my VPN client?
No. Since we’re aiming at Best Effort here, most sites will work fine with it, but you’ll probably still find some things that need a VPN. The goal is to reduce those times dramatically. It’s about giving you an extra option. Your VPN client will still function perfectly, just as it did before.
How hard is it to configure a Site?
It depends on the site, most of them are a case of putting them in the Scanner, clicking go, and adding the sites to the Sync list.
Some need a lot more work, and digging through some tools already in your web browser, again there’s guides for that, or I’m sure if people use it, there’ll be some public lists available, or, I like a challenge, let me know the site.
There may also be a developer button to import some presets in the interface so I can prove it can do what I say.
What’s it not for?
Most of the stuff you don’t use a VPN for now, the big sites - Google, YouTube, Reddit etc.
Reddit blocks VPNs. Google/YouTube will work, but they’ll know you’re on a VPN and may turn on some extra stuff for logins etc. I doubt Netflix will work.
And obviously, because there’s a chance that some traffic won’t get routed, bear that in mind if you don’t want to risk being in a log file. There isn’t a guarantee, but it generally just works.
What happens if it all breaks?
The only thing we apply changes to is a “Firewall Alias”, a group of IPs on your router. Any problems, just disable the firewall rule for it, or delete everything in the alias, and it’ll be like nothing happened.
There are guides to walk you through setting that up, so you’ll know exactly where to go, and a page for Emergency Backout Synclias Changes
Have a look, it’s a really short piece of work, with few steps, and no thinking or needing to work things out.
What about security?
This is a really important question when it comes to anything talking to the router. The permissions required are very specific and detailed in the setup guide, along with more details in the technical section. In short, only permissions for viewing/editing an alias are required, plus the permission to apply the config.
That part of setup is all manual, and short, mainly because I want people to see what permissions are granted rather than me just supplying some commands to run on the router. And the code for everything, and every call it makes to the router, can be seen in the GitHub repo.