VPN Split Tunnel by URL

I have users that require certain sites to traverse the VPN tunnel to come from our company public IP due to IP whitelisting on those sites. Up until now we have manually curated a list of IPs in the split tunnel config, but due to the number and lack of built in labeling, that list is becoming unmanageable.

I have attempted to implement filtering by creating a test Address Space for a specific site containing examplesite.com and *.examplesite.com (it contains another site in reality, of course) in the DNS Address Space. I then select that address space in the Dynamic LAN Address Spaces under the Client Settings config. My expectation was that this would create a dynamic entry in the client routing table to send traffic matching those patterns over the tunnel instead of out the direct interface. It does not seem to work that way.

I have had a ticket open with F5 for weeks, and despite many tests, no solution has been found. Has anyone had any luck implementing this sort of scenario?

We are running 17.1.1.3.

Thanks!

I’ve had the same issue, but I’m afraid there is no really good solution (at least not that I’m aware of).

The DNS address space will only send the DNS query for resolving over the tunnel but it will not send the actual traffic. To send traffic over the tunnel you need to add the IP in the IP address space.

So as far as I know there are 3 possible solutions:

  1. Send the whole IP address space (wildcard) over the tunnel and start excluding the traffic you don’t want through the tunnel.

  2. Create a script which collects the IP addresses using for example “dig +short” on the appliances and put these in a dynamic address space. Have your script update the dynamic address space regularly with an iCall.

  3. Have examplesite.com provide a dynamic list of their IPs, and use the dynamic address space to populate the F5.

For both 2 and 3 the clients would still have to restart their Edge Client. The Edge Client will not automatically retrieve the new config.
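As an added illustration of option 2 above (this is not code from the poster, the answerer or F5), the following POSIX shell script resolves a list of hostnames with `dig +short` on the appliance and turns the answers into a deduplicated host-route list that a periodic job such as an iCall script could hand to the dynamic address space. The hostnames, the state-file path and the step that actually loads the list into the address space are assumptions; that load step is left as a comment because the tmsh object path for the Address Space objects in 17.1 is not confirmed here. The part worth copying is the filter: `dig +short` prints intermediate CNAME targets as well as addresses, and those names must never be written into an IP address space.

```shell
#!/bin/sh
# Added example (not F5's code): build a host-route list for an APM address
# space from "dig +short" answers. Hostnames, STATE_FILE and the loader step
# are assumptions.

STATE_FILE="${STATE_FILE:-/var/tmp/examplesite-routes.txt}"   # assumed path

# Keep only IPv4/IPv6 literals. "dig +short" also prints CNAME targets
# (names with a trailing dot) when the queried name is an alias; those are
# not routes and must be dropped before anything reaches the address space.
# LC_ALL=C gives a stable byte-order sort regardless of the appliance locale.
extract_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' \
        | LC_ALL=C sort -u
}

# Turn bare addresses into host routes (/32 for IPv4, /128 for IPv6).
to_routes() {
    while IFS= read -r ip; do
        case "$ip" in
            *:*) printf '%s/128\n' "$ip" ;;
            *)   printf '%s/32\n'  "$ip" ;;
        esac
    done
}

# Resolve every hostname for A and AAAA using the appliance's resolver and
# normalise the result. Resolution happens on the BIG-IP, so geo/CDN answers
# may differ from what a remote client would receive.
resolve_hosts() {
    for h in "$@"; do
        dig +short A "$h"
        dig +short AAAA "$h"
    done | extract_ips | to_routes
}

# Replace the stored list only when it actually changed. Returns 0 when the
# address space needs reloading, 1 when nothing changed (the caller keeps
# ownership of the temp file in that case).
update_if_changed() {
    new="$1"
    if [ -f "$STATE_FILE" ] && cmp -s "$new" "$STATE_FILE"; then
        return 1
    fi
    mv "$new" "$STATE_FILE"
    return 0
}

# Usage: sh this_script.sh examplesite.com cdn.examplesite.com
if [ "$#" -gt 0 ]; then
    tmp="$(mktemp)"
    resolve_hosts "$@" > "$tmp"
    if update_if_changed "$tmp"; then
        echo "address list changed; load $STATE_FILE into the dynamic address space"
        # Loader step (tmsh or iControl REST) goes here; the object path for
        # the Address Space objects is not confirmed, so it is not shown.
    else
        rm -f "$tmp"
        echo "no change"
    fi
fi
```

Two things a practitioner should keep in mind with this approach. First, the appliance sees the DNS answers its own resolver gets; a CDN or geo-DNS front end can hand remote clients different addresses, so the list may still miss traffic. Second, because the Edge Client only picks up the new list on reconnect (as the answer above notes), the change detection matters: only a real change should trigger a reload and a notice to users, otherwise nobody will reconnect when it counts.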