Finally making the jump to a custom router so I can have all my outgoing traffic over Mullvad, but that brings with it two questions for me.
Changing Mullvad server at router level
Reddit is becoming increasingly more and more hostile to VPN connections to the point where I often get the "whoa pardner" error message and have to try 4-5 different VPN servers on my desktop or phone before I finally get one to work with Reddit. Same thing sometimes with Google/YT, it keeps asking me to prove I am not a bot and a bit of experimentation with the servers gets me through.
This makes me wonder, is it as easy to switch my Mullvad server on OPNsense? I get the sense from the YT videos I have watched that I have to effectively set up an entry for every Mullvad router as a separate instance in my OPNsense VPN WireGuard settings and toggle which instance is being used at the router level?
I know I can technically have Mullvad on my router to hide all my traffic, and then on all the devices I use Reddit on I can additionally have Mullvad too and play with the servers I am connected to on that device until I find one that works, but I am curious what the workflow is if I choose to do all my Mullvad-related configs at the router level.
Making custom block?
I have a love-hate relationship with Reddit. On one hand, I can't deny that certain subreddits are useful as someone in tech, but I also can't deny that certain subs are just a time-sink and some subs are just toxic (looking at you, AITA). I can often prevent myself from browsing the time-sink/toxic ones, but sometimes I lose myself in them and I am in search of a way to block them via Mullvad at my router. Obviously a DNS block won't work if I want to block reddit.com (the home page) and certain specific subreddits but leave any other tech-related subreddits open for me to read, so the next best thing I assume is some kind of firewall? But I don't know if such a firewall exists that can basically start doing regex on a URL to see if it should be accessible from within the network. Which makes me wonder if I can create my own firewall, but I don't even know the first step, as in would this be something that integrates with OPNsense, or a stand-alone program I have to create myself? I know Python and Java and have some basic knowledge of C++, but I don't even know if those are the languages I need to know to create such a filter, or if the filter I am looking for is even possible. Any and all pointers welcome.
I hate to be the luddite here, but unfortunately your end goal isn't really achievable by technology. Any security measure you put in place can intrinsically be disabled by you. You can't tech your way into focus, unfortunately. Yeah, you can block it on your router, but how hard is it to log back into your router and just unblock it? You can block it on your computer, but the same goes there. If all else fails, you can just browse Reddit on your phone.
I think the problem really needs to be addressed by being more mindful and deliberate with yourself. I'm a lifetime sufferer from ADHD, so I know the struggle. Medication can help a bit if you have similar executive functioning issues, but it's not a panacea.
The thing that's helped me the most is having work that I'm passionate about, and by... Sorta counterintuitively, being more stern with myself.
The minute I start thinking "well, I worked so hard yesterday, time to take a break today", 8 hours go by without accomplishing anything. I have to be focused and disciplined with myself, adhere to a schedule with break times built in, and force myself to stay on track with notes and to-do lists.
At the same time, I don't beat myself up when I inevitably fail. I tell myself, "you strayed from the path you set out, and you aren't going to get those hours back or somehow make up for them, but it's not the end of the world, just get back on track".
That sort of attitude has helped me way more than any software or self imposed technical controls ever have.
Now that you've gotten a serious answer (I've been lurking), I want to point out that with a logged-in Reddit account you can block each sub you dislike from the sub's page. It's easy enough to unblock it, or go to it directly if you want, but I find that once a sub is blocked I don't really want to go near it anymore. At least, that's what I do. I also don't use the Reddit app, I use Opera's phone browser to browse Reddit, so...
I do this with my setup, and all you really need to do is set up an outbound routing rule under Firewall > NAT > Outbound and a rule to route to the Mullvad gateway under Firewall > Rules > Floating. Currently I'm just using aliases to route specific IPs to specific Mullvad servers, but you can easily expand that to route anything using Match local tag. You can just use a single instance, and have each Mullvad server under it as a different peer you can just toggle.
I don't think that is really possible.
Everything after the domain in the URL is encrypted so only the website and your browser knows the full URL.
No firewall really exists (or can exist) to man-in-the-middle that handshake without breaking a lot of things (like certificates), it would also be pretty computationally expensive to do.
Really your best bet would be to have a browser extension do the blocking.
This is absolutely doable with a (professional/enterprise level) next-gen firewall. What they do is decrypt the original packet, inspect it, and then re-encrypt it with their own certificate. That certificate needs to be trusted on the endpoints, but to the end user it is seamless and basically unnoticeable. Of course, an end user can inspect the certificate and see that it doesn't match the source, however if the firewall's certificate is trusted the user won't see anything in the browser to indicate it's been tampered with (like a missing lock icon).
In my experience managing one of these devices, the vendor also supplies certain groupings for sites so that you can choose to decrypt only certain sites' traffic and not others, so for example you can say "do not decrypt known banking sites, shopping sites, or medical sites." This will allow for some level of user privacy for certain things, but allow the system to check encrypted traffic for other sites.
It should also be doable with a forward proxy like Squid, as long as it's configured to man-in-the-middle HTTPS and the client devices are configured to use it. It still carries the burden of CA certificate management, and it still needs somewhere to run, but it can be done without a next-gen firewall.
Edit: It looks like it's possible to run Squid on the OPNsense host itself. This potentially opens up the option of transparent mode, so that clients don't need to be configured to use the proxy.
You are not wrong, but my problem is that it is easily disabled on the device I am using. If it was possible to block it on the router, it would be much more permanent and more difficult to disable from my phone.
Damn, but I think I knew it was a crapshoot. Just hoping I was wrong.