Device vpn and router bypass


jrbmw

Regular Contributor
If a device is connected to a VPN and then connected to the router's VPN bypass, is the data encrypted just from the device to the router, or encrypted through the router to the location? So is it the same as if the VPN on the router
is enabled and not the device? If not, does it mean the traffic comes and goes through the ISP servers unencrypted before the VPNs?
 
Assuming you use a VPN connection with encryption:
The encryption applies to the traffic between VPN client and VPN server.

I don't fully understand your question, but these are options:
laptop without vpn <-unencrypted over lan-> router with vpn client <-encrypted over ISP+internet-> vpn server <-unencrypted over internet-> to destination

if you add the laptop to the VPN bypass list (in kamoj addon) or disable VPN on router:
laptop without vpn <-unencrypted over lan-> router <-unencrypted over ISP+internet-> to destination

if you then install a VPN client on that laptop:
laptop with vpn <-encrypted over lan-> router <-encrypted over ISP+internet-> vpn server <-unencrypted over internet-> to destination

Note, even in the cases above where unencrypted is written, if for instance the traffic is HTTPS, then still the traffic is encrypted. (but the headers aren't, so your ISP can see where you are connecting).

Note2, even with VPN encryption, depending on how you configure DNS, it could still be the case that your ISP is receiving the DNS requests, and thus can see where you are connecting.
 
I will add to the excellent answer from @R. Gerrits that on this part: vpn server <-unencrypted over internet-> to destination, the IP that the destination sees is the one from the VPN server, and not your public IP (provided by your ISP), nor the IP of your laptop on the LAN.
Of course, the content of what is sent by your laptop to the destination, being unencrypted, is fully visible to it, but that is the goal.

Unless the packets contain in their data the IP from your ISP or some other piece of personal information, the destination has no clue from the headers about your ISP or anything that happened between the VPN client and server, and in both cases (VPN with encryption used either on the router or on your laptop), all your ISP sees is encrypted packets exchanged between you and the IP of the VPN server, with no clue of what is in the packets.

Any traffic sent outside of the VPN tunnel is visible though, and the most common leak/mistake is to use a DNS server outside of the VPN tunnel to resolve domain names to be used in the tunnel.
 
Thanks for both of your very interesting replies. The VPN has its own private encrypted DNS servers. I assume that whatever DNS servers are set in the router, the VPN redirects the traffic to theirs. I have set the DNS to use Cloudflare's in the router for when the VPN is off. I have found the VPN works differently on the router than the VPN app on a device, that is, when using the same location just on the router or on the device. When the VPN is set on the router some locations detect it's being used, but they don't when it's set on the laptop app. That is the reason for my question. From your answers it seems the VPN is at fault.
 
Very likely, the VPN app on your laptop is forcing the use of the VPN DNS, but this is not the case on the router! All DNS requests are still using the default DNS outside of the VPN!
You would need to either set up the router DNS to the VPN one, or force all DNS traffic to use the VPN one with some iptables rules.
 
The issue is that if you do this statically, DNS stops working if you stop the VPN tunnel on the router.

So you'd have to automate it.
If you have the Kamoj add-on, then there are already scripts /etc/openvpn/ovpnclient-up.sh and /etc/openvpn/ovpnclient-down.sh

Then in /etc/openvpn/ovpnclient-up.sh put the logic that needs to be performed if the VPN is started (for instance, change the router DNS servers (in resolv.conf) to the VPN DNS servers).
Alternatively, make it integrate with the kamoj addon: from there extract the devices that would use the VPN tunnel, and add iptables rules to redirect all DNS queries from those devices to one of the VPN DNS servers (so you lose a bit of redundancy).
All other devices that bypass VPN would then still use the normal DNS servers.

(to make it more dynamic, parse the vpn connection log to find the newest "PUSH: Received control message: 'PUSH_REPLY,.....,dhcp-option DNS x.y.z.1,dhcp-option DNS x.y.z.2", and extract the VPN DNS servers from that.)

(Challenge of this approach: existing processes on the router could rewrite resolv.conf or reload the firewall, again undoing the changes of this script.
For the iptables approach, the solution would be to generate an additional /opt/scripts/firewall-start-xxx.sh to create the redirect rules, this way they are recreated if something restarts the firewall.
For the resolv.conf approach, perhaps the new VPN DNS servers must also be written to specific nvram variables, so that if something recreates the resolv.conf it then uses those DNS servers from nvram.)

In /etc/openvpn/ovpnclient-down.sh you would have to put the logic to restore the original DNS in resolv.conf or remove the iptables redirect rules.

(But if the VPN crashes, then probably ovpnclient-down.sh won't be run. So then DNS is also (partially) broken until someone restarts the VPN.)
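Added example of the iptables variant described in the post above. This is not code from the thread, from the Kamoj add-on or from the router firmware; it only shows the two pieces the post describes, namely pulling the pushed DNS servers out of the newest PUSH_REPLY in the OpenVPN client log and generating the DNAT rules for the LAN clients that go through the tunnel. The log line, the client IPs and the 10.8.0.x/192.168.1.x addresses are constructed; on the router you would feed it the real client log and the list of devices that are not on the bypass list, run the `-A` form from /etc/openvpn/ovpnclient-up.sh (or a firewall-start script) and the `-D` form from /etc/openvpn/ovpnclient-down.sh.

```shell
#!/bin/sh
# Added example, not code from the thread or the Kamoj add-on. Log path, client
# list and all IP addresses below are assumptions for illustration.

# Constructed sample of an OpenVPN client log line (not a real capture). The
# pushed options are comma separated inside the quoted PUSH_REPLY message.
SAMPLE_LOG="Mon Jan  1 00:00:00 2024 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,dhcp-option DNS 10.8.0.2,route 10.8.0.0 255.255.255.0,ping 10'"

# Read an OpenVPN log on stdin and print the DNS servers pushed in the newest
# PUSH_REPLY, one per line. Split the message on commas and keep only the
# "dhcp-option DNS <ip>" entries. Prints nothing if no PUSH_REPLY was logged.
vpn_dns_servers() {
    grep 'PUSH_REPLY' | tail -n 1 | tr ',' '\n' \
        | sed -n 's/^dhcp-option DNS \([0-9][0-9.]*\).*/\1/p'
}

# Print (do not run) the iptables commands that redirect port 53 UDP and TCP
# from each LAN client to the given DNS server.
#   $1  "-A" to add (ovpnclient-up.sh) or "-D" to delete (ovpnclient-down.sh)
#   $2  DNS server to redirect to
#   $3+ LAN client IPs that are routed through the tunnel
# Printing the rules lets you review them or write them into a firewall-start
# script so they survive a firewall restart; pipe into sh on the router to apply.
dns_redirect_rules() {
    action=$1
    dns=$2
    shift 2
    for client in "$@"; do
        for proto in udp tcp; do
            printf 'iptables -t nat %s PREROUTING -s %s -p %s --dport 53 -j DNAT --to-destination %s:53\n' \
                "$action" "$client" "$proto" "$dns"
        done
    done
}

# Demonstration on the constructed log and two assumed VPN-routed clients.
# On the router, replace SAMPLE_LOG with the real client log and the client
# list with the devices that are NOT on the VPN bypass list.
VPN_DNS=$(printf '%s\n' "$SAMPLE_LOG" | vpn_dns_servers | head -n 1)
if [ -n "$VPN_DNS" ]; then
    dns_redirect_rules -A "$VPN_DNS" 192.168.1.50 192.168.1.51
else
    echo "no DNS server pushed by the VPN server; leaving DNS rules unchanged" >&2
fi
```

The `-D` form prints exactly the rules the `-A` form added, so the down script can remove them without tracking state. A port-53 redirect only catches plain DNS; a client that speaks DNS over TLS (853) or DNS over HTTPS (443) to an outside resolver still leaks its lookups unless that traffic is also blocked or routed into the tunnel.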
 
I am using the Kamoj addon on my R7800, but the VPN's DNS servers are private so I don't know the addresses. Although I understand what you're saying @R. Gerrits, doing it is beyond my knowledge. However, I will try changing the DNS servers.
 