
New SurfShark VPN doesn't allow two VPN connections


jorgsmash

Hi all. So for about 3 years now I have been using a VPN called VPN Unlimited. I got a lifetime subscription for like $30 on StackSocial one time. The performance is below what I'd like, but for $30 for lifetime subscription I can't complain. They only have one US-based server that allows torrents, in San Francisco. So I have a VPN client profile set up to use that server, and I have several LAN clients set to route through that VPN. I have VPN Kill-switch 'ON' for this profile. I have a second profile that uses a different server, for devices like my smart TVs and Nest Thermostat. The VPN kill-switch is set to 'OFF' for this profile. Both of these VPNs can be on and active at the same time. I get an IP from both VPNs and my devices routed through each one generally have no issues.

The speeds of the VPN are about 10% or lower of my actual wired Internet speed.

Enter SurfShark.

I just purchased SurfShark today (30 day money back guarantee so hopefully I can figure this out before then or else I might cancel). Running speed tests I am getting drastically faster speeds with SurfShark when compared to VPN Unlimited. Plus, I think SurfShark allows P2P traffic on all of its servers.

Here's my big issue. I can't have two VPN client tunnels running at the same time with SurfShark. I created one profile for Tampa (Kill-switch on) and one for Miami (kill-switch off). If one profile is on, I get a public IP from the VPN server and everything works. If I try and start the second one, it never gets an IP address. I went to SurfShark support through Livechat and the guy was telling me that it should work. He was asking me if I had tried TCP instead of UDP, and if I had tried different protocols. I wanted to come here and see if anyone has experience with SurfShark. I went with them because they are getting a lot of attention and great reviews with good pricing. I was considering ExpressVPN but their pricing and their 5 device limit turned me off.

Anyone here have experience with SurfShark? I'm liking the faster speeds, but if I can't have two VPN clients connect at the same time then I'll be very disappointed.

I can post screenshots of configurations and system logs here if needed. One thing I did notice for sure was when I import the ovpn file for SurfShark, they seem to use different authentication than VPN Unlimited.

SurfShark uses TLS Authorization with username and password, and "Username and Password Auth. Only" set to "Yes"

VPN Unlimited uses TLS Authorization without a username or password.

I'm thinking maybe SurfShark doesn't allow two connections from the same device since the username and password are the same? Just a thought.

 
Anytime you're dealing w/ more than one concurrent OpenVPN client, you have to consider the possibility that more than one is using the same IP network on the tunnel (esp. if it's the same OpenVPN provider), which then creates ambiguity in the routing. Looking at those images it appears both connections are using the 10.8.8.x network!
 
Anytime you're dealing w/ more than one concurrent OpenVPN client, you have to consider the possibility that more than one is using the same IP network on the tunnel, which then creates ambiguity in the routing. Looking at those images it appears both connections are using the 10.8.8.x network!

I had considered that and initially thought that might be an issue. But then I was convinced that it wouldn't be an issue since the VPN Unlimited configuration works and it does the same thing. You can see here in this screenshot, both tunnels are up for VPN Unlimited, both get different server IPs, and they both are using the 10.200.0.x network. Any clients I route through either of these tunnels will work seamlessly.
 

Might be a difference in the topology, where VPN Unlimited is PTP (point to point), but perhaps Surfshark is using a subnet. IOW, when it's PTP, you don't have a conflict provided the endpoints themselves don't conflict. But a subnet vastly increases the chances of a conflict.

Dump the output of ifconfig when both those tunnels are active.
 
Might be a difference in the topology, where VPN Unlimited is PTP (point to point), but perhaps Surfshark is using a subnet. IOW, when it's PTP, you don't have a conflict provided the endpoints themselves don't conflict. But a subnet vastly increases the chances of a conflict.

Dump the output of ifconfig when both those tunnels are active.

Both of the VPN Unlimited tunnels or both of the SurfShark tunnels? I just got a different support rep from SurfShark and he is now saying they only support one tunnel per router connection. Not sure how they would be able to enforce that on their end since the Merlin firmware has support for 5 clients. Do you think this could be something on their end blocking it from happening?
 
Both of the VPN Unlimited tunnels or both of the SurfShark tunnels?

Well ideally both, since I could then compare them. But minimally, Surfshark since that's the one at issue at the moment.

I just got a different support rep from SurfShark and he is now saying they only support one tunnel per router connection. Not sure how they would be able to enforce that on their end since the Merlin firmware has support for 5 clients. Do you think this could be something on their end blocking it from happening?

As you said, I don't know how that could be enforced since several Windows clients all using the same OpenVPN provider and config would look the same as the router (same public IP). And even if they could, I don't know why they would care.

Frankly, you can't fully trust what tech support tells you. Most don't really know. Only the ppl administering the system know for sure.
 
Here is with the two VPN Unlimited Clients connected. You may be right!! Both the tun13 and tun14 show they are P-t-P!

Also, I just noticed in this instance, both tunnels are using the same 10.200.0.22 ip. That is really weird. When I posted the screenshot of the two VPN Unlimited clients connected, they had different IPs. Let me get the surfshark ones.

Code:
# ifconfig

tun13     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.200.0.22  P-t-P:10.200.0.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1697 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2583 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:625731 (611.0 KiB)  TX bytes:662641 (647.1 KiB)

tun14     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.200.0.22  P-t-P:10.200.0.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:29 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2412 (2.3 KiB)  TX bytes:68 (68.0 B)
 
Here is the two SurfShark tunnels. Strangely enough, they appear to be working now. I tried for several hours earlier and they weren't working before. I had the Policy Rules set differently, but I will continue to monitor and tweak the settings to see if it stays working:

Code:
tun11     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.8.3  P-t-P:10.8.8.3  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:546 errors:0 dropped:0 overruns:0 frame:0
          TX packets:580 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:176012 (171.8 KiB)  TX bytes:180220 (175.9 KiB)

tun12     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.8.2  P-t-P:10.8.8.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:60 (60.0 B)  TX bytes:68 (68.0 B)
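
An added example, not part of the original posts: a Python check that parses the address lines of the two `ifconfig` dumps above and reports tunnel pairs whose addressing collides, which is the routing ambiguity raised earlier in the thread. The function names and the two finding labels are this example's own.

```python
import ipaddress
import re
from itertools import combinations

# Address lines copied from the ifconfig output posted in this thread.
SURFSHARK = """\
tun11     Link encap:UNSPEC
          inet addr:10.8.8.3  P-t-P:10.8.8.3  Mask:255.255.255.0
tun12     Link encap:UNSPEC
          inet addr:10.8.8.2  P-t-P:10.8.8.2  Mask:255.255.255.0
"""
VPN_UNLIMITED = """\
tun13     Link encap:UNSPEC
          inet addr:10.200.0.22  P-t-P:10.200.0.21  Mask:255.255.255.255
tun14     Link encap:UNSPEC
          inet addr:10.200.0.22  P-t-P:10.200.0.21  Mask:255.255.255.255
"""

IFACE = re.compile(r"^(\S+)\s+Link encap:")
ADDR = re.compile(r"inet addr:(\S+)\s+P-t-P:(\S+)\s+Mask:(\S+)")

def parse_tunnels(text):
    """Map interface name -> (local address, peer address, connected network)."""
    tunnels, iface = {}, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            iface = m.group(1)
        elif iface and (m := ADDR.search(line)):
            local, peer, mask = m.groups()
            net = ipaddress.ip_network(f"{local}/{mask}", strict=False)
            tunnels[iface] = (ipaddress.ip_address(local),
                              ipaddress.ip_address(peer), net)
    return tunnels

def find_conflicts(tunnels):
    """Return (iface_a, iface_b, kind, detail) for every colliding pair."""
    findings = []
    for (a, ta), (b, tb) in combinations(sorted(tunnels.items()), 2):
        (la, pa, na), (lb, pb, nb) = ta, tb
        if la == lb or pa == pb:
            # Same local or peer address on two tunnels (seen with /32 P-t-P).
            findings.append((a, b, "duplicate-endpoint", str(la if la == lb else pa)))
        elif na.overlaps(nb):
            # Two tunnels claim the same connected network (subnet topology).
            wider = na if na.prefixlen <= nb.prefixlen else nb
            findings.append((a, b, "overlapping-subnet", str(wider)))
    return findings

if __name__ == "__main__":
    for dump in (SURFSHARK, VPN_UNLIMITED):
        for finding in find_conflicts(parse_tunnels(dump)):
            print(*finding)
```

A finding here only says the addressing collides; whether LAN clients then leave through the wrong tunnel still has to be confirmed from each client, as the posts that follow do with speedtest.net.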
 
Maybe you could explain to me the difference in "Policy Rules" and "Policy Rules (Strict)" if you know the differences between the two? I don't see a reason that would interfere but I did have it set to strict previously, when it wasn't working. Now I have it on regular policy rules and it seems to work.
 

Actually, I apologize. It isn't working at all. While they appear to be working, I just went to my smart TV to run a speed test, and it's showing the IP of the VPN Client that it's NOT supposed to be on. According to the policy rules I have set up, my Smart TV should be on the VPN tunnel with IP 66.115.182.68. However, when I go to speedtest.net, it shows up on the OTHER tunnel, 209.216.92.196. I only have two devices set to use that tunnel.


I go over to my Work Laptop, which is not set up to go through any VPN on the router, and it's using the 209.216.92.196 tunnel as well. So even though I have the policy rules set on the tunnel to only route two devices through the VPN (not the smart TV or my work laptop), it looks like the router is routing ALL traffic through the one VPN. This is nuts!
 
Even if it works sometimes and not other times, this is always a risk when dealing w/ multiple concurrent OpenVPN clients, esp. w/ the same provider, and so you may just get lucky sometimes and not others.

The more I think about it, the more I wonder if using Routing Policy (Strict) might be the better choice. PBR (policy based routing) works by creating alternate routing tables for each OpenVPN client. And when using Strict, I would assume the *only* route to the internet for a given OpenVPN client would be the one established by that connection. And so at least wrt that OpenVPN client's routing table, there would be no ambiguity. Something that would presumably NOT be the case when NOT using Strict.

Haven't ever tested this out (since I rarely use multiple OpenVPN clients anyway, and when I do, it's always to different providers), but it does seem plausible.
 
Try changing the port number on one client, e.g. 1194 on the first and 1197 on the second.
 
Try changing the port number on one client, e.g. 1194 on the first and 1197 on the second.

Isn't the port number the port I'm connecting to? For instance the VPN servers I'm connecting to are listening on port 1194. So if I switch it to a different port the connection wouldn't succeed because the server isn't listening on that port.
 
I use PIA VPN, so I do not know which ports SurfShark has available; you must check the SurfShark website for info on it.
Most VPN providers require different ports for multiple connections from the same device.
I have a connection to a Danish VPN on port 1197 and a connection to a US VPN on port 1198, and it works without problems.
 
I use PIA VPN, so I do not know which ports SurfShark has available; you must check the SurfShark website for info on it.
Most VPN providers require different ports for multiple connections from the same device.
I have a connection to a Danish VPN on port 1197 and a connection to a US VPN on port 1198, and it works without problems.

Yes, it will work, provided your VPN provider purposely changes the config (specifically the tunnel's IP network) whenever you change the server, port, protocol (which is why the tech support person suggested trying tcp and udp), whatever. Just depends on the VPN provider. And obviously, the more similar the two connections are, the more likely there's a conflict.
 
Yes, it will work, provided your VPN provider purposely changes the config (specifically the tunnel's IP network) whenever you change the server, port, protocol (which is why the tech support person suggested trying tcp and udp), whatever. Just depends on the VPN provider. And obviously, the more similar the two connections are, the more likely there's a conflict.

Netflix isn't even working on the new SurfShark VPN. It's looking like I will be cancelling it and getting my money back. I think I saw that PIA isn't as good as it once was. I think I saw a YT video describing some recent issues with it.
 
