ExpressVPN DNS/IP location issue

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
titan32
DD-WRT Novice


Joined: 23 Feb 2022
Posts: 6

PostPosted: Wed Feb 23, 2022 2:44    Post subject: ExpressVPN DNS/IP location issue
I upgraded dd-wrt firmware in a WRT1900ac a few months ago and I started to see a strange behavior related to my IP location, which is now set to Teheran, Iran.
And because of that some Google and Spotify services started to fail somehow.
I use Express VPN via OpenVPN that gives me a USA IP address, but since a few months ago something went wrong with location, probably related to VPN misconfiguration?, but I can't avoid using it because of censorship, I'm connecting from China. I'm not in Iran and I've never been there.
I checked and no apparent DNS leak, all geo locations based on IP address respond with a USA location; but if I go to google.com in my browser the location says Teheran and spotify.com returns 403.
I think I fucked up something because if I connect using the Expressvpn app everything is fine, but not if connected from the router.

Some settings that I have configured:
- DNS1, DNS2, DNS3 with opendns and the last one is using google dns.
- DNSmasq is ON.
- DHCP-Auth is ON.
- Forced DNS Redirection is ON.
Under dnsmasq options:
- No DNS rebind.
- query DNS in strict order.
- additional dnsmasq options: dhcp-option=6, 208.67.222.222, 208.67.220.220, 8.8.8.8

Under Services/VPN
- PBR is enabled for some ranges in the subnet and is working fine.

Also have two bridge configurations under Networking because one virtual wlan goes outside the vpn tunnel...
all seems to be working fine.

Firewall is configured this way:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Make sure br1 has access to the internet:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clampmsstopmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# Keep br1 from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

dd-wrt is working in Router mode dialing PPPoE using a modem to get access to internet in the same subnetwork (I know)
Any clue why this is happening? Looks like something is leaking, I don't know, I'm just an amateur in this matter and need some advice.
PS: On every firmware upgrade I restore a config file with all the settings.
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Thu Feb 24, 2022 13:38    Post subject:
I don't have a solution but .. with no responses .. I will offer a couple of things you could try. I've found, sometimes, setting my "Setup/Basic Setup/Time Settings/Time Zone" to the correct time zone for the selected vpn servers in the country the servers are located helps. Depends on the country you are claiming to be in but some are picky about the detected time if it's not their local time it seems. Wrong time for location flags you as imposter??? I leave the Server IP/Name blank always.

You might try using a different DNS resolver?? I've had great success with Quad9 servers. They supposedly have 150 resolvers in 90 countries. If you do try different resolvers don't forget to change the setting under "Additional DNSmasq options" as well since that can cause issues if different from your static inputs. Your current DNS resolvers may be sending you to the nearest server, Iran??

https://www.quad9.net/
Their IPv4 addresses in case you can't reach the site - 9.9.9.9 - 149.112.112.112

Check your router VPN setup entry "Server IP/Name" as that input determines the Expvpn server you use. The "Port" input is also specific to Expvpn so check that against setup instructions from the Expvpn site. This setting (I use ExpressVPN too) sets server location on the router vpn. Teheran, Iran??? Not sure how you got there. If you go to the ExpressVPN site, log in and go to Setup, Manual Configuration you can download .ovpn setup files for specific countries/cities. Having checked dozens of .ovpn files against each other I found I can simply copy the server address from the desired .ovpn location and paste it alone in my ExpressVPN router setup "Server IP/Name". The server data is the only difference between the files it seems but may have changed since I tested a couple of years ago.

I don't change this setting nowadays as I have the router "Security/VPN Passthrough/IPSec Passthrough = Enabled". This allows my network to always be on a desired vpn server while I have the ExpressVPN apps on my connected devices but not turned on. If I need a different location I just fire up the Expvpn app. It is much easier to set the server location in the apps than to change it on the router. I can fire up the app, pick a location and get passed through the router for that particular device. After use, shut down the app and device is back on my usual vpn server. It also allows my wife's corp vpn to connect when she works from home. Without the VPN Passthrough IPSec Passthrough = enabled NO OTHER VPN connection can be made thru my network.

I have never connected from/to China so my suggestions may be of little or no use to you. The above is all I can offer as I have nothing on your other issues, sorry. =)
titan32
DD-WRT Novice


Joined: 23 Feb 2022
Posts: 6

PostPosted: Thu Feb 24, 2022 14:26    Post subject:
Thank you for your reply!
I did all the changes that you suggested, but no change.
titan32
DD-WRT Novice


Joined: 23 Feb 2022
Posts: 6

PostPosted: Mon Feb 28, 2022 3:11    Post subject: ExpressVPN DNS/IP location issue [SOLVED]
titan32 wrote:
Thank you for your reply!
I did all the changes that you suggested, but no change.


I finally solved the problem!
Learned that when using PBR, DNS leaks may occur...

I fixed it following those amazing guides here:
"DDWRT OpenVPN Client setup guide" and
"DDWRT VPN and DNS". (Both available on this forum)

Changes that I did to my actual configuration:
Under Services>Additional Dnsmasq Options:
no-resolv
server=9.9.9.9
server=149.112.112.112
server=8.8.8.8

Under Services>VPN:
Additional config, I added this:
dhcp-option DNS 9.9.9.9
route 9.9.9.9 255.255.255.255 vpn_gateway
route 149.112.112.112 255.255.255.255 vpn_gateway
route 8.8.8.8 255.255.255.255 vpn_gateway

And Split DNS check is ON.

Working like a charm now :)
Many thanks for the reply and to those who have made those guides and pinned them to the forum!
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Mon Feb 28, 2022 12:26    Post subject: Re: ExpressVPN DNS/IP location issue [SOLVED]
titan32 wrote:
I finally solved the problem!


That's great!! I learned from your solution as well. =)
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Mon Feb 28, 2022 19:02    Post subject:
Out of curiosity I wanted to see if there was a difference in the DNS options settings mentioned above. My Sony BR players give me the most DNS info so I used one as a test device. I first took an image of my existing setting output as seen by the player. I then changed the setting, saved, applied and rebooted the router/player. I was surprised at the very different way the settings appeared. There is a definite difference between the settings. BTW, I only tested the "Additional Dnsmasq options" settings with no change to my vpn settings for either test.

The "dhcp-option=6, 9.9.9.9, 149.112.112.112, 1.1.1.1" returned my exact static inputs

The setting below only returned my router address (I blurred the last two inputs) with no Secondary DNS.
no-resolv
server=9.9.9.9
server=149.112.112.112
server=1.1.1.1

I'm not really sure which is the best setting for security so any feedback would be appreciated. Image attached.
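The two dnsmasq styles compared in this post and in titan32's [SOLVED] post behave differently: with `dhcp-option=6,...` the LAN clients are handed the upstream resolvers directly, while with `no-resolv` plus `server=` lines the clients get the router as DNS and dnsmasq forwards upstream, so the `route ... vpn_gateway` lines in the OpenVPN "Additional config" decide whether those upstream queries stay inside the tunnel under PBR. The POSIX shell below is an added example, not from this thread or from DD-WRT; the two config blocks are constructed to match titan32's post (with the 8.8.8.8 route deliberately left out so the check has something to flag), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not DD-WRT code): sanity-check a DD-WRT "Additional Dnsmasq
# Options" block against the OpenVPN client "Additional config" block, so a
# resolver that dnsmasq forwards to but that has no host route through the
# tunnel is reported before it leaks over the WAN under policy based routing.

# Constructed sample of Services > Additional Dnsmasq Options (from the post).
DNSMASQ_OPTS='no-resolv
server=9.9.9.9
server=149.112.112.112
server=8.8.8.8'

# Constructed sample of Services > VPN > Additional config; the route for
# 8.8.8.8 is intentionally missing so unrouted_upstreams has something to find.
OVPN_EXTRA='dhcp-option DNS 9.9.9.9
route 9.9.9.9 255.255.255.255 vpn_gateway
route 149.112.112.112 255.255.255.255 vpn_gateway'

# List the resolvers named in a dnsmasq options block, one per line:
# "server=" lines (dnsmasq forwards to these) and, if present, the comma
# separated list after "dhcp-option=6," (handed straight to DHCP clients).
upstreams() {
  printf '%s\n' "$1" | sed -n 's/^server=//p'
  printf '%s\n' "$1" | sed -n 's/^dhcp-option=6,[ ]*//p' | tr ',' '\n' | sed 's/^[ ]*//'
}

# "router": clients resolve through dnsmasq on the router (no dhcp-option=6).
# "direct": DHCP points clients at the upstream resolvers themselves, so the
# router's own routing of those addresses is what keeps or leaks the queries.
client_dns_mode() {
  if printf '%s\n' "$1" | grep -q '^dhcp-option=6'; then echo direct; else echo router; fi
}

# Print every upstream resolver that lacks a matching
# "route <ip> 255.255.255.255 vpn_gateway" line in the OpenVPN extra config.
unrouted_upstreams() {
  upstreams "$1" | while read -r ip; do
    printf '%s\n' "$2" | grep -qx "route $ip 255.255.255.255 vpn_gateway" || echo "$ip"
  done
}

echo "client DNS mode: $(client_dns_mode "$DNSMASQ_OPTS")"
echo "resolvers without a tunnel route: $(unrouted_upstreams "$DNSMASQ_OPTS" "$OVPN_EXTRA")"
```

On the router itself the same question can be asked live with `ip route get 9.9.9.9`, which should name the tun interface rather than the WAN.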
titan32
DD-WRT Novice


Joined: 23 Feb 2022
Posts: 6

PostPosted: Fri Mar 04, 2022 5:30    Post subject: Not solved at all yet...
I don't understand what is wrong...
It isn't working now, I still see Iran down below google.com and the Spotify service is blocked.

I started from scratch doing a factory reset.
Running Firmware: DD-WRT v3.0-r48432 std (03/01/22)

- No vlan, no additional bridges, no scripts on firewall or anywhere else.
- DDWRT working in Router mode with PPPoE connection.
modem <--- DDWRT Router <--- computer

- All under the same subnet.
- no static gateway set, no local dns.
- no static DNS set
- force DNS redirection Off.

I'm using expressvpn with no PBR this time, all traffic routes through the vpn tunnel. Nothing in additional dnsmasq config.

Maybe some new feature or something has changed in this new firmware version that has affected my previous settings?
The next thing I will try to discard this possibility is to downgrade the firmware to a previous working version and check the results.
But in the mean time, any suggestion of what could be wrong?
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Fri Mar 04, 2022 15:12    Post subject:
Edit: Your vpn config is exactly like mine except for my "Tunnel UDP Fragment" is set to 1450.

You may be experiencing "The Great Firewall" up close and personal. Since you are located in China you are definitely using state controlled wires. Your issue might not be your setup but the great firewall detecting your attempts to use blocked sites. Your changes may have temporarily worked but once detected . . blocked. I would contact ExpressVPN support for info concerning the VPN setup for use in China.

In the article linked below ExpressVPN is highly recommended which is a positive since you already use it. One thing stood out was the following. "When you install the ExpressVPN browser extension, it can spoof your HTML5 geolocation as well as change the perceived location of your IP address." I have not tried the browser extension but it seemed worth investigating. BTW, the article was picked at random based on the publish date. (Also, I do not work for or receive compensation from ExpressVPN)

Since this is most likely a common issue at that location I would ask others in the area about their setups. Fellow users may have the best insight as to how to "fix" the problem??

Here is a link to an article I found by searching for "The Great Firewall" . . they seem to be very sincere about controlling "their" internet. =(

https://www.thetechlounge.com/great-firewall-of-china/

https://www.expressvpn.com/support/vpn-setup/expressvpn-browser-extension/

Edit: Not sure it would be worth the effort/time but it would be interesting to see the results of a DNS spoof test done in China. If you do consider running the test be sure and read the possible router "crash" info near the middle of the page. I completely understand if you had rather not run the test.

I will attach an image of the test I just ran here in the US with ExpressVPN enabled and my DNSmasq servers set to the Quad9 servers for comparison. Test was run on a WRT1200ac v1 running DD-WRT r48432. Test was run with wife's corp VPN being passed through while all other devices are thru the router vpn including the laptop initiating the test. Since it only found one server I assume it was the Quad9 primary? Test site has been around for years but today is the first time I've used it in a long time . .

Link to test - https://www.grc.com/dns/dns.htm
titan32
DD-WRT Novice


Joined: 23 Feb 2022
Posts: 6

PostPosted: Sat Mar 05, 2022 9:35    Post subject:
Thank you for reply!
I'm aware of the express vpn browser extension, but the idea is to have the vpn working fine from the router.

I have a google cast and Nest audio devices that will not work other way than connecting to the router vpn.

Also did the test and the results seem ok to my eyes, and even behind this great wall firewall my vpn service was working fine a few months ago and I never had this issue before, so that's why I think that something changed, but it is not my config, I reset all from zero, looks like a pretty standard OpenVPN config for Express vpn and nothing else.

Using the DNS that expressvpn service provide by default, nothing customized.

If I contact ExpressVpn support they will recommend me to use their apps in all my devices, and I can't, and don't want it. But I will try anyway, maybe if I'm lucky someone in the support team will really help me, perhaps...

All looks fine except for my location in Tehran, Iran. All the time present and blocking some services because of this location.
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Sat Mar 05, 2022 11:56    Post subject:
Sorry I've been no help. I have no other suggestions other than downloading .ovpn files from Expressvpn for other cities/countries and trying different ones until your location matches the location of the .ovpn server your router setup is currently using. May be one that is unknown to the firewall? All you need to change is the server input in your router setup rather than inputting the entire .ovpn file.

Where does the Expressvpn site return as your location?

https://www.expressvpn.xyz/what-is-my-ip

If it does not match your setup server then I believe you are truly affected by the great firewall (DNS poisoning/VPN blocking). No doubt they are constantly improving the effectiveness of their firewall so this issue may be ongoing as long as you are there.

Ask others at your location what vpn works or what setup changes you may need to implement. If anyone knows how to avoid the firewall it will be your fellow citizens.

Maybe someone from your location will respond here?
titan32
DD-WRT Novice


Joined: 23 Feb 2022
Posts: 6

PostPosted: Tue Mar 15, 2022 13:52    Post subject:
I'm currently testing other VPN service provider and it works fine. (Surfshark)

The location issue is forever gone! So it is not an issue with my configuration nor my dd-wrt version.
That makes me think that something went wrong with the Express VPN server that I used to connect before, that gave me location problems...
The thing is I don't have many options for servers located in the USA that really work with OpenVPN, at least for me.

Anyway, I can't bear Surfshark, it gives me high latency and is a bit unstable.

Still no clue wtf is going on here.
Monza
DD-WRT User


Joined: 01 Jul 2018
Posts: 444

PostPosted: Tue Mar 15, 2022 14:38    Post subject:
Check the ExpressVPN server page, find a server you like from the many listed and download the .ovpn file for that server. Replace the server name in your ExpressVPN setup with the new server name. Any country with a small, black arrow right after the country name has multiple server locations including the US which has many to choose from.

The ExpressVPN server you have been using is obviously compromised in China. If you can't log into your ExpressVPN account from there then I have no other suggestions to offer.

https://www.expressvpn.com/vpn-server

The .ovpn files are all available to you after you log into your account and navigate to manual config. You must be logged in to your account to access the .ovpn files of which there will be a large list to choose from similar to the link above but with download buttons. You can download as many .ovpn files as you want so you can try several country servers or a server in many countries that have only one. I reboot my router after a server change.

Try the ExpressVPN app on one of your devices, if successful connection can be made via the app then it's most likely a router setup issue. You need to disable the OpenVPN client OR enable vpn pass through to test an app.

Just for testing try the UK, Sweden or Denmark or any listed server that will give you access to the sites you want to access. Trying the different servers is easy and is the only way I know to gain access to otherwise restricted sites.

If you have already tried several server locations then ignore my suggestion. =)

Edit: another option is to try ExpressVPN virtual servers.
https://www.expressvpn.com/support/troubleshooting/virtual-server-locations/

https://www.expressvpn.com/support/troubleshooting/server-locations/