Security problem and speedtest with VPN

Frakko
DD-WRT Guru


Joined: 06 May 2016
Posts: 521

Posted: Thu Aug 05, 2021 7:14    Post subject: Security problem and speedtest with VPN
I have two problems with my VPN:
1) When the VPN is active, checking the system with GRC (https://www.grc.com/x/ne.dll?bh0bkyd2) shows port 443 open; without the VPN everything is fine. https://ibb.co/x68HQ2b https://ibb.co/dfC7cC3
2) If I do a speedtest, the speed with the VPN is much lower: https://ibb.co/TcXR0vd https://ibb.co/jvHRRhj Is this normal? VPN support says it depends on the router (Netgear R7000), which is not fast enough to handle the line in full. Tips/solutions?
Thank you,
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Thu Aug 05, 2021 7:28
It is always helpful if you state not only router model but also build number.

I am assuming you run a recent build like 47117.

Also, the General forum is not really for router help or router-specific questions; those belong either in the Advanced Networking forum or in the router-specific forum.

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Regarding your question:
Do you connect on port 443 to your VPN provider?
Do you have the Inbound Firewall on TUN checked?

A normal OpenVPN speed for dual core ARM A9 CPU at 1 GHz is between 30-40 Mb/s depending on settings and how the router is taxed.

If you want better speeds, use WireGuard, which often gives almost 3 times as much performance.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Frakko
DD-WRT Guru


Joined: 06 May 2016
Posts: 521

Posted: Thu Aug 05, 2021 14:49
build number: 08/01/2021 - r47117

Regarding your question:
Do you connect on port 443 to your VPN provider? No.
Do you have the Inbound Firewall on TUN checked? Yes.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12917
Location: Netherlands

Posted: Thu Aug 05, 2021 15:03
Then you should be good :)

GRC checks the endpoint, in this case the VPN server, which apparently has some ports open.

If you disable the VPN (provided your DDWRT router is connected to the internet with a public IP) and run the test again, I think/hope that GRC will show all ports stealthed (at least that is how it shows with my DDWRT router :) )

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Aug 05, 2021 18:11
When you're NOT using the OpenVPN client, what GRC is checking is your WAN's firewall. But when the OpenVPN client is active, and the client is bound to the VPN, what GRC is checking is the VPN's firewall! So it's entirely possible the VPN provider has port 443 (and others) open, something you don't control.

For my own purposes when using GRC, I always bind the GRC IP network ( 4.79.142.192/28 ) to the WAN w/ a static route so that I'm always checking my WAN's firewall, NOT the VPN. Simplest way to do it is to add a route directive to the Additional Config field.

Code:
route 4.79.142.192 255.255.255.240 net_gateway

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
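
Why the route directive above takes precedence over the VPN's routes, as an added example that is not part of the original post: a longest-prefix-match lookup over a constructed routing table. The interface names (vlan2, tun1, br0), the gateway addresses and the assumption that the provider pushes `redirect-gateway def1` are illustrative, not taken from the thread.

```python
import ipaddress

# Constructed `ip route` output for a router with the OpenVPN client up.
# Assumed names: vlan2 = WAN, tun1 = VPN tunnel, br0 = LAN; all gateway
# addresses are made up. The 0.0.0.0/1 + 128.0.0.0/1 pair is what
# OpenVPN's redirect-gateway def1 installs to capture all traffic.
SAMPLE_ROUTES = """\
default via 203.0.113.1 dev vlan2
0.0.0.0/1 via 10.8.0.1 dev tun1
128.0.0.0/1 via 10.8.0.1 dev tun1
4.79.142.192/28 via 203.0.113.1 dev vlan2
10.8.0.0/24 dev tun1 scope link
192.168.1.0/24 dev br0 scope link
"""


def parse_routes(text):
    """Return a list of (network, device) tuples from `ip route` lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), dev))
    return routes


def egress_device(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


def route_directive_to_network(directive):
    """Convert 'route <net> <mask> net_gateway' into an ip_network."""
    _, net, mask, _ = directive.split()
    return ipaddress.ip_network(f"{net}/{mask}")


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # .200 lies inside the /28 from the post; .208 is the first address outside it.
    for dest in ("4.79.142.200", "4.79.142.208", "8.8.8.8"):
        print(dest, "->", egress_device(routes, dest))
```

On a system with iproute2, `ip route get <address>` reports the same decision for the live routing table.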
Frakko
DD-WRT Guru


Joined: 06 May 2016
Posts: 521

Posted: Fri Aug 06, 2021 7:45
eibgrad wrote:
When you're NOT using the OpenVPN client, what GRC is checking is your WAN's firewall. But when the OpenVPN client is active, and the client is bound to the VPN, what GRC is checking is the VPN's firewall! So it's entirely possible the VPN provider has port 443 (and others) open, something you don't control.

For my own purposes when using GRC, I always bind the GRC IP network ( 4.79.142.192/28 ) to the WAN w/ a static route so that I'm always checking my WAN's firewall, NOT the VPN. Simplest way to do it is to add a route directive to the Additional Config field.

Code:
route 4.79.142.192 255.255.255.240 net_gateway


So should you do these checks by connecting the router directly to the network? When connected to the VPN the protection remains the same and that port is used by the VPN manager but the security of my PC is not changed in any way? Is the parameter you wrote the same for all VPN / Routers or does it change according to the operator (4.79.142.192 255.255.255.240)?
Thank you.
Frakko
DD-WRT Guru


Joined: 06 May 2016
Posts: 521

Posted: Fri Aug 06, 2021 8:02
egc wrote:
Then you should be good :)

GRC checks the endpoint, in this case the VPN server, which apparently has some ports open.

If you disable the VPN (provided your DDWRT router is connected to the internet with a public IP) and run the test again, I think/hope that GRC will show all ports stealthed (at least that is how it shows with my DDWRT router :) )


In fact by connecting it directly without VPN all ports are fine. Can I feel comfortable?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Fri Aug 06, 2021 10:02
Frakko wrote:

In fact by connecting it directly without VPN all ports are fine. Can I feel comfortable?


Yes...

As the others said, if GRC shows open ports, they are inside the VPN and you are in a personal VPN tunnel, so nothing to be afraid of... It's normal to have open ports as the VPN needs those to operate; it's normal to have 443, 853, 80, etc. open, those that the VPN needs...
It's the way a VPN works...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Fri Aug 06, 2021 17:42
Frakko wrote:
So should you do these checks by connecting the router directly to the network? When connected to the VPN the protection remains the same and that port is used by the VPN manager but the security of my PC is not changed in any way? Is the parameter you wrote the same for all VPN / Routers or does it change according to the operator (4.79.142.192 255.255.255.240)?
Thank you.


@Alozaros, let's not confuse ports used *outbound* to the OpenVPN provider's servers with the *inbound* ports that might be open on the OpenVPN provider's public IP on the remote side of the tunnel. Those are two different things.

Of course the OpenVPN provider has to have ports open on the public IP of his servers. But those are typically NOT the same public IPs reported by clients of the VPN. It's the inbound ports on the public IP of the tunnel that GRC is checking. And as I said, those may or may not be open. But generally speaking, you don't need to concern yourself w/ what GRC reports since it's NOT your firewall, and thus you don't control it. If it's an issue at all, it's for the OpenVPN provider. That's why I use the route command for GRC to force it to test my WAN.

As long as you have the "Inbound Firewall" option enabled on the OpenVPN client, you at least know the firewall on the *near* side of the tunnel is blocking any attempt by a remote device to initiate an inbound connection. IOW, *your* firewall wrt the VPN is providing protection.
