Security problem and speedtest with VPN

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
Frakko
DD-WRT User


Joined: 06 May 2016
Posts: 493

PostPosted: Thu Aug 05, 2021 7:14    Post subject: Security problem and speedtest with VPN Reply with quote
I have two problems with my VPN:
1) When the VPN is active the system, checking with GRC (https://www.grc.com/x/ne.dll?bh0bkyd2) the port 443 is open, without everything is fine. https://ibb.co/x68HQ2b https://ibb.co/dfC7cC3
2) If I do a speedtest the speed with the VPN is much lower https://ibb.co/TcXR0vd https://ibb.co/jvHRRhj Is this normal? At VPN support they say it depends on the router (Netgear R7000) which is not fast enough to handle the line in full. Tips/solutions Question
Thank you,
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12077
Location: Netherlands

PostPosted: Thu Aug 05, 2021 7:28    Post subject: Reply with quote
It is always helpful if you state not only router model but also build number.

I am assuming you run a recent build like 47117.

Also the General forum is not really for router help or router specific questions those either belong in the Advanced Networking forum or in the router specific forum.

To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

Regarding your question:
Do you connect on port 443 to your VPN provider?
Do you have the Inbound Firewall on TUN checked?

A normal OpenVPN speed for dual core ARM A9 CPU at 1 GHz is between 30-40 Mb/s depending on settings and how the router is taxed.

If you want better speeds use WireGuard which gives often almost 3 times as much performance

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Frakko
DD-WRT User


Joined: 06 May 2016
Posts: 493

PostPosted: Thu Aug 05, 2021 14:49    Post subject: Reply with quote
build number: 08/01/2021 - r47117

Regarding your question:
Do you connect on port 443 to your VPN provider? No.
Do you have the Inbound Firewall on TUN checked? Yes.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12077
Location: Netherlands

PostPosted: Thu Aug 05, 2021 15:03    Post subject: Reply with quote
Then you should be good Smile

GRC checks the endpoint in this case the VPN server that has some ports open apparently.

If you disable the VPN (provided your DDWRT router is connected to the internet with a public IP) and run the test again I think/hope that GRC will show all ports stealthed (at least that is how it shows with my DDWRT router Smile )

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Thu Aug 05, 2021 18:11    Post subject: Reply with quote
When you're NOT using the OpenVPN client, what GRC is checking is your WAN's firewall. But when the OpenVPN client is active, and the client is bound to the VPN, what GRC is checking the VPN's firewall! So it's entirely possible the VPN provider has port 443 (and others) open, something you don't control.

For my own purposes when using GRC, I always bind the GRC IP network ( 4.79.142.192/28 ) to the WAN w/ a static route so that I'm always checking my WAN's firewall, NOT the VPN. Simplest way to do it is to add a route directive to the Additional Config field.

Code:
route 4.79.142.192 255.255.255.240 net_gateway

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Frakko
DD-WRT User


Joined: 06 May 2016
Posts: 493

PostPosted: Fri Aug 06, 2021 7:45    Post subject: Reply with quote
eibgrad wrote:
When you're NOT using the OpenVPN client, what GRC is checking is your WAN's firewall. But when the OpenVPN client is active, and the client is bound to the VPN, what GRC is checking the VPN's firewall! So it's entirely possible the VPN provider has port 443 (and others) open, something you don't control.

For my own purposes when using GRC, I always bind the GRC IP network ( 4.79.142.192/28 ) to the WAN w/ a static route so that I'm always checking my WAN's firewall, NOT the VPN. Simplest way to do it is to add a route directive to the Additional Config field.

Code:
route 4.79.142.192 255.255.255.240 net_gateway


So should you do these checks by connecting the router directly to the network Question When connected to the VPN the protection remains the same and that port is used by the VPN manager but the security of my PC is not changed in any way Question Is the parameter you wrote the same for all VPN / Routers or does it change according to the operator (4.79.142.192 255.255.255.240) Question
Thank you.
Frakko
DD-WRT User


Joined: 06 May 2016
Posts: 493

PostPosted: Fri Aug 06, 2021 8:02    Post subject: Reply with quote
egc wrote:
Then you should be good Smile

GRC checks the endpoint in this case the VPN server that has some ports open apparently.

If you disable the VPN (provided your DDWRT router is connected to the internet with a public IP) and run the test again I think/hope that GRC will show all ports stealthed (at least that is how it shows with my DDWRT router Smile )


In fact by connecting it directly without VPN all ports are fine. Can I feel comfortable?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6043
Location: UK, London, just across the river..

PostPosted: Fri Aug 06, 2021 10:02    Post subject: Reply with quote
Frakko wrote:

In fact by connecting it directly without VPN all ports are fine. Can I feel comfortable?


yes...

as the other said, if GRC shows open ports they are inside the VPN and you are in personal VPN tunnel, so nothing to be afraid of...its normal to have an open ports as the VPN needs those to operate, its normal to have open 443, 853, 80 and ect. those that VPN needs...
its the way how VPN works...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 53045 WAP
TP-Link WR1043NDv2 -DD-WRT 53469 Gateway/DoT,Forced DNS,AP Isolation,Ad-Block,Firewall,VPN,x1VLAN
TP-Link WR1043NDv2 -DD-WRT 53469 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN(no-wifi)
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear R7800 --DD-WRT 53544 Gateway/DoT,AD-Block,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 53469 Gateway/Stubby DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 53469 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri Aug 06, 2021 17:42    Post subject: Reply with quote
Frakko wrote:
So should you do these checks by connecting the router directly to the network Question When connected to the VPN the protection remains the same and that port is used by the VPN manager but the security of my PC is not changed in any way Question Is the parameter you wrote the same for all VPN / Routers or does it change according to the operator (4.79.142.192 255.255.255.240) Question
Thank you.


@Alozaros, let's not confuse ports used *outbound* to the OpenVPN provider's servers with the *inbound* ports that might be open on the OpenVPN provider's public IP on the remote side of the tunnel. Those are two different things.

Of course the OpenVPN provider has to have ports open on the public IP of his servers. But those are typically NOT the same public IPs reported by clients of the VPN. It's the inbound ports on the public IP of the tunnel that GRC is checking. And as I said, those may or may not be open. But generally speaking, you don't need to concern yourself w/ what GRC reports since it's NOT your firewall, and thus don't control it. If it's an issue at all, it's for the OpenVPN provider. That's why I use the route command for GRC to force it to test my WAN.

As long as you have the "Inbound Firewall" option enabled on the OpenVPN client, you at least know the firewall on the *near* side of the tunnel is blocking any attempt by a remote device to initiate an inbound connection. IOW, *your* firewall wrt the VPN is providing protection.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum