[SOLVED] Websites not loading (UDP) or slow (TCP)

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Tue Jul 19, 2022 0:52
Let me explain my reasoning.

What I suspect is that when you specified the NordVPN DNS servers on the WAN, you did NOT also check the "Ignore WAN DNS" option.

If that's the case, that means the NordVPN DNS servers will be combined with those of the ISP. But if the ISP reserves those DNS servers for the exclusive use of its own customers over the WAN (i.e., they are effectively *private*), then when the OpenVPN client gets connected, access to the ISP's DNS servers will fail, since the VPN requires *public* access! That might explain why some DNS queries work and others do NOT.

As I explained in the prior post, leave the WAN configuration alone. Let it default to the ISP's DNS servers. It doesn't matter because we're *overriding* those DNS servers anyway w/ server directives in DNSMasq, then binding those same DNS servers to the OpenVPN client.

IOW, before the OpenVPN client is connected, 1.1.1.1 and 1.0.0.1 are accessed over the WAN. Once the OpenVPN client is connected, they're accessed over the VPN. Simple.

Of course, you can use *any* DNS servers you want, it doesn't matter. Just so long as they are *publicly* accessible, even those from NordVPN. We're just trying to avoid the use of those from the ISP, which are probably only *privately* accessible.

P.S. I suppose the other obvious solution is to ignore what I said above and just check the "Ignore WAN DNS" option (if indeed that's the problem). But what I described in that prior post is how *I* always do it.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
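
One way to verify the behaviour described in the post above on the router itself: list the plain `server=` resolvers from a dnsmasq config and check which interface the kernel routes each one through. This is an added example, not eibgrad's or the DD-WRT project's code; the interface names `tun1` (VPN) and `vlan2` (WAN), the sample config and the sample `ip route get` lines are constructed assumptions.

```shell
# Constructed dnsmasq fragment using the resolvers named in the post.
SAMPLE_CONF='no-resolv
server=1.1.1.1
server=1.0.0.1
# server=9.9.9.9
server=/lan/192.168.1.1'

# Constructed `ip route get` results: VPN up, 1.0.0.1 still leaving via the WAN.
# Set SAMPLE_ROUTES='' to query the live routing table instead.
SAMPLE_ROUTES='1.1.1.1 via 10.8.0.1 dev tun1 src 10.8.0.6
1.0.0.1 via 203.0.113.1 dev vlan2 src 203.0.113.20'

# Print plain upstream resolvers (server=<ipv4>); comments and per-domain
# forms such as server=/lan/192.168.1.1 are skipped.
dns_servers_from_conf() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*server=\([0-9][0-9.]*\)[[:space:]]*$/\1/p'
}

# Extract the egress device from one line of `ip route get` output.
dev_from_route() {
    printf '%s\n' "$1" | awk '{for (i = 1; i < NF; i++) if ($i == "dev") {print $(i + 1); exit}}'
}

# Return the route line for one address, from the sample or the live table.
lookup_route() {
    if [ -n "$SAMPLE_ROUTES" ]; then
        printf '%s\n' "$SAMPLE_ROUTES" | awk -v ip="$1" '$1 == ip {print; exit}'
    else
        ip route get "$1" 2>/dev/null | head -n 1
    fi
}

# Print "<resolver> <device> OK|LEAK" for each resolver; return 1 if any
# resolver is not routed through the expected tunnel device.
audit_dns_path() {
    conf=$1 want_dev=$2 rc=0
    for s in $(dns_servers_from_conf "$conf"); do
        dev=$(dev_from_route "$(lookup_route "$s")")
        if [ "$dev" = "$want_dev" ]; then
            echo "$s $dev OK"
        else
            echo "$s ${dev:-none} LEAK"; rc=1
        fi
    done
    return $rc
}

audit_dns_path "$SAMPLE_CONF" tun1 || echo "at least one resolver bypasses the VPN"
```

On a live router, set `SAMPLE_ROUTES=''` and pass the contents of the running dnsmasq config (assumed here to be `/tmp/dnsmasq.conf` on DD-WRT) instead of `SAMPLE_CONF`.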
n9nlu
DD-WRT Novice


Joined: 27 Apr 2012
Posts: 14

Posted: Tue Jul 19, 2022 1:28
Again, thanks for taking the time to help me with this and to explain how and why.

Now to up the security of the router...
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Tue Jul 19, 2022 1:32
n9nlu wrote:
Again, thanks for taking the time to help me with this and to explain how and why.

Now to up the security of the router...


Did it fix the problem?! (don't leave in suspense, lol)

n9nlu
DD-WRT Novice


Joined: 27 Apr 2012
Posts: 14

Posted: Tue Jul 19, 2022 2:01
I thought I posted the "it works" message.... lol maybe in my excitement I forgot to click post... lol

But yes, it is working now. I tried my idea of putting the Cloudflare DNS server addresses in the WAN DNS fields; that didn't work.

I then did your method by adding the additional configs and without any issue, the websites that were not working, they now are loading without issue.

Thanks again!

By the way, do you have any suggestion for a tutorial on how to secure a DD-WRT router from external threats? Searching Google, it seems everyone has their own opinion on "How To" but I'd also like to know the "Why"
n9nlu
DD-WRT Novice


Joined: 27 Apr 2012
Posts: 14

Posted: Tue Jul 19, 2022 2:11
Aw heck, just when I thought I got the VPN set up to work with everything... Amazon Prime on the TV is angry that it's on a VPN ...
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Tue Jul 19, 2022 2:35
n9nlu wrote:
Aw heck, just when I thought I got the VPN set up to work with everything... Amazon Prime on the TV is angry that it's on a VPN ...


Well that's a completely different kind of problem. It's technically NOT a configuration error. It's just the content provider preventing unauthorized access by detecting your usage of a VPN, be it the VPN server itself (which is usually well-known) and/or the use of DNS over the VPN.

You either have to have a VPN provider that offers to get around such restrictions using specific OpenVPN servers, or else route the TV through the WAN. But even then, sometimes the content provider can detect you're still using the VPN at least for DNS.

n9nlu
DD-WRT Novice


Joined: 27 Apr 2012
Posts: 14

Posted: Tue Jul 19, 2022 3:05
Just the total opposite of what I conquered a few years ago... I travel out of the USA for the winter months, my wife wants to watch NASCAR so I needed a VPN so she could watch the races.

Currently, being Stateside, simply centrally securing my internet with a VPN that I've had, now my wife cannot watch Amazon Prime Video with the VPN active on the router...

GAD! Technology is a headache!

Well, I guess I could:

A: DMZ a LAN port of the DD-WRT VPN router and put another DD-WRT router - non-VPN, on that DMZ port, put all the IoT junk on a managed switch connected to the non-VPN router as well as the WiFi devices.

or

B: Have a DD-WRT Non-VPN router first in the LAN chain after the modem, plug in the managed switch and IoT devices, also use this non-vpn router for WiFi.

Plug in the DD-WRT VPN router into one of the non-vpn LAN ports and disable the wifi.

If a device in my house has a LAN port, it's using wired. The only things that are wifi are the phones and tablets... so no biggie...
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Tue Jul 19, 2022 3:22
I'm still NOT clear here what the VPN is intended for.

If you can live w/ having Amazon Prime routed over the WAN, then you can simply use PBR (policy based routing) to route all the traffic over the VPN, except for the TV. You can also use Split DNS so the WAN and VPN use different DNS servers (as I said, sometimes the content providers can detect the use of a VPN for DNS, even if the content itself is being routed over the WAN).

However, if you need to route Amazon Prime over the VPN to circumvent region restrictions, then obviously the above doesn't solve that problem. You need to resolve that w/ the choice of VPN provider, one who offers specific servers to circumvent region restrictions. In some cases, that might require a static IP w/ the VPN provider ($$) because it's far less likely to be KNOWN as coming from a VPN provider.

Then there's the issue of needing to route only *some* of the content from the TV, and not the internet generally, such as things like YT (YouTube). That's another configuration entirely.

Then there's users who want nothing more than to obscure their public IP, like me! I couldn't care less about content issues since I don't watch any of it anyway!

IOW, ppl are using VPNs for a variety of reasons, and each requires fine tuning to meet those needs. But the devil is in the details, in knowing *precisely* what you want the VPN to do. Right now, the process has been rather piecemeal; we only find out what you need when something doesn't work as expected.

P.S. Sometimes using separate routers might be the answer. Just depends. But the router is designed to support selective routing (aka, split tunneling), and so that *might* NOT be necessary. Again, it's knowing *exactly* what you want that will determine what's possible and the best solution.

n9nlu
DD-WRT Novice


Joined: 27 Apr 2012
Posts: 14

Posted: Tue Jul 19, 2022 3:53
There is no real definite reason to use the VPN here, Stateside other than ... because I already have NordVPN and because I would like to simply obfuscate my connection to the internet for privacy... because I can. (Great minds think alike :D)

When I'm traveling, using public WiFi, sharing private WiFi or plugging into a network at a hotel or AirBnB, this is why I have NordVPN but I have only been using the NordVPN app on each device. I'll take what I've learned today to make a "travel router" ... specifically on hardware that I can tether to my cell phone to have a secondary internet connection.

Where I typically travel, electricity can drop out unexpectedly, water can shut off while you are taking a sun warmed water shower, the CATV / internet can go poof in an instant... the one service that is typically resilient is cellular / cellular data but that too could be shut off if the government wanted to do so. Last resort is to tether to my satellite phone if the shizzle really hit the fan but at that point I'd probably be on the move and using the VPN as a mobile app.

With all that said...

It sounds like from what you are saying, I can use this router ( Netgear R7000P ) with the VPN set up on it, but yet have non-VPN connections. I doubt I'm using the appropriate terminology. I remember seeing certain features in the WiFi settings and in the routing or NAT or something... while playing with DD-WRT.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Tue Jul 19, 2022 4:27
It's called PBR (policy based routing), aka split tunneling.

By default, when you connect to a commercial OpenVPN provider, ALL your devices, router and WLAN/LAN, are then routed over the VPN. And in many cases, such as on the road, that makes the most sense.

However, sometimes you don't want ALL your devices routed over the VPN, only some. The others should continue to be routed over the WAN, exactly as it was before the VPN was running. Sometimes it's just a preference, other times it's a necessity (e.g., your Amazon Prime is complaining because it KNOWS you're using a VPN and refuses to stream).

The OpenVPN client is a powerful tool that is more than just a simple "route it all over the VPN" solution. You can control precisely what uses the VPN vs. the WAN. You can even split DNS, so those devices bound to the WAN use a DNS server likewise bound to the WAN, while those bound to the VPN use a DNS server likewise bound to the VPN.

You can even choose the default behavior of split tunneling, i.e., what is the default routing to the internet, VPN or WAN, and what are the exceptions to that default.

There's also a killswitch to block access to the WAN for those bound to the VPN (should the VPN fail for any reason), and a watchdog to restart failed connections.

So there's a LOT going on w/ the OpenVPN client in terms of features and capabilities. Each user brings to the table their own unique requirements, and we're more than happy to explain what it takes to achieve them provided we have sufficient details.

n9nlu
DD-WRT Novice


Joined: 27 Apr 2012
Posts: 14

Posted: Tue Jul 19, 2022 4:56
I'm reading on Split Tunneling right now... if I have a question that I cannot figure out, I'll use the search feature of the forum... if I'm still stumped, I'll start a new thread.

Thanks again for all your help.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Tue Jul 19, 2022 6:40
A lot of @eibgrad's wisdom is condensed in our documentation.

For all OpenVPN (a sticky in this forum):
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398

In your case you need the "OpenVPN Client setup guide"

It also has a paragraph detailing settings specifically for NordVPN (and lots of other providers)

And it also has detailed information about PBR :)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087