Wireguard VPN and instacart.com

howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sat Nov 26, 2022 20:43    Post subject: Wireguard VPN and instacart.com
Running Netgear R9000 build 50474 Wireguard VPN to Windscribe.

When I try to access instacart.com or fredmeyer.com, I get blocked with an access denied message.

I've corresponded with instacart support, and they tell me that they do not allow access through VPNs. As stupid as that is, it's clearly not a DD-WRT problem.

Where DD-WRT comes in is that I have attempted to add "Route Selected Destinations via WAN" to my Wireguard tunnel configuration, and tried specifying both www.instacart.com and the IP address I get by pinging www.instacart.com as destinations for PBR.

Routing the destinations via WAN did not allow me to access instacart. I am curious as to why that might be. For now, I am just taking down the VPN when I want to use instacart, but that's a bit of a pain.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sat Nov 26, 2022 22:28
I will move your thread to the more appropriate Advanced Networking forum. See the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

WireGuard documentation is a sticky in this forum:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397

For you the Client setup guide is the most interesting.

I quote:
Quote:
Route selected destinations via WAN

Sometimes you are using the VPN but have some destinations for which you always want to use the WAN; in that case you can enter that destination here.

It is often asked if this can also be done for e.g. Amazon, Netflix, BBC etc.
Unfortunately Amazon (and Netflix, BBC, YouTube etc.) have multiple rapidly changing servers and multiple domains, all of which you have to catch, and the domain name is only resolved when the tunnel is started, so in reality this probably will not work.
IPSET might be able to mitigate this (for an example see:
https://www.linksysinfo.org/index.php?threads/using-ipset-to-bypass-a-vpn.73136/page-2
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327102&highlight=youtube )


So maybe that is just not possible with instacart.

Another thing to look at is the DNS: sites which block VPNs also check if the DNS query is coming from the same origin, and probably your DNS is going through the VPN.
To test if this is the problem, remove the DNS from the WireGuard client or use Split DNS (see the guide).

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 5:57
Thank you for the pointers. I missed that it was covered in the Wireguard config document.

I did some reading about ipset, and it sounds easier to just take my VPN down every now and then. Most of the time the VPN causes me no issues.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Nov 27, 2022 7:33
Did you try with enabling "Split DNS" in the GUI to see if the problem is the DNS?

Ipset integration might be coming. I already have it running in an experimental build, but it will not be before the holidays.

howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 10:56
I did not try Split DNS. I read about it and doubt I really understand it.

The forum document says this:

-----------
Both OpenVPN and WireGuard can use Split DNS, meaning that the Policy Based Routing (PBR) sources will use the DNS server which is using their route, e.g. if the selected sources are routed via the VPN they will use the VPN DNS server, and other sources which are routed via the WAN will use the WAN DNS servers.
-----------

I may be reading that wrong, but what it says to me is that I have to identify some of my hosts through PBR to use the WAN instead of the VPN. But I want all hosts on my network to use the VPN all the time except that causes problems with (a very few) websites. I'm not understanding how to use Split DNS to tell my local hosts to use the WAN only for certain websites.

Or are you suggesting that I just temporarily set a PBR entry for one host and try a problem website to see if I can access it to try and isolate the problem? If that's the case, I just tried it, and yes, with computer I'm typing on now listed in the PBR as route to WAN I can now access the problem websites.

Afraid I am not enough of a networking guru to know what I'm doing here.

Thank you for your help.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Nov 27, 2022 11:09
You have added instacart to the Destination for PBR field and chose Selected Destinations via the WAN. As said, that does not always work if the domain resolves to many changing IP addresses or uses other subdomains.

But another problem could be that when you resolve instacart the DNS server of the VPN is used to do that, and instacart might be checking this and thus concludes that you are still using the VPN for instacart.
So for the resolving of instacart.com you should use a DNS server which is routed via the WAN and not the VPN DNS server.

To see if that is the problem, in the WireGuard GUI for Destination for PBR, besides instacart.com, add 9.9.9.9.

On the services page under DNSMasq additional options add:
server=/instacart.com/9.9.9.9

Now instacart.com will be resolved by DNS server 9.9.9.9 and that server is routed via the WAN.

Maybe this does the trick, maybe not, but worth a try :)



Last edited by egc on Sun Nov 27, 2022 13:13; edited 2 times in total
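
The two settings in the post above have to agree: the `server=` line picks the resolver for instacart.com, and the Destination for PBR list decides whether that resolver is reached via the WAN. The following Python check of that pairing is an added example, not code from the thread or from DD-WRT; the sample options, the 10.255.255.1 VPN resolver and cdn.example.net are constructed, and it assumes anything not listed as a WAN destination follows the tunnel.

```python
import ipaddress

# Constructed sample of "Additional Dnsmasq Options"; 10.255.255.1 stands in
# for the VPN provider's resolver (assumption, not from the thread).
DNSMASQ_OPTIONS = """
server=10.255.255.1
server=/instacart.com/9.9.9.9
"""
# Constructed "Destination for PBR" list (destinations sent via the WAN).
WAN_DESTINATIONS = ["instacart.com", "9.9.9.9"]

def parse_servers(options):
    """Split dnsmasq server= lines into default upstreams and per-domain ones."""
    defaults, per_domain = [], {}
    for line in options.splitlines():
        line = line.strip()
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):          # server=/dom1/dom2/upstream
            *domains, server = value[1:].split("/")
            for domain in domains:
                per_domain[domain.lower().strip(".")] = server
        else:                              # server=upstream
            defaults.append(value)
    return defaults, per_domain

def upstream_for(name, defaults, per_domain):
    """Longest matching domain suffix wins; else the first default (simplified)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in per_domain:
            return per_domain[suffix]
    return defaults[0] if defaults else None

def leaves_via_wan(server, wan_destinations):
    """True if the resolver's IP is covered by an IP/CIDR WAN destination."""
    addr = ipaddress.ip_address(server.split("#")[0])
    for entry in wan_destinations:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # hostname entry: says nothing about the resolver's route
    return False

def dns_path(name, options=DNSMASQ_OPTIONS, wan_destinations=WAN_DESTINATIONS):
    """Return (resolver, 'WAN' or 'VPN') for the DNS query of one hostname."""
    defaults, per_domain = parse_servers(options)
    server = upstream_for(name, defaults, per_domain)
    return server, "WAN" if leaves_via_wan(server, wan_destinations) else "VPN"

if __name__ == "__main__":
    for host in ("www.instacart.com", "cdn.example.net"):  # second is constructed
        print(host, dns_path(host))
```

Hostnames outside instacart.com, such as the constructed cdn.example.net, still resolve through the default resolver, which is the multiple-domains limitation the quoted guide describes.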
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sun Nov 27, 2022 12:10
Note: You need a Destination Routing, not a PBR which is based on Source.

The Wireguard GUI appears to be wrong with some of its labels.
howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 12:13
Did you mean to say I should put instacart.com in the route selected *destinations* field?

It didn't make sense to me to put instacart.com in the *source* field.

Regardless, I tried it both ways with Split DNS enabled. It didn't work. Was worth a try. :D
howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 12:18
Per Yngve Berg wrote:
Note: You need a Destination Routing, not a PBR which is based on Source.

The Wireguard GUI appears to be wrong with some of its labels.


Okay, I'm definitely out of my depth now. If the Wireguard labels are wrong, I don't know where to put a destination routing.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sun Nov 27, 2022 12:38
Destination Routing=Route Selected Destinations via WAN

A new line comes up which says "Destination for PBR"

I would have checked the routing tables to see if the settings are entered correctly.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Nov 27, 2022 13:13
My bad, not really awake when I wrote that.

Thanks PYB for waking me up :)

I have corrected my post, which now should have the correct instructions to resolve instacart.com via the WAN using an alternate DNS server which is also routed via the WAN.

howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 22:48
egc wrote:

On the services page under DNSMasq additional options add:
server=/instacart.com/9.9.9.9

Now instacart.com will be resolved by DNS server 9.9.9.9 and that server is routed via the WAN



If I add 9.9.9.9 to Destinations for PBR, then ping 9.9.9.9 reports destination port unreachable. So attempts to reach instacart.com fail when the DNSMasq additional option is set because instacart.com won't resolve.

Without the PBR destination entry, ping 9.9.9.9 works.

I tried 8.8.8.8 in case there was something weird about 9.9.9.9, but same results.
howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 22:55
Per Yngve Berg wrote:


I would have checked the routing tables to see if the settings are entered correctly.


I just looked at the routing table, and I do see a route for 9.9.9.9 to vlan2 with a gateway of my ISP's IP.
howard@sci1.com
DD-WRT Novice


Joined: 11 Jul 2022
Posts: 44

Posted: Sun Nov 27, 2022 23:02
Even stranger...

With 9.9.9.9 in PBR destinations to WAN, if I ping 9.9.9.9 from a putty SSH session to the DD-WRT router, the ping works. Ping only reports destination unreachable if I ping from the computer on which I'm typing this.

Tried ipconfig /renew but it didn't help. ipconfig /flushdns was also no help.