Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Tue Dec 06, 2022 4:06 Post subject: [SOLVED]OpenVPN Server IP and DNS Leaks
I have used OpenVPN Servers with ddwrt clients for a few years, but wanted to try ddwrt as OpenVPN server.
I have IP and DNS leaks when using ddwrt as OpenVPN server. I can connect to my other self-setup OpenVPN servers with all clients with no issues, but for some reason with ddwrt as OpenVPN server I get these leaks:
1) On S10 cell client it reports correct VPN server IP as expected, but DNS leaks to client ISP
2) Win laptop client, it does not report VPN Server IP, but instead the client IP, and DNS leaks to client ISP.
Everything seems to connect fine on both Client and OpenVPN server end via Android and Win OpenVPN Connect.
It’s odd that both clients are using the same config file but yet the S10 cell reports the correct VPN IP, whereas the win laptop does not, but both have DNS Leaks.
I can switch the clients to my other OpenVPN servers I have (mainly ASUS-Merlin routers) and all is good.
Here is my setup, same on both the ddwrt and other OpenVPN Servers I have:
Client (OpenVPN connect) -> Internet -> Main Router-> OpenVPN Server (ddwrt and ASUS Merlin)
The ddwrt OpenVPN server is Netgear R7000, with r50927 std (11/21/22), I have followed the DDWRT OpenVPN Server Setup guide v28 (Great guide, thank you egc!) for the OpenVPN Server setup with the same settings as in the guide.
When I look at the client files for the ddwrt and Merlin OpenVPN setups, almost identical config, but for some reason have IP leaks with ddwrt.
It just seems like I am missing some setting on ddwrt?
Thank you for any advice anyone may have.
Sample ASUS-Merlin client config:
client
dev tun
proto udp
remote XXXXXXXXXXXXXX
resolv-retry infinite
nobind
float
ncp-ciphers CHACHA20-POLY1305:AES-128-GCM:AES-256-GCM:AES-128-CBC:AES-256-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server
Sample ddwrt client config:
client
dev tun
#windows-driver wintun # only for Windows 10 OpenVPN 2.5.x
proto udp4
remote XXXXXXXXXXXXXXXXXX
nobind
persist-key
persist-tun
remote-cert-tls server
auth-nocache
verb 4
float
#tun-mtu 1400 # lowered default can be commented to let OpenVPN decide
auth none #For use with GCM or Chacha ciphers and not using tls-auth otherwise remove
#cipher AES-256-CBC #use AES-256-CBC for older (android) clients
data-ciphers CHACHA20-POLY1305:AES-256-GCM:AES-128-GCM:AES-256-CBC
Edit: I noticed both the Android and the Win OpenVPN Connect clients do show the correct Server Public IP, but on the laptop, when I do an IP check, it incorrectly reports the client's ISP, and both DNS leak to the client ISP.
tracert 8.8.8.8 indicates it is going through VPN Server. When I disconnect the internet from Server to test kill switch, the win laptop can still access the internet so am thinking this is how it might be leaking. The s10 cell has no internet access so kill switch seems to be working on s10.
IPv6 is disabled
Thank you again _________________ ASUS 7xAC68U
Linksys 3200ACM, 1900ACSv2, 3x1900AC, E3000, 5xE2500
Netgear 3xR7000, R6700, R6400
If able, give more than you take. Make the world better.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Tue Dec 06, 2022 8:29 Post subject:
In the server setup guide on page 20 is described how you can push DNS servers to your clients.
It is assuming that you have enabled on the OpenVPN Server "Push Client Route: Default Gateway"!
It is up to your clients to use those pushed DNS servers, see also page 25, Windows needs an extra setting otherwise you will have DNS leaks on Windows.
A kill switch is something the Client has to set and is not related to the Server.
On my Android phone (you need at least Android 8) it is under Settings > Network & Internet > Advanced > VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN
Testing for DNS leaks via a website does not always give you the actual result, tracert is more reliable.
I use ipleak.net and dnsleaktest.com, when you test clear browser cache (CTRL+F5)
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Wed Dec 07, 2022 2:47 Post subject:
egc wrote:
In the server setup guide on page 20 is described how you can push DNS servers to your clients.
It is assuming that you have enabled on the OpenVPN Server "Push Client Route: Default Gateway"!
Yes, that was checked in initial setup.
egc wrote:
It is up to your clients to use those pushed DNS servers, see also page 25, Windows needs an extra setting otherwise you will have DNS leaks on Windows.
Since windows is working fine with my other OpenVPN servers (ASUS-Merlin), with similar looking client config files, I was thinking I was missing a setting on server side. I am new and just learning, I added "block-outside-dns" to windows client config, as on p.24 of guide, but no change, I do see where the guide says "This option should of course be used in conjunction with the dhcp-option DNS command described earlier" but I am confused on that part, not sure how to do that?
egc wrote:
A kill switch is something the Client has to set and is not related to the Server.
Yes, I should have known that, newbie I am, but hope to get my skill level up soon so I can help contribute back in near future.
egc wrote:
On my Android phone (you need at least Android 8) it is under Settings > Network & Internet > Advanced > VPN > OpenVPN for Android > Enable Always ON VPN, Enable Block Connections without VPN
Since Android, like Windows, is working fine with all my other OpenVPN servers with no additional settings, I wonder why I have to do this with ddwrt? I did try it but same result, no change. I am on Android 12.
egc wrote:
Testing for DNS leaks via a website does not always give you the actual result, tracert is more reliable.
I use ipleak.net and dnsleaktest.com, when you test clear browser cache (CTRL+F5)
Yes, I have been using nordvpn.com/ip-lookup/ and dnsleaktest.com. I tried ipleak.net it is giving same results.
egc wrote:
P.S. You can also consider using WireGuard, three times as fast as OpenVPN and easy to setup, documentation is also a sticky in this forum, there are also clients for all major platforms.
Yes, I love Wireguard! Especially after all this time on OpenVPN with slower speeds. I actually set wg up on my router first. I did see your note in wg server setup guide v45, p.22, about running concurrent with OpenVPN, about adding OpenVPN Server Additional Config:"redirect-private local", but when I did that, it did not work so I took it out of server config. I have been sure to keep the wg tunnels disabled as I work on OpenVPN setup.
I was hoping to get OpenVPN running as a backup to wg, in case I mess something up on one of the remote servers in wireguard, I could come in through OpenVPN to repair. It seems like so close to getting OpenVPN server working, any other ideas?
Thank you again so much for your advice!
SSP
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Wed Dec 07, 2022 7:33 Post subject:
You can run an OpenVPN Server and a WireGuard server just fine side by side as long as you give them a different subnet, I am actually doing that right now.
The Redirect private-local is sometimes necessary if you are running an OpenVPN Client not for an OpenVPN server.
DDWRT uses the same OpenVPN server as other third party firmware so perhaps you are overcomplicating things.
Pushing a DNS server to your clients is as simple as adding the following to the OpenVPN Servers Additional configuration:
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Thu Dec 08, 2022 5:33 Post subject:
Here is the server info attached.
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Thu Dec 08, 2022 12:58 Post subject:
First you do not seem to push a DNS server yet, I highly recommend you do.
Regarding your phone, it looks like your phone is using IPv6 only.
The latest OpenVPN update seems to break things regarding NAT64 which is used to translate IPv6 into IPv4.
Because of that we decided already to go back to OpenVPN 2.5.7 (I am certain other third party firmwares are not using OpenVPN 2.5.8 yet so those are not affected.)
As a test can you add to the openvpn config file on your phone: block-ipv6
I do not think it will work but worth a try.
Your windows setup seems to use IPv4 but you are using the OpenVPN Connect V3 app which is a bit buggy regarding DNS (the older OpenVPN Client as referenced in the OpenVPN Server setup guide is more mature)
For the connect app, to stop DNS leaks you really have to push a DNS server.
The Connect app has advanced settings to tweak your DNS and it also supports a kind of a kill switch which is called Seamless Tunnel.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Fri Dec 09, 2022 5:10 Post subject:
egc wrote:
I will look at it into more detail but are you connecting via cellular T-Mobile?
(you can check if you only have an IPv6 address on your phone/laptop)
T-Mobile is an IPv6 provider only, the latest version of OpenVPN 2.5.8 (we recently upgraded to that) does not work with IPv6 only providers and we actually are downgrading OpenVPN in the next public build
Yes, T-Mobile, and also as hotspot to test Windows. Oddly, on the phone the IP shows as both ipv4 and ipv6.
egc wrote:
First you do not seem to push a DNS server yet, I highly recommend you do
Summary of OpenVPN Server tests:
Reference Baseline: OpenVPN 2.5.7 Servers on ASUS-Merlin v386.7
All clients connect perfect: windows, android T-mobile, via OpenVPN Connect v.3.3.0 android, v3.3.6 win; including Win via TM hotspot; AND multiple ddwrt OpenVPN client routers with 2022 versions of ddwrt; kill switch works, clients use VPN DNS Servers, no additional config needed on either Server or Client side
Test Case1 (previous): OpenVPN 2.5.8 Server on DDWRT r50927 std (11/21/22)
Android Clients: via T-Mobile, OpenVPN Connect v.3.3.0, VPN IP is shown correct, but DNS Leaks, kill switch works
Windows Clients: testing via Android Hotspot TM, OpenVPN Connect v.3.3.6, exposes client IP, DNS Leaks and kill switch not working
Test Case2: adding "dhcp-option DNS 8.8.8.8" to ddwrt server config results:
With android Success! I added "dhcp-option DNS 8.8.8.8" now no DNS leaks on Android cell. However, on ipleak.net it shows “Your IP addresses WebRTC detection 10.8.0.2, Private use [RFC-1918]”, is this something I need to worry about?
With Win also Success! Unexpectedly now Win is working fine, both in identifying correct VPN Server IP, and no DNS leaks–all google. How is pushing the DNS server fixing the identifying IP address in Win case? I thought it would just affect the DNS requests? Interesting, on win client, there is no WebRTC detection.
I am still a little nervous, but at least according to ipleak.net and dnsleaktest.com it appears all well with the clients (except the WebRTC detection on Android as mentioned above).
But is it possible to use the VPN Servers DNS? And not have to push "dhcp-option DNS 8.8.8.8"? I say this b/c it has given me an added sense of security over the years as another check the VPN is working when I see the VPNs DNS servers instead of the clients.
egc wrote:
As a test can you add to the openvpn config file on your phone: block-ipv6
I do not think it will work but worth a try.
I then added block-ipv6 on cell client, no difference, it still works as in test results above, except on client OVPN Connect screen, the Server Public IP is identified with ipv6 (unexpected since we just asked to block it) and says UDPv6, whereas without it, Server Public IP is shown as ipv4 and says UDPv4 (it seems to do the opposite of what I would expect, odd).
egc wrote:
Your windows setup seems to use IPv4 but you are using the OpenVPN Connect V3 app which is a bit buggy regarding DNS (the older OpenVPN Client as referenced in the OpenVPN Server setup guide is more mature)
For the connect app, to stop DNS leaks you really have to push a DNS server.
I originally downloaded OpenVPN 2.5, but it conflicted with the existing OpenVPN Connect 3, and I ended up having to uninstall both. I just reinstalled Connect 3 since that is what I have been using up to now with no issues; will try to test 2.5 when I get a chance.
egc wrote:
The Connect app has advanced settings to tweak your DNS and it also supports a kind of a kill switch which is called Seamless Tunnel.
Tested OpenVPN Connect kill switch with Test Case2, adding "dhcp-option DNS 8.8.8.8" now kill switch works on Windows! (Android was already working in first case). However, after about 2 minutes OpenVPN Connect disconnects then client falls back to its ISP after about another few minutes on both android and win. Since the final goal is running ddwrt as client and server, in my experience the ddwrt client kill switch stays on indefinitely--which is critical for safety--hopefully this will always be the case, otherwise danger will robinson. Why does pushing DNS server correct Win kill switch (as well as IP, and DNS leaks, it seemed to fix everything with Win)?
Will the Seamless Tunnel kill switch in OpenVPN 2.5 protect indefinitely, i.e. block local ISP access as long as VPN client turned on?
Thank you so much egc for all your help and guidance for this novice!
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Fri Dec 09, 2022 11:26 Post subject:
Progress
About WebRTC that is a serious and underestimated problem actually not related to the VPN.
It is caused by your web browser and if you are prudent you should disable it on your browser:
https://dataprot.net/guides/webrtc-leak/
About Killswitch, most are poorly implemented also the ones on Merlin (multiple reports about that)
You should really test the killswitch thoroughly. The DDWRT killswitch is designed by @eibgrad so I am certain it will work (if you have the Client enabled!)
The DDWRT OpenVPN Client setup guide has a paragraph about it and how to test.
The Windows OpenVPN connect app is not using the newer wintun driver as opposed to the community app, you should be able to use them both if you enable the wintun driver for the community app.
Remove the # at the beginning in the community app configuration file:
Quote:
#windows-driver wintun # Use for Windows 10/11 and OpenVPN 2.5.x
To be honest, both OpenVPN for Windows apps can use an overhaul.
The WireGuard app is better, but that is just my personal opinion
For Android I use Arne Schwabs app far superior to the Connect app.
About pushing your own router as DNS server that is certainly possible, if your routers IP address is 192.168.1.1 do the following (it is explained also in the OpenVPN server setup guide on page 20):
If you want to resolve DNS names over the VPN you will need to add the below lines to "Additional Configuration of the OpenVPN server."
Code:
push "dhcp-option DNS 192.168.1.1"
The next thing is to tell DNSMasq to listen to your OpenVPN servers interface which usually is tun2.
Navigate to "Services" > "Services." Scroll down to "Additional DNSMasq Options" and enter there:
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Sun Dec 18, 2022 5:20 Post subject:
Thank you egc for all your help!
Now have OpenVPN and WG up and running on several Netgear R7000’s as both server and clients. But the more I learn, the more I realize I don’t know, still a novice, thank you again for your wisdom and patience!
Was able to get clients to use Server DNS per your guidance above (push "dhcp-option DNS 192.168.1.1" and interface=tun2). I think Merlin has this option as the equivalent: “Advertise DNS to clients”. I also think I read you might be considering user/password auth for OpenVPN I think that would be a great idea, it seems like one more layer of protection.
Also got all the clients to work, even over TM hotspot, for Win clients just needed to add “block-ipv6” to prevent ipv6 leak from TM. Thanks for sharing ipleak.net, I am now using that along with dnsleaktest.com for testing.
On Chromebook with Android app OpenVPN Connect v3.3.0 (8367) via TM hotspot, all good with or without “block-ipv6” but either case TM introduces an ipv6 DNS hit but it is from the VPN Server so it is okay. OpenVPN Connect will report Server Public IP and VPN protocol as ipv4/UDPv4 regardless whether block-ipv6 is included or not on Chromebook.
When use OpenVPN Connect v3.3.0 (8367) via s10 Android 12, on TM, block-ipv6, like Chromebook, does not seem to do anything. On cell s10, it seems like it is a 50/50 chance when connecting that OpenVPN Connect will report Server Public IP and VPN protocol as either ipv4/UDPv4 or ipv6/UDPv6. Could not ascertain any pattern. But it passes ipleak.net and dnsleaktest.com either case so all good.
Only Android via S10 Cell had the WebRTC detection, but just the private connecting IP to OpenVPN like 10.8.0.2, so that seems okay, no location data given out.
The primary configuration I will be running is ddwrt router Client OpenVPN / WG to ddwrt router Server OpenVPN / WG over non-hotspot internet connection. Both Client and Server routers are in 2nd position behind a main router. The other clients above for testing.
Yes, kill switch is in my opinion the most important thing, it is like brakes in a car. I am not going to be comfortable riding in or trusting a car with the safety of my friends and family if the brakes are unreliable. Early on found in testing that the ASUS-Merlin kill switch was not dependable, thus only use ddwrt routers as clients. I remember discussing the ASUS-Merlin KS with @eibgrad and he had some ideas on how to make it better but I did not have the time to test and just stuck with ddwrt router as clients. So far all ddwrt kill switches have been fully reliable through all testing and in service, safety depends on it! I would not trust anything else at this point. Thank you again @eibgrad if you're out there somewhere for a safe and dependable kill switch!
Summary OpenVPN all good, even over TM ipv6 only hotspot when using ddwrt r50927 std (11/21/22) as server and client with OpenVPN 2.5.8.
Question regarding firewall setting on OpenVPN Server: I am using ddwrt OpenVPN/WG server as 2nd router behind main router, main router port forward to ddwrt router. Don’t I still need to have some sort of firewall for protection and safety? Currently “Inbound Firewall on TUN” is Off per guide. I do want clients to have access to outside/internet to the Servers ISP, as that is the primary use, so I do have “Allow Clients WAN Access”. I think I should be okay per the guide on step 8a below, but just want to make sure.
OpenVPN Server Setup guide v28, p.8, Step 8a, Setting up the Firewall says:
“A lot of guides have redundant firewall rules, in case of firewall rules less is more.
Actually you do not need any rules to make a connection, but if you want to have an outside/internet connection for
your client when "Redirect Default Gateway" is enabled then you have to add the rule described below, the rule is
necessary to NAT the traffic from the VPN out onto the internet via the WAN interface.
Note: builds from 46681 have a GUI button which does that for you, just Enable: Allow Clients WAN access (internet)
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE
Click on the "Administration" tab in the DD-WRT GUI, and then on the "Commands" tab. Copy the above code, and
paste the contents into the "Commands" window.
Then click "Save Firewall".
Sometimes the $(get_wanface) does not always identifies the name of your WAN interface correctly (on older
Broadcom routers the WAN interface is vlan0, on newer Broadcom it is vlan2, on Atheros it is eth0 or sometimes also
vlan2) this has been reported for Marvell based routers, in this case try this rule:
WAN_IF="$(route -n | awk '/^0.0.0.0/{wif=$NF} END {print wif}')"
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $WAN_IF -j MASQUERADE”
Question regarding safest firewall setting on WG client:
Similar question on WG clients firewall I have:
NAT via Tunnel = Enabled
Firewall Inbound = Enabled
Are these the best settings for maximum safety and firewall protection for WG?
I know for WG Server your guide says:
10. Firewall Inbound: Disabled (unchecked), as this is the server the tunnel has to accept incoming (new)
connections.
Thank you again for all your help!
SSP
Joined: 16 Nov 2015 Posts: 6436 Location: UK, London, just across the river..
Posted: Sun Dec 18, 2022 7:28 Post subject:
Yep, the egc/eibgrad kill-switch is working as it should...either on policy-based routing or single source...you can add your iptables lines instead, but it is not advisable...and yes the
kill-switch is using WAN name detection so nothing to bother with...
and yes as you noticed on server you don't need the inbound firewall as it doesn't make sense...
To be honest, I still don't use policy-based routing...and prefer the VPN client to be on a separate router/subnet (VLAN), not very rational...but it works...
for VPN DNS leak's concerns or IPv6
-use your DNSmasq inside the VPN (it goes by default)
-use DNS encryption...(SmartDNS has this easy option) for smart dns there is a messy thread, but you can ask me
to prevent DNS or any router ipv6 offered by the VPN provider...
add those lines to advance VPN box
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Sun Dec 18, 2022 8:57 Post subject:
The Kill switch in AsusWRT-Merlin is not reliable as you already noted.
There are threads about with comment from @eibgrad.
@eibgrad was involved in overhauling and redesigning OpenVPN for DDWRT, he actually was my consultant/mentor when I started working on it
It is a pity he is no longer active, I miss him.
About your question regarding "firewall setting on OpenVPN Server: I am using ddwrt OpenVPN/WG server as 2nd router behind main router": the main router will take care of the normal firewalling so no sweat about that but even if it was an internet connected router it is no problem.
About your question regarding safest firewall setting on WG client: if you just follow the guide and have the Inbound firewall enabled you have the normal protection so you should be safe there also.
Rule of thumb, for the Client you have the Inbound Firewall on TUN/Firewall Inbound enabled for the Server you have it Disabled.
For the Server it does not mean it has no firewall only that it opens specific ports and settings for having inbound traffic on the tun/wg interface, and that interface is protected by your keys so not a big problem either (btw keys are far,far safer than username/password, with OpenVPN you can use them both but that is a bit redundant in my opinion).
The code for adding OpenVPN username/password is feature complete and tested, the problem is it really is adding a lot of code and the head honcho wants everything to fit into 8 MB builds, I have attached the patch for the interested reader.
So the jury is still out on it and I can give no ETA on it, I have it running.
About IPv6, although we always specify UDP4 as protocol, which should mean use only IPv4, but OpenVPN is buggy and depending on the client it still wants IPv6 unless you add:
# to block IPv6, necessary on newer clients which otherwise default to IPv6
The newer guides have this already standard, the import utility already adds this (I think, as that was one of the things @eibgrad and I have been discussing), and I recently added it to the client config utility.
OpenVPN is unfortunately not free from bugs and has a myriad of poorly documented and overlapping settings that is the reason (and the fact it is lacking in kernel executing but that will come) that WireGuard has taken the VPN community by storm, WireGuard is very fast and very simple and very easy to setup.
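The settings this thread converges on (a DNS server pushed by the server, `block-outside-dns` on Windows clients, `block-ipv6` on clients) can be checked mechanically before relying on a leak-test website. The following is an added example, not part of any post or of the DD-WRT guides: a POSIX shell audit that ignores commented-out directives. The sample files, the `vpn.example.invalid` host and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which leak-related directives named in this thread
# are absent from OpenVPN config files. All sample files are constructed.

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed sample: the DD-WRT client config posted above, shortened.
cat > "$tmp/client.ovpn" <<'EOF'
client
dev tun
#windows-driver wintun # only for Windows 10 OpenVPN 2.5.x
proto udp4
remote vpn.example.invalid 1194
nobind
remote-cert-tls server
auth none #For use with GCM or Chacha ciphers
#block-ipv6
EOF

# Same client with the two client-side directives active.
{ cat "$tmp/client.ovpn"; printf 'block-outside-dns\nblock-ipv6\n'; } \
    > "$tmp/client_fixed.ovpn"

# Server "Additional Configuration" box: DNS push commented out, then active.
printf '# push "dhcp-option DNS 192.168.1.1"\n' > "$tmp/server_before.conf"
printf 'push   "dhcp-option DNS 192.168.1.1"\n' > "$tmp/server_after.conf"

# has_directive FILE WORD...: succeed if an active (uncommented) line
# begins with WORD... after comments and quoting are stripped.
has_directive() {
    hd_file=$1; shift
    awk -v want="$*" '
        {
            sub(/^[ \t]*[#;].*/, "")    # whole-line comment
            sub(/[ \t]+[#;].*/, "")     # trailing comment
            gsub(/"/, "")               # quoting used by push
            gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")
            if ($0 == want || index($0, want " ") == 1) found = 1
        }
        END { exit !found }
    ' "$hd_file"
}

# audit_client FILE PLATFORM: print the client-side directives that are missing.
# block-outside-dns is only checked for PLATFORM=windows.
audit_client() {
    missing=""
    has_directive "$1" block-ipv6 || missing="$missing block-ipv6"
    if [ "$2" = windows ]; then
        has_directive "$1" block-outside-dns || missing="$missing block-outside-dns"
    fi
    echo "${missing# }"
}

# audit_server FILE: say whether the server pushes a DNS server to clients.
audit_server() {
    if has_directive "$1" push dhcp-option DNS; then
        echo "pushes DNS"
    else
        echo "no DNS pushed"
    fi
}

echo "client (windows) missing: $(audit_client "$tmp/client.ovpn" windows)"
echo "client (android) missing: $(audit_client "$tmp/client.ovpn" android)"
echo "fixed client (windows) missing: $(audit_client "$tmp/client_fixed.ovpn" windows)"
echo "server before: $(audit_server "$tmp/server_before.conf")"
echo "server after:  $(audit_server "$tmp/server_after.conf")"
```

A clean audit only shows the directives are present; whether a given client app honours them still has to be confirmed with a live test such as tracert or ipleak.net, as discussed above.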
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Fri Dec 30, 2022 4:05 Post subject:
Thank you @alozaros and @egc!
@alozaros
Yes, I prefer using 2nd VPN router behind main for all VPN vs. PBR, especially since I am still learning, one complexity at a time.
@egc
Re: <8MB builds, can understand that since I primarily use E2500s and E3000s as OVPN clients (and hopefully soon WG Clients). They are small and easy to transport, have been dependable and boot up fast and so far seem almost bulletproof.
I wonder if ddwrt could consider a larger build that would be used for bigger routers that would be more likely be used as server, just an idea.
One thing that is nice about OVPN is no need to get to Server to add more clients vs WG where need to access server to add new Peer, not a big deal just another step.
WG is fast and hope to slowly transition family and friends clients to WG, but still need to do more testing since safety is paramount. And even though OVPN slow, it is plenty fast for basic communication.
Thanks to all ddwrt team!
Help making the world a little safer one connection at a time!
Joined: 14 Sep 2021 Posts: 21 Location: Western Hemisphere
Posted: Sat Dec 31, 2022 1:56 Post subject:
An observation in doing the OpenVPN testing just to pass on if anyone else runs into this. My setup is:
Main Router -> OVPN Server router repeater
I noted if you try to connect an OVPN client also served by main router, like laptop, on same band as the Server was running as repeater it would not work. As long on different bands, worked fine, ie have server on 2.4 GHz and Client on 5GHz.