
Understanding Hybrid VPN



  • Administrators
Posted

It literally says in the link: "Click here to see a list of ExpressVPN Server Locations, including instructions for adding our TCP configuration files." I think you were unfortunate in that you got someone who didn't know what they were talking about. May be worth raising a ticket rather than using live chat. Haha well they are but let's try to get this sorted if possible!

Posted
46 minutes ago, Netduma Fraser said:

It literally says in the link: "Click here to see a list of ExpressVPN Server Locations, including instructions for adding our TCP configuration files." I think you were unfortunate in that you got someone who didn't know what they were talking about. May be worth raising a ticket rather than using live chat. Haha well they are but let's try to get this sorted if possible!

Alright. Manual configurations don't really have the options with changing its protocol, because these are manual setups. Manual setups would either be OpenVPN, L2TP or PPTP. And it can only work on that specific protocol it was set up.

Got this response. Apparently only the desktop app etc. let you change protocols.

  • Administrators
Posted
28 minutes ago, Wolfie said:

Alright. Manual configurations don't really have the options with changing its protocol, because these are manual setups. Manual setups would either be OpenVPN, L2TP or PPTP. And it can only work on that specific protocol it was set up.

Got this response. Apparently only the desktop app etc. let you change protocols.

That's ridiculous. Here for example, you can download PureVPN config files, like the Windows recommended ones. Download and open, it's split into UDP and TCP immediately and it's still OpenVPN https://support.purevpn.com/openvpn-files so I don't understand how what they're saying is correct.

Posted
1 minute ago, Netduma Fraser said:

That's ridiculous. Here for example, you can download PureVPN config files, like the Windows recommended ones. Download and open, it's split into UDP and TCP immediately and it's still OpenVPN https://support.purevpn.com/openvpn-files

Yeah, guess I'll deal with it or get a refund and try another VPN service. Appreciate you helping out though

Posted

Already notified about the DNS and RTC leak.

TCP isn't going to help. It's problematic for all VPN providers. It needs a modification to tunnel VPN DNS into the tun0 device.

ExpressVPN does push preferred 10.x.x.x DNS server upon connection - Duma ignores - uses preferred or automatic WAN DNS for resolution. Speed can be increased by setting the processor to performance mode which Netgear doesn't do (ondemand) -- you can do it yourself.

ExpressVPN doesn't give tcp configs for download apparently, but just for the curious:

6 hours ago, Wolfie said:

dev tun
fast-io
persist-key
persist-tun
nobind
remote usa-dallas-ca-version-2.expressnetw.com 1195

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

Here is the top part
the rest of it is just all the begin certificate etc.

mods to config in BOLD (make sure to uncomment with a # where needed):

proto tcp-client
dev tun
#fast-io
persist-key
persist-tun
nobind
remote (vpn server you want to use.com) 443

remote-random
pull
comp-lzo no
tls-client
verify-x509-name Server name-prefix
ns-cert-type server
key-direction 1
route-method exe
route-delay 2
tun-mtu 1500
#fragment 1300
mssfix 1450
verb 3
cipher AES-256-CBC
keysize 256
auth SHA512
sndbuf 524288
rcvbuf 524288
auth-user-pass

<<add your cert, etc >>

If you get an error on any line in logs, comment it out.

If it connects, TCP connection is successful.

  • Administrators
Posted

Thanks for the modified file! I have passed it onto the team for further diagnosis so hopefully they can confirm and resolve it.

Posted
16 hours ago, xr500user said:

speed can be increased by setting the processor to performance mode which netgear doesn't do (ondemand) -- you can do it yourself.

Is this a setting or did you mean in like a custom firmware?

Posted

It is not a setting you can change with the admin interface.

As most know the router is running on Linux, so you would have to have at least a pretty good understanding of Linux and make changes to certain startup scripts to change the CPU setting on the current firmware during boot. I would not recommend doing this unless you really know what you are doing and are OK with the possibility of messing something up badly, so I am not going to give the instructions but only these hints that it can be done, and you will have to do the research and learning part. That is not the only modification that can be done to boost performance - from reading all the Voxel posts available I learned a lot, and after that study, in addition you could change some compiler settings when building the base router kernel from the ones Netgear uses and it will speed it up even more.. but keep in mind this would have to be done by Netgear, and Netgear plays it safe and conservative with their kernel, it appears. Setting the performance mode raises the CPU temp by about 7 degrees -- so it is not a hardware limitation.. it's a risk they don't want to take - although people are using these settings without any issue (as 3-4c more isn't that much, and it's not in the realm of overclocking yet as it's forcing the CPUs to use their full spec - all the time, if you start pushing it to 2.0ghz+ now running into danger zone) but as they say .. no risk ... no glory

(some are getting 80/85+mbps/sec over the router based VPN on the R7800)

  • Netduma Staff
Posted
On 1/25/2019 at 6:28 PM, Wolfie said:

Is this a setting or did you mean in like a custom firmware?

As XR500user said above - don't try this unless you absolutely know what you're doing. It's quite possible that modifying the startup script could void your warranty if you brick the router (I'm not 100% on that though). It's very risky business!

  • 2 weeks later...
Posted

Bumping this topic as I'm encountering the same issue on my XR500, having DNS leaks. I've tried with both an ExpressVPN account and NordVPN account (both TCP & UDP configs for Nordvpn tested). Has there been any news on this front by any chance (as implied by xr500user this might be a fix needed on Duma side)? Happy to help out do any kind of tests if required.


Posted

Hello, I have an issue with Hybrid VPN: when I want to choose services it won't let me do anything, but it's only when I add PlayStation to VPN Traffic.

Can you help me?

Thanx


  • Administrators
Posted
8 hours ago, Keks said:

Bumping this topic as I'm encountering the same issue on my XR500, having DNS leaks. I've tried with both an ExpressVPN account and NordVPN account (both TCP & UDP configs for Nordvpn tested). Has there been any news on this front by any chance (as implied by xr500user this might be a fix needed on Duma side)? Happy to help out do any kind of tests if required.

Hey, welcome to the forum! The team are looking into it and they should be able to reproduce it themselves but we'll let people know if we need help with diagnosis.

1 hour ago, Coluni said:

Hello, I have an issue with Hybrid VPN: when I want to choose services it won't let me do anything, but it's only when I add PlayStation to VPN Traffic.

Can you help me?

Thanx


It VPN's the whole console as there are no specific services on the console that we'd be able to detect due to the way the consoles work. So the options are greyed out, you either VPN the console or remove it to return to your normal connection.

  • Administrators
Posted

Then it's likely the VPN you're using that is restricting the ports necessary for PSN connections, so I'd contact them and see what you can do, perhaps changes to the config can be done or go with a gaming VPN provider instead

Posted
On 2/10/2019 at 11:36 AM, Netduma Fraser said:

Then it's likely the VPN you're using that is restricting the ports necessary for PSN connections, so I'd contact them and see what you can do, perhaps changes to the config can be done or go with a gaming VPN provider instead

I just have a question. I wanna know, when it comes to VPN, is it better to choose the server closer to the games I'm playing or the server closest to my location?

  • Administrators
Posted

Good question. Ultimately it doesn't really matter - either way you are directing your traffic through a different server. But I would go for the server that is closest to your home in case you change game and the dedicated servers are in a different place.

  • 1 year later...
Posted

Hi all,

 

For some time I've been trying to figure out how to set up a Hybrid VPN on my router. So far my achievements are close to zero. There are absolutely no good guides for it available.

My provider is https://vpnsecure.me, downloaded OpenVPN config files from them and that would be it. Doesn't matter what I put into advanced settings, all I get is one or the other critical error.

I assume that ca/key and cert need to be copied along with config to the advanced/configuration field. Correct?

So I copied config, added <ca>, <key>, <cert> headers, pasted appropriate content there

client
proto udp
dev tun
dh dh2048.pem
remote (server address)
cipher DES-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

<cr>
my cr goes here
</cr>

<key>
my key goes here
</key>

<cert>
my cert goes here
</cert>

 

tried to connect and all I have is this:

Fri Oct 30 09:59:41 2020 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 8 2020
Fri Oct 30 09:59:41 2020 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06
Fri Oct 30 09:59:41 2020 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Oct 30 09:59:41 2020 Exiting due to fatal error.

 

any help please?


Posted

I've changed entries as requested: (no changes to certs)

client
proto udp
dev tun
auth-user-pass
remote proxy-pl1.vpnsecure.me 8080
cipher DES-CBC
verb 2
mute 20
keepalive 10 120
comp-lzo
persist-key
persist-tun
float
resolv-retry infinite
nobind

 

That is the outcome:

Fri Oct 30 21:59:37 2020 OpenVPN 2.4.3 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Sep 8 2020
Fri Oct 30 21:59:37 2020 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.06
Fri Oct 30 21:59:37 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 30 21:59:37 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 30 21:59:37 2020 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Private Key Password:'. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Fri Oct 30 21:59:37 2020 Exiting due to fatal error

went to: http://openvpn.net/howto.html#mitm and added nsCertType=server as well.

now after pressing connect, logs shows nothing, but on information: 

Provider N/A
Username darrecky
Country N/A
City N/A
Protocol N/A
Status Failed

  • 3 weeks later...
  • Administrators
Posted

Not yet unfortunately, but I've actually noticed something: it isn't cr, it's ca, so change that and hopefully it will connect.

Posted
3 minutes ago, Netduma Fraser said:

it isn't cr, it's ca, so change that and hopefully it will connect.

Unfortunately my knowledge here is tiny and I have no idea what cr and ca are.

All I've found on ca is: master Certificate Authority (CA) certificate and key which is used to sign each of the server and client certificates.

Can't find anything about cr though
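
A small linter for the problems this thread runs into (a `<cr>` block where OpenVPN expects `<ca>`, UDP-only options left in a TCP profile, the missing server-certificate verification the log warns about, and a passphrase-protected key with no askpass), as an added example that is not part of any post or of the router's firmware. The function name, the tag list, the DES check and the sample profile are assumptions constructed for illustration.

```python
import re
# Inline blocks OpenVPN 2.4 understands in a client config; <cr> is not one.
INLINE_TAGS = {"ca", "cert", "key", "dh", "extra-certs", "pkcs12", "secret",
               "tls-auth", "tls-crypt", "crl-verify", "connection"}
UDP_ONLY = {"fragment", "fast-io"}   # only meaningful on a UDP transport
VERIFY = {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}

def lint(config):
    """Return a list of (code, detail) findings for an OpenVPN client config."""
    directives, blocks, tag = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if m:                                   # <tag> opens, </tag> closes
            tag = None if m.group(1) else m.group(2)
            if tag:
                blocks[tag] = []
        elif tag:
            blocks[tag].append(line)            # body of an inline block
        elif line and line[0] not in "#;":      # skip blanks and comments
            name, *args = line.split()
            directives.setdefault(name, args)
    out = [("unknown-tag", t) for t in blocks if t not in INLINE_TAGS]
    trust = {"ca", "pkcs12"}                    # where the CA cert can come from
    if trust.isdisjoint(blocks) and trust.isdisjoint(directives):
        out.append(("no-ca", "no <ca> block or ca directive"))
    if (directives.get("proto") or ["udp"])[0].startswith("tcp"):
        out += [("udp-only", d) for d in directives if d in UDP_ONLY]
    if VERIFY.isdisjoint(directives):           # matches the log's MITM warning
        out.append(("no-server-verify", "add remote-cert-tls server"))
    cipher = (directives.get("cipher") or [""])[0]
    if cipher.upper().startswith("DES-"):       # 64-bit block, weak key size
        out.append(("weak-cipher", cipher))
    if "askpass" not in directives and any("ENCRYPTED" in l for l in blocks.get("key", [])):
        out.append(("key-needs-passphrase", "encrypted key, no askpass"))
    return out

# Constructed sample modelled on the profiles posted in the thread.
SAMPLE = """proto tcp-client
fragment 1300
cipher DES-CBC
remote vpn.example.invalid 443
<cr>
placeholder
</cr>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
</key>
"""
if __name__ == "__main__":
    print("\n".join(f"{code}: {detail}" for code, detail in lint(SAMPLE)))
```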

Archived

This topic is now archived and is closed to further replies.
