Hybrid VPN on Router vs Windows Client - Destiny 2 PC

[acanadian]

I've been doing some experimenting with Hybrid VPN using Vypr VPN.  For those that don't know you can disable the NAT on vyprs service so you can play D2 with an open NAT.  When I use the windows client Destiny 2 reports that I have an open nat.  When I configure Duma OS on the XR500 to use Hybrid VPN and add my PC (defined as a xbox)  I get a moderate NAT. I've also tried defining my pc as a computer and adding the service "Game Consoles" to the list of services to VPN. Curious what I can do on the Hybrid VPN settings page to try and get the same results from the windows client.  The XR500 is doing a great job of off loading the VPNs CPU load from my PC, just wish I could achieve an open NAT using hybrid vpn.

[Netduma Alex]

So is the Open NAT feature of the VPN something that must be enabled in the desktop client? If so, I don't know if that's an option that will be available to Hybrid-VPN... Unless the desktop client just toggles something in an OpenVPN config that we could copy.

[acanadian]

2 hours ago, Netduma Alex said:

So is the Open NAT feature of the VPN something that must be enabled in the desktop client? If so, I don't know if that's an option that will be available to Hybrid-VPN... Unless the desktop client just toggles something in an OpenVPN config that we could copy.

No, the open NAT feature is a setting on their website to control how incoming VPN connections are handled.  When I use the windows client it works correctly, and doesn't work when connecting from the Hybrid VPN.   

[acanadian]

I've emailed Vypr's support as well to see if these open vpn configs are setup differently that their windows client.

Here is the open vpn config that I am using.

client
dev tun
proto udp
remote us6.vyprvpn.com 443
resolv-retry infinite
nobind
persist-key
persist-tun
persist-remote-ip
verify-x509-name us6.vyprvpn.com name
auth-user-pass
comp-lzo
keepalive 10 60
verb 3
auth SHA256
cipher AES-256-CBC
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA

<ca>
-----BEGIN CERTIFICATE-----redacted-----END CERTIFICATE-----
</ca>
 

[acanadian]

20 hours ago, acanadian said:

I've emailed Vypr's support as well to see if these open vpn configs are setup differently that their windows client.

 

The response I got from Vypr is that the open vpn configuration used in the windows client is exactly the same as that used in the vpn router config files.

I know the Duma OS is just implementing open vpn protocols so if anyone has ideas as to why I seeing different behavior on xr500 vs the windows client I'd like to hear them.

[Netduma Alex]

Okay well that's really interesting info from Vypr. Sounds like this might in fact be a DumaOS issue.

As another test, could you download the OpenVPN Connect Client to your PC, load in the config file you're using in DumaOS, and see if ports are open then?

You can get OpenVPN Connect Client here: https://openvpn.net/client-connect-vpn-for-windows/

By doing this, we'd be able to tell if it's a DumaOS specific problem or a config file problem. Process of elimination!

[acanadian]

1 hour ago, Netduma Alex said:

Okay well that's really interesting info from Vypr. Sounds like this might in fact be a DumaOS issue.

As another test, could you download the OpenVPN Connect Client to your PC, load in the config file you're using in DumaOS, and see if ports are open then?

You can get OpenVPN Connect Client here: https://openvpn.net/client-connect-vpn-for-windows/

By doing this, we'd be able to tell if it's a DumaOS specific problem or a config file problem. Process of elimination!

Well I tried to use the OpenVPN Connect client and could not get past the error: Missing External PKI Alias.   Spent sometime trying to resolve but no joy.  Seems to be a common issue people are having but there was no clear resolution that I could find.  Will try again later, and if you are anyone on the this forum knows how to resolve I would like to know.

[acanadian]

Found this article from Vypr, bu tthey refer to a config folder that doesn't exist.

https://support.goldenfrog.com/hc/en-us/articles/360004606172-VyprVPN-OpenVPN-GUI-Setup-for-Windows-10

[Netduma Fraser]

I think if you're able to get this using the client and there is an option you tick/untick then even when using the same config is must be sending a command to disable NAT and so if they don't have a command available to add to the config itself then I don't think this will be possible through the router.

[acanadian]

1 hour ago, Netduma Fraser said:

I think if you're able to get this using the client and there is an option you tick/untick then even when using the same config is must be sending a command to disable NAT and so if they don't have a command available to add to the config itself then I don't think this will be possible through the router.

Well, I still haven't been able to test the Open VPN client to confirm this.

[acanadian]

26 minutes ago, acanadian said:

Well, I still haven't been able to test the Open VPN client to confirm this.

Alright, so the link you gave me for Open VPN connect was something that I could not get working.

I found this link: https://openvpn.net/community-downloads/ for their community version and I was able to connect immediately using OpenVPN GUI.

Results: Destiny 2 does report having an open nat after connecting to Vypr VPN using the OpenVPN GUI Client.

[Netduma Fraser]

I think that's down to the option you can toggle in the client then rather than anything you can do in the config - with that VPN provider anyway. Perhaps you through your user details they can disable that option permanently. Either way it looks like Alex will take it to the team and investigate but generally the onus on NAT is with the provider, if there is a way we could allow an option like that then we'll definitely look into it.

[acanadian]

18 minutes ago, Netduma Fraser said:

I think that's down to the option you can toggle in the client then rather than anything you can do in the config - with that VPN provider anyway. Perhaps you through your user details they can disable that option permanently. Either way it looks like Alex will take it to the team and investigate but generally the onus on NAT is with the provider, if there is a way we could allow an option like that then we'll definitely look into it.

Just want to make sure you are understanding where the setting is located.  It is not in the client software or open vpn config, it is on their website portal.  Since the effect of the setting works in the generic open vpn software I am thinking that the Duma OS on the xr500 is altering things somehow.

 

 

[Netduma Fraser]

Okay understood, Alex will look into that then and see if the developers could work on something to ensure we're not blocking that from working correctly.

[acanadian]

10 minutes ago, Netduma Fraser said:

Okay understood, Alex will look into that then and see if the developers could work on something to ensure we're not blocking that from working correctly.

Thanks!  I appreciate you guys being willing to take a look.  Would really love to be able to use the Hybrid VPN feature in my particular use case.

[Netduma Alex]

Ah it's a shame the desktop version of OpenVPN didn't work. I wanted to figure out if the results between the XR500 and the OpenVPN Client would be consistent. I might have to do a little research of my own to figure this one out.

[acanadian]

6 hours ago, Netduma Alex said:

Ah it's a shame the desktop version of OpenVPN didn't work. I wanted to figure out if the results between the XR500 and the OpenVPN Client would be consistent. I might have to do a little research of my own to figure this one out.

Just to provide some additional information about the whole test procedure.

I found the OpenVPN Client Connect to a very unpolished and muddled experience.  It has the most minimal UI a developer could have put into it.

On the other hand, the OpenVPN GUI found in their community downloads is a slick implementation.  It supports the config folder to load up pre configured connections and the app has enough UI to make the user experience stream lined. 

Using OpenVPN GUI, I was able to establish a connection from windows 10 and determine that the results were different from what the XR500 was providing.   

RESULTS

Device - VPN Client - Open VPN Config -  VPN Scope -  NAT State

XR500 - Hybrid VPN - Vypr 256 Open VPN config - Entire device VPN'd - Destiny 2 Moderate NAT

Windows 10 PC - OpenVPN GUI Client  - Vypr 256 Open VPN config -  Entire device VPN'd - Destiny 2 Open NAT

Windows 10 PC - Vypr VPN Client - Vypr 256 Open VPN config - Entire device VPN'd - Destiny 2 Open NAT

Each test I confirmed that the device was VPN'd by using: https://www.iplocation.net/find-ip-address

[Netduma Fraser]

Thanks for the additional information! I wonder if you don't have the PC set to a console and then switch to Only VPN these services and make custom rules that use the game ports whether that would help at all, depends if the NAT server uses one of the game ports or something else.

[acanadian]

39 minutes ago, Netduma Fraser said:

Thanks for the additional information! I wonder if you don't have the PC set to a console and then switch to Only VPN these services and make custom rules that use the game ports whether that would help at all, depends if the NAT server uses one of the game ports or something else.

I tried setting my PC as a console and as a computer.  Both yield the same results.  

Have not tried only VPN specific services.  When I dug into the ports used by D2 it was a pretty long list. Though maybe there are only a handful of key ports.  

[Netduma Fraser]

24 minutes ago, acanadian said:

I tried setting my PC as a console and as a computer.  Both yield the same results.  

Have not tried only VPN specific services.  When I dug into the ports used by D2 it was a pretty long list. Though maybe there are only a handful of key ports.  

Usually you should be able to narrow down those ports into just a few rules if you use ranges, try that and see if it works properly that way.