Hybrid VPN non-functional through AP

[mwbuss8]

I was pretty excited about getting an XR500. I thought Hybrid VPN would be a great way to manage my VPN connection for my entire house. This is where I'm having trouble. My house is concrete, so multiple APs are required to cover the house. Unfortunately, unless devices are connected directly to to the XR500, this doesn't work. They receive an IP address from the XR500 and connect to the internet, but device manager in DumaOS shows them all as being offline. Assigning static IPs doesn't make a difference. If I'm connected directory to the XR500 everything works as it should. 

Before anyone asks, yes, these are actually access points. There are no DHCP servers or firewalls other than the XR500. Everything is on a shared subnet, and network shares are visible throughout the house.

I'm hoping I'm missing something in the configuration. After these issues, I tried DD-WRT, but after a boot loop, a serial connection confirmed mine is one of the many XR500s affected by bad blocks on the flash storage.

 

[Netduma Fraser]

Hey, welcome to the forum!

It is hard for the router to know whether the individual devices are online as they're going through the AP, this is something we're working on and should be improved on the .120 3.0 beta firmware, see if that helps: https://community.netgear.com/t5/Nighthawk-Pro-Gaming-DumaOS-3-0/New-Firmware-v2-3-2-120-XR500/td-p/2071196

[mwbuss8]

I'm currently on .120 beta. On an AP, clients are initiated through the router itself. On most platforms, these devices appear as LAN clients, as the AP they go through is connected to the router by wire. 

DumaOS sees these devices on some level. If I go to "device manager" I can try to delete devices that are supposedly offline and it says I can't delete it because it is online.

[Netduma Fraser]

Yes that's correct. What exactly occurs regarding the VPN, does it apply it to them but they don't register it's behind it? Can you provide a screenshot of how you have it set up please?

[mwbuss8]

I don't think a screenshot will help a whole lot. The device manager is just a blur of overlapping bubbles, mostly showing as offline, even though they're connected. If an actual client list is available anywhere, please point me in that direction, but I don't see it anywhere. 

I can add devices to hybrid VPN, but it only actually works if I'm connected to the router, rather than one of my APs

[Netduma Fraser]

I meant a screenshot of how they're added to HybridVPN. Regardless of whether they appear online or not on the Geo-Filter that device traffic is going through the router so it should definitely be covered by the VPN when added

[mwbuss8]

I currently live in Vietnam. No settings changed between screenshots. I walked from my bedroom (AP) to my living room (xr500). My phone still has the same local IP address and randomized MAC is disabled.  I have not added anything to "do not VPN these services".

[Netduma Fraser]

Could you set the DNS on the router to the VPN server IP address please and see if that resolves it? There has been some cases where it's leaking, this scenario may be one of them

[mwbuss8]

DNS was set for NordVPN prior to enabling hybrid VPN.

[mwbuss8]

After roaming back to an AP (as I can see in an actual client list on the AP's GUI) I'm still connected to the vpn. I tried disabling & re-enabling wifi on my phone. I even tried switching the hybrid VPN to "only VPN these services" and back, and everything behaved as it should. It doesn't survive a reboot though. Once a device has direct connection, it behaves properly until the XR reboots, whether for a power outage, update (hopefully), or just someone in the house not realizing what they're unplugging for access to an outlet. This is fairly manageable for portable devices, but is pretty useless for desktops, TVs, etc.

[Netduma Fraser]

I know you set up static/reserved IPs but does the devices that are easily switched between AP/direct showing as multiple devices on the Device Manager? That's the only way I can see that might be causing the issue if it isn't a bug

[mwbuss8]

Device manager hasn't shown any duplicates. It took close to 30 minutes after the reboot, but it looks like my phone is back on the VPN, even though I've been on an AP the entire time. I'll keep a close eye on it over the next few days and report if I come across further issues.

[mwbuss8]

After a few days, the hybrid VPN is still functioning as it should. The device manager issues are annoying, but there are other ways to see what's on my network. I prefer simple "Clients" and "Active Clients" lists anyway. Those "offline" clients from device manager do show when adding devices in hybrid VPN, so it's meeting my needs at this point. Support for ext4 is no longer an issue (for me), as I gave in and set up a dedicated OpenMediaVault box.

[Netduma Fraser]

Ah glad to hear VPN is working, thanks for the update!

[mwbuss8]

After running this setup for about a week, I've found that every time I add a new device to the VPN, I go through the same struggles I did with my phone. It's a challenge to get new devices working correctly through the VPN, but once they are, it seems to stick. I can then remove and re add the devices and everything still functions as it should.

[Netduma Liam]

2 hours ago, mwbuss8 said:

After running this setup for about a week, I've found that every time I add a new device to the VPN, I go through the same struggles I did with my phone. It's a challenge to get new devices working correctly through the VPN, but once they are, it seems to stick. I can then remove and re add the devices and everything still functions as it should.

OK, thanks for feeding back with this update. Out of interest, what kinds of devices are these that you're having trouble with? Are they Apple devices?

[mwbuss8]

Most devices don't and never will run through the VPN. I dual boot my laptop between Windows & Linux. I got it up and going for Windows shortly after my phone connection started working properly. Usually my laptop shows up on networks as the same device, regardless of OS, as it has the same name & MAC address. In Linux I was issued the set static IP (I set it on the router while running Windows, but disabled MAC randomization in both OSes), but no VPN. I tried adding it again in the Hybrid VPN menu, but still no VPN. After about 2 hours I had to switch back to Windows and everything worked as it should. Last I checked, it still won't run through the VPN when running Linux. I haven't tried with Apple devices, as I don't have any & my wife hasn't needed the VPN. 

[Netduma Liam]

2 hours ago, mwbuss8 said:

Most devices don't and never will run through the VPN. I dual boot my laptop between Windows & Linux. I got it up and going for Windows shortly after my phone connection started working properly. Usually my laptop shows up on networks as the same device, regardless of OS, as it has the same name & MAC address. In Linux I was issued the set static IP (I set it on the router while running Windows, but disabled MAC randomization in both OSes), but no VPN. I tried adding it again in the Hybrid VPN menu, but still no VPN. After about 2 hours I had to switch back to Windows and everything worked as it should. Last I checked, it still won't run through the VPN when running Linux. I haven't tried with Apple devices, as I don't have any & my wife hasn't needed the VPN. 

That's interesting, thanks for that. I only wondered about the Apple devices as they have a 'private address' feature enabled by default for Wi-Fi, I've seen this cause several strange issues so I wondered if that could be related.

So is the Laptop not running through the VPN even when it's connected directly to the XR500?

[mwbuss8]

It is connected via Ethernet to an unmanaged gigabit switch, since I need more than 4 LAN ports. On both OSes I get the static IP address I assigned on the XR500. Traffic just doesn't go through the VPN when running Linux. 

[Netduma Fraser]

I don't really use Linux so I could be incorrect here but it's possible iptables is blocking the VPN, in which case this guide may help https://arashmilani.com/post?id=53

[mwbuss8]

The linked guide is for running an OpenVPN client on a Linux machine.  These or similar rules are (or at least should be) in place behind the scenes on the XR500, as it is the device running the OpenVPN client. 

[Netduma Liam]

7 hours ago, mwbuss8 said:

The linked guide is for running an OpenVPN client on a Linux machine.  These or similar rules are (or at least should be) in place behind the scenes on the XR500, as it is the device running the OpenVPN client. 

Let me pass this on to a team member to see if we can replicate the problem internally. Which version of Linux are you using specifically?

[mwbuss8]

After losing the VPN on Windows as well, I think I've identified the issue. As far as I can tell, DumaOS might not be using MAC addresses to identify devices in Hybrid VPN, which is problematic for devices (such as a laptop) with multiple network adapters, as the adapters have different MAC addresses and get different IP addresses, but share the same device name on the network. I deleted my laptop in device manager and added it again, both on LAN & WIFI. I renamed the wifi connection and set a static IP for that as well. I added both names in Hybrid VPN. After rebooting the XR500, both OSes are running properly through the VPN on LAN & WIFI. 

[mwbuss8]

6 hours ago, Netduma Liam said:

Let me pass this on to a team member to see if we can replicate the problem internally. Which version of Linux are you using specifically?

I I'm on the latest Windows 11 preview build & Linux Mint 20.2.