xr500 Hybrid VPN on XR500

[jarrid]

I was interested in using the Hybrid VPN to segregate some traffic on my network but I've ran into a few issues.

Router: XR 500 v2.3.2.130
VPN: HMA

After signing up for HMA, I tried to connect but it looks like they may have change their encryption method or something
Error connecting over TCP:
WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
It looks like this should be an easy enough fix to change the flag in the OpenVPN config, but I'm no expert.  

UDP connects, but all traffic goes through the VPN (seems like all or nothing), not using the IP ranges I entered for services (easy test was setting ports 80 and 443 and asking google what my IP was). I saw another post where it suggested using TCP but again that never connects.

Any suggestions would be appreciated.  

[Netduma Fraser]

Hey, welcome to the forum!

To double check are you using the basic setup or advanced with a config? Can you provide a screenshot of how you have added the device to the VPN please?

[jarrid]

Hi Fraser,

I was using the basic setup.  I just tried advanced by downloading the HMA setup files:
https://support.hidemyass.com/hc/en-us/articles/202721966-I-need-the-config-files-ovpn-for-setting-up-HMA-VPN-on-my-router-smartphone-etc-Where-can-I-get-them-
 

I used the closest regional server (just for testing).   Entered HMA credentials and copy/pasted the content from the OpenVPN TCP file.  It connects, without error, but still not filtering traffic correctly.  Here's an example with Plex:

 

 

Still seems to be all or nothing.  

[jarrid]

Not sure if this matter, but I did see some mention of DNS... I'm using Google's DNS servers:

[Netduma Fraser]

Thank you for that, so just to clarify, is your aim here to put Plex through the VPN or exclude Plex from the VPN? Yes it would likely be better to disable the custom DNS so it doesn't try to overwrite the VPN

[jarrid]

I'll give that a try later today, but yes that was the goal of this test.  I want all BUT certain traffic sent through the VPN.  

[Netduma Fraser]

Gotcha, well assuming they're using the same port for source/destination then I suspect the only issue preventing it working would be the DNS at this point

[jarrid]

Ok so I've tried with HMA's DNS but same thing (doesn't appear to be an issue resolving oh.us.hma.rocks but maybe I'm not understanding what's required here).  I even tried switching it to "Only VPN these services" and it's still "all or nothing" since no traffic is being passed through the VPN.  I tried turning on uPnP but that just seemed to allow it to work through the VPN.

I have an account with PIA so I tried using their OpenVPN file but experienced the same issue.

Is there any way to force a route in the manual config file?  I tried going through the OpenVPN documentation but there's a lot there.  

[Netduma Fraser]

Can you expand what you mean by no traffic is passing through the VPN? To detect your IP address there they probably won't be using that port so that does make sense.

[jarrid]

Let's say I create a VPN Traffic rule for TCP ports 80 and 443 and say only route that traffic through the VPN, it routes ALL traffic.  If I say "Do not VPN" 80 or 443, it still uses the VPN for all traffic.  It seems like it's just ignoring what's under "VPN Traffic" -> "Services".  I only have 1 device listed in there right now and it's only sending VPN traffic for that device so that's a plus, but if that's the case I could just install VPN software directly on the device instead of handling it via the router.  

 

If there isn't an easy fix I'm going to see if HMA will just refund me since this what the only reason I subscribed (I personally like PIA better).  It would be a nice feature to have, but if it's not user friendly I'm not going to worry about it.    Maybe if I get some more time I'll try to connect PIA via the advanced configuration and keep troubleshooting it. 

I appreciate your time, thanks for your responses!

[jarrid]

4 hours ago, Netduma Fraser said:

Gotcha, well assuming they're using the same port for source/destination then I suspect the only issue preventing it working would be the DNS at this point

 

[Netduma Fraser]

The IP can cache so are you clearing the cache every time you check to see if the IP has changed? PIA should work fine, any provider that can give you OpenVPN configuration files should work fine. Yeah thats the IP for remote access but unlikely to be the one for checking the actual IP, could be wrong!