Issues with OpenWrt+Wireguard configuration

Hello,

I am an OpenWRT newbie, not understanding much about SSH, protocols, port forwarding, etc.
I have the following issue:

I am setting up WireGuard for my VPN on an OpenWRT router. My config is:
Internet Provider Optic router (not configurable/settings blocked by ISP, IP: 192.168.1.1)
==>
My Home Router LinkSys WRT32X with OpenWRT installed (Luci openwrt-21.02)
and WireGuard installed as well. IP: 192.168.2.1
Home Router is connected to the optic router with a LAN cable.
==>
Now I want to connect other devices (mobile, laptop, etc.) to my Home Router by Wifi.

For info, I do not have Linux system, I am working under Win 10.

I configured the VPN using private key, public key, etc.
It's almost working, but the speed is quite slow (it is much faster when I use the VPN connection software on my PC). But there is a more annoying issue: when I try to open the Google search page or other websites, I often get a warning: "your connection is not private" (and the webpage won't open), or "the page cannot be reached". I suppose there is an issue with port 443 or the secure connection, since when I try to update my Chrome-based browser (Vivaldi), I get the following error: "Cannot connect to update.vivaldi.com:443"

Can someone help? Thank you!

Now that's worse... after rebooting the WRT router, I do not have internet anymore. :worried:

The connection is now restored. I didn't do anything. But issues with 443 port do persist.

I was gonna ask a lot of other questions to troubleshoot the issue...but one is more important...

Who is your VPN provider?
and
Can you get the serial number/etc. of the HTTPS certificate being presented?
and
What DNS server are you using?

Hello and thank you for your help.
Your questions are more than welcome!

Who is your VPN provider?
My VPN provider is 12VPN.
I am using WireGuard on OpenWRT to install 12VPN directly in my router.
Please note that the Windows VPN software of 12vpn is working perfectly. WireGuard on my phone and on my PC are also both working flawlessly.

Can you get the serial number/etc. of the HTTPS certificate being presented?
Where can I get this info?
For example, most HTTPS search engines have issues: google.com, yahoo, etc. But I can access non-HTTPS websites, e.g. support.google.com

What DNS server are you using?
The VPN provider suggests using the internal DNS of the router, so in the LAN interface ==> Advanced Settings ==> Use custom DNS servers, I have entered: 10.255.0.1
and
LAN interface ==> [DHCP Server] ==> Advanced Settings ==> DHCP-Options, I have entered the value: 6,10.255.0.1

That's all.
If I check the VPN server info, I can notice 2 values are indicated:
DNS = 10.255.0.1, 9.9.9.9

From the browser when you see the warning. It will show you the certificate like any other HTTPS site. The point is to verify the Public Certificate that you see is identical to the one we all see globally.

Who is that, the VPN provider?

I wanted to be clear, this may be security related, not just annoying.

It will be slower than your router does line speed - it had to encrypt packets. That takes CPUs; and your computer has more.

From the browser when you see the warning. It will show you the certificate like any other HTTPS site. The point is to verify the Public Certificate that you see is identical to the one we all see globally.

I can find this, does it answer your question?

# Your connection is not private

Attackers might be trying to steal your information from **www.google.com** (for example, passwords, messages, or credit cards).

NET::ERR_CERT_COMMON_NAME_INVALID

Subject: *.facebook.com

Issuer: ESET SSL Filter CA

Expires on: Feb 12, 2022

Current date: Feb 4, 2022

PEM encoded chain:

Who is that, the VPN provider?
I am not sure, it's the DNS given by the VPN provider. Their tutorial says only:
At Use custom DNS servers enter 10.255.0.1 . This will cause the router to use the VPN's internal DNS.

I wanted to be clear, this may be security related, not just annoying.
I understand, thank you.

It will be slower than your router does line speed - it had to encrypt packets. That takes CPUs; and your computer has more.
But the speed is much, much slower... I can reach 50 to 90 Mbps with the Windows VPN client; with OpenWRT+WireGuard my speed is 1-2 Mbps... I have lowered the MTU to 1300 and checked "Packet Steering" as many suggested, but there is no major change (a bit better with Packet Steering enabled though!).

More tests showed there is a problem with IPv6. When I disable the IPv6 service on the LAN interface, I can open websites normally. It is still very slow, but most websites & search engines respond.

Before that, I tried to change the DNS address to Google DNS, but it failed, it was not working.

No. I asked for the serial number...but none of that matters...the date doesn't match, nor does the Subject.

:confused:

Something is wrong.

You didn't mention IPv6 in your VPN config.

Are you running software on your computer that opens the HTTPS traffic for inspection?

Something is wrong.
Yes, I noticed, that's strange...

You didn't mention IPv6 in your VPN config.
I did not touch IPv6 in the settings (and I do not understand what it does...).
I've contacted the VPN support, they helped to watch the log, they say there is something wrong with IPV6. I am quoting: "Your router thinks it should do IPv6, but it has no public IPv6 gateway. This may cause websites that support IPv6 (like Google) to fail.".
They suggested disabling IPv6 to see, I disabled it, now it seems to work better.
But I still have issues and very very slow connection.

Are you running software on your computer that opens the HTTPS traffic for inspection?
It should be ESET Internet Security, my antivirus/firewall software. Usually I do not have this kind of warning (when not using WireGuard VPN).

If your VPN provider does not offer IPV6 too, then you are leaking traffic. IPv6 is a new way of IP addressing that works parallel to the old ARPANET/IPv4 addressing...but that means you may be connected/routing on IPv6 thru your ISP. Disabling it was good.

You allow a company/software to open your encrypted web traffic!?!?

Interesting...but since this is unrelated to OpenWrt, I'm not sure how to assist you.

I can only suggest using a known/reputable DNS server for your clients (perhaps switch them over to Quad 9 since you already prefer them...maybe Cloudflare or Google)...or maybe there's some DNS setting ESET requires...

I'm not too familiar because HTTPS inspection technology basically allows a Man-in-the-Middle Attack to be performed on yourself - in order to see what's inside the encrypted HTTPS traffic. https://en.wikipedia.org/wiki/Man-in-the-middle_attack

I hope the best for your setup.

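A small check for the "leaking traffic" point above, written as an added example (not from the thread, the VPN provider or OpenWrt): it parses a constructed WireGuard client config and reports whether a given destination is covered by the peer's AllowedIPs, i.e. whether WireGuard will carry it or it falls back to the normal ISP route. The config values, endpoint name and destination addresses are made up for illustration; OpenWrt expresses the same list as the peer's "Allowed IPs" in the WireGuard interface settings.

```python
import ipaddress
import re

# Constructed sample of a WireGuard client config (hypothetical values, not
# the provider's real config). Only 0.0.0.0/0 is listed, so no IPv6 prefix
# is routed into the tunnel.
WG_CONF_V4_ONLY = """
[Interface]
PrivateKey = <redacted>
Address = 10.255.0.2/32
DNS = 10.255.0.1, 9.9.9.9

[Peer]
PublicKey = <redacted>
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""

# Same config with the IPv6 default route added to AllowedIPs.
WG_CONF_DUAL_STACK = WG_CONF_V4_ONLY.replace(
    "AllowedIPs = 0.0.0.0/0", "AllowedIPs = 0.0.0.0/0, ::/0")


def parse_allowed_ips(conf: str) -> list:
    """Collect every prefix from all AllowedIPs lines (comma separated)."""
    nets = []
    for line in conf.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line)
        if m:
            for prefix in m.group(1).split(","):
                nets.append(ipaddress.ip_network(prefix.strip(), strict=False))
    return nets


def routed_via_tunnel(nets: list, dst: str) -> bool:
    """True if dst lies inside some AllowedIPs prefix of the same IP version;
    otherwise WireGuard never sees the packet and it takes the ISP route."""
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in nets)


def leak_report(conf: str, destinations: list) -> dict:
    """Map each destination to 'tunnel' or 'leak' (bypasses the VPN)."""
    nets = parse_allowed_ips(conf)
    return {d: ("tunnel" if routed_via_tunnel(nets, d) else "leak")
            for d in destinations}


if __name__ == "__main__":
    # Constructed destinations from the IPv4/IPv6 documentation ranges.
    for conf_name, conf in (("v4-only", WG_CONF_V4_ONLY), ("dual-stack", WG_CONF_DUAL_STACK)):
        print(conf_name, leak_report(conf, ["192.0.2.10", "2001:db8::10"]))
```

With the IPv4-only config the IPv6 destination is reported as a leak; adding ::/0 (and having an IPv6 address inside the tunnel) makes both destinations go through WireGuard, which is why disabling IPv6 on the LAN stopped the failures in the meantime.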

but that means you may be connected/routing on IPv6 thru your ISP. Disabling it was good.
Ok, thank you for confirming, was not sure if it has to be kept this way.

If your VPN provider does not offer IPV6
Frankly speaking, the provider apparently offers IPV6 for most VPN servers, but there is an issue in my configuration, and I don't see where and how to fix it.

You allow a company/software to open your encrypted web traffic!?!?
Huh? No, I do not allow anything... I do not understand why it appears there... I never had this kind of message previously.
The VPN support also asked: "Do the HTTP website use the VPN? Perhaps they simply bypass it..."
I don't know how the VPN can bypass or not the VPN. I did not set any special values in the settings, I heroically installed OpenWRT + WireGuard VPN on my router, created the new interface with all the server keys... That's already a true obstacle course for a newbie!

I can only suggest using a known/reputable DNS server for your clients
Thank you, I am going to try different DNS (ESET does not require any specific DNS settings).

HTTPS inspection technology basically allows a Man-in-the-Middle Attack to be performed on yourself
I do not understand much about internet security, I barely understand the difference between HTTP and HTTPS... that's all. Thank you for the warnings and advice, I will try to check if everything is all right.

Thank you for your kind support.


You're welcome...let me try to explain...

  • HTTP is clear, plaintext traffic
  • HTTPS is encrypted

ESET is configuring your machine so it opens the HTTPS traffic after it leaves your browser, inspects it, and then forwards it onward. This means you trust that the software is genuine and that ESET is not doing anything with your secure traffic (i.e. you're filing tax information online, bank logins, teleDoctor visits....work emails, personal email, visits to nasty websites...etc...).

Oh oh... :face_with_spiral_eyes:

Then I'll have to check this carefully; the software has HTTPS-related options, for example it includes an HTTPS protocol content filtering option enabled by default. Will disable it for now!
Thank you!!!


Enabled NordVPN WireGuard on my router, but when the VPN is activated I have a lot of ads on YouTube and I cannot block them with AdGuard. When the VPN is not active, AdGuard works properly and I have no ads on YouTube.
Is there anything I can do to fix this issue?

Use your router's DNS.

Can you explain how please, because I've made too many attempts but with no success!