HI, I'm using openvpn package as client with Nordvpn (they have a guide on how to setup online) and while i can connect with no issues Amazon Prime detects the connections as being from VPN service. While, if I use the openvpn softwore on windows or even the browser extension, it doesn't detect VPN usage. Is it because the protocol is different, meaning, on the extension or windows client it is using the nordlynx protocol and not openvpn(udp)?
Do you use pbr or smth to prevent leaks?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
I use PBR indeed, and https dns proxy for wan
1.0.0.1 as DNS for the 2 vpn tunnels, though only one of them tun0 gets this DNS, the other one tun1 defaults to the wan dns anyway
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "Xiaomi Redmi Router AX6S",
"board_name": "xiaomi,redmi-router-ax6s",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mediatek/mt7622",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
Network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd12....::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
config device
option name 'wan'
option macaddr 'd4...5e'
config interface 'wan'
option device 'wan'
option proto 'pppoe'
option username '.....'
option password '.....'
option ipv6 'auto'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config interface 'modem'
option proto 'static'
option device 'wan'
option ipaddr '192.168.100.2'
option netmask '255.255.255.0'
config interface 'nordvpntun'
option proto 'none'
option device 'tun0'
config interface 'tailscale'
option proto 'none'
option device 'tailscale0'
config interface 'nord_us'
option proto 'none'
option device 'tun1'
DHCP
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option ednspacket_max '1232'
option noresolv '1'
option confdir '/tmp/dnsmasq.d'
list addnhosts '/var/run/adblock-fast/dnsmasq.addnhosts'
list server '127.0.0.1#5053'
list server '/....................../1.0.0.1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option ra 'server'
option dhcpv6 'server'
option force '1'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '3'
Firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone 'lan'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option mtu_fix '1'
list device 'tun+'
list network 'lan'
config zone 'wan'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'modem'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
list network 'nord_us'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
config zone
option name 'tailscale'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'tailscale'
config forwarding
option src 'tailscale'
option dest 'lan'
config forwarding
option src 'lan'
option dest 'tailscale'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'tailscale-ssh'
list proto 'tcp'
option src 'tailscale'
option src_dport '22'
option dest_ip '192.168.1.1'
option dest_port '22'
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/firewall.include'
You probably have a dns leak.
That is the most likely reason.
Even if you use 1.0.0.1 the route this takes could still be via the wan as it originates from the router.
See my notes:
There is a paragraph about DNS and routing per domain at the bottom
2 Likes
Yeah it was probably a DNS leak. I changed 1.0.0.1 to 8.8.4.4 in PBR rules and Forwards windows, and instead of connecting with Cloudfalre DNS, for some reason now the DNS Server appears as NordVPN dns server and the streaming service is ok.