OpenVPN UK Server but content is incorrectly blocked

Hi all,

Before I start with my question, I think there may be an issue with the password reminder email not being received. I'm unable to access my old OpenWrt account; I tried the reminder feature but didn't receive an email (of course I have checked spam). So I had to register with a new account.

Anyway, my question is: I'm running OpenWrt 21.02 with OpenVPN connecting to a paid-for 3rd-party VPN. I'm using a UDP UK server; I can connect and confirm a UK IP via whatismyip.com, so far so good.

However, when I try iPlayer I receive a message that the content is not available in my region. I've tried Channel 4, which works, but ITV's player similarly seems not to work (albeit minus a message about my region). The VPN does provide a browser extension which, when connected, allows me to access iPlayer, but I'd prefer to have this working at the router.

So I'm beginning to suspect that some OpenWrt config is causing the issue, perhaps a firewall setting? Are there any tests I can run to confirm?

I keep seeing this in the system log, which I'm not sure is significant:

Mon May 8 17:05:58 2023 user.notice firewall: Reloading firewall due to ifup of tun0 (tun0)

Thanks in advance.

We can review your configuration, but keep in mind that the streaming services have various criteria that may result in the restriction of content even when using a VPN. For example, your computer (and phone/tablet) may have location services that use methods other than VPN (for example, location services based on Wifi SSIDs are common, albeit not always accurate, for computers, while phones and tablets might use that plus GPS data). Some services may also restrict content when the IP is known to belong to a VPN service.

Anyway, if you want to have a review of your config...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/openvpn

(and for the OpenVPN config, the above may reference another file -- possibly in /etc/openvpn -- please post that if relevant).

On this, send a message to the moderators -- we can send a password reset email to the email address that was registered with the previous username.

2 Likes
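A small helper for the collection step above, added here as an example and not part of the moderator's post or of OpenWrt: it runs the six commands on the router and redacts MAC addresses, UCI `key`/`password`/`auth_user`/`auth_pass` values and non-private IPv4 addresses before you paste. Private (RFC 1918), loopback, link-local, unspecified and broadcast addresses are kept because they are needed to read the config. The option-name list and the `run` argument are my own choices; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): gather the diagnostics the moderators ask for
# and redact secrets before posting. Copy to the router and run: sh diag.sh run > diag.txt

# Replace MAC addresses and UCI key/password-style values on stdin.
# "option macaddr 'aa:bb:cc:dd:ee:ff'" -> "option macaddr 'xx:xx:xx:xx:xx:xx'"
# "option key 'hunter2'"               -> "option key '*****'"
redact_secrets() {
    sed -E \
        -e 's/([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}/xx:xx:xx:xx:xx:xx/g' \
        -e "s/(option +(key|password|auth_user|auth_pass) +)'[^']*'/\1'*****'/"
}

# Replace IPv4 addresses on stdin unless they are private, loopback, link-local,
# unspecified or broadcast. "remote 203.0.113.10 53" -> "remote x.x.x.x 53",
# "option ipaddr '192.168.1.1'" is left alone.
redact_public_ipv4() {
    awk '
    function keep(ip,  o) {
        split(ip, o, ".")
        if (o[1]+0 == 10 || o[1]+0 == 127 || o[1]+0 == 0 || o[1]+0 == 255) return 1
        if (o[1]+0 == 192 && o[2]+0 == 168) return 1
        if (o[1]+0 == 172 && o[2]+0 >= 16 && o[2]+0 <= 31) return 1
        if (o[1]+0 == 169 && o[2]+0 == 254) return 1
        return 0
    }
    {
        line = $0; out = ""
        while (match(line, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
            ip = substr(line, RSTART, RLENGTH)
            rep = keep(ip) ? ip : "x.x.x.x"
            out = out substr(line, 1, RSTART - 1) rep
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Full redaction pipeline on stdin, and a convenience wrapper for a single line.
redact() { redact_secrets | redact_public_ipv4; }
redact_text() { printf '%s\n' "$1" | redact; }

# Run the commands from the moderator's list, each under a header.
collect() {
    for cmd in "ubus call system board" \
               "cat /etc/config/network" "cat /etc/config/wireless" \
               "cat /etc/config/dhcp" "cat /etc/config/firewall" "cat /etc/config/openvpn"; do
        printf '\n### %s\n' "$cmd"
        $cmd 2>&1
    done
}

if [ "${1:-}" = "run" ]; then
    collect | redact
fi
```

Public DNS servers such as 8.8.8.8 are also masked by this, which is harmless; if the OpenVPN section points at a separate `.ovpn` file, cat that through `redact` as well, and check the output by eye before posting, since the inline `<key>` block is not a UCI option and is not touched by the sed rule.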

It can be argued that the BBC is not incorrectly blocking your access. The BBC, if you search, do block VPN traffic using various means.

Please see in my original post - "The VPN does provide a browser extension which when connected allows me to access iPlayer but I'd prefer to have this working at the router."

I actually read that statement and was confused too.

Are you saying that the browser is using a different Internet connection than one accessed through your OpenWrt router with VPN connectivity?

Or a better way to ask this question: if you've verified that you can connect with the extension, and it uses the OpenWrt for Internet:

  • I'm guessing you meant "at the browser" instead?
  • Is this client using another Internet connection?

I'm just asking for clarity.

{
        "kernel": "5.4.179",
        "hostname": "OpenWrt",
        "system": "xRX200 rev 1.2",
        "model": "BT Home Hub 5A",
        "board_name": "bt,homehub-v5a",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.2",
                "revision": "r16495-bf0c965af0",
                "target": "lantiq/xrx200",
                "description": "OpenWrt 21.02.2 r16495-bf0c965af0"
        }
}

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '*****'
        option encryption 'psk2'
        option key '*****'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key '*****'
        option wpa_disable_eapol_key_retries '1'
        option disabled '1'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option network 'tun0'
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        option name 'VPN_zone'

config forwarding
        option dest 'VPN_zone'
        option src 'lan'

client
explicit-exit-notify
proto udp
remote **** 53
dev tun
auth-user-pass /etc/openvpn/userpass.txt
persist-key
persist-tun
nobind
;block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
*****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
*****
-----END PRIVATE KEY-----
</key>
<tls-auth>
*****
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
route-method exe
route-delay 0
route 0.0.0.0 0.0.0.0
script-security 2

1 Like

In all cases I am connected to the openwrt router. But the vpn suggested I try their chrome extension, it provides a country list and I enter the same credentials used in my userpass.txt. When it is enabled iplayer works. Hope that makes sense?

2 Likes

Config posted as requested, thanks in advance.

Something significant I should probably add, my real actual IP is in the UK, so the provider can't be reading a real IP which it determines I am trying to mask, I would guess?

This is related to the server you're using with the VPN provider vs the one used in the browser plugin.

It's not an issue related to openwrt, rather something you'd need to discuss with your VPN provider. The ones I've used in the past have dedicated UK streaming servers to connect to which are used to bypass region restrictions.

4 Likes

The BBC is actively trying to block VPN connections, so it is a cat-and-mouse game with VPN providers.

One thing to pay attention to is DNS leaks: one way to track you is to see where the DNS request is coming from, so make sure your DNS requests are also routed via the VPN tunnel.
ipleak.net and dnsleaktest.com will show you if the DNS is not leaking.

2 Likes

Hi guys - an interesting update.

I went back to the VPN provider and explained that iPlayer was only working when I used their browser extension, suggesting that it uses a different server to that which I have configured in my OpenVPN router config.

I then thought to try the OpenVPN standalone Windows app. I installed it and used the same config file as used in OpenWrt, with the suspected blocked server, and iPlayer does work. This would lead to the conclusion that it is in fact the router config which is the issue and not the server?

Every time you connect to the VPN provider you'll get a different IP address, even with the same config. It could be that the IP address you got when you connected to the desktop was not blocked by the BBC.

Are you able to connect to iPlayer consistently after reconnecting to the VPN multiple times on the desktop?

I've just tried 3 different times connecting with the Windows app, giving me 3 different IPs, and on each occasion I was able to view iPlayer content. I've never once managed to view content when connected to the OpenWrt router.

Could this be significant? My OpenWrt is plugged via the red WAN port into a LAN router which is wirelessly connected to my main router. I could rip it out and plug it directly into the main router, but I'd rather not if we can rule this out.

That should not matter. The outside of the tunnel (encrypted packets) only needs some connection through the Internet to reach the VPN server. It does not matter if they are NATed multiple times.

Does my firewall look correct?
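The following is an added example, not code from the thread or from OpenWrt, that turns the DNS-leak advice given earlier and the "does my firewall look correct" question into checks you can run on the router. It reports which interface carries the default route and the route to each resolver the router itself uses (read from `/tmp/resolv.conf.auto`, the `resolvfile` in the posted dnsmasq config), whether `/etc/config/firewall` contains a `lan` to `wan` forwarding (which would let LAN traffic fall back to the ISP when `tun0` is down), and whether an IPv6 default route exists, since the posted OpenVPN config routes only IPv4 (`route 0.0.0.0 0.0.0.0`) while the LAN is served IPv6 RAs (`ra 'server'`). The helpers read text on stdin so they can be exercised with constructed samples; the `run` argument and the exact wording of the report are my own.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether traffic can bypass the VPN tunnel.
# Run on the router as: sh vpn-audit.sh run

# First "dev X" in `ip route get <dst>` / `ip -6 route show default` output.
# "8.8.8.8 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 0" -> "tun0"   (constructed sample)
route_dev() { sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1; }

# Nameservers from resolv.conf-style text on stdin.
nameservers() { awk '$1 == "nameserver" { print $2 }'; }

# "src dest" for every `config forwarding` section in UCI firewall text on stdin.
forwardings() {
    awk -v q="'" '
    function flush() {
        if (insec && src != "" && dst != "") print src, dst
        src = ""; dst = ""
    }
    /^config / { flush(); insec = ($2 == "forwarding") }
    insec && $1 == "option" && $2 == "src"  { src = $3; gsub(q, "", src) }
    insec && $1 == "option" && $2 == "dest" { dst = $3; gsub(q, "", dst) }
    END { flush() }'
}

# Forwardings that route LAN traffic around the tunnel. Prints nothing when there are none,
# e.g. when the only forwarding is lan -> VPN_zone as in the posted config.
lan_to_wan() { forwardings | awk '$1 == "lan" && $2 == "wan"'; }

if [ "${1:-}" = "run" ]; then
    # LAN clients are handed 8.8.8.8/8.8.4.4 by the posted dhcp config, so their DNS
    # follows the default route: this line is their DNS path as well.
    echo "default route (8.8.8.8) via: $(ip route get 8.8.8.8 2>/dev/null | route_dev)"
    for ns in $(nameservers < /tmp/resolv.conf.auto); do
        echo "router resolver $ns via: $(ip route get "$ns" 2>/dev/null | route_dev)"
    done
    v6=$(ip -6 route show default 2>/dev/null | route_dev)
    echo "IPv6 default route via: ${v6:-none}"
    if lan_to_wan < /etc/config/firewall | grep -q .; then
        echo "WARNING: lan -> wan forwarding present; LAN traffic can bypass tun0"
    else
        echo "OK: no lan -> wan forwarding"
    fi
fi
```

Run it once with the tunnel up and once after `/etc/init.d/openvpn stop`: anything other than `tun0` in the first run, or an IPv6 default route on the WAN side, is a path that ipleak.net or dnsleaktest.com would show as a leak. The `Reloading firewall due to ifup of tun0` line from the first post is expected with this config, because `tun0` is a member of `VPN_zone` and OpenWrt regenerates the zone rules whenever a zone interface comes up.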

Unfortunately the thread has gone dead, so I'll leave my concluding findings:

VPN tested with:

  • OpenWrt
  • 3rd Party VPN Browser Extension
  • OpenVPN Windows App.

For my tests, all 3:

  • same VPN server and settings used
  • connecting from the UK to a UK VPN
  • confirmed that IP is UK based from the same range

In all scenarios but OpenWrt I was able to stream from iPlayer on every occasion without fail. The common denominator at all points of failure is OpenWrt, which is leaking my IP or otherwise making iPlayer treat my connection as suspicious and denying me access.

An aside, this appears to be a bug in the OpenWrt firmware, steps to reproduce:

  • Connect to a working OpenVPN-configured server
  • Stop the server
  • Upload a misconfigured server config file
  • Try to connect; it fails
  • Delete the misconfigured server and re-upload the correct working server
  • Connection does not work

The only way to resolve this is to reboot the router. The error logs I see when this happens:

Tue May 16 15:56:31 2023 daemon.err openvpn(54654565)[9427]: RESOLVE: Cannot resolve host address: ************.com:80 (Try again)
Tue May 16 15:56:36 2023 daemon.err openvpn(54654565)[9427]: RESOLVE: Cannot resolve host address: ************.com:80 (Try again)
Tue May 16 15:56:36 2023 daemon.warn openvpn(54654565)[9427]: Could not determine IPv4/IPv6 protocol
Tue May 16 15:56:36 2023 daemon.notice openvpn(54654565)[9427]: SIGUSR1[soft,init_instance] received, process restarting
Tue May 16 15:56:41 2023 daemon.warn openvpn(54654565)[9427]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue May 16 15:56:46 2023 daemon.err openvpn(54654565)[9427]: RESOLVE: Cannot resolve host address: ************.com:80 (Try again)

It makes debugging practically impossible because each new config upload requires a reboot of the router 🤯
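The log lines above show one process, PID 9427, restarting itself via SIGUSR1 rather than a new process starting, so before reaching for a reboot it is worth comparing the instances enabled in `/etc/config/openvpn` against the openvpn processes actually alive. The script below is an added example, not from the thread or from OpenWrt's own init script. It assumes that OpenWrt starts each instance as `/usr/sbin/openvpn --syslog "openvpn(NAME)" ... --config PATH`, where NAME is the UCI section name (the same name that appears as `openvpn(NAME)` in the log), and that `uci show openvpn` prints enabled sections as `openvpn.NAME.enabled='1'`; the `ps` listing in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find openvpn processes that no longer match an
# enabled instance, and enabled instances with no process, without rebooting.
# Run on the router as: sh ovpn-check.sh run

# "pid name config" for each openvpn process in a `ps w` (busybox) or `ps axw` listing
# on stdin; both put the command in column 5. Instance name is taken from the
# --syslog "openvpn(NAME)" argument, config path from --config.
running_instances() {
    awk '
    $5 ~ /(^|\/)openvpn$/ {
        name = ""; cfg = ""
        for (i = 6; i <= NF; i++) {
            if ($i == "--syslog" && $(i+1) ~ /^openvpn\(.*\)$/)
                name = substr($(i+1), 9, length($(i+1)) - 9)
            if ($i == "--config") cfg = $(i+1)
        }
        print $1, name, cfg
    }'
}

# PIDs of openvpn processes whose instance name is not in $1 (space-separated names).
stale_instances() {
    running_instances | awk -v enabled=" $1 " 'index(enabled, " " $2 " ") == 0 { print $1 }'
}

# Names in $1 that have no running process.
missing_instances() {
    running=" $(running_instances | awk '{ printf "%s ", $2 }')"
    for n in $1; do
        case "$running" in *" $n "*) ;; *) echo "$n" ;; esac
    done
}

if [ "${1:-}" = "run" ]; then
    enabled=$(uci show openvpn 2>/dev/null \
        | sed -n "s/^openvpn\.\([^.]*\)\.enabled='1'$/\1/p" | tr '\n' ' ')
    echo "enabled instances: ${enabled:-none}"
    echo "running (pid name config):"
    ps w | running_instances
    stale=$(ps w | stale_instances "$enabled")
    if [ -n "$stale" ]; then
        echo "stale openvpn pids: $stale  (kill them, then /etc/init.d/openvpn restart)"
    fi
    missing=$(ps w | missing_instances "$enabled")
    if [ -n "$missing" ]; then
        echo "enabled but not running: $missing  (see: logread -e openvpn)"
    fi
    if ip route show | grep -q tun0; then
        echo "routes still pointing at tun0:"; ip route show | grep tun0
    fi
fi
```

A process listed as stale is still running the config it was started with, whatever `/etc/config/openvpn` now says, and its `RESOLVE` errors will keep appearing under the old instance name; killing it and restarting the service is the check that separates "the new config is wrong" from "the old process is still in the way".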

Does it work if you put the server IP instead of the hostname?

1 Like

When I use the IP instead of the hostname the logs say the IP can't be resolved - go figure!

What happens if you try to do nslookup?

Can you post your openvpn config file?

If I run nslookup from the command line I get:

server: unknown
address: *******

OpenVPN file:

client
;explicit-exit-notify
proto tcp
remote ****** 80
dev tun
auth-user-pass /etc/openvpn/userpass.txt
persist-key
persist-tun
nobind
;block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
****
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
****
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
remote-cert-tls server
cipher AES-256-CBC
route-method exe
route-delay 0
route 0.0.0.0 0.0.0.0
script-security 2