OpenWrt Streaming - leak?

I posted about this issue a while back and I am wondering if anything might have been changed or become known since I last enquired without managing to resolve the issue.

I am in the UK but I'm trying to connect to a UK TV channel's streaming service via OpenVPN running on my OpenWrt router v21.02. If I connect the router to my VPN's UK server I see the UK location when I look up my IP. So far so good. However, when I try to stream the content provider's content via a browser it says I am not in the UK.

However note the following tested in the same location.

  • using a firestick and the VPN's app for that device, connected to my regular router streaming of said provider's content works fine.

  • using the browser extension provided by the VPN on my PC, connected to my regular router, using the browser I can stream content

  • With the above browser extension that worked above, if I connect to my OpenWRT router (connected to UK server) the content won't stream.

The common denominator is OpenWRT which must be leaking my real IP. But since my real IP is in the UK it doesn't make sense that the streaming would be based on a bad IP.

Something must be happening to the traffic making the provider flag it as suspicious.

Any suggestions? Thanks in advance!

Depending on your device, there are other methods by which a streaming service could obtain your approximate location, including polling the location services from your operating system (especially with a phone which has a GPS).

The most common thing, though, is DNS leaks. You can read through the forums to find solutions for that issue.

In the meantime, given that you are in the UK and streaming content that is geo-locked to the UK, what happens if you disable your VPN? Why do you need the VPN (wrt the streaming service) if you're already in the UK?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
cat /etc/config/openvpn

I've tried this when I am not in the UK and the behaviour is the same. I'm just trying to fix it now for future journeys outside of the UK.

config as requested:

{
        "kernel": "5.4.179",
        "hostname": "OpenWrt",
        "system": "xRX200 rev 1.2",
        "model": "BT Home Hub 5A",
        "board_name": "bt,homehub-v5a",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.2",
                "revision": "r16495-bf0c965af0",
                "target": "lantiq/xrx200",
                "description": "OpenWrt 21.02.2 r16495-bf0c965af0"
        }
}

Network:


config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fdf1:fc79:bf15::/48'

config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option tone 'av'
        option ds_snr_offset '0'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option device 'br-lan'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr '****'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option peerdns '0'

config device 'wan_dsl0_dev'
        option name 'dsl0'
        option macaddr '****'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 6t'

config interface 'tun0'
        option proto 'none'
        option device 'tun0'

config device
        list ports 'eth0.1'
        option type 'bridge'
        option name 'br-lan'

Wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:01/0000:01:00.0/0000:02:00.0'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '****'
        option encryption 'psk2'
        option key '****'
        option wpa_disable_eapol_key_retries '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:0e.0'
        option htmode 'HT20'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option key '****'
        option wpa_disable_eapol_key_retries '1'
        option disabled '1'

DHCP

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,8.8.8.8,8.8.4.4'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

Firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option mtu_fix '1'
        option masq '1'
        option output 'ACCEPT'
        option input 'REJECT'
        option forward 'REJECT'
        option name 'VPN_zone'
        list network 'tun0'

config forwarding
        option dest 'VPN_zone'
        option src 'lan'

config redirect
        option src 'lan'
        option name 'test'
        option dest 'lan'
        option target 'DNAT'
        option src_dport '15021'

OpenVPN

config openvpn 'PureVPN_Uk_UDP'
        option dev 'tun'
        option ifconfig '10.0.0.2 10.0.0.1'
        option nobind '1'
        option verb '1'
        option persist_tun '1'
        option client '1'
        option auth 'SHA1'
        option cipher 'AES-256-CBC'
        option mute_replay_warnings '1'
        option tls_client '1'
        option ca '/etc/openvpn/ca2.crt'
        option tls_auth '/etc/openvpn/tls-auth.key'
        option auth_nocache '1'
        option remote_cert_tls 'server'
        option key_direction '1'
        option auth_user_pass '/etc/openvpn/userpass.txt'
        option proto 'udp'
        option resolv_retry 'infinite'
        option enabled '1'
        option comp_lzo 'no'
        list remote '****'
        option port '15021'

This version is old, EOL, and unsupported. You should upgrade to 23.05.

Your client devices are all using Google DNS servers based on the DHCP option 6. This should still go through the tunnel, but you may want to see if you should be using the DNS servers from the VPN service.

Also, unless it is pushed from the server side, I don't see a gateway redirect through the tunnel. You might want to add that (redirect gateway def1) to the openvpn config.

1 Like
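
The two points in the reply above (DNS servers handed out via DHCP option 6, and no gateway redirect in the client config), plus a check of which interface traffic to the resolver actually leaves by, as an added example that is not from the thread. Function names, sample files and the 192.0.2.x addresses are constructed; the UCI spelling `redirect_gateway` is an assumption based on the underscore pattern of the other options in the posted config.

```shell
#!/bin/sh
# Added example (not from the thread). Audits UCI text and one line of
# `ip route get` output for the leak conditions discussed above.

# DNS servers handed to LAN clients through DHCP option 6.
dhcp_pushed_dns() {
    sed -n "s/^[[:space:]]*list dhcp_option '6,\([^']*\)'.*/\1/p" "$1" | tr ',' ' '
}

# True if the client config itself redirects the default route.
# Assumption: UCI spells the directive redirect_gateway, following the
# underscore pattern of the other options in the posted config.
has_redirect_gateway() {
    grep -Eq "^[[:space:]]*(option|list)[[:space:]]+redirect_gateway[[:space:]]" "$1"
}

# Egress device from `ip route get <addr>` output read on stdin.
egress_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# audit DHCP_FILE OPENVPN_FILE ROUTE_LINE: prints one finding per line.
audit() {
    dns=$(dhcp_pushed_dns "$1")
    if [ -n "$dns" ]; then echo "DHCP option 6 points clients at: $dns"; fi
    if ! has_redirect_gateway "$2"; then
        echo "no redirect_gateway in client config (check whether the server pushes it)"
    fi
    dev=$(printf '%s\n' "$3" | egress_dev)
    case "$dev" in
        tun*) ;;
        *) echo "route to resolver leaves via ${dev:-unknown}, not the tunnel" ;;
    esac
}

# Constructed sample input, modelled on the config posted in this thread.
SAMPLE_DIR=$(mktemp -d)
printf "config dhcp 'lan'\n\tlist dhcp_option '6,8.8.8.8,8.8.4.4'\n" > "$SAMPLE_DIR/dhcp"
printf "config openvpn 'vpn'\n\toption client '1'\n\toption dev 'tun'\n" > "$SAMPLE_DIR/openvpn"
SAMPLE_ROUTE='8.8.8.8 via 192.0.2.1 dev eth0.2 src 192.0.2.10'

audit "$SAMPLE_DIR/dhcp" "$SAMPLE_DIR/openvpn" "$SAMPLE_ROUTE"
```

On the router itself the same function can be pointed at the live files: `audit /etc/config/dhcp /etc/config/openvpn "$(ip route get 8.8.8.8)"`, run while the tunnel is up.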

Read the warnings at https://openwrt.org/toh/bt/homehub_v5a 1st

2 Likes

It is all because your provider knows vpn exits IP blocks......

2 Likes

Is the message you are getting specifying that you are using a non-UK IP? Because depending on your VPN provider, their IPs might be on blocklists the streaming service uses. We have this case in Germany with streaming services like Netflix. If you just get a default message "this content is not available in your country" or "it seems you are using a proxy or VPN", etc., it points to this common issue.

1 Like

The message I get is:

"only works in the UK."

It can't be that the provider knows the VPN's IP range, otherwise it would not work on the firestick and the browser extension? The problem only occurs when connecting via OpenVPN on the OpenWrt router.

Would you rephrase that?
Because it reads to say "If I use a Firestick with my OpenWrt router using OpenVPN it works so it must be OpenWrt and OpenVPN."
And you cannot be saying that because it would mean you know it is not an OpenWrt issue or an OpenVPN issue since it works with both using a Firestick.

Yes it can.
Phrased differently 'the provider' knows known VPN servers' addresses. So, they deny service to those ip addresses.
"Must be in UK" is just another way of saying "we are not sure where you are because you are hiding your country and our content MUST be in UK"; as in assuredly in the UK.

Some VPNs are better at rotating ip addresses than others. Some browsers leak less location information than others.
You can try using a private window but, depending on your browser, the amount of information leaked varies.

^^ Is in the top ten most annoying phrases from people asking for help.

3 Likes

And the providers are very fast to search and find the new ones. In practical terms it works like this: if two customers connect from the same server, the server is burned forever.

So if anyone asks me, don’t buy a VPN for the purpose of getting non-licensed streaming TV, because it doesn’t work or comes bundled with a never-ending headache.

But it will work when traveling around if you instead make your own VPN with your router as a server and watch UK TV “from home” when travelling. But that requires a public IP address to your router at home.

3 Likes

You Europeans are so adorable annoying with your upload speeds that could actually handle streaming through a VPN from home. :unamused:

3 Likes

A VPN with port forwarding would work as well.

If you get the ISP to cooperate with the idea. But we have a lot of forum threads here where it fails.

You sure you meant that for me? Leaking what?
I'm not knowingly using WebRTC.
I don't use IPv6 and I don't leak DNS unless something has changed I don't know about.

That is a cool website though, so I bookmarked it.

You might be leaking via WebRTC or IPv6.

Use ipleak.net to see what is leaking, disable WebRTC and IPv6 on the client

You can try another UK VPN server to see if that is not blocked, if that is the problem.

1 Like

What I meant is a VPN provider (or own VPN "server") which has an open port that gets forwarded to OP's router VPN "client". Then OP can setup on their router a VPN "server" listening on this port. In the end they will be able to connect to their own router VPN "server" as if they would have proper public IP with port forwarding. Performance might be good enough for streaming.

2 Likes

Perhaps I have not explained my setup clearly enough.

I have OpenWrt running on a router and that router connects to my main ISP via the WAN interface.

Firestick by-passing openwrt connecting directly to main router using vpn's app to uk server - all works fine.

Browser with device connecting directly to the main router using vpn's browser extension to uk server - all works fine.

Browser with device connecting to openwrt router which then uses the main isp router - does not work.

If the provider knows the IP is a VPN why does it not block firestick or browser extension? The provider only 'knows' the IP is suspicious when connecting via OpenWRT.

Let's refer to this as Router to Gateway

OpenVPN app?
Call that OpenVPN APP works.

What device?
Change that to 'device' with Browser and no other VPN, using gateway, works.

Same device?
Change that to device with browser and no VPN app does not work with OpenWrt router. BBC.
If you are using more than one VPN (i.e. OpenVPN) across devices this is critical information you have left out for some reason.

Okay, let's sort this out:
If you connect any device directly to your gateway, using either an extension or app VPN, it fools the BBC.
If you use a device that has no VPN app or extension and connect them to the OpenWrt router with OpenVPN it does not fool BBC.
All that correct?

We will know soon enough.
Other than the last bit, are we on the same page?

Yes exactly - any traffic going through OpenWrt router without any VPN app fails. But note that even when I use the browser extension AND use the OpenWRT router it also fails (same browser extension going to main router works).

When I say 'device' I am referring to a PC. The firestick and app and browser extension are provided by my VPN provider and are pre-configured - I just add my credentials and they work.

The only OpenVPN config I have setup is within the OpenWRT router itself.

You are asking me/us why the VPN we suggest (so we offer support for) and a VPN we don't and you won't name, but I'll assume we don't suggest (so we don't support because we are not familiar with) have different results after I typed:

?