Device vpn and router bypass

[jrbmw]

If a device is connected to a vpn then connected to the routers vpn bypass, is the data encrypted just from the device to the router or encrypted through the router to the location.So is it the same as if the vpn on the router
is enabled and not the device.If not does it mean the traffic comes and go through the isp servers unencrpted before the vpns?

 

[R. Gerrits]

Assuming you use a VPN connection with encryption:
The encryption applies to the traffic between VPN client and VPN server.

I don't fully understand your question, but these are options:
laptop without vpn <-unencrypted over lan-> router with vpn client <-encrypted over ISP+internet-> vpn server <-unecrypted over internet-> to destination

if you add the laptop to the VPN bypass list (in kamoj addon) or disable VPN on router:
laptop without vpn <-unencrypted over lan-> router <-unencrypted over ISP+internet-> to destination

if you then install a VPN client on that laptop:
laptop with vpn <-encrypted over lan-> router <-encrypted over ISP+internet-> vpn server <-unecrypted over internet-> to destination

Note, even in the cases above where unencrypted is written, if for instance the traffic is HTTPS, then still the traffic is encrypted. (but the headers aren't, so your ISP can see where you are connecting).

Note2, even with VPN encryption, depending on how you configure DNS, it could still be the case that your ISP is receiving the DNS requests, and thus can see where you are connecting.

 

[HELLO_wORLD]

I will add to the excellent answer from @R. Gerrits that on this part: vpn server <-unencrypted over internet-> to destination, the IP that the destination sees is the one from the VPN server, and not your public IP (provided by your ISP), nor the IP of your laptop on the LAN.
of course, the content of what is sent by your laptop to the destination being unencrypted is fully visible by it, but that is the goal.

Unless the packets contain in the data the IP from your ISP or other personal piece of information, the destination has no clue from the headers of your ISP or anything that happened between the VPN client and server, and in both cases (VPN with encryption used either on the router or your laptop), all your ISP sees is encrypted packets exchanged between you and the IP of the VPN server, without any clue of what is in the packets.

Any traffic sent outside of the VPN tunnel is visible though, and the most common leak/mistake is to use a DNS server outside of the VPN tunnel to resolve domain names to be used in the tunnel.

 

[jrbmw]

Thanks for both of your very interesting replies.The vpn has its own private encrypted dns servers.I assume that whatever dns servers are set in the router the vpn redirects the traffic to theirs. I have set the dns to use cloudfares in the router for when the vpn is off.I have found the vpn works differently on the router to the vpn app on a device.That is when using the same location just on the router or device.When the vpn is set on the router some locations detect its being used but doesent when set on the laptop app.That is the reason for my question . From your answers it seems the vpn is at fault.

 

[HELLO_wORLD]

Thanks for both of your very interesting replies.The vpn has its own private encrypted dns servers.I assume that whatever dns servers are set in the router the vpn redirects the traffic to theirs. I have set the dns to use cloudfares in the router for when the vpn is off.I have found the vpn works differently on the router to the vpn app on a device.That is when using the same location just on the router or device.When the vpn is set on the router some locations detect its being used but doesent when set on the laptop app.That is the reason for my question . From your answers it seems the vpn is at fault.

Very likely, the VPN app on your laptop is forcing to use the VPN DNS, but this it is not the case on the router! All DNS requests are still using the default DNS outside of the VPN!
You would need to either set up the router DNS to the VPN one or force all DNS traffic to use the VPN one with some iptables rules.

 

[R. Gerrits]

Very likely, the VPN app on your laptop is forcing to use the VPN DNS, but this it is not the case on the router! All DNS requests are still using the default DNS outside of the VPN!
You would need to either set up the router DNS to the VPN one or force all DNS traffic to use the VPN one with some iptables rules.

Issue is if you do this statically, DNS stops working if you stop the VPN tunnel on the router.

So you'd have to automate it.
If you have the Kamoj add-on, then there are already scripts /etc/openvpn/ovpnclient-up.sh and /etc/openvpn/ovpnclient-down.sh

Then in /etc/openvpn/ovpnclient-up.sh put the logic that needs to be performed if the VPN is started. (for instance change the router DNS-servers (in resolv.conf) to the VPN DNS servers.
Alternatively, make it integrate in kamoj-addon, from there extract the devices that would use the VPN tunnel, and add iptables rules to redirect all DNS queries from those devices to 1 of the VPN DNS servers (so you lose a bit of redundancy).
All other devices that bypass VPN would then still use the normal DNS servers.

(to make it more dynamic, parse the vpn connection log to find the newest "PUSH: Received control message: 'PUSH_REPLY,.....,dhcp-option DNS x.y.z.1,dhcp-option DNS x.y.z.2", and extract the VPN DNS servers from that.)

(challenge of this approach: existing processes on the router could rewrite resolv.conf or reload the firewall, again undoing the changes of this script.
For the iptables approach, the solution would be to generate an additional /opt/scripts/firewall-start-xxx.sh to create the redirect rules. (this way they are recreated if something restarts the firewall)
For the resolv.conf approach, perhaps the new VPN DNS servers must also be written to specific nvram variables. (so that if something recreates the resolv.conf that it then uses those DNS servers from nvram.)

In /etc/openvpn/ovpnclient-down.sh you would have to put the logic to restore the original DNS in resolv.conf or remove the iptables redirect rules.

(but if VPN crashes, then probably ovpnclient-down.sh won't be run. So then DNS is also (partially) broken until someone restarts VPN)

 

[jrbmw]

I am using Kamoj addon on my r7800 but the vpns dns servers are private so I dont know the adresses.Although I understand what your saying @R.Gerrits doing it is beyond my knowledge.However I will try changing the dns servers.