One website cannot be accessed when VPN is on

[systematic]

Got an interesting one.

So I am using OPENVPN feature of the Merlin Router.

I have downloaded 5 x OVPN files from different countries and loaded them onto the router. All good.

All devices are going through VPN and up until an hour or so ago one site stopped working whilst the VPN is on. When the VPN is turned off and the devices are routing through the ISP all works fine. So to recap

- Surfshark OVPN files used for India, France, UK, Germany and USA
- VPN enabled on the router and all sites working fine on all devices via every country bar one site
- VPN disabled and site starts working again via ISP.

Error that comes up when VPN is on for this site is:

403 ERROR​

The request could not be satisfied.​

---

Request blocked. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

---

Generated by cloudfront (CloudFront)

Now this is where it gets mad - I have asked someone else to connect to the site from their house using the same VPN files and they can get the site up and working as normal. Its obvious the remote site has done something where they have been able to block me from accessing the site. But how?

 

[degrub]

some sites block known VPN exit IP addresses.

 

[Tech9]

Indeed and this practice will become more wide spread for a good reason.

 

[systematic]

some sites block known VPN exit IP addresses.

Sorry for sounding dense. What is an VPN exit IP address?

Example,

I am based in the UK and connect to a VPN in Poland. My exit IP is 1.1.1.1

My friend is based in Germany and connects to the exact same VPN in Poland. His exit IP is 2.2.2.2

Is that correct?

The exit IP will change depending on which country you are connecting to the VPN from?

Again, looking to learn so apologies for the dense question(s)

 

[eibgrad]

Exit IP simply means the public IP as seen from the site you're connecting to. There are NO GUARANTEES about what public IP that might be when it comes to the VPN. VPN providers often use the same public IP for a given server for both efficiency and privacy reasons. But they may also internally route users to different servers, if only for load balancing purposes. IOW, the server may actually be just a proxy. So two different users connected to the same server may in fact end up w/ different public IPs on the VPN. And if a remote site happens to be filtering access on that basis, then each user will likely have a different experience w/ that site, be it different content, or the complete denial of service.

All that said, you *might* be assured of a specific public IP w/ a VPN provided it's offering and you're using its port forwarding service. But even then, there's no guarantee than any other user will be given the same public IP under the same circumstances.

 

[systematic]

Ok newb alert here. I have never used DNSMASQ or anything on the merlin router. i am a complete newb on scripts too. But this is what i wanted:

- Enable a VPN in X country
- All traffic from Device A to be pushed that VPN except ONE website, which goes through WAN

I think i can do all this in the VPN Director Rules but the issue is the ONE website I want has an IP address that is a load balancer IP address therefore it cannot resolve the webpage if I specify that laod balancer IP as a REMOTE IP value in the VPN director rules.

Can anyone please help in providing steps on how I am able to achieve this? I think I read that DNSMASQ could do something with that load balancer IP address and have it map to the host name. However, I have ZERO clue how to enable DNSMASQ and what to write, enable scripts etc. Not even sure if it will work but basing this on some research I was doing.

 

[eibgrad]

If I understand your intentions correctly, you want to use DNSMasq to force a given website's domain name to always resolve to the same public IP, then use the VPN Director to force that remote IP through the WAN.

You can force a domain-name to a specific IP address by adding the following directive to DNSMasq using a dnsmasq.conf.add file.

address=/domain-name/1.2.3.4

The following link describes how to create such a file and install it.

Asus Merlin - OpenVPN Policy Rules to direct Roku to another gateway

Hi Guys, I have been using the RT-AC87U router on the latest merlin firmware and am trying to policy rules to redirect the Roku Express through another default gateway 10.27.43.20 (Synology NAS) which is setup as a VPN Server on OpenVPN. I have a particular device Roku Express which does not...

www.snbforums.com

Of course, you need to replace the DNSMasq directives in that link w/ the above address directive.

P.S. If the client is Windows or Linux, you could alternatively do the mapping of the domain name to a specific public IP use the local hosts file, since that is always referenced first for the purposes of name resolution.

 

[sfx2000]

Generated by cloudfront (CloudFront)

Key take-a-way is the CloudFront response from AWS...

HTTP Error 403 can be a lot of things, all on the service side...

Troubleshoot 403 errors in CloudFront

I'm using Amazon CloudFront to serve content. My users are receiving an HTTP 403 errors with the messages "The request could not be satisfied” or "Access Denied."

repost.aws

The big one for many VPN users that are trying to Geo-Unlock content - CloudFront can do specific filters to break that one...

Restrict the geographic distribution of your content - Amazon CloudFront

Prevent users in specific geographic locations from accessing content in CloudFront distributions.

docs.aws.amazon.com

Enjoy!