PPTP and OpenVPN - observations - why?

martinr

I'd like to understand VPNs better. I have both the PPTP server and one OpenVPN server (set to TUN) running on my RT-AC68U. When I connect to my home network via these VPNs using cellular data on my iPhone, I see differences. In a nutshell, with PPTP, it feels as if my iPhone is part of my home network; with OpenVPN, it doesn't. I'd be very grateful to understand why.

PPTP

The vpn iPhone address is 192.168.10.2 (255.255.255.0)
Default Gateway is N/A
DNS Server is 192.168.1.1
External IP is 92.xxx.xxx.56

With traceroute to, say, the BBC, the first hop is to 192.168.1.1

FTP on my iPhone to the local address of a device on the home network brings up all its files as if I were back home, wirelessly connected to the network.

Also, if at home and my iPhone is wirelessly connected to my router, I can connect via the PPTP vpn.


OpenVPN


The vpn iPhone address is 10.8.0.8 (255.255.255.252)
Default Gateway is 10.149.86.1 (Cellular IP address)
DNS Server is 37.26.147.100
External IP is 92.xxx.xxx.56

With traceroute to, say, the BBC, the first hop is to ?. Second hop to 10.192.192.25, and nowhere do I see a hop either to the internal IP or the external IP address of my router.

FTP on my iPhone to the local address of a device on the home network fails to connect.

Also, in contrast to PPTP, if I'm at home and my iPhone is wirelessly connected to my network, OpenVPN won't connect to the network.



To someone who understands vpn technology, I'm sure the above is perfectly understandable and entirely expected. I'd really be grateful to know the reasons for the differences; a good tutorial would suffice, but, so far, I haven't found anything that helps.


Martin
 
Probably a limitation of your iPhone. OpenVPN on an actual computer will also be able to route traffic through the tunnel, giving you full LAN access. The client requires the ability to add a new route, something I suspect is not possible with the iPhone since it's a third-party app rather than built by Apple.
 
OpenVPN Connect on my iPhone does work without any issues. I can access local hosts inside my network, even FTP shares.
But as DNS server and as default gateway I am using my internal ones on the router, not the ones from the cell phone provider. I am pushing these routes to my OpenVPN clients within the OpenVPN GUI as added commands.
 
A TUN connection on OpenVPN using a router as a server appears to have its highest and best use as a secure passthrough from a public internet site through your home router and into the internet from there. OpenVPN encrypts the traffic on the first hop to your home network.

I'm curious. Using OpenVPN on your ASUS router, when you use tracert while connected to OpenVPN, do you see your local IP address or the IP address of your OpenVPN server? For example, do you see 192.168.10.1, the local coffeeshop IP address for your connection, or do you see 10.0.0.1, the server address for OpenVPN?

When browsing via your OpenVPN from public wi-fi, do you see your home IP address or the IP address of your coffeeshop?

The reason I'm asking is that OpenVPN via DD-WRT is very fussy about being set up. It may look like it works but you are provided no encryption. Most commonly available instruction sets leave out the bits that make it secure. The ones with the security bits often get it wrong. I figured it out with a fair amount of effort. It made me wonder what the mainstream routers offer using their default configurations.

Re PPTP: I avoid it because it's not secure.
 
When browsing via your OpenVPN from public wi-fi, do you see your home IP address or the IP address of your coffeeshop?

The reason I'm asking is that OpenVPN via DD-WRT is very fussy about being set up. It may look like it works but you are provided no encryption. Most commonly available instruction sets leave out the bits that make it secure. The ones with the security bits often get it wrong. I figured it out with a fair amount of effort. It made me wonder what the mainstream routers offer using their default configurations.

Asuswrt-merlin has a simple option called "Redirect Internet traffic" that will determine if all your traffic will be routed through the tunnel or not. This requires the client to run with sufficient privileges however to add the necessary route configuration. With Windows, this means running the OpenVPN client as Administrator.
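The "Redirect Internet traffic" behaviour described in this reply, and the LAN route and DNS server that an earlier reply pushes from the server as added commands, are all changes to the client's routing table; the first hop that traceroute shows is simply the gateway of whichever route wins the longest-prefix match. The following is an added example, not code from the thread, from Asuswrt-Merlin or from OpenVPN: a small Python model of what a client does with three different server pushes. The PUSH_REPLY strings are constructed (the option names are real OpenVPN push options; the 10.8.0.x, 192.168.1.x and 10.149.86.1 addresses are the ones quoted in the thread; 203.0.113.56 and 198.51.100.10 are documentation-range stand-ins for the home public address and a public web server).

```python
"""Model the client-side routing decisions behind the thread's observations.

Added example for this thread; not code from Asuswrt-Merlin, OpenVPN or the
posters. The PUSH_REPLY strings are constructed: the option names (route,
route-gateway, redirect-gateway def1, dhcp-option DNS, ifconfig) are real
OpenVPN push options, the 10.8.0.x / 192.168.1.x / 10.149.86.1 addresses are
the ones quoted in the thread, and 203.0.113.56 / 198.51.100.10 are
documentation-range stand-ins for the home public IP and a public web server.
"""
import ipaddress

# Phone state before the tunnel exists (from the thread's OpenVPN readout).
CELLULAR_GW = "10.149.86.1"      # carrier's default gateway
CELLULAR_DNS = "37.26.147.100"   # carrier's DNS server
VPN_SERVER = "203.0.113.56"      # stand-in for the router's 92.xxx.xxx.56

# Three server behaviours, written as the string the client would log after
# "PUSH: Received control message:".
NO_LAN_ROUTE = ("PUSH_REPLY,route-gateway 10.8.0.1,"
                "ifconfig 10.8.0.8 255.255.255.0")
LAN_ONLY = ("PUSH_REPLY,route 192.168.1.0 255.255.255.0,"
            "dhcp-option DNS 192.168.1.1,route-gateway 10.8.0.1,"
            "ifconfig 10.8.0.8 255.255.255.0")
REDIRECT_ALL = "PUSH_REPLY,redirect-gateway def1," + LAN_ONLY[len("PUSH_REPLY,"):]


def parse_push(push_reply):
    """Split 'PUSH_REPLY,opt a b,opt c' into [['opt','a','b'], ['opt','c']]."""
    if not push_reply.startswith("PUSH_REPLY,"):
        raise ValueError("not a PUSH_REPLY")
    return [opt.split() for opt in push_reply.split(",")[1:] if opt.strip()]


def build_routes(push_reply):
    """Return (routes, dns): the routing table the client ends up with and the
    DNS server it will use. A route is (network, gateway, iface); gateway None
    means the network is directly connected."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), CELLULAR_GW, "cellular")]
    dns = CELLULAR_DNS
    tun_gw = None        # from route-gateway, which may arrive after the routes
    pending = []         # tunnel routes waiting for that gateway
    for opt in parse_push(push_reply):
        name, args = opt[0], opt[1:]
        if name == "ifconfig":          # <address> <netmask> (topology subnet)
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
            routes.append((net, None, "tun0"))
        elif name == "route-gateway":
            tun_gw = args[0]
        elif name == "route":           # route <network> <netmask>
            pending.append(ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif name == "redirect-gateway" and "def1" in args:
            # def1: two /1 routes outrank the carrier's /0 default without
            # deleting it, and a /32 keeps the tunnel's own packets on cellular.
            pending.append(ipaddress.ip_network("0.0.0.0/1"))
            pending.append(ipaddress.ip_network("128.0.0.0/1"))
            routes.append((ipaddress.ip_network(VPN_SERVER + "/32"), CELLULAR_GW, "cellular"))
        elif name == "dhcp-option" and args[0] == "DNS":
            dns = args[1]
    routes += [(net, tun_gw, "tun0") for net in pending]
    return routes, dns


def lookup(routes, dest):
    """Longest-prefix match; returns (gateway, iface) for dest."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1:]


def first_hop(routes, dest):
    """What traceroute prints as hop 1 for dest."""
    gateway, _ = lookup(routes, dest)
    return gateway if gateway is not None else dest


def where_does_it_go(push_reply, dests):
    """Map each destination to the interface that carries it, plus the DNS
    server in use, for the given server push."""
    routes, dns = build_routes(push_reply)
    result = {d: lookup(routes, d)[1] for d in dests}
    result["dns"] = dns
    return result


if __name__ == "__main__":
    cases = [("no LAN route", NO_LAN_ROUTE), ("LAN route only", LAN_ONLY),
             ("redirect-gateway def1", REDIRECT_ALL)]
    for label, push in cases:
        routes, dns = build_routes(push)
        print(f"{label}: DNS {dns}")
        for d in ("192.168.1.50", "198.51.100.10"):
            print(f"  {d:>14} -> {lookup(routes, d)[1]:8} first hop {first_hop(routes, d)}")
```

With nothing pushed for the LAN, 192.168.1.x traffic follows the carrier's default route and an FTP connection to a home device can never arrive. With only the LAN route pushed, LAN traffic enters the tunnel but web traffic and DNS stay with the carrier, so a "what is my IP" site still shows the carrier address and the DNS server stays the carrier's unless dhcp-option DNS is pushed. With redirect-gateway def1, hop 1 becomes 10.8.0.1 and everything except the tunnel's own packets to the server goes home. A real client adds and removes these routes itself, which is why it needs privileges that can change the routing table.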
 
Asuswrt-merlin has a simple option called "Redirect Internet traffic" that will determine if all your traffic will be routed through the tunnel or not. This requires the client to run with sufficient privileges however to add the necessary route configuration. With Windows, this means running the OpenVPN client as Administrator.

Agree about privilege level. Without actually selecting 'run as administrator' it will only look like it works.

Re the redirect option; I saw that on DD-WRT but it didn't work without a proper DNS option and a proper firewall statement. Again, it only looked like it worked (or didn't work at all if you got it half right). Do you know if stock asus or the netgear r7000 covers these bases behind the scene?

I was shocked to see it only looked like it worked. Then I was shocked to see the bad instructional advice available on the internet. Since there is so much instructional material that is lacking, it made me wonder how many people actually have secure router pass through connections. If all they know is what they found easily on the internet, they probably don't as I had to struggle to figure out the correct options for OpenVPN and DD-WRT. Most of the time it ran OK ... but wasn't secure.
 
I think you are correct in that lots of people that run a VPN are not really getting what they want out of it due to misconfiguration. The people that want access to their LAN resources get better feedback if things are working... but if you want secure coffeeshop access there is not an easy way to test that your internet data is encrypted. At least not easy for the average user.
 
I think you are correct in that lots of people that run a VPN are not really getting what they want out of it due to misconfiguration. The people that want access to their LAN resources get better feedback if things are working... but if you want secure coffeeshop access there is not an easy way to test that your internet data is encrypted. At least not easy for the average user.

whatismyip.com told me that the VPN worked because the connection from public wi-fi used my home ip. tracert implied a good connection by telling me that my top point was my VPN server's address.
 
Agree about privilege level. Without actually selecting 'run as administrator' it will only look like it works.

Re the redirect option; I saw that on DD-WRT but it didn't work without a proper DNS option and a proper firewall statement. Again, it only looked like it worked (or didn't work at all if you got it half right). Do you know if stock asus or the netgear r7000 covers these bases behind the scene?

I was shocked to see it only looked like it worked. Then I was shocked to see the bad instructional advice available on the internet. Since there is so much instructional material that is lacking, it made me wonder how many people actually have secure router pass through connections. If all they know is what they found easily on the internet, they probably don't as I had to struggle to figure out the correct options for OpenVPN and DD-WRT. Most of the time it ran OK ... but wasn't secure.

Asuswrt and Asuswrt-Merlin don't require any manual firewall/DNS configuration; it's all manageable either automatically (in the case of the firewall) or through the webui (DNS can be set to strict, exclusive, etc...).

No idea about Netgear, as it's running their own code, and I've never looked at it.
 
whatismyip.com told me that the VPN worked because the connection from public wi-fi used my home ip. tracert implied a good connection by telling me that my top point was my VPN server's address.

This will indeed tell you for sure if your tunnel is properly working. Also, some providers will force you to use their DNS servers to prevent any information leak through your DNS queries. In Asuswrt(-merlin), you just need to set the DNS option to either "Strict" or ideally "Exclusive" to handle that. It will properly configure dnsmasq accordingly.
 
Asuswrt-merlin has a simple option called "Redirect Internet traffic" that will determine if all your traffic will be routed through the tunnel or not.

This works for me on openWrt on iPhone. With the VPN connected, I can shut off wifi and connect over LTE, and my Internet traffic goes through the VPN and out to my Cox cable connection.

You may have some issues accessing local services because the VPN is on a different subnet. Apple services don't usually cross subnet boundaries, though I think there are settings and/or some kind of reflector you can set up.

I think it's possible in Merlin to move the VPN addresses into the same subnet as your home network. Pretty sure I came across some docs on that, but haven't tried it. That's how I had my IPSec VPN set up on my previous router. I just reserved a small block of addresses on my subnet for VPN.
 
Asuswrt and Asuswrt-Merlin don't require any manual firewall/DNS configuration; it's all manageable either automatically (in the case of the firewall) or through the webui (DNS can be set to strict, exclusive, etc...).

No idea about Netgear, as it's running their own code, and I've never looked at it.

Thanks for the insights. The details you thought through ahead of time were the ones I just assumed worked in all cases on all firmwares that used OpenVPN server on a router.

Does Asus stock work as yours? Do you, or anyone, know anything about Padavan's Asus implementation?
 
A TUN connection on OpenVPN using a router as a server appears to have its highest and best use as a secure passthrough from a public internet site through your home router and into the internet from there. OpenVPN encrypts the traffic on the first hop to your home network.

I'm curious. Using OpenVPN on your ASUS router, when you use tracert while connected to OpenVPN, do you see your local IP address or the IP address of your OpenVPN server? For example, do you see 192.168.10.1, the local coffeeshop IP address for your connection, or do you see 10.0.0.1, the server address for OpenVPN?


In contrast to using cellular with my iPhone and the OpenVPN app, this time I used public hotspot wireless, and I found that when using OpenVPN, I could now FTP access the files on a home-network device using its internal address. Nevertheless, I still observe differences and wonder why. But here are answers to your questions:


Here is the traceroute when I use OpenVPN from a public hotspot:

[screenshot: traceroute over OpenVPN from a public hotspot]

And here is the same thing but using PPTP from a public hotspot:

[screenshot: traceroute over PPTP from a public hotspot]

When browsing via your OpenVPN from public wi-fi, do you see your home IP address or the IP address of your coffeeshop?



With OpenVPN connected to the hotspot I see:

[screenshot: whatsmyip.org result over OpenVPN]

And in contrast, using PPTP, I see:

[screenshot: whatsmyip.org result over PPTP]

(My public IP seems to have changed in between the 2 tests).


It may look like it works but you are provided no encryption. Most commonly available instruction sets leave out the bits that make it secure.

Is there a simple test (i.e. not Wireshark) to ensure encryption is taking place; from what you wrote, I presume it's not sufficient to see 192.168.1.1 as the first hop, or its public IP address in Whatsmy address.org etc?

I can't easily try, as Merlin suggested, using OpenVPN on my laptop, and I realise that things might become clearer when I do. But because I've proved I am connected to my home network with both PPTP and OpenVPN, what's the reason that PPTP shows, in tracert for example, the first hop is to the router 192.168.1.1 (as I'd expect) whereas with OpenVPN, it's not at all obvious (unless one types 192.168.1.1 in the browser) that there is a direct connection to the home router? (Clearly, I need to do a lot more reading about the different vpn protocols and methods.)

Martin
 
Back on cellular and OpenVPN from my iPhone:

As suggested, I changed the setting "Direct clients to redirect Internet traffic" on OpenVPN from No to Yes, and the picture changes:

[screenshot: traceroute over OpenVPN with redirect enabled]

[screenshot: public IP check over OpenVPN with redirect enabled]

So 10.8.0.1, the first tracert hop, will be the local address of my router in the OpenVPN setup, equivalent to 192.168.1.1 in the PPTP setup; this makes more sense to me.

And now when I type Whatsmyip.org, I see the public IP address of my router. So certainly the "Direct clients to redirect Internet traffic" has a significant effect. Which makes me wonder why the default is No? In fact, I wonder under what conditions one would want No rather than Yes for this option?


Martin
 
Does Asus stock work as yours? Do you, or anyone, know anything about Padavan's Asus implementation?

Asus's stock took the OpenVPN code from my firmware, so it's nearly identical in its OpenVPN implementation.

 
Which makes me wonder why the default is No? In fact, I wonder under what conditions one would want No rather than Yes for this option?


Martin
The most common reason why people want to connect back home is to access their LAN. Routing all their internet traffic through it would only significantly slow it down. So it makes sense to default this setting to No.


 
Many thanks to everyone for your kind patience and explanations; the picture is starting to take shape. It took me months to develop an understanding of ssh that I was happy with; thankfully, getting my head around VPNs is happening a lot faster. It's probably because, compared to doing this on my Linksys with DD-WRT, Merlin's firmware makes child's play of it all.

I also discovered that there is an interesting logfile in the OpenVPN app on my iPhone:

[screenshot: OpenVPN app log]

I look forward to running OpenVPN remotely on my Windows laptop, and I'm sure the picture will become clearer still.

Many thanks again

Martin
 
Asus's stock took the OpenVPN code from my firmware, so it's nearly identical in its OpenVPN implementation.


Thanks. Another detail filed away for future reference.

Hopefully, someone with Netgear knowledge will reply, too. Ditto Padavan.

I'm guessing an Edgerouter lite I have set aside for later experimentation will be closer to DD-WRT than Asus with respect to OpenVPN.

I like the idea of putting OpenVPN on a router for pass through from public wi-fi. Everyone should do it. All router manufacturers should make it easy to configure, although I like the idea of certificates. It seems like certificates are somewhat optional on the non-DD-WRT builds.

DD-WRT is an excellent tool to make an old router relevant and add a feature or two that stock firmware doesn't provide for your router model ... assuming you don't mind the risk of getting an unstable release. I got a nice three part series out of my efforts, too.
 
whatismyip.com told me that the VPN worked because the connection from public wi-fi used my home ip. tracert implied a good connection by telling me that my top point was my VPN server's address.

This will indeed tell you for sure if your tunnel is properly working. Also, some providers will force you to use their DNS servers to prevent any information leak through your DNS queries. In Asuswrt(-merlin), you just need to set the DNS option to either "Strict" or ideally "Exclusive" to handle that. It will properly configure dnsmasq accordingly.


When using the OpenVPN Connect app on my iPhone to remotely tunnel home to my router and then back out to the Internet through the OpenVPN server in the firmware, I've used whatsmyip.org together with ad blocking as a test of correct working.

In URL filtering under Firewall, I include the word doubleclick, which blocks any domain with that word in it. The advert at the top of the whatsmyip.org page comes from googleads.g.doubleclick.net, so the ad does not appear when calling up whatsmyip.org from inside my network. However, when away from home and using OpenVPN Connect to remotely access the Internet through my home router, I call up whatsmyip.org and first check that the public IP address is that of my home gateway. Then when I see the doubleclick advert at the top of the page, I am reassured that there is encryption between my iPhone and my home router (because the URL filtering doesn't work with encrypted or compressed traffic).

I know that seeing one's home public IP in whatsmyip.org, when tunneling in, is necessary to ensure OpenVPN is working properly but I don't know if it is sufficient. Therefore, rightly or wrongly I take the doubleclick ad at the top as a little extra reassurance that OpenVPN is working.


Martin
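Martin asks earlier in the thread whether there is a test short of Wireshark for whether encryption is actually taking place, and a later post finds the client log in the OpenVPN app. That log records what the client negotiated for the data channel, which is the part that matters: a public-IP check only shows where packets exit, not whether they were protected on the way. The following is an added example, not from the thread, from the OpenVPN project or from Asuswrt-Merlin: a Python audit of such a log. Both sample logs are constructed; the message texts are ones OpenVPN 2.x prints, while the timestamps, addresses and cipher choices are invented for the demonstration.

```python
"""Audit what an OpenVPN client log says about the tunnel it built.

Added example for this thread, not code from the OpenVPN Connect app,
Asuswrt-Merlin or the posters. The two logs are constructed: the message
texts are ones OpenVPN 2.x prints; timestamps, addresses and cipher choices
are invented for the demonstration.
"""
import re

# A session that came up with a cipher, an HMAC, a pushed full-tunnel default
# route and a pushed DNS server.
GOOD_LOG = """\
Thu Jan  1 12:00:01 2015 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Thu Jan  1 12:00:01 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Thu Jan  1 12:00:01 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  1 12:00:02 2015 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 192.168.1.1,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,ifconfig 10.8.0.8 255.255.255.0'
Thu Jan  1 12:00:02 2015 Initialization Sequence Completed
"""

# A session that "works" (routes come up, LAN is reachable) but protects
# nothing: no server certificate check and 'cipher none'.
BAD_LOG = """\
Thu Jan  1 12:05:00 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Thu Jan  1 12:05:01 2015 ******* WARNING *******: null cipher specified, no encryption will be used
Thu Jan  1 12:05:01 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan  1 12:05:02 2015 PUSH: Received control message: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route-gateway 10.8.0.1,ifconfig 10.8.0.8 255.255.255.0'
Thu Jan  1 12:05:02 2015 Initialization Sequence Completed
"""

TS_RE = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} ")
CIPHER_RE = re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel Encrypt: Using \d+ bit message hash '([^']+)' for HMAC")
PUSH_RE = re.compile(r"PUSH: Received control message: 'PUSH_REPLY,([^']*)'")


def audit_log(text):
    """Parse one client session and return a report dict whose 'problems'
    list is empty only when the log shows an encrypted, authenticated,
    certificate-verified tunnel that finished coming up."""
    report = {"cipher": None, "key_bits": 0, "hmac": None, "pushed": [],
              "dns": [], "full_tunnel": False, "warnings": [], "completed": False}
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)           # drop the timestamp prefix
        if m := CIPHER_RE.search(line):
            report["cipher"], report["key_bits"] = m.group(1), int(m.group(2))
        elif m := HMAC_RE.search(line):
            report["hmac"] = m.group(1)
        elif m := PUSH_RE.search(line):
            report["pushed"] = [o.strip() for o in m.group(1).split(",")]
        elif "WARNING" in line:
            report["warnings"].append(line)
        elif line == "Initialization Sequence Completed":
            report["completed"] = True
    report["full_tunnel"] = any(o.startswith("redirect-gateway") for o in report["pushed"])
    report["dns"] = [o.split()[2] for o in report["pushed"] if o.startswith("dhcp-option DNS ")]
    report["problems"] = find_problems(report)
    return report


def find_problems(report):
    """Turn the parsed facts into the checks a practitioner cares about."""
    problems = []
    if not report["completed"]:
        problems.append("initialisation never completed")
    if report["cipher"] is None:
        problems.append("no data-channel cipher negotiated: payload is not encrypted")
    if report["hmac"] is None:
        problems.append("no HMAC negotiated: packets are not authenticated")
    for w in report["warnings"]:
        if "certificate verification" in w:
            problems.append("server certificate not verified: an impostor server could MITM the session")
        if "null cipher" in w:
            problems.append("'cipher none' in effect")
        if "null MAC" in w:
            problems.append("'auth none' in effect")
    return problems


if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        r = audit_log(log)
        print(f"{name}: cipher={r['cipher']} hmac={r['hmac']} "
              f"full_tunnel={r['full_tunnel']} dns={r['dns']}")
        for p in r["problems"]:
            print("  PROBLEM:", p)
```

An empty problems list is the log-level counterpart of the whatismyip check discussed above, plus the parts that check cannot see: a cipher and HMAC on the data channel and a verified server certificate. The doubleclick heuristic in the last post shows only that the router's URL filter did not see the request; it says nothing about the cipher. For a packet-level answer on a laptop, capture on the Wi-Fi interface while excluding the server's UDP port: anything else appearing there is leaving in the clear.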
 
