Router VPN / Streaming / Daisy Chain Routers / Security

[GoldWing]

Hello,

I use my home network which is connected to broadband internet connection for the purposes such as streaming, financial secured web accounts, insurance secured web accounts, and health secured web accounts. More recently it seems that the streaming services that I've used a VPN are now blocking access when running OpenVPN protocol from the router which required turning the router VPN off when steaming.

After doing some research to solve the steaming non-VPN constraint I've experimented daisy chaining routers with the #1 router (i.e. Asus RT-AX3000) being used for streaming, and the #2 router (RT-AX86U Pro) using a VPN on the router for the secured web accounts. It was achieved by changing the IP address of #2 router to be different than #1, changing the IP pool starting and ending address of router #2 to not overlap router #1, and using Ethernet cable / J45 plug from #2 router WAN port to one of #1 router's LAN ports. This seems to work without not much difference in expected download speeds from either router.

My question is what are your thoughts in regards to security when browsing from a device using router #2 with the router VPN using OpenVPN protocol?

Since I'm not a network expert, I thought that I'd ask the above question to those with more expertise.

Thanks!

Regards,

Goldwing

 

[L&LD]

What VPN are you actually using? OpenVPN is only 'secure' between the two devices it connects, everything before and after isn't 'secure'.

From my quick reading of your network setup, I don't feel your network is any more secure than without all the changes you've made to it.

 

[ColinTaylor]

My question is what are your thoughts in regards to security when browsing from a device using router #2 with the router VPN using OpenVPN protocol?

Your new setup will work mostly as before. Security hasn't really changed at all other than now you have two separate networks where devices on router #1 can't see/connect to devices on router #2.

I was going to point out that using a commercial VPN service doesn't add any security as your banking/health (basically anything that uses HTTPS) is already secure. But then I remembered that you've already had that explained before.

 

[GoldWing]

I'm using NordVPN's OpenVPN TCP file downloaded from https://nordvpn.com/ovpn/ uploaded into Asuswrt-Merlin's 388.2 firmware for a VPN Client. For additional RT-AX86U Pro router settings see the addtional images uploaded per the image file names below.
1) RT-AX86U_Pro_VPN_Client_Settings.JPG
2) RT-AX86U_Pro_WAN_DNS_Setting.JPG

Thank You!

Regards,

Goldwing

 

[ColinTaylor]

There is an error on your first screenshot. "Username / Password Auth. Only" should be set to "No". I'm guessing it already was but you changed it for the screenshot for some reason.

 

[GoldWing]

There is an error on your first screenshot. "Username / Password Auth. Only" should be set to "No". I'm guessing it already was but you changed it for the screenshot for some reason.

Actually I did not change it. After you "Upload" the OVPN file the Router's WUI refreshes, and afterward the default "No" changes automatically to "Yes", so apparently the culprit is either the Asus-Merlin firmware 388.2 on the upload, or possibly NordVPN. I'm thinking there is a possible handshake to NORDVPN's VPN server because the upload will not complete unless their is an Internet connection. Having said that the VPN client will not connect to NordVPN's server without user authentication, and will generate an error stating "Error - Authentication failure". So the setting must be set to "Yes" without regard to who or what changes the "Username / Password Auth. Only" setting.

See the files below.
1) RT-AX86U_Pro_VPN_BlankClientSettings.JPG
2) RT-AX86U_Pro_VPN_ClientSettingsImmediatelyAfterUpload.JPG

Regards,

GoldWing

 

[GoldWing]

I was going to point out that using a commercial VPN service doesn't add any security as your banking/health (basically anything that uses HTTPS) is already secure.

I've opted to use DoT rather than DoH. I'm not trying to start a debate. It is my preference after reading Cloudflare's explanation at https://www.cloudflare.com/learning/dns/dns-over-tls/ AND the use of Cloudflare's malware protection by using DoT.

Regards,

GoldWing

 

[GoldWing]

What VPN are you actually using? OpenVPN is only 'secure' between the two devices it connects, everything before and after isn't 'secure'.

From my quick reading of your network setup, I don't feel your network is any more secure than without all the changes you've made to it.

Sorry for not quoting you in my earlier response. To add to the 2 additional images posted earlier I've added the WAN DNS Setting image below for router #1.

Regards,

GoldWing

 

[ColinTaylor]

Actually I did not change it. After you "Upload" the OVPN file the Router's WUI refreshes, and afterward the default "No" changes automatically to "Yes", so apparently the culprit is either the Asus-Merlin firmware 388.2 on the upload, or possibly NordVPN.

I'm not talking about the "Username/Password Authentication" option (which must be Yes). I'm talking about the "Username / Password Auth. Only" option. I've just uploaded a NordVPN profile to my router and it does change that option for some reason. But regardless of whether it's set to Yes or No it will still connect. In theory it should be more secure connecting to NordVPN with that set to No.

I've opted to use DoT rather than DoH. I'm not trying to start a debate. It is my preference after reading Cloudflare's explanation at https://www.cloudflare.com/learning/dns/dns-over-tls/ AND the use of Cloudflare's malware protection by using DoT.

DNS is a completely different subject to VPN. There are some lengthy posts in the forum discussing the pro's and con's of using DoT or DoH.

 

[L&LD]

@GoldWing, my assessment hasn't changed. Your security isn't substantially different with the changes you've implemented (aside from the 'benefits' of what @ColinTaylor posted in post 3, above).

All you've accomplished with the VPN is trust them, instead. And for the record, I don't trust any 'paid-for' VPN, at all.

 

[CaptainSTX]

Hello,

I use my home network which is connected to broadband internet connection for the purposes such as streaming, financial secured web accounts, insurance secured web accounts, and health secured web accounts. More recently it seems that the streaming services that I've used a VPN are now blocking access when running OpenVPN protocol from the router which required turning the router VPN off when steaming.

After doing some research to solve the steaming non-VPN constraint I've experimented daisy chaining routers with the #1 router (i.e. Asus RT-AX3000) being used for streaming, and the #2 router (RT-AX86U Pro) using a VPN on the router for the secured web accounts. It was achieved by changing the IP address of #2 router to be different than #1, changing the IP pool starting and ending address of router #2 to not overlap router #1, and using Ethernet cable / J45 plug from #2 router WAN port to one of #1 router's LAN ports. This seems to work without not much difference in expected download speeds from either router.

My question is what are your thoughts in regards to security when browsing from a device using router #2 with the router VPN using OpenVPN protocol?

Since I'm not a network expert, I thought that I'd ask the above question to those with more expertise.

Thanks!

Regards,

Goldwing

The more correct description of how your routers is set up is in a double NAT. Normally when you do that each router has its own sub-net for the LAN and the WAN port on the second router is connected to a LAN port on router one.You have the setup as mentioned so that devices on router two are your most secure and can't be seen by devices on router one.

As mentioned how much the security and privacy a commercial VPN offers is not as much as they would like you to believe. Depending on how your VPN is setup on router two you will have a different public IP than the public IP for router one. That may or may not be an useful feature.

Be aware that just as streaming services block the IP blocks of many VPN providers so do some banks and other financial service providers.

 

[GoldWing]

I'm talking about the "Username / Password Auth. Only" option. I've just uploaded a NordVPN profile to my router and it does change that option for some reason. But regardless of whether it's set to Yes or No it will still connect. In theory it should be more secure connecting to NordVPN with that set to No.

DNS is a completely different subject to VPN. There are some lengthy posts in the forum discussing the pro's and con's of using DoT or DoH.

Yes. Agree! I'll have to look into those discussions at a later time. DNS maybe off topic to VPN, but noting L&LD's comments below.

OpenVPN is only 'secure' between the two devices it connects, everything before and after isn't 'secure'.

I brought up DNS because of L&LD's comments above. So apologize if DNS off topic. Maybe I should have brought up this topic in another forum because it seems that the discussion can veer off to related topics which in general all have to do with security / privacy on the Internet.

Regards,

GoldWing

 

[L&LD]

The topic is simple.

Unless you use your own VPN between your own equipment (at both ends) and you also don't use that equipment to go out to the 'net (at all), there is no security or privacy on the internet.

Contrary to any marketing claims to the opposite. Ever.

 

[GoldWing]

All you've accomplished with the VPN is trust them, instead. And for the record, I don't trust any 'paid-for' VPN, at all.

LOL!

To be honest when it comes to the Internet I think TRUST is to powerful of a word. I am no computer expert. I have been a computer USER for a LONG time! From what I've read about the Internet over a LONG time is the Internet is more like Swiss Cheese which has a LOT of holes in it. From a USER's perspective what I try to do is MINIMIZE my security risk while using the Internet which is the MAIN reason I have joined this forum.

Regards,

GoldWing

 

[GoldWing]

I'm talking about the "Username / Password Auth. Only" option. I've just uploaded a NordVPN profile to my router and it does change that option for some reason.

My mistake, and do apologize for the misinterpretation.

Regards,

GoldWing

 

[GoldWing]

Be aware that just as streaming services block the IP blocks of many VPN providers so do some banks and other financial service providers.

From the number of financial service providers including banks that I've used, the service providers which have problems with VPN's are in my experience the minority. I have communicated this with that Institution. Their response was that the problem is due to AI that they implemented last year.

From a computer USER's perpective for a LONG time computers are incredibly FAST, and only as good as their programers. I would think it would be reasonable to assume that a financial institution's material percentage of their customers would use a VPN on the Internet. So in this instance IMHO the programers were NOT REASONABLE.

BTW what got me using a VPN was a professional seminar at a prior employer on security which suggested to use a VPN which was some years ago. As all things in the marketplace things change.

Regards,

GoldWing

 

[ColinTaylor]

BTW what got me using a VPN was a professional seminar at a prior employer on security which suggested to use a VPN which was some years ago. As all things in the marketplace things change.

You mentioned this before in your other thread. Without knowing the specifics of that seminar I suspect the subtleties of that recommendation have been lost on you. For example, connecting from your home to your company's VPN server is secure. Connecting to a public VPN service like NordVPN is no more secure than not using a VPN, unless you're trying to hide information from your ISP. There are exceptions of course, if for example you're a dissident in an oppressive regime that monitors ISP internet activity. But otherwise you're entrusting your data to a commercial organisation based in Panama with no legal oversight. I don't see any "security" in that (and I also have a NordVPN account - for geolocation purposes).

 

[CaptainSTX]

From the number of financial service providers including banks that I've used, the service providers which have problems with VPN's are in my experience the minority. I have communicated this with that Institution. Their response was that the problem is due to AI that they implemented last year.

From a computer USER's perpective for a LONG time computers are incredibly FAST, and only as good as their programers. I would think it would be reasonable to assume that a financial institution's material percentage of their customers would use a VPN on the Internet. So in this instance IMHO the programers were NOT REASONABLE.

BTW what got me using a VPN was a professional seminar at a prior employer on security which suggested to use a VPN which was some years ago. As all things in the marketplace things change.

Regards,

GoldWing

Bank of America blocks VPNs also my bill paying service.

Banks want to know their customers so they think someone using a VPN is hiding.

 

[L&LD]

I'll try to be as clear as possible. If you're on the 'net, you're not secure.

Regardless of any 'x', where 'x' is anything promising security or privacy, even from a 'professional work seminar'.

How you minimize your risk is by using the internet as little as possible, while using a new random device each time you do connect and sharing as little as possible about yourself while you're online.

Using a paid-for VPN service is what makes you less secure, not more. 'They' don't need to look all over the net for you, they know where you can be found (inside the tunnel).

As I said, all you're doing is giving your trust to someone else, and you're happily paying for it. With no real benefits except the imaginary ones if you swallow the hook, line, and sinker and continue to believe their spiel.

A firewall is a security with proven benefits. Using your own router instead of your ISPs is another good step toward more security/privacy. Not clicking on every single link presented may be the bigger security plan you can have. But using a paid-for VPN is not security or privacy related, it is just money down the drain.

 

[GoldWing]

Connecting to a public VPN service like NordVPN is no more secure than not using a VPN, unless you're trying to hide information from your ISP.

I'm not trying to hide information from my ISP. I'm trying to maximize my privacy and security when using the Internet. No more, no less. I feel it reduces my risk. Just that simple.

There are exceptions of course, if for example you're a dissident in an oppressive regime that monitors internet activity.

Yes it is the exceptions that I'm not aware of which concern me most. I don't know what I don't know!

But otherwise you're entrusting your data to a commercial organisation based in Panama with no legal oversight. I don't see any "security" in that (and I also have a NordVPN account - for geolocation purposes).

Yes I'm trusting a Panamanian company more than the general Internet. For me TRUST is earned. See comment above. Just that simple.

Regards,

GoldWing