Posted: Sat Nov 26, 2022 20:43 Post subject: Wireguard VPN and instacart.com
Running Netgear R9000 build 50474 Wireguard VPN to Windscribe.
When I try to access instacart.com or fredmeyer.com, I get blocked with an access denied message.
I've corresponded with instacart support, and they tell me that they do not allow access through VPNs. As stupid as that is, it's clearly not a DD-WRT problem.
Where DD-WRT comes in is that I have attempted to add "Route Selected Destinations via WAN" to my Wireguard tunnel configuration, and tried specifying both www.instacart.com and the IP address I get by pinging www.instacart.com as destinations for PBR.
Routing the destinations via WAN did not allow me to access instacart. I am curious as to why that might be. For now, I am just taking down the VPN when I want to use instacart, but that's a bit of a pain.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Sat Nov 26, 2022 22:28 Post subject:
I will move your thread to the more appropriate Advanced Networking forum, see the forum guidelines with helpful pointers about how to research your router, where and what firmware to download, where and how to post and many other helpful tips:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
I did not try Split DNS. I read about it and doubt I really understand it.
The forum document says this:
-----------
Both OpenVPN and WireGuard can use Split DNS, meaning that the Policy Based Routing (PBR) sources
will use the DNS server which is using their route, e.g. if the selected sources are routed via the VPN they will use the VPN DNS server, and other sources which are routed via the WAN will use the WAN DNS servers.
-----------
I may be reading that wrong, but what it says to me is that I have to identify some of my hosts through PBR to use the WAN instead of the VPN. But I want all hosts on my network to use the VPN all the time, except that this causes problems with (a very few) websites. I'm not understanding how to use Split DNS to tell my local hosts to use the WAN only for certain websites.
Or are you suggesting that I just temporarily set a PBR entry for one host and try a problem website to see if I can access it, to try and isolate the problem? If that's the case, I just tried it, and yes, with the computer I'm typing on now listed in the PBR as route to WAN, I can now access the problem websites.
Afraid I am not enough of a networking guru to know what I'm doing here.
Joined: 18 Mar 2014 Posts: 12922 Location: Netherlands
Posted: Sun Nov 27, 2022 11:09 Post subject:
You have added instacart to the Destination for PBR field and chose Selected Destinations via the WAN; as said, that does not always work if the domain resolves to many changing IP addresses or uses other subdomains.
But another problem could be that when you resolve instacart, the DNS server of the VPN is used to do that, and instacart might be checking this and thus concludes that you are still using the VPN for instacart.
So for the resolving of instacart.com you should use a DNS server which is routed via the WAN and not the VPN DNS server.
To see if that is the problem, in the WireGuard GUI for Destination for PBR, besides instacart.com, add 9.9.9.9.
On the services page under DNSMasq additional options add:
server=/instacart.com/9.9.9.9
Now instacart.com will be resolved by DNS server 9.9.9.9, and that server is routed via the WAN.
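The point of the two settings above is that they have to agree: the upstream named in the dnsmasq `server=/domain/ip` line must itself be a PBR destination routed via the WAN, or the domain is still resolved through the tunnel. The following is an added example, not code from the thread or from DD-WRT, that cross-checks the two fields; the sample inputs are constructed, and it assumes the PBR destination field is space- or comma-separated.

```python
import ipaddress
import re

# Constructed sample inputs (not taken from the thread): the dnsmasq option
# from the post, and the PBR destination field before/after adding 9.9.9.9.
DNSMASQ_OPTIONS = "server=/instacart.com/9.9.9.9\n"
PBR_BEFORE = "instacart.com"
PBR_AFTER = "instacart.com 9.9.9.9"

SERVER_LINE = re.compile(r"^server=/(?P<domain>[^/]+)/(?P<upstream>\S+)")

def parse_dnsmasq_servers(options_text):
    """Return {domain: upstream} for every 'server=/domain/upstream' line."""
    mapping = {}
    for raw in options_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SERVER_LINE.match(line)
        if m:
            mapping[m.group("domain").lower()] = m.group("upstream")
    return mapping

def parse_pbr_destinations(field_text):
    """Split the PBR destination field (assumed space/comma separated) into a set."""
    return {t for t in re.split(r"[\s,]+", field_text) if t}

def is_routed_via_wan(upstream, destinations):
    """True if the upstream address is covered by an IP or CIDR PBR destination."""
    addr = ipaddress.ip_address(upstream.split("#")[0])  # dnsmasq allows ip#port
    for dest in destinations:
        try:
            if addr in ipaddress.ip_network(dest, strict=False):
                return True
        except ValueError:
            continue  # a hostname entry cannot be compared with an address
    return False

def check_split_dns(options_text, pbr_text):
    """List (domain, upstream, problem) tuples; an empty list means consistent."""
    problems = []
    dests = parse_pbr_destinations(pbr_text)
    for domain, upstream in parse_dnsmasq_servers(options_text).items():
        if domain not in dests:
            problems.append((domain, upstream, "domain not in PBR destinations"))
        if not is_routed_via_wan(upstream, dests):
            problems.append((domain, upstream, "upstream resolver not routed via WAN"))
    return problems
```

Running `check_split_dns(DNSMASQ_OPTIONS, PBR_BEFORE)` flags the resolver as still routed through the tunnel, while `PBR_AFTER` comes back clean.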
If I add 9.9.9.9 to Destinations for PBR, then ping 9.9.9.9 reports destination port unreachable. So attempts to reach instacart.com fail when the DNSMasq additional option is set because instacart.com won't resolve.
Without the PBR destination entry, ping 9.9.9.9 works.
I tried 8.8.8.8 in case there was something weird about 9.9.9.9, but same results.
With 9.9.9.9 in PBR destinations to WAN, if I ping 9.9.9.9 from a PuTTY SSH session to the DD-WRT router, the ping works. Ping only reports destination unreachable if I ping from the computer on which I'm typing this.
Tried ipconfig /renew but it didn't help. ipconfig /flushdns was also no help.