VPN connects but with no useful data flow

[peter-h]

I have set up two of these, terminated on a Draytek 2960 router. One is PPTP and the other is L2TP/IPSEC.

The PPTP one is especially simple to set up. I have set that up on various different Draytek boxes and all worked straight off. Draytek call them Teleworker VPNs.

Both of them connect i.e. authenticate, and I can see an IP has been allocated, which is from the LAN subnet of the router. From either, I can ping devices on the LAN.

I cannot ping e.g. cisco.com but ping shows the right IP so DNS is presumably working.

And I can run an RDP client but this goes to a fixed IP machine on the LAN, like the pings.

The client (phone, tablet, laptop) has no functioning internet access. A web browser, etc, does nothing... So it looks like the VPN termination cannot get outside the router.

It isn't the firewall; I can disable that.

Does anyone have any ideas? These sorts of issues are all over the internet but with no apparent solutions.

A supposedly identical setup, with identical clients, works fine on several 2955 routers, including one which served in the same place, before being replaced with the 2960. The 2960 is somehow different...

[peter-h]

I have solved it.

The system defaults (for what traffic is monitored by the firewall) are different in the Draytek 2960 from the 2955.

The 2955 connected remote VPN clients to the outside (internet), without any firewall rules being required. AFAICT, from tests, its firewall is totally bypassed by VPN traffic. So if e.g. 123.124.125.126 was constantly hacking your VPN ports, you cannot block him.

The 2960 firewall may process VPN traffic fully, or not, but definitely it blocks the VPN clients' traffic going outside onto the WAN.

To compound the debugging, I was mistakenly "disabling" the firewall by unchecking all its rules, which is ok on the 2955 but is no good on the 2960 because of the different default behaviour. I discovered this when I disabled the fw by changing its default from Block to Accept.

Now I get internet connectivity via PPTP.

Can't get L2TP to work on the 2960, from android, but that doesn't matter. I recall it worked with win10.

AFAICT the security worry with PPTP is that it is possible to intercept the login credentials, on e.g. a compromised wifi AP. The VPN port is not a security issue in itself. The attacker needs the username+pwd. I did a lot of reading on this topic and everybody was just repeating the same stuff they got off the internet...

[peter-h]

I posted a summary on the Draytek site, FWIW, in case somebody finds this on google...

https://forum.draytek.co.uk/viewtopic.php?f=14&t=23384

[Halcyon]

It seems to me that you are not using a good VPN. Try to use the NordVPN and Surfshark.

I think the OP means VPN in the traditional sense, as in connecting two private networks together over the public internet. Not the "consumer" understanding of VPN, which by the way is mostly a stupid idea. How is it you can trust some relatively unknown VPN company to not log or intercept your internet traffic more than your ISP?

[capt bullshot]

I think the OP means VPN in the traditional sense, as in connecting two private networks together over the public internet. Not the "consumer" understanding of VPN, which by the way is mostly a stupid idea. How is it you can trust some relatively unknown VPN company to not log or intercept your internet traffic more than your ISP?

Yep, the OP has to deal with the various nuances of VPN connections (e.g. from your holiday place to your home, or as a home office worker to yer office). This is really depending on how the manufacturer of your equipment has implemented that stuff, and has absolutely nothing to do with NordVPN and others from that breed.

[JoJo]

I think the problem you've described is not a unique one. I guess that it looks like the VPN termination cannot get outside the router. But there is another option. You can set up a new connection network on your computer or laptop and connect it to the VPN service. It may be a chance it won't be blocked because the system won't be able to identify it. I'm not sure to the core, but I think that this https://pinpointvpn.com/nordvpn-review-is-it-any-good-in-2021/ VPN can be an ideal solution in this case. It has very many servers from all over the world and you may find the one that won't be blocked during your operation.

[NiHaoMike]

What VPN can you recommend for everyday use?

Wireguard: https://www.wireguard.com/
Look up PiVPN for an easy way to set it up.