peacey / split-vpn

A split tunnel VPN script for Unifi OS routers (UDM, UXG, UDR) with policy based routing.
GNU General Public License v3.0

DPI on client connected with openvpn #165

Closed Gitsterz closed 1 year ago

Gitsterz commented 1 year ago

Hi, not sure this is an issue but wanted to know how it works. I’ve successfully set up the script to route all my traffic on a subnet to my VPN provider. Looking at whatismyip.com, my VPN provider turns up. However, if I look at the client in the UniFi controller I can still see DPI traffic such as YouTube, Netflix etc. Is this intended behaviour? How can the router do DPI on VPN traffic?

Let me know if I should supply any configuration data.

peacey commented 1 year ago

Hi @Gitsterz,

The router has access to the raw VPN interface (tun0/wg0/etc). Traffic on this interface is not encrypted. It is only encrypted when the VPN traffic is forwarded to the WAN interface. So the router can easily inspect traffic on your unencrypted VPN interface.

A long time ago there was some user who used this script and had the same issue, and he figured out that there was a config file you can modify on the UDM that defines what interfaces DPI is allowed to use. I can't remember where that config file is unfortunately...

Gitsterz commented 1 year ago

Thanks for clarifying. I will look into that custom config to leave certain interfaces out of DPI. It’s not a big deal, just wanted to make sure that the traffic leaving my router was encrypted.

peacey commented 1 year ago

No problem. FYI, you can always inspect the traffic on the WAN interface (with tcpdump) to see that VPN traffic is always encrypted. For example, you can ping some obscure IP from a VPN-forced client and then check that that IP doesn't show up on the WAN packets (and that only the VPN server IP is being communicated with).
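The WAN-side check described in the comment above, as an added example that is not part of the split-vpn project: capture packets on the WAN port with `tcpdump -nn`, then confirm that the test IP the VPN-forced client pinged never appears in the clear while the VPN server's IP does. The capture text, the client WAN address 192.0.2.10, the VPN server address 203.0.113.5, the test address 198.51.100.7 and the WAN interface name eth4 are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not the project's code). Checks tcpdump output from the WAN
# interface for a leak of a VPN-forced client's traffic.

# Constructed sample of `tcpdump -nn -i eth4 ip` output on the WAN port while a
# VPN-forced client pings 198.51.100.7 (a placeholder "obscure" IP).
# 203.0.113.5 stands in for the VPN server; only the encrypted tunnel is visible.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.0.2.10.51820 > 203.0.113.5.51820: UDP, length 148
12:00:01.000200 IP 203.0.113.5.51820 > 192.0.2.10.51820: UDP, length 148
12:00:02.000300 IP 192.0.2.10.51820 > 203.0.113.5.51820: UDP, length 148'

# Count capture lines that mention an IP address as source or destination.
# $1 = capture text, $2 = IP address. Fixed-string match, so dots are literal.
count_packets_to() {
    printf '%s\n' "$1" | grep -cF "$2" || true
}

# Pass (exit 0) only if the test IP never appears on the WAN in the clear AND
# packets to the VPN server were seen (so the capture actually observed traffic).
# $1 = capture text, $2 = test IP pinged by the client, $3 = VPN server IP
wan_traffic_is_tunneled() {
    capture="$1"; test_ip="$2"; vpn_ip="$3"
    leaks=$(count_packets_to "$capture" "$test_ip")
    tunnel=$(count_packets_to "$capture" "$vpn_ip")
    [ "$leaks" -eq 0 ] && [ "$tunnel" -gt 0 ]
}

# Live usage on the router (run as root while the client pings the test IP).
# The WAN interface name eth4 is an assumption; check yours with `ip route`.
#   live=$(tcpdump -nn -i eth4 -c 50 ip 2>/dev/null)
#   wan_traffic_is_tunneled "$live" 198.51.100.7 203.0.113.5 && echo "tunnel OK" || echo "LEAK"

if wan_traffic_is_tunneled "$SAMPLE_CAPTURE" 198.51.100.7 203.0.113.5; then
    echo "sample capture: tunnel OK, test IP never seen in the clear"
else
    echo "sample capture: LEAK, test IP visible on WAN"
fi
```

The check only proves that the specific test destination was not contacted in the clear; DNS, NTP and other traffic originated by the router itself will still legitimately appear on the WAN, which is why the function looks for the test IP rather than rejecting every non-VPN packet.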