If my exit point is my home - how can website know I'm using a VPN?

Background:

I’m remote, logged into my home network via a wireguard VPN hosted on my router.

If I check my WAN IP it shows me the IP of my home.

I just attempted to download the Windows 11 ISO to install and was denied - MS wouldn’t allow it: ["Some users, entities and locations are banned from using this service. For this reason, leveraging anonymous or location hiding technologies when connecting to this service is not generally allowed."]

I’m confused and obviously missing something. I thought since I was connected into my home network via wireguard and my public IP is showing that IP, that as far as any website would know I was physically there at that site. How do they know that I’m using a VPN? Is there any way to fix this?

Do you have exceptions in your AllowedIPs? When you go to https://www.whatismyip.com/, what do you see?

When you say WAN IP, I assume you mean your router has a WireGuard interface, but it MUST also have a route to the internet that is not your WireGuard interface (i.e., you can’t VPN somewhere without an actual internet connection). If your default route is your public internet interface, some traffic may go through your public internet interface.

Easiest way is just to use whatismyip, and that should use the default route set for HTTPS traffic.

If whatismyip shows your WireGuard IP, then the Microsoft website must be using some other non-IP-based smarts to determine it. If it shows your non-VPN IP, then it’s either AllowedIPs or an issue with your default routes on your router.

There are privacy-oriented browsers and extensions… but the IP address is not the only thing a website can gain from your browser.

Now that you have WireGuard up, check out some privacy extensions (e.g., Privacy Badger or uBlock). You could also remote desktop into a machine at home to carry out the download, then copy the ISO over.

Hi, very interesting response from Microsoft. Are you able to download it on the exact same computer, same browser, same plugins when directly connected to the LAN?

Would it be possible to take a Wireshark capture for both cases?

Correct me if I’m wrong, but WireGuard doesn’t handle UDP packets, so it’s pretty simple to leak that way.

If you have DNS leakage, a website may learn your real IP address from a specially crafted DNS host that only your browser would query.

This is easy to solve, which is to take extra precautions to avoid DNS leakage (when your traffic goes through the VPN but the DNS requests are sent to the local DNS server).

I’m not sure if you’re doing this, but if you stop the VPN at any time and use the browser again after starting the VPN, the browser holds the information from the time you weren’t using the VPN. So, when I have the VPN off and start it back up, I always close the browser, kill it and restart it again to make sure I am using the VPN traffic. If I don’t use this process I always fail the DNS leak test. Not sure if you’re doing this, but just something I have seen before where my VPN will fail.

A website can get your timezone from your browser.

This WireGuard VPN server was simply enabled on my router (Firewalla Gold) and then I set up the tunnel. I don’t believe any other changes or exceptions were ever made, but I am not sure exactly how to check that.

My path is laptop → WireGuard VPN → home router VPN server → public internet.

whatismyip shows my home router WAN/ISP public IP address; that’s what I meant in my original post. AFAIK that means the rest of the world thinks I’m actually there at that LAN, but I’m not. And yet somehow Microsoft knows I’m using a VPN when I’m on their website.

Maybe I’m mistaken, but I thought unless I set up split tunneling, by default everything going to the WAN will go out through the VPN connection (and thus out my home ISP connection on that IP address since I’m connected).

Edit: just checked my .conf; it has AllowedIPs=0.0.0.0/0, so I think that means no exceptions.

Hmmm… I suppose that’s possible. I didn’t check.

I don’t know why else it would block me, I’m a pretty normal home user on a typical carrier and rarely download anything from ms.

I guess I can’t know for sure.

You’re wrong. WireGuard DOES handle UDP packets.

I have run my own DNS server.

But again, I’m connecting just from my place of work and my home. I’m not trying to avoid detection of where I’m going like you might using a typical VPN. I’m just using it to connect to my LAN to access things that are not open to the internet.

You should also add ::/0 to route IPv6 through your VPN.

Yep, so the default route is still to the non-VPN WAN then. Or rather, in the context of a router, you will want to add your VPN interface as your default gateway/network.

Set your default network as your VPN IP https://help.firewalla.com/hc/en-us/articles/360023857913-Firewalla-Box-Network-Settings

Try https://www.dnsleaktest.com/

I think you need a better Firewall Zone config along with proper PBR rules.

This is probably the answer.

My ISP doesn’t serve IPv6 and it’s off on my router. I wish I could get it.

I apologize for my lack of understanding. Networking is interesting to me but confusing.

My perception was that my connection from my laptop over the VPN was to the subnet created by my router, and then the router was connecting that local subnet IP to the WAN (hence seeing my WAN IP as the same as my router’s public IP).

So I’m not sure what you mean by non-VPN WAN routing.

Just to be clear, I’m not trying to obfuscate my IP to exit somewhere else (I have a separate AirVPN route running in a Docker container on a local server, and I can connect services to that which I want to appear to exit elsewhere, i.e. overseas). For my current task, I just want anyone I connect to to see me as originating from my home network, as if I were logged in on my local wifi.

Are you saying with what I have setup this is not happening? If so I’m confused since my WAN IP is the same as my router.

Again thank you so much for taking time to teach me, I know just enough to get myself into trouble!

No CGNAT. I’m on a static WAN IP.

The ISP at your remote location might give you an IPv6 address. Then the site you are trying to reach will be served over IPv6 outside of your VPN. Adding ::/0 to your AllowedIPs will route IPv6 through your VPN… due to the lack of IPv6 at your home location, IPv6 will not work properly on your VPN client… so it’s sort of disabled.
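Pulling together the AllowedIPs, ::/0 and DNS points raised in this thread (an added example, not code from any poster or from WireGuard itself): a small Python script that parses a WireGuard client .conf and reports which kinds of traffic the cryptokey routing table would actually send into the tunnel. The three configs inside are constructed for illustration (placeholder keys, a non-resolvable endpoint); the parser only reads the handful of keys it needs, and the routing test is a model of AllowedIPs matching, not of the router's own default-route or policy-routing setup.

```python
"""Added example: check a WireGuard client config for the leaks this thread
discusses: IPv6 routed outside the tunnel (no ::/0) and DNS sent outside it.
The configs below are constructed for illustration; keys and the endpoint
are placeholders, not real values."""
import ipaddress

# Constructed: a full-tunnel IPv4-only peer, like the thread's AllowedIPs=0.0.0.0/0.
V4_ONLY_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24
DNS = 10.8.0.1

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 0.0.0.0/0
"""

# Constructed: the same peer with ::/0 added, as suggested in the thread.
DUAL_STACK_CONF = V4_ONLY_CONF.replace("AllowedIPs = 0.0.0.0/0",
                                       "AllowedIPs = 0.0.0.0/0, ::/0")

# Constructed: a split tunnel that only carries the home LAN and sets no DNS.
SPLIT_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.8.0.2/24

[Peer]
PublicKey = <router-public-key-placeholder>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
"""


def parse_conf(text):
    """Minimal parser for the [Interface]/[Peer] keys used below."""
    section, iface, peers = None, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if section == "peer":
                peers.append({})
            continue
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip()
        if section == "interface":
            target = iface
        elif section == "peer":
            target = peers[-1]
        else:
            continue  # key outside any section: ignore
        if key == "allowedips":
            target.setdefault("allowedips", []).extend(
                ipaddress.ip_network(x.strip(), strict=False) for x in val.split(","))
        elif key == "dns":
            target.setdefault("dns", []).extend(x.strip() for x in val.split(","))
        else:
            target[key] = val
    return iface, peers


def tunneled_by(dest, peers):
    """Cryptokey routing: the peer whose AllowedIPs contains dest with the longest
    prefix, or None when the packet stays on the normal (non-VPN) route."""
    dest = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for peer in peers:
        for net in peer.get("allowedips", []):
            if net.version == dest.version and dest in net and net.prefixlen > best_len:
                best, best_len = peer, net.prefixlen
    return best


def leak_report(text):
    """Summarise whether public v4/v6 destinations and DNS go through the tunnel."""
    iface, peers = parse_conf(text)
    # TEST-NET-3 and the documentation v6 prefix stand in for "some public site".
    v4_ok = tunneled_by("203.0.113.10", peers) is not None
    v6_ok = tunneled_by("2001:db8::1", peers) is not None
    dns_servers = []
    for entry in iface.get("dns", []):
        try:
            dns_servers.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            pass  # a search domain, not a resolver address
    # With no DNS= line wg-quick leaves the OS resolver alone, so queries go to
    # whatever the remote network handed out, i.e. outside the tunnel.
    dns_ok = bool(dns_servers) and all(tunneled_by(d, peers) is not None for d in dns_servers)
    return {"ipv4_full_tunnel": v4_ok, "ipv6_full_tunnel": v6_ok,
            "dns_servers": dns_servers, "dns_tunneled": dns_ok}


if __name__ == "__main__":
    for name, conf in (("v4-only", V4_ONLY_CONF), ("dual-stack", DUAL_STACK_CONF),
                       ("split", SPLIT_CONF)):
        print(name, leak_report(conf))
```

Run it as-is and the v4-only config reports IPv4 and DNS tunneled but IPv6 not: exactly the case where a remote network with IPv6 lets a dual-stack site see the laptop's real address. The dual-stack config closes that gap; note that when the home side has no IPv6, ::/0 pulls v6 into a tunnel that cannot deliver it, so the check confirms the traffic no longer leaks, not that IPv6 works. The split config shows the other direction: only the LAN prefixes are captured, and without a DNS line queries follow the remote network's resolver.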