VPN issue with Amazon Prime Video on Brume 2

Hi,

There’s something I don’t quite understand. At my parents’ place, I set up a Brume 2 behind their ISP’s modem/router.

I activated the partial Drop-in Gateway and configured my Amazon Fire TV Stick to route its traffic through the Brume 2 gateway. On the Fire TV, I use an IPTV app (Tivimate) along with Netflix and Prime Video.

On the Brume 2, I enabled NordVPN, but only for a specific list of URLs used by the IPTV service. However, when I launch Prime Video, I get a message saying that a VPN is detected and I must disable it.

If I turn off the VPN on the Brume 2, the message disappears.

What I don’t understand is why Prime Video detects a VPN connection even though the VPN should only apply to a limited set of URLs (used by IPTV).

Thank you in advance for your help.

Because not all domains come from Amazon, you would need to exclude every single domain that is being served. The VPN providers also have assigned IPs that can be flagged by Amazon and other streaming services as being VPN IPs.

On the Fire TV you should be able to install the NordVPN app directly and then do what's called split tunneling. This will then allow you to bypass the VPN for Amazon etc. As you have found out, trying to "split tunnel" via domain isn't easy; the only way to achieve what you are doing is to keep turning the VPN off when you want to access the features, unless you go the app installation route.

Check this thread too where I also explain

Hi,

But I'm not using the "exclude" domains mode but the "include" domains mode.

As I said, only 10 domains, which are for sure not used by Amazon, should use the VPN.

Ah okay, so you are saying you have it set to only route traffic to the VPN for the domains you have entered and none of the domains are related to Amazon? Therefore Amazon shouldn't be going via the VPN and being detected as on the VPN?

@bruce might be able to help here.

Hello,

Please try to upgrade the MT2500 to v4.8.2 (beta) firmware first, and configure the VPN policy (domain list) again.

Well, first try what @bruce says.

There are also a few other things which you can verify being the cause:

  • The DNS of the VPN is still used instead of the WAN DNS. I have seen this on multiple GL firmwares and also suggested a fix, but they didn't agree with me. You can use a DHCP tag with DHCP options to override the DNS if this issue is still present; I had this with ISPs' IPTV, and very annoying this can be.

  • Since you chose a specific domain list to only route over VPN, maybe one of these sites also hosts on IP space of Amazon AWS. The problem with these clouds/CDNs is that they keep rotating their IPs, which means, vice versa, that such a rotated IP can also be involved in your Amazon Prime stream, and then the traffic actually has the firewall mark to follow the VPN. VPN policies often decrease the anonymity of your tunnels, and vice versa. This is not so easy to verify, but I know they rotate at least every 15 minutes.

    In my own setup, which is fully different from yours, I had some sites using Cloudflare which I wanted over WAN, but NextDNS also uses Cloudflare; when I visit test.nextdns.io my src IP keeps changing between WAN and VPN. This is simply because of this rotating thing; nothing I can do about that leak AFAIK. Your setup is a bit better because you only list a few sites to go over VPN, reversed from what I do, but there is still a chance it can happen.
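The overlap described in the second point is easier to see with a small model of how a domain-list VPN policy actually works: the router resolves the listed names, turns the answers into a set of destination IPs that get the "VPN" firewall mark, and every flow is then classified by IP, not by name. The following is an added example, not GL.iNet firmware code; the domains, IPs and resolver snapshots are constructed sample data (documentation ranges), and `DNS_SNAPSHOTS`, `build_vpn_ipset`, `classify_flow` and `find_collisions` are names chosen for this illustration. It shows how an unlisted CDN host that is later answered with an IP previously seen for an IPTV domain ends up routed through the tunnel.

```python
"""Model of domain-list (policy-based) VPN routing and the shared-CDN-IP overlap.

Added illustration, not the router's own code. All DNS data below is
constructed; real resolver answers for a given setup will differ.
"""
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, List[str]]  # domain -> IPs answered at one moment

# Domains the user put on the "route via VPN" list (constructed names).
VPN_DOMAINS: Set[str] = {"epg.example-iptv.test", "stream.example-iptv.test"}

# Resolver answers captured at two moments (constructed). Between 12:00 and
# 12:15 the CDN rotates, and the video CDN host is answered with an IP that
# an IPTV domain was answered with earlier.
DNS_SNAPSHOTS: Dict[str, Snapshot] = {
    "12:00": {
        "epg.example-iptv.test": ["198.51.100.5"],
        "stream.example-iptv.test": ["203.0.113.10"],
        "video-cdn.example.test": ["203.0.113.22"],
    },
    "12:15": {
        "epg.example-iptv.test": ["198.51.100.5"],
        "stream.example-iptv.test": ["203.0.113.31"],
        "video-cdn.example.test": ["203.0.113.10"],  # rotated onto an IPTV IP
    },
}


def build_vpn_ipset(snapshots: Dict[str, Snapshot], vpn_domains: Set[str]) -> Set[str]:
    """Collect every IP the listed domains resolved to across all snapshots.

    This mirrors how a resolver-fed ipset accumulates entries: an address
    stays marked until its entry expires, not until the name moves away.
    """
    ipset: Set[str] = set()
    for snap in snapshots.values():
        for domain, ips in snap.items():
            if domain in vpn_domains:
                ipset.update(ips)
    return ipset


def classify_flow(dst_ip: str, vpn_ipset: Set[str]) -> str:
    """Route decision the firewall mark would make for one destination IP."""
    return "vpn" if dst_ip in vpn_ipset else "wan"


def find_collisions(snapshots: Dict[str, Snapshot], vpn_domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (time, unlisted domain, ip) for every answer that would be
    misrouted through the VPN because the IP is also in the VPN ipset."""
    ipset = build_vpn_ipset(snapshots, vpn_domains)
    hits: List[Tuple[str, str, str]] = []
    for when, snap in snapshots.items():
        for domain, ips in snap.items():
            if domain in vpn_domains:
                continue
            for ip in ips:
                if ip in ipset:
                    hits.append((when, domain, ip))
    return hits


if __name__ == "__main__":
    ipset = build_vpn_ipset(DNS_SNAPSHOTS, VPN_DOMAINS)
    print("VPN ipset:", sorted(ipset))
    for when, domain, ip in find_collisions(DNS_SNAPSHOTS, VPN_DOMAINS):
        print(f"{when}: {domain} -> {ip} classified as {classify_flow(ip, ipset)}")
```

The useful check this gives a practitioner is the `find_collisions` step: resolve the listed domains a few times over a quarter of an hour, keep the union of answers, and compare it against what the streaming app's hosts resolve to from the same network. Any overlap explains a "VPN detected" message without any Amazon domain ever being on the list.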

I totally agree with you.
If the VPN is enabled, the client must use the DNS from the VPN.
If the VPN is bypassed, the client must use the DNS from WAN (or AdGuard).

2 Likes

Yes, firmware prior to v4.8 always used the DNS from the VPN.
The v4.8 firmware has improved this situation: depending on the VPN policy, it uses the WAN DNS or the VPN DNS.

3 Likes

OK, thank you, I will try this weekend.

I had this too. Why would I want my WAN clients using the VPN DNS? This can cause detections like @xize11 said. Also, if the DNS server is further away then that would also add slight latency; I don't want to split my DNS. My WAN clients shouldn't even see any VPN DNS when using policy-based routing. I have a command that was sent to me that I ran to make the DNS work how I believe it should (on v4.7.x and older firmware): VPN DNS and WAN DNS depending on which clients are behind the VPN or WAN. It also makes my VPN clients bypass AdGuard Home to achieve what I needed.

I have noted that Bruce mentions the logic has been improved, but I have yet to try the newer firmware.

1 Like

Hello,

Which post needs to be deleted? No. 10 (and 11)?

Literally just the post I edited to say “Mods please delete this post.” and if you are going to do that then you might as well delete this too :wink: