I've decided to give NordVPN a try since they're running a good discount deal at the moment. I'm not greatly familiar with VPN's so please bear with me.

If I set the VPN up on my 2927ax as per the instructions here https://www.draytek.com/support/knowledge-base/5371

(ignoring the "Select Remote Network Mask to "0.0.0.0/24" as that option is not available and instead setting it to 255.255.255.0/24 as is indeed shown in their figure)

it all appears to work and I establish an outgoing VPN connection. However, whilst I can connect to some sites - e.g. Google and this very forum, I cannot connect to others such as Amazon, the BBC, my bank and, perhaps weirdest of all, NordVPN.com

However, if I turn off the VPN on the router and instead run the NordVPN app on the same Windows 10 PC, I can connect to all of those sites without problem.

Is this expected and/or typical behaviour, and can it be altered? As Nord tout the ability to install it on a router as one of the great benefits it would seem a shame if it doesn't actually work...

Another intriguing thing I notice - if I visit e.g. What Is My IP Address.com with the NordVPN tunnel up on the router, they cannot see my IPv4 address but they can see my IPv6 address.

If I turn that off and connect via the NordVPN app on the PC, the site returns a Nord VPN server as my IPv4 address and "not detected" for IPv6.

Piste Basher wrote:
it all appears to work and I establish an outgoing VPN connection. However, whilst I can connect to some sites - e.g. Google and this very forum, I cannot connect to others such as Amazon, the BBC, my bank and, perhaps weirdest of all, NordVPN.com

To my mind, that smacks of an MTU issue...
(decades ago, I tried to replace my brother-in-law's USB Speedtouch modem, with one of these new-fangled consumer Router affairs. It burst into life very easily, but I got very weird results: I could access EBAY.COM, but not EBAY.CO.UK - that sort of thing. I didn't solve it on the day and it's bothered me ever since.)

There is not (AFAIK) an MTU setting for a VPN itself - but I wonder if the main WAN MTU would still have a bearing?

Alternatively, those instructions say

Draytek wrote: Note: In order to accept large packets from NordVPN, Allow pass inbound fragmented large packets (required for certain games and streaming) should be enabled.

Could that be the problem?

(I have no idea what that setting actually does - I've always enabled it).

I think I read somewhere on Nord about MTU not being higher than 1492, which is what I have always had it set as anyway. Discovery detect comes back with that figure.

Like you, I have always had accept large fragmented packets turned on as well.

I'm connecting to a UK server on both setups, so that shouldn't affect any blocking of sites on a regional basis.

I think I've already tried disabling IPv6 on the router but I'll try it again now.

OK IPv6 didn't make any difference.

I notice than when the VPN is up I no longer see the "Remote VDSL2 information from WAN1" information box on the Online Status page.

This makes me wonder if it's something to do with me using a virtual WAN to connect to the Vigor 130, so I can access it easily - but why that should affect some sites and not others is puzzling.

Does "Diagnostics >> Route Policy Diagnosis" give the same results for the sites that work, as for the one that don't :