Why can I access my router despite the VPN being active?

I have the PIA client app installed on my Windows PC. It is connected and websites like whatismyipaddress.com show that I indeed have an IP address from PIA now.

As I understand it, that means the everything my webbrowser sends (including URLs) will be encrypted right here on my PC, then sent to the VPN server, get encrypted there and then be sent on to the destination.

That means: Even my own router should be unable to tell which URLs any requests were sent to, because all it ever gets from my PC is encrypted gibberish.

But when I enter the IP address of my router in my webbrowser, I get the admin login page of my router. That shouldn’t be possible, because:

1. The VPN server couldn’t send the request to that IP, since it’s only accessible from inside my network, right?
2. If that request was encrypted, the router would not have been able to understand that it’s the intended recipient of the request and wouldn’t have known to send a response with the login page.

Does that mean that something recognizes the IP as belonging to the router and sends the request unencrypted? If so, is Windows or the PIA client app responsible for that?

“Allow LAN Traffic” is a setting in the client.

all software recognize local IPs and by design do not send that traffic to the outside world. so when you login to the router (whose address is one of those local IPs) the request never went to PIA in the first place, it goes directly to the router.

IP protocols aren’t encrypted, you bypassed the VPN.

Traffic on your local lan doesn’t go via vpn.

All external traffic, ie, outside of your local lan goes via vpn.

This controlled via the “Allow LAN Traffic” under Network settings in PIA.

Your local LAN is any IP address that has the same first 3 octets as your PC IP address.

Okay, Network explanation time. PIA is a VPN, Virtual Private Network. Your computer recongizes the difference. When you type your login IP, the request does not go outside your router. You probably access it on something like 10.0.0.1 or something and since all internet, including one sent via the VPN gets sent over the router, the router sends it across, except when it is local. When it is local, it says, well this is in the local network, so this means that I do not need to send this out and uses its internal network, which is different from Internet traffic. TL;DR is you are still protected, you can access your router due to how the Internet works.

I’m not quite sure what “IP protocols” means.

Are you telling me that any time the webbrowser sends a request directly to an IP rather than to a domain the request would not go through the VPN?

Because that doesn’t seem to make any sense at all. It would mean a website that wants to know my real IP only needs to include some external resource like an image or a JavaScript file with their server’s IP instead of the domain in the “src” attribute. The webbrowser would then request the resource directly from that IP, bypassing the VPN, and the website would know my own IP.

I highly doubt that such a severe vulnerability would still exist to this day.