Netgate Discussion Forum

    Road Warrior in China (ugly VPN)

    Category: OpenVPN. 12 Posts, 5 Posters, 2.6k Views
    • Derelict LAYER 8 Netgate

      I think the solution to your problem is about 500 million of these in the hands of the right people.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • Guest

        Anything we can do to make connection smoother?

        In any region of China there are normal ISPs and those who have specialized in VPNs and also in foreigners,
        like tourists and businessmen! So you might look in your region for these VPN-specialized ISPs
        and all will be fine for you! Mostly they also sell pre-paid SIM cards for having a liquid VPN
        connection.

        • NOYB

          Near as I can tell the road warrior VPN is working.  They are not complaining anyway.  Hope their traffic is actually going through the VPN as expected.

          While they are connected, though, the pfSense VPN server receives a few packets from other China addresses.  Usually a few packets just right after they establish a VPN connection.  Packet capture info field is: "MessageType: P_CONTROL_HARD_RESET_CLIENT_V2".  So the VPN client is not bouncing around to other IP addresses as previously thought.  That is, these packets come from various other addresses.

          In the OpenVPN log those packets result in "TLS Error: cannot locate HMAC in incoming packet".

          
          Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063
          Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764

          Will they (China) ever learn that they are just wasting their resources?

          I'm still interested in hearing techniques that can improve China VPN experience with US based pfSense OpenVPN server.

          Thanks.

            • robi
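Those "cannot locate HMAC" lines are tls-auth rejecting packets whose HMAC does not match the server's key, so the server discarded them before any TLS handshake began. As an added example (not from the thread), this Python snippet tallies such rejects per source and flags the ones landing within a short window after a legitimate client handshake, the pattern NOYB describes; the log sample is constructed around the two quoted lines, and the "Peer Connection Initiated" line and the 203.0.113.x / 198.51.100.x addresses are assumed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of OpenVPN server log lines: the two "cannot locate HMAC" lines
# are the ones quoted in the thread, the remaining lines and addresses are assumed.
SAMPLE_LOG = """\
Oct 15 03:09:17 openvpn[64392]: 203.0.113.7:41022 [roadwarrior] Peer Connection Initiated with [AF_INET]203.0.113.7:41022
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764
Oct 15 03:09:21 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29064
Oct 15 07:42:10 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]198.51.100.9:5555
"""

TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) openvpn\[\d+\]: (?P<msg>.*)$")
HMAC_RE = re.compile(r"cannot locate HMAC in incoming packet from \[AF_INET\](?P<ip>[\d.]+):\d+")
CONN_RE = re.compile(r"Peer Connection Initiated with \[AF_INET\](?P<ip>[\d.]+):\d+")


def parse_ts(raw):
    # syslog timestamps carry no year; a fixed year is fine for intra-log deltas
    return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S")


def analyze(log_text, window_s=30):
    """Return (rejects per source IP, rejects that arrived within window_s seconds
    after a real client handshake as (probe_src, client_ip, seconds_after))."""
    connects, rejects = [], []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (c := CONN_RE.search(msg)):
            connects.append((ts, c["ip"]))
        elif (h := HMAC_RE.search(msg)):
            rejects.append((ts, h["ip"]))
    per_source = Counter(ip for _, ip in rejects)
    after_connect = []
    for ts, src in rejects:
        for cts, client in connects:
            delta = (ts - cts).total_seconds()
            if 0 <= delta <= window_s:  # reject trails a handshake: the "few packets right after"
                after_connect.append((src, client, int(delta)))
                break
    return per_source, after_connect
```

Because tls-auth already dropped these packets, the output is for visibility only (which sources probe, and whether they track your clients' connects); it does not change what the server accepts.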

            They do MITM attacks to sniff traffic?

              • NOYB

              @robi:

              They do MITM attacks to sniff traffic?

              How successful are they at MITM-ing OpenVPN?

                • NOYB

                VPN client in a Shanghai hotel incessantly attempting connections to a bogon (239.255.255.250:1900 UDP).
                Also seen this at Vancouver BC airport.

                Have not seen that behavior at other locations.  Is this being caused by the host LAN or something on the client?  Since not seen every place it seems unlikely to be the client.  But…

                Insights on the cause and solutions?  Firewall is already blocking these.

                Thanks

                  • jimp Rebel Alliance Developer Netgate

                  That's not a bogon, it's multicast, specifically UPnP or similar.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                    • NOYB

                    Team-Cymru lists it as a bogon in their full bogons IPv4 list.
                    224.0.0.0/4 includes 239.255.255.250

                      • jimp Rebel Alliance Developer Netgate

                      224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP

                        • NOYB

                        @jimp:

                        224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP

                        And yet it is in the bogons list.

                          • jimp Rebel Alliance Developer Netgate

                          @NOYB:

                          And yet it is in the bogons list.

                          Because it's not a routable network from the Internet and you should never see inbound traffic from it. Not because it should never be seen on an interface.

                          It is a valid destination; it is not a valid source.

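The source/destination asymmetry jimp describes is easy to encode as a packet check. As an added example (not from the thread), this Python snippet classifies flows so that 224.0.0.0/4 as a source is treated as spoofed while the 239.255.255.250:1900 chatter is recognised as ordinary SSDP/UPnP discovery; the sample flows are constructed.

```python
import ipaddress
from collections import Counter

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP/SSDP discovery group
SSDP_PORT = 1900


def judge_packet(src, dst, dport=None):
    """Classify one packet by the rule in the thread: 224.0.0.0/4 is never a
    legitimate source (hence its place in the bogon list), but as a destination
    it is ordinary LAN discovery or IPTV traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.is_multicast:
        return "spoofed-multicast-source"      # never valid: drop, and worth logging
    if d == SSDP_GROUP and dport == SSDP_PORT:
        return "ssdp-discovery"                # the 239.255.255.250:1900 seen in the hotel
    if d.is_multicast:
        return "other-multicast-destination"   # e.g. IPTV; mundane, block on WAN if unwanted
    return "unicast"


# Constructed sample flows (src, dst, dport); addresses are documentation/private ranges.
SAMPLE_FLOWS = [
    ("10.8.0.2", "239.255.255.250", 1900),      # VPN client doing SSDP discovery
    ("192.168.1.20", "239.255.255.250", 1900),  # hotel LAN host doing the same
    ("224.0.0.5", "10.0.0.1", None),            # multicast as source: bogus
    ("203.0.113.4", "239.10.10.10", 5000),      # some other multicast group
    ("203.0.113.4", "198.51.100.1", 443),       # plain unicast
]


def triage(flows):
    """Tally verdicts so benign SSDP noise is kept apart from real anomalies."""
    return Counter(judge_packet(*f) for f in flows)
```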
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.