Road Warrior in China (ugly VPN)

Derelict

I think the solution to your problem is about 500 million of these in the hands of the right people.

Guest

Anything we can do to make connection smoother?

In any region of China are normal IPSs and those who have specialized on VPNs and also for foreigners,
like tourists and businessmen! So you might be looking in your region for these VPN specialized ISPs
and all will be fine for you! Mostly they are also selling pre-payed SIM cards for having a liquid VPN
connect.

NOYB

Near as I can tell the road warrior VPN is working.  They are not complaining anyway.  Hope their traffic is actually going through the VPN as expected.

While they are connected though the pfSense VPN server receives a few packets from other China addresses.  Usually a few packets just right after they establish a VPN connection.  Packet capture info filed is: "MessageType: P_CONTROL_HARD_RESET_CLIENT_V2".  So the VPN client is not bouncing around to other IP addresses as previously thought.  That is these packets from other various addresses.

In the OpenVPN log those packets result in "TLS Error: cannot locate HMAC in incoming packet".

Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063 
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764 

Will they (China) ever learn that they are just wasting their resources?

I'm still interested in hearing techniques that can improve China VPN experience with US based pfSense OpenVPN server.

Thanks.

robi

They do MITM attacks to sniff traffic?

NOYB

@robi:

They do MITM attacks to sniff traffic?

How successful are they at MITM-ing OpenVPN?

NOYB

VPN client in a Shanghai hotel incessantly attempting connections to a bogon (239.255.255.250 : 1900 UDP).
Also seen this at Vancouver BC airport.

Have not seen that behavior at other locations.  Is this being caused by the host LAN or something on the client?  Since not seen every place it seems unlikely to be the client.  But…

Insights on the cause and solutions?  Firewall is already blocking these.

Thanks

jimp

That's not a bogon, it's multicast, specifically UPnP or similar.

NOYB

Team-Cymru lists it as a bogon in their full bogons IPv4 list.
224.0.0.0/4 includes 239.255.255.250

jimp

224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP

NOYB

@jimp:

224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP

And yet it is in the bogons list.

jimp

@NOYB:

And yet it is in the bogons list.

Because it's not a routable network from the Internet and you should never see inbound traffic from it. Not because it should never be seen on an interface.

It is a valid destination it is not a valid source.