    Road Warrior in China (ugly VPN)

    12 Posts 5 Posters 2.6k Views
      NOYB

      VPN from there is really ugly.  Incessant reconnecting every few minutes.  Sometimes multiple times a minute.  And bouncing around to different IP addresses.  Same client was fine/stable in US and BC.

      Anything we can do to make connection smoother?

      Thanks

        Derelict LAYER 8 Netgate

        I think the solution to your problem is about 500 million of these in the hands of the right people.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Guest

          Anything we can do to make connection smoother?

          In any region of China there are normal ISPs and those who have specialized in VPNs and also for foreigners,
          like tourists and businessmen! So you might be looking in your region for these VPN-specialized ISPs
          and all will be fine for you! Mostly they are also selling pre-paid SIM cards for having a liquid VPN
          connection.

            NOYB

            Near as I can tell the road warrior VPN is working.  They are not complaining anyway.  Hope their traffic is actually going through the VPN as expected.

            While they are connected though the pfSense VPN server receives a few packets from other China addresses.  Usually a few packets just right after they establish a VPN connection.  Packet capture info field is: "MessageType: P_CONTROL_HARD_RESET_CLIENT_V2".  So the VPN client is not bouncing around to other IP addresses as previously thought.  That is, these were packets from various other addresses.

            In the OpenVPN log those packets result in "TLS Error: cannot locate HMAC in incoming packet".

            Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063
            Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764

            Will they (China) ever learn that they are just wasting their resources?

            I'm still interested in hearing techniques that can improve China VPN experience with US based pfSense OpenVPN server.

            Thanks.

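An added example, not part of the thread: a small Python triage over OpenVPN log lines in the format quoted above, aggregating the "cannot locate HMAC" rejects per source address and flagging any that come from one of your own road-warrior clients (which would point at a stale tls-auth key rather than an unrelated probe). The sample log is constructed from the two quoted lines plus an invented third line to show repeat counting.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two log lines quoted in this thread
# (the third line is invented so that repeat counting is exercised).
SAMPLE_LOG = """\
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764
Oct 15 03:09:31 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29077
"""

# With tls-auth/tls-crypt enabled, OpenVPN drops any control-channel packet
# whose HMAC does not verify and logs this message; nothing from that peer
# reaches the TLS handshake. The pattern matches the IPv4 form shown above.
HMAC_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"TLS Error: cannot locate HMAC in incoming packet from "
    r"\[AF_INET\](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*$"
)


def parse_hmac_rejects(log_text):
    """Return (timestamp, ip, port) for each rejected packet, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = HMAC_RE.match(line)
        if m:
            hits.append((m["ts"], m["ip"], int(m["port"])))
    return hits


def summarize_rejects(log_text, expected_clients=()):
    """Aggregate rejects per source address.

    expected_clients: addresses your own road warriors connect from. A reject
    from one of them means that client is sending packets without the right
    tls-auth HMAC (wrong or stale key), so it is flagged as own_client.
    """
    known = set(expected_clients)
    per_ip = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "ports": set(), "own_client": False})
    for ts, ip, port in parse_hmac_rejects(log_text):
        rec = per_ip[ip]
        rec["count"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
        rec["ports"].add(port)
        rec["own_client"] = ip in known
    return dict(per_ip)
```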
              robi

              They do MITM attacks to sniff traffic?

                NOYB

                @robi:

                They do MITM attacks to sniff traffic?

                How successful are they at MITM-ing OpenVPN?

                  NOYB

                  VPN client in a Shanghai hotel incessantly attempting connections to a bogon (239.255.255.250 : 1900 UDP).
                  Also seen this at Vancouver BC airport.

                  Have not seen that behavior at other locations.  Is this being caused by the host LAN or something on the client?  Since not seen every place it seems unlikely to be the client.  But…

                  Insights on the cause and solutions?  Firewall is already blocking these.

                  Thanks

                    jimp Rebel Alliance Developer Netgate

                    That's not a bogon, it's multicast, specifically UPnP or similar.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                      NOYB

                      Team-Cymru lists it as a bogon in their full bogons IPv4 list.
                      224.0.0.0/4 includes 239.255.255.250

                        jimp Rebel Alliance Developer Netgate

                        224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP.


                          NOYB

                          @jimp:

                          224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP

                          And yet it is in the bogons list.

                            jimp Rebel Alliance Developer Netgate

                            @NOYB:

                            And yet it is in the bogons list.

                            Because it's not a routable network from the Internet and you should never see inbound traffic from it. Not because it should never be seen on an interface.

                            It is a valid destination; it is not a valid source.


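An added example, not part of jimp's post: the destination-versus-source distinction from this exchange written out in Python, generalized from 224.0.0.0/4 to a static subset of ranges that are never legitimate as a source on any interface (the Team Cymru fullbogons list is much larger and also covers RFC 1918 space and unallocated blocks, which are omitted here because they are fine on a LAN). The capture records and addresses are constructed.

```python
import ipaddress

# Static subset of ranges that are never a legitimate *source* address on any
# interface. Multicast is here because no host owns a multicast address; the
# dynamic fullbogons feed adds unallocated space and, for WAN use, RFC 1918.
NEVER_VALID_SOURCE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4",
)]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
SSDP_GROUP, SSDP_PORT = ipaddress.ip_address("239.255.255.250"), 1900


def classify(src, dst, dport):
    """Classify one observed IPv4 datagram by what its addresses tell you.

    "bogon-source"    source is in a never-valid range: spoofed or broken, and
                      the only case a bogon *source* filter should ever fire on
    "ssdp-discovery"  the 239.255.255.250:1900 pattern from the thread: a host
                      looking for UPnP devices on its LAN; noisy but mundane
    "multicast-dest"  any other multicast destination (IPTV groups and the like)
    "unicast"         ordinary traffic
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in NEVER_VALID_SOURCE):
        return "bogon-source"
    if d == SSDP_GROUP and dport == SSDP_PORT:
        return "ssdp-discovery"
    if d in MULTICAST:
        return "multicast-dest"
    return "unicast"


# Constructed sample of what a capture on the hotel LAN side might contain.
SAMPLE_CAPTURE = [
    ("10.10.20.5", "239.255.255.250", 1900),   # the pattern NOYB described
    ("10.10.20.5", "239.255.255.250", 1900),
    ("10.10.20.5", "203.0.113.10", 1194),      # the OpenVPN session itself
    ("239.255.255.250", "10.10.20.5", 1900),   # impossible as a real source
    ("10.10.20.9", "239.1.2.3", 5004),         # e.g. an IPTV stream group
]


def tally(capture):
    """Count records per classification; the dict is the triage summary."""
    counts = {}
    for src, dst, dport in capture:
        kind = classify(src, dst, dport)
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```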
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.