Road Warrior in China (ugly VPN)



  • VPN from there is really ugly.  Incessant reconnecting every few minutes.  Sometimes multiple times a minute.  And bouncing around to different IP addresses.  Same client was fine/stable in US and BC.

    Anything we can do to make connection smoother?

    Thanks


  • LAYER 8 Netgate

    I think the solution to your problem is about 500 million of these in the hands of the right people.



  • Anything we can do to make connection smoother?

    In any region of China there are normal ISPs and also ones that have specialized in VPNs, including for foreigners
    like tourists and businessmen! So you might look in your region for these VPN-specialized ISPs
    and all will be fine for you! Mostly they are also selling pre-paid SIM cards for having a smooth VPN
    connection.



  • Near as I can tell the road warrior VPN is working.  They are not complaining anyway.  Hope their traffic is actually going through the VPN as expected.

    While they are connected though, the pfSense VPN server receives a few packets from other China addresses.  Usually a few packets right after they establish a VPN connection.  The packet capture info field is: "MessageType: P_CONTROL_HARD_RESET_CLIENT_V2".  So the VPN client is not bouncing around to other IP addresses as previously thought.  That is, these packets are from various other addresses.

    In the OpenVPN log those packets result in "TLS Error: cannot locate HMAC in incoming packet".

    Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063
    Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764


    Will they (China) ever learn that they are just wasting their resources?

    I'm still interested in hearing techniques that can improve China VPN experience with US based pfSense OpenVPN server.

    Thanks.
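OpenVPN logs "cannot locate HMAC in incoming packet" when tls-auth or tls-crypt is configured and a packet arrives without a valid HMAC; the packet is discarded before any TLS state is created, so the probe costs the server nothing beyond the log line. The script below is an added example, not code from the post, from pfSense or from OpenVPN: it parses server log lines of this shape, counts HMAC-rejected packets per source, and separates those probe sources from peers that actually completed a handshake, which is the check the poster did by hand to conclude the client was not bouncing between addresses. The sample log is constructed around the two lines quoted above; the client address 203.0.113.45, its port, the session id and the "Peer Connection Initiated" line are assumptions for the example.

```python
import re
from collections import Counter

# OpenVPN logs this when tls-auth/tls-crypt is enabled and an incoming packet
# carries no valid HMAC; the packet is dropped before any TLS work is done.
HMAC_ERR = re.compile(
    r"TLS Error: cannot locate HMAC in incoming packet from "
    r"\[AF_INET6?\](?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)"
)
# Logged once a client has completed the TLS handshake.
PEER_UP = re.compile(
    r"Peer Connection Initiated with \[AF_INET6?\](?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)"
)

# Constructed sample: the two lines from the post plus assumed lines for the
# legitimate road-warrior client at 203.0.113.45 (an address chosen for the example).
SAMPLE_LOG = """\
Oct 15 03:09:18 openvpn[64392]: TLS: Initial packet from [AF_INET]203.0.113.45:48213, sid=1a2b3c4d 5e6f7a8b
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29063
Oct 15 03:09:20 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]111.85.179.140:34764
Oct 15 03:09:21 openvpn[64392]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]139.170.69.86:29064
Oct 15 03:09:25 openvpn[64392]: 203.0.113.45:48213 [roadwarrior] Peer Connection Initiated with [AF_INET]203.0.113.45:48213
"""


def hmac_failures(log_text):
    """Map source IP -> number of packets rejected for a missing/invalid HMAC."""
    counts = Counter()
    for line in log_text.splitlines():
        m = HMAC_ERR.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def connected_peers(log_text):
    """Set of source IPs that completed a handshake with the server."""
    peers = set()
    for line in log_text.splitlines():
        m = PEER_UP.search(line)
        if m:
            peers.add(m.group("ip"))
    return peers


def probe_sources(log_text, known_clients=None):
    """HMAC-rejected sources that never completed a handshake, most active first.

    If known_clients is None, the set of connected peers in the same log is used.
    A legitimate client that roamed to a new address would show up in both sets;
    pure scanners appear only here.
    """
    known = set(known_clients) if known_clients is not None else connected_peers(log_text)
    probes = [(ip, n) for ip, n in hmac_failures(log_text).items() if ip not in known]
    return sorted(probes, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("connected peers:", sorted(connected_peers(SAMPLE_LOG)))
    for ip, n in probe_sources(SAMPLE_LOG):
        print(f"probe source {ip}: {n} rejected packet(s)")
```

Against a live server, feed the script the OpenVPN log (on pfSense, the OpenVPN tab of the system log) rather than the constructed sample; if a probe source also appears as a connected peer, that is the client roaming, not a scanner.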



  • They do MITM attacks to sniff traffic?



  • @robi:

    They do MITM attacks to sniff traffic?

    How successful are they at MITM-ing OpenVPN?



  • VPN client in a Shanghai hotel incessantly attempting connections to a bogon (239.255.255.250 : 1900 UDP).
    Also seen this at Vancouver BC airport.

    Have not seen that behavior at other locations.  Is this being caused by the host LAN or something on the client?  Since it is not seen everywhere, it seems unlikely to be the client.  But…

    Insights on the cause and solutions?  Firewall is already blocking these.

    Thanks


  • Rebel Alliance Developer Netgate

    That's not a bogon, it's multicast, specifically UPnP or similar.



  • Team-Cymru lists it as a bogon in their full bogons IPv4 list.
    224.0.0.0/4 includes 239.255.255.250


  • Rebel Alliance Developer Netgate

    224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP.



  • @jimp:

    224.0.0.0/4 is all multicast. While you may not expect to see it on WAN, it's not unheard of or uncommon and usually something mundane like IPTV or UPnP.

    And yet it is in the bogons list.


  • Rebel Alliance Developer Netgate

    @NOYB:

    And yet it is in the bogons list.

    Because it's not a routable network from the Internet and you should never see inbound traffic from it. Not because it should never be seen on an interface.

    It is a valid destination; it is not a valid source.
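The distinction in the reply above is direction: 239.255.255.250 is the SSDP (UPnP discovery) multicast group, a normal destination on a LAN, but no multicast address is ever a legitimate source, which is why 224.0.0.0/4 appears in bogon lists. The snippet below is an added example, not code from the thread or from pfSense, that applies that rule to constructed flow tuples using Python's ipaddress module. The bogon test is an approximation built from ipaddress attributes, not the full Team Cymru list, and the flows, the interface flag and the classification labels are assumptions for the example.

```python
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP/SSDP discovery group
SSDP_PORT = 1900


def is_bogon_source(src, wan):
    """Approximate bogon test for a SOURCE address (not the full Team Cymru list).

    Multicast, reserved, loopback and unspecified space can never be a valid
    source on any interface; RFC 1918 and link-local sources are only bogus
    when they arrive on WAN, since they are normal on a LAN.
    """
    a = ipaddress.ip_address(src)
    never_valid = a.is_multicast or a.is_reserved or a.is_loopback or a.is_unspecified
    wan_only = a.is_private or a.is_link_local
    return never_valid or (wan and wan_only)


def classify_flow(src, dst, proto, dport, wan):
    """Label a (src, dst, proto, dport) flow seen on a LAN (wan=False) or WAN (wan=True) interface."""
    if is_bogon_source(src, wan):
        return "bogon-source"          # drop: nothing legitimate is sourced from this space
    d = ipaddress.ip_address(dst)
    if d == SSDP_GROUP and proto == "udp" and dport == SSDP_PORT:
        return "ssdp"                  # UPnP discovery: mundane, block quietly if unwanted
    if d.is_multicast:
        return "multicast-dst"         # other multicast destination, e.g. IPTV
    return "unicast"


# Constructed flows (assumed for the example): the hotel client's SSDP chatter,
# a spoofed multicast source arriving on WAN, and an ordinary OpenVPN packet
# from one of the addresses quoted earlier in the thread.
CONSTRUCTED_FLOWS = [
    ("10.20.30.40", "239.255.255.250", "udp", 1900, False),
    ("239.255.255.250", "139.170.69.86", "udp", 1900, True),
    ("139.170.69.86", "203.0.113.45", "udp", 1194, True),
]


def triage(flows):
    """Return [(flow, label), ...] for a list of flow tuples."""
    return [(f, classify_flow(*f)) for f in flows]


if __name__ == "__main__":
    for flow, label in triage(CONSTRUCTED_FLOWS):
        print(label, flow)
```

The same SSDP packet is benign on the hotel LAN (the client is looking for UPnP devices) and would be a bogon only if its source, not its destination, were multicast; a pfSense bogon rule on WAN matches sources, which is why the client's outbound discovery traffic is unaffected by it.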

