Re: How do you tell what kind of VPN when you're in a VPN session?

On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

> I will attach both a config file and a log file separately (because there is probably all that I need to know in those files, if I only knew what to look for).

Here is a log file of what happens when I download an arbitrary VPN config file from vpngate.net and then I run that file using this: $ sudo openvpn --config that-file.ovpn &

$ sudo openvpn --config vpngate_173.86.200.98_udp_1824.ovpn
Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Dec 13 09:22:52 2015 WARNING: No server certificate verification method has been enabled. See formatting link for more info.
Sun Dec 13 09:22:52 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Dec 13 09:22:52 2015 UDPv4 link local: [undef]
Sun Dec 13 09:22:52 2015 UDPv4 link remote: [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:54 2015 TLS: Initial packet from [AF_INET]173.86.200.98:1824, sid=5985833f 6e69b192
Sun Dec 13 09:22:54 2015 VERIFY OK: depth=0, CN=mxn5ktyvv05mro5.com, O=7cr4ijelgra ktzbwmo8z2, C=US
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 13 09:22:55 2015 [mxn5ktyvv05mro5.com] Peer Connection Initiated with [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:57 2015 SENT CONTROL [mxn5ktyvv05mro5.com]: 'PUSH_REQUEST' (status=1)
Sun Dec 13 09:22:58 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.29 10.211.1.30,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.30,redirect-gateway def1'
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: route options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: route-related options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec 13 09:22:58 2015 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=00:d0:b9:f3:a1:45
Sun Dec 13 09:22:58 2015 TUN/TAP device tun0 opened
Sun Dec 13 09:22:58 2015 TUN/TAP TX queue length set to 100
Sun Dec 13 09:22:58 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 13 09:22:58 2015 /sbin/ip link set dev tun0 up mtu 1500
Sun Dec 13 09:22:58 2015 /sbin/ip addr add dev tun0 local 10.211.1.29 peer 10.211.1.30
Sun Dec 13 09:22:58 2015 /sbin/ip route add 173.86.200.98/32 via 192.168.1.1
Sun Dec 13 09:22:58 2015 /sbin/ip route add 0.0.0.0/1 via 10.211.1.30
Sun Dec 13 09:22:58 2015 /sbin/ip route add 128.0.0.0/1 via 10.211.1.30
Sun Dec 13 09:22:58 2015 Initialization Sequence Completed

Reply to
Mark Bannon
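The log above already answers the question in the thread title, and it can be read mechanically. What follows is an added example, not code from the thread or from the OpenVPN project: a parser for the OpenVPN 2.3 client log format that pulls out the lines identifying the VPN (the build banner's "[SSL (OpenSSL)]" tag, the "Control Channel:" TLS line, the data-channel cipher and HMAC, the server certificate subject from "VERIFY OK", and the PUSH_REPLY options). It also flags the "No server certificate verification method has been enabled" warning, which OpenVPN prints when the client config sets none of --remote-cert-tls, --ns-cert-type, --verify-x509-name or --tls-verify; without one of those, any certificate signed by the embedded CA is accepted as the server. SAMPLE_LOG is a constructed excerpt of the posted log (the URL OpenVPN prints after "See" in the warning is left out).

```python
import json
import re
from typing import Dict, List

# Constructed excerpt of the OpenVPN 2.3 client log posted above, one entry
# per line; the URL OpenVPN prints after "See" in the warning is omitted.
SAMPLE_LOG = """\
Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Dec 13 09:22:52 2015 WARNING: No server certificate verification method has been enabled. See the OpenVPN HOWTO for more info.
Sun Dec 13 09:22:52 2015 UDPv4 link remote: [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:54 2015 VERIFY OK: depth=0, CN=mxn5ktyvv05mro5.com, O=7cr4ijelgra ktzbwmo8z2, C=US
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 13 09:22:58 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.29 10.211.1.30,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.30,redirect-gateway def1'
Sun Dec 13 09:22:58 2015 TUN/TAP device tun0 opened
Sun Dec 13 09:22:58 2015 Initialization Sequence Completed
"""

# Leading "Sun Dec 13 09:22:52 2015 " timestamp that every entry carries.
TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} ")

PATTERNS = {
    "banner": re.compile(r"OpenVPN (\S+) \S+ \[SSL \(([^)]+)\)\]"),
    "control": re.compile(r"Control Channel: (\S+), cipher (\S+) (\S+), (\d+) bit RSA"),
    "cipher": re.compile(r"Data Channel Encrypt: Cipher '([^']+)' initialized with (\d+) bit key"),
    "hmac": re.compile(r"Data Channel Encrypt: Using (\d+) bit message hash '([^']+)' for HMAC"),
    "verify": re.compile(r"VERIFY OK: depth=0, (.*)"),
    "push": re.compile(r"PUSH: Received control message: '([^']*)'"),
}
NO_VERIFY = "WARNING: No server certificate verification method has been enabled"


def parse_push_reply(payload: str) -> Dict[str, object]:
    """Split 'PUSH_REPLY,opt a b,opt c,...' into the options a client should care about."""
    pushed: Dict[str, object] = {"dns": [], "redirect_gateway": False,
                                 "ifconfig": None, "route_gateway": None}
    for opt in payload.split(","):
        words = opt.split()
        if len(words) == 3 and words[0] == "dhcp-option" and words[1] == "DNS":
            pushed["dns"].append(words[2])
        elif words and words[0] == "redirect-gateway":
            pushed["redirect_gateway"] = True
        elif len(words) == 3 and words[0] == "ifconfig":
            pushed["ifconfig"] = (words[1], words[2])
        elif len(words) == 2 and words[0] == "route-gateway":
            pushed["route_gateway"] = words[1]
    return pushed


def parse_openvpn_log(text: str) -> Dict[str, object]:
    """Summarise an OpenVPN client log: VPN family, crypto, server identity,
    pushed options and the security findings a reviewer would raise."""
    info: Dict[str, object] = {"family": None, "version": None, "tls_library": None,
                               "control_channel": None, "data_cipher": None,
                               "data_hmac": None, "server_subject": None,
                               "pushed": {}, "findings": []}
    findings: List[str] = info["findings"]
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if m := PATTERNS["banner"].match(line):
            # The build banner is the first giveaway: OpenVPN links a TLS library.
            info["family"] = "SSL/TLS VPN (OpenVPN)"
            info["version"], info["tls_library"] = m.group(1), m.group(2)
        elif m := PATTERNS["control"].match(line):
            info["control_channel"] = {"protocol": m.group(1), "cipher_suite": m.group(3),
                                       "rsa_bits": int(m.group(4))}
            if m.group(1) == "TLSv1":
                findings.append("control channel negotiated TLS 1.0 only")
        elif m := PATTERNS["cipher"].match(line):
            info["data_cipher"] = m.group(1)
        elif m := PATTERNS["hmac"].match(line):
            info["data_hmac"] = "HMAC-" + m.group(2)
        elif m := PATTERNS["verify"].match(line):
            info["server_subject"] = m.group(1)
        elif m := PATTERNS["push"].match(line):
            info["pushed"] = parse_push_reply(m.group(1))
        elif line.startswith(NO_VERIFY):
            findings.append("no server certificate verification: any cert signed by the embedded CA "
                            "is accepted as the server; add 'remote-cert-tls server' to the client config")
    pushed = info["pushed"]
    if pushed and pushed["redirect_gateway"]:
        findings.append("server pushes redirect-gateway and DNS " + ",".join(pushed["dns"])
                        + ": all traffic and name lookups go through the operator")
    return info


if __name__ == "__main__":
    print(json.dumps(parse_openvpn_log(SAMPLE_LOG), indent=2))
```

Run it on a saved log (`sudo openvpn --config x.ovpn --log /tmp/ovpn.log`) and the "findings" list is the part to act on: for the posted config the fix is one line, `remote-cert-tls server`, which makes the client insist that the peer certificate carries the server extended-key-usage so that another client's certificate from the same CA cannot pose as the server.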

Here is the config file that I downloaded from vpngate.net that gave that log file above. I've stripped out the actual encryption keys because my news server thinks they're binary data which it blocks.

###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
#
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.

###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
# specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
# specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun

###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto udp'.

proto udp

###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
#
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

remote 173.86.200.98 1824

###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]

###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1

###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass

###############################################################################
# The certificate file of the destination VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.

<ca>
-----BEGIN CERTIFICATE-----
MIIDKT ... stuff removed ... ja/w/ZQ1
-----END CERTIFICATE-----
</ca>

###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

<cert>
-----BEGIN CERTIFICATE-----
MIICxjC ... stuff removed ... snplQ7HJpsk
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEp ... stuff removed ... IuGxIF50Vg==
-----END RSA PRIVATE KEY-----
</key>

Reply to
Mark Bannon

Here's what I can make out from the config and log files, but, I would like to know if there is a command which will just tell me what kind of VPN it is that I'm running, once I start a VPN session.

  1. The config file is designed for a PacketiX VPN / SoftEther VPN Server
  2. But I'm using it with openvpn (which seems to be working)
  3. The cipher is "AES-128-CBC" & the auth is "SHA1" (whatever that tells me)
  4. The cipher 'AES-128-CBC' was initialized with a 128 bit key (whatever that tells me)
  5. The auth encryption used a 160 bit hash 'SHA1' for HMAC (whatever that tells me)
  6. TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA (whatever that means)

I think this last information tells me I'm using an SSL VPN. Is that correct?

Given the information above, what kind of VPN am I connected to?

  1. Point-to-Point Tunneling Protocol (PPTP)?
  2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec?
  3. SSL VPN (Secure Socket Layer)?
Reply to
Mark Bannon

[snip]

You are running openvpn, which is an SSL VPN, and only an SSL VPN.

From

formatting link
"There are three major families of VPN implementations in wide usage today: SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible with IPSec, L2TP, or PPTP."

But, it's even evident in your logs (posted separately):

Note the last bit of info on the second line: "[SSL (OpenSSL)]"

Reply to
Lew Pitcher
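Lew's answer reads the family off the OpenVPN banner. For the original question (is there a command that tells you what kind of VPN you are in once the session is up) there is no single command, but a Linux box exposes enough to classify a live session: which client daemon is running, what kind of tunnel interface it created (tun/tap for OpenVPN, ppp for PPTP, L2TP and SSTP), and whether IPsec security associations are installed in the kernel (`ip xfrm state`). The following is an added example, not code from the thread or from any VPN project. It assumes Linux with /proc, /sys and iproute2, and the daemon names are those of the usual open-source clients (openvpn; strongSwan's charon, Libreswan/Openswan's pluto and racoon for IKE; xl2tpd; the pptp helper; sstpc). classify() is pure and is exercised with constructed inputs; collect_live() feeds it the same inputs gathered from the running system.

```python
import os
import subprocess
from typing import Dict, Iterable, List

# ARPHRD_* values as reported in /sys/class/net/<iface>/type (linux/if_arp.h):
# 65534 = ARPHRD_NONE (tun/tap), 512 = ARPHRD_PPP, 778 = ARPHRD_IPGRE.
TUNNEL_TYPES = {65534: "tun/tap", 512: "ppp", 778: "gre"}

# IKE daemons of the common Linux IPsec stacks (assumption: one of these is in use).
IKE_DAEMONS = {"charon", "pluto", "racoon"}


def _on(ifaces: List[str]) -> str:
    return f" on {','.join(ifaces)}" if ifaces else ""


def classify(procs: Iterable[str], ifaces: Dict[str, str], ipsec_sa_count: int) -> List[str]:
    """Name the VPN families present, given running process names, a map of
    interface name -> tunnel kind (values of TUNNEL_TYPES) and the number of
    IPsec SAs installed in the kernel."""
    procs = set(procs)
    found: List[str] = []
    tuns = sorted(i for i, k in ifaces.items() if k == "tun/tap")
    ppps = sorted(i for i, k in ifaces.items() if k == "ppp")

    # OpenVPN is an SSL/TLS VPN and always terminates on a tun or tap device.
    if "openvpn" in procs:
        found.append("SSL VPN (OpenVPN)" + _on(tuns))

    # IPsec shows up as kernel SAs and/or an IKE daemon; with xl2tpd on top
    # it is the L2TP/IPsec combination, and the payload rides a ppp interface.
    if ipsec_sa_count > 0 or procs & IKE_DAEMONS:
        found.append("L2TP/IPsec" + _on(ppps) if "xl2tpd" in procs else "IPsec")

    # The pptp helper drives pppd over GRE. pppd alone is ambiguous (L2TP and
    # SSTP use it too), so only the helper itself counts as evidence.
    if "pptp" in procs:
        found.append("PPTP" + _on(ppps))

    if "sstpc" in procs:
        found.append("SSTP (MS-SSTP)" + _on(ppps))

    if not found and ifaces:
        found.append("unidentified tunnel: "
                     + ", ".join(f"{i} ({k})" for i, k in sorted(ifaces.items())))
    return found


def running_process_names() -> List[str]:
    """Process names from /proc/<pid>/comm (kernel truncates them to 15 chars)."""
    names: List[str] = []
    for pid in os.listdir("/proc"):
        if pid.isdigit():
            try:
                with open(f"/proc/{pid}/comm") as f:
                    names.append(f.read().strip())
            except OSError:
                continue  # process exited between listdir and open
    return names


def tunnel_interfaces() -> Dict[str, str]:
    """Interfaces whose ARPHRD type marks them as a tunnel endpoint."""
    ifaces: Dict[str, str] = {}
    for name in os.listdir("/sys/class/net"):
        try:
            with open(f"/sys/class/net/{name}/type") as f:
                kind = TUNNEL_TYPES.get(int(f.read().strip()))
        except (OSError, ValueError):
            continue
        if kind:
            ifaces[name] = kind
    return ifaces


def ipsec_sa_count() -> int:
    """Count IPsec SAs; `ip xfrm state` prints one 'src ... dst ...' line per SA."""
    try:
        out = subprocess.run(["ip", "xfrm", "state"], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return 0  # iproute2 not installed
    return sum(1 for line in out.splitlines() if line.startswith("src "))


def collect_live() -> List[str]:
    return classify(running_process_names(), tunnel_interfaces(), ipsec_sa_count())


if __name__ == "__main__":
    print("\n".join(collect_live()) or "no VPN session detected")
```

Reading `ip xfrm state` needs root on most distributions, so run the script with sudo when checking for IPsec; the process and sysfs checks work unprivileged. For the session in the thread the output would be "SSL VPN (OpenVPN) on tun0", which is the same answer Lew gave from the banner.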

BTW, if you go to the page where I get my configuration files, you'll notice a *confusing* set of checkboxes.

formatting link

  1. SoftEther VPN (SSL-VPN)
  2. L2TP/IPsec
  3. OpenVPN
  4. MS-SSTP

Notice that they intimate that #1 is (somehow?) different than #3; but from what you just told me, #1 and #3 are the same thing.

So that's confusing.

Also, if you click on the "SSL-VPN Connect guide" link at that page:

formatting link

There is not a single mention of "openvpn" anywhere in that entire setup. Even Linux isn't mentioned, anywhere (as if it only works with Windows?).

formatting link

So, the main page where I get my ovpn files confusingly seems to make a distinction between SSL-VPN and OpenVPN when, apparently, there is none.

Reply to
Mark Bannon

BTW, to show you how *confusing* most VPN tutorials are, look here: SSL - VPN Tutorial

formatting link

This was a link I had posted in my OP, where you'll notice this confusing sentence verbatim: "So looking at it from an administrator point of view, VPN SSL is all done via a web browser, and is extremely simple to use."

A few times that SSL VPN tutorial kept saying that SSL VPN is *only* done via a web browser. Since I'm clearly using "openvpn" and not a web browser, that made no sense when I had read it.

Clearly it's wrong; but I only know that once I know that I'm using SSL VPN *without* a web browser.

That same article repeats the error when it tries to explain the difference between IPSec and SSL VPNs , when it says verbatim: "SSL VPN is accessed via a web portal front end after a secure https connection has been established between the client and server. From here a user can access the configured enterprise applications. IPSec VPN connectivity happens via the configured client software"

So, it just goes to show you that the VPN web pages suck, and, particularly, the SSL VPN web pages really suck (because I had searched for SSL VPN tutorials, where that was the *best* I could find!).

Reply to
Mark Bannon

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.