Re: How do you tell what kind of VPN when you're in a VPN session?

On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

Here is a log file of what happens when I download an arbitrary VPN
config file from vpngate.net and then I run that file using this:
 $ sudo openvpn --config that-file.ovpn &

$ sudo openvpn --config vpngate_173.86.200.98_udp_1824.ovpn
Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Sun Dec 13 09:22:52 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sun Dec 13 09:22:52 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Dec 13 09:22:52 2015 UDPv4 link local: [undef]
Sun Dec 13 09:22:52 2015 UDPv4 link remote: [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:54 2015 TLS: Initial packet from [AF_INET]173.86.200.98:1824, sid=5985833f 6e69b192
Sun Dec 13 09:22:54 2015 VERIFY OK: depth=0, CN=mxn5ktyvv05mro5.com, O=7cr4ijelgra ktzbwmo8z2, C=US
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 13 09:22:55 2015 [mxn5ktyvv05mro5.com] Peer Connection Initiated with [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:57 2015 SENT CONTROL [mxn5ktyvv05mro5.com]: 'PUSH_REQUEST' (status=1)
Sun Dec 13 09:22:58 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.29 10.211.1.30,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.30,redirect-gateway def1'
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: route options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: route-related options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec 13 09:22:58 2015 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=00:d0:b9:f3:a1:45
Sun Dec 13 09:22:58 2015 TUN/TAP device tun0 opened
Sun Dec 13 09:22:58 2015 TUN/TAP TX queue length set to 100
Sun Dec 13 09:22:58 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 13 09:22:58 2015 /sbin/ip link set dev tun0 up mtu 1500
Sun Dec 13 09:22:58 2015 /sbin/ip addr add dev tun0 local 10.211.1.29 peer 10.211.1.30
Sun Dec 13 09:22:58 2015 /sbin/ip route add 173.86.200.98/32 via 192.168.1.1
Sun Dec 13 09:22:58 2015 /sbin/ip route add 0.0.0.0/1 via 10.211.1.30
Sun Dec 13 09:22:58 2015 /sbin/ip route add 128.0.0.0/1 via 10.211.1.30
Sun Dec 13 09:22:58 2015 Initialization Sequence Completed


Re: How do you tell what kind of VPN when you're in a VPN session?
On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

Here is the config file that I downloaded from vpngate.net that gave
that log file above. I've stripped out the actual encryption keys
because my news server thinks they're binary data which it blocks.

###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#  
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#  
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#  
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine the necessity to modify to suitable for your real environment.
# If necessary, you have to modify a little adequately on the file.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
#  
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer the below descriptions carefully.


###############################################################################
# Specify the type of the layer of the VPN connection.
#  
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
#  specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
#  specify 'dev tap'. (Layer-2 Ethernet Bridgine Mode)

dev tun


###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must be correspond with the listening setting on
# the VPN Server.
#  
# Specify either 'proto tcp' or 'proto udp'.

proto udp


###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#  
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#  
# Note that the auto-generated below hostname are a "auto-detected
# IP address" of the VPN Server. You have to confirm the correctness
# beforehand.
#  
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#  
# When you use UDP protocol, the port number must same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

remote 173.86.200.98 1824


###############################################################################
# The HTTP/HTTPS proxy setting.
#  
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]


###############################################################################
# The encryption and authentication algorithm.
#  
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#  
# The supported algorithms are as follows:
#  cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
#          CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
#          RC2-40-CBC RC2-64-CBC RC2-CBC
#  auth:   SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1


###############################################################################
# Other parameters necessary to connect to the VPN Server.
#  
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass


###############################################################################
# The certificate file of the destination VPN Server.
#  
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.

<ca>
-----BEGIN CERTIFICATE-----
MIIDKT ... stuff removed ...ja/w/ZQ1
-----END CERTIFICATE-----

</ca>


###############################################################################
# The client certificate file (dummy).
#  
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

<cert>
-----BEGIN CERTIFICATE-----
MIICxjC ... stuff removed ...  snplQ7HJpsk
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEp ... stuff removed ... IuGxIF50Vg==
-----END RSA PRIVATE KEY-----

</key>


Re: How do you tell what kind of VPN when you're in a VPN session?
On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

Here's what I can make out from the config and log files, but, I would  
like to know if there is a command which will just tell me what kind of  
VPN it is that I'm running, once I start a VPN session.

1. The config file is designed for a PacketiX VPN / SoftEther VPN Server  
2. But I'm using it with openvpn (which seems to be working)
3. The cipher is "AES-128-CBC" & the auth is "SHA1" (whatever that tells me)
4. The cipher 'AES-128-CBC' was initialized with a 128 bit key (whatever that tells me)
5. The auth encryption used a 160 bit hash 'SHA1' for HMAC (whatever that tells me)
6. TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA (whatever that means)

I think this last information tells me I'm using an SSL VPN.
Is that correct?

Given the information above, what kind of VPN am I connected to?
1. Point-to-Point Tunneling Protocol (PPTP)?
2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec?
3. SSL VPN (Secure Socket Layer)?   <--- I think it's this, but I'm not sure.
4. SOCKS?


Re: How do you tell what kind of VPN when you're in a VPN session?
On Sunday December 13 2015 19:01, in alt.os.linux, "Mark Bannon"


You are running openvpn, which is an SSL VPN, and only an SSL VPN.

From https://openvpn.net/index.php/open-source/339-why-ssl-vpn.html
  "There are three major families of VPN implementations in wide usage today:
  SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible
  with IPSec, L2TP, or PPTP."

But, it's even evident in your logs (posted separately):

Note the last bit of info on the second line: "[SSL (OpenSSL)]"

--  
Lew Pitcher
"In Skills, We Trust"
PGP public key available upon request


Re: How do you tell what kind of VPN when you're in a VPN session?
On Sun, 13 Dec 2015 20:15:40 -0500, Lew Pitcher wrote:

BTW, if you go to the page where I get my configuration files,  
you'll notice a *confusing* set of checkboxes.
http://www.vpngate.net/en/
1. SoftEther VPN (SSL-VPN)
2. L2TP/IPsec  
3. OpenVPN
4. MS-SSTP

Notice that they intimate that #1 is (somehow?) different than #3;  
but from what you just told me, #1 and #3 are the same thing.

So that's confusing.  

Also, if you click on the "SSL-VPN Connect guide" link at that page:
http://www.vpngate.net/en/howto_softether.aspx

There is not a single mention of "openvpn" anywhere in that entire
setup. Even Linux isn't mentioned, anywhere (as if it only works
with Windows?).
http://www.vpngate.net/en/howto.aspx

So, the main page where I get my ovpn files confusingly seems to  
make a distinction between SSL-VPN and OpenVPN when, apparently,  
there is none.


Re: How do you tell what kind of VPN when you're in a VPN session?
On Sun, 13 Dec 2015 20:15:40 -0500, Lew Pitcher wrote:

BTW, to show you how *confusing* most VPN tutorials are, look here:
 SSL - VPN Tutorial
 http://www.internet-computer-security.com/VPN-Guide/SSL-VPN.html

This was a link I had posted in my OP, where you'll notice this
confusing sentence verbatim:
 "So looking at it from an administrator point of view, VPN SSL is  
  all done via a web browser, and is extremely simple to use."

A few times that SSL VPN tutorial kept saying that SSL VPN is *only*
done via a web browser. Since I'm clearly using "openvpn" and not
a web browser, that made no sense when I had read it.

Clearly it's wrong; but I only know that once I know that I'm  
using SSL VPN *without* a web browser.

That same article repeats the error when it tries to explain the  
difference between IPSec and SSL VPNs, when it says verbatim:
 "SSL VPN is accessed via a web portal front end after a secure  
  https connection has been established between the client and  
  server. From here a user can access the configured enterprise  
  applications. IPSec VPN connectivity happens via the configured  
  client software"

So, it just goes to show you that the VPN web pages suck, and,  
particularly, the SSL VPN web pages really suck (because I had
searched for SSL VPN tutorials, where that was the *best* I  
could find!).

