Hi,

I'm using UDP to connect to the VPN. So, I think that your 2nd point is right, 
that the "great firewall" tried to gather information.
Due to the fact that all of these unknown IPs are from the middle of China, I think 
there is a correlation between my connection and the connection attempts. And: 
since I have been back from China there have been no further connection attempts...

Michael

----- Original Message -----
From: "Jason Haar" <jason_h...@trimble.com>
Sent: 24.10.2014 01:51
To: "openvpn-users@lists.sourceforge.net" <openvpn-users@lists.sourceforge.net>
Subject: Re: [Openvpn-users] OpenVPN in China

On 24/10/14 08:54, Michael Deynet wrote:

Hello,
last week I had a trip to China and I used OpenVPN. OpenVPN worked well, but 
looking into the server logs I'm a little bit confused.
After the VPN connection was established from the hotel IP (116.6.x.yy), another 
IP tried to connect to the VPN, too (every time I used the VPN, not only once). Can 
anyone tell me what exactly happened? Is there a security problem with the VPN 
server?


Looks to me like something is trying to check out the servers that hotel's 
customers connect to. I can't tell if this is UDP or TCP or even the port, but 
if you were running openvpn on tcp port 443, this could be an SSL intercept 
proxy trying to get your HTTPS public key so it can do man-in-the-middle 
against your "HTTPS" connections.

Obviously that wouldn't work. As long as you've got tls-auth in use, I think 
you're good to go :-) 

SSL intercept I could understand as almost "normal" behaviour these days (ie 
ignorable). However, if your clients use UDP, this would smell like a pretty 
serious effort to gather information about what that hotel's customers connect 
to (or you in particular...). The complete non-relationship between the two IPs 
also means it could be the Great Firewall of China is doing this - it doesn't 
necessarily have anything to do with the hotel. Certainly interesting :-)

PS: of course it could also be a coincidence. Our openvpn routers get hit by 
bots all the time - precisely because we have it running on the HTTPS port. So a 
bit of luck in the timing could end with logs implying a correlation between a 
client connect and a bot that really doesn't exist.


-- 
Cheers

Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
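
One way to test the correlation-versus-coincidence question raised in this thread against a server log (an added example, not part of the original messages). It assumes the classic OpenVPN 2.x log layout with tls-auth enabled, so unauthenticated packets are logged as HMAC failures; the log lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; addresses come from RFC 5737 documentation ranges,
# not from the thread.
SAMPLE_LOG = """\
Mon Oct 20 03:10:00 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.50:40000
Mon Oct 20 09:00:00 2014 198.51.100.7:51000 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:51000
Mon Oct 20 09:00:40 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.9:33211
Mon Oct 20 21:30:00 2014 198.51.100.7:51002 [client1] Peer Connection Initiated with [AF_INET]198.51.100.7:51002
Mon Oct 20 21:31:10 2014 TLS Error: cannot locate HMAC in incoming packet from [AF_INET]203.0.113.77:1025
"""

TS = r"(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})"
CONNECT = re.compile(TS + r" .*Peer Connection Initiated with \[AF_INET\]([\d.]+):\d+")
PROBE = re.compile(TS + r" .*TLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]([\d.]+):\d+")

def parse(log):
    """Return (connects, probes), each a list of (timestamp, source ip)."""
    connects, probes = [], []
    for line in log.splitlines():
        for rx, out in ((CONNECT, connects), (PROBE, probes)):
            m = rx.match(line)
            if m:
                ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
                out.append((ts, m.group(2)))
    return connects, probes

def correlate(log, window=timedelta(seconds=120)):
    """Count authenticated connects that are followed, within `window`, by an
    unauthenticated packet from a different address, and count the probes that
    fall outside every window (the background bot noise)."""
    connects, probes = parse(log)
    client_ips = {ip for _, ip in connects}
    probes = [(t, ip) for t, ip in probes if ip not in client_ips]
    followed, in_window = [], set()
    for ct, cip in connects:
        hits = [(t, ip) for t, ip in probes if ct <= t <= ct + window]
        in_window.update(hits)
        if hits:
            followed.append((cip, hits[0][1]))
    return {"connects": len(connects), "followed": followed,
            "background_probes": len(probes) - len(in_window)}
```

If nearly every connect is followed by a probe while background probes are rare, coincidence becomes a weak explanation; a high background count points the other way.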