0

I'm currently in China and my VPN connection (the server is not mine, by the way. I'm using a paid service) seems to be interfered with. Usually from within China I could connect to my VPN and I was good to go. This time, however, my connections are still being blocked or interfered with in some manner. I want to try to troubleshoot this.

I have tried connecting to a PPTP type VPN and OpenVPN and both end up with blocked connections. I have also tried tunneling traffic via SSH and this is blocked as well.

Thinking it might be a DNS issue I have tried using DNS servers from Google's to OpenDNS's to Earthlink's (thinking this last might be more "obscure"). I have tried flushing my DNS cache periodically as part of trying all of these things. Still cannot connect to certain sites.

When I ping a site that is not blocked from within China (I'll use serverfault.com for example) I see a normal response. When I run traceroute I also see an expected path. For example:

```
traceroute to serverfault.com (64.34.119.12), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  1.715 ms  0.735 ms  0.649 ms
 2  218.108.255.120 (218.108.255.120)  1.838 ms  1.601 ms  1.844 ms
 ... more China servers... then on to the US. No problems.
```

When I connect my VPN I see:

```
traceroute to serverfault.com (64.34.119.12), 64 hops max, 52 byte packets
 1  192.168.111.100 (192.168.111.100)  236.321 ms  237.770 ms  235.804 ms
 2  * * *
 3  * * *
... and we never get there.
```

The one thing that stands out to me is that without the VPN my first hop is to 192.168.1.1 (which is indeed the default address for the router... which I do not have the password to, by the way) but using the VPN it is now going to 192.168.1.100. Why would that be? Could this be part of my problem?

What do you think? What can I do to troubleshoot this?

As a side note if anyone is interested in any data generated from within China (traceroutes, pings, or anything else I can generate) just let me know and I'll ping, dig, trace, track, whatever you like.

Lothar_Grimpsenbacher

2 Answers

1

If you are using OpenVPN, you can try setting it up in these ways:

1) You can try to use UDP instead of TCP. UDP cannot be broken as simply as TCP (by RST or FIN packets). You can do this via the directive:

```
proto udp
```

(in both config files, for the server and for the client too)

2) You can use your own DNS servers, which you can send via DHCP options from the OpenVPN server. Please try this directive:

```
push "dhcp-option DNS IP.of.your.DNS.server(s)"
```

(in the server's config file)

3) You can try redirecting your default gateway for "normal" traffic through the OpenVPN tunnel with this directive:

```
push "redirect-gateway"
```

(in the server's config file)

Jan Marek
  • The server is controlled by a VPN provider so I will not have access to this, unfortunately. – Lothar_Grimpsenbacher Jan 25 '12 at 12:52
  • When you have started the OpenVPN client, you can try to search for information about the 'push' options which the OpenVPN server gives to you. I think that 192.168.111.100 can be a new default gateway via the tunnel. You may eventually see reconnect attempts... Try to use `verb 5` or higher in the client config and try to find a log file with the client's messages. On Windows the client sends messages to the opened window; on Linux you can search in the `/var/log/` directory, or you can have a log file set in the client's config file. – Jan Marek Jan 25 '12 at 13:41
0

Generally the method used to cut VPN traffic is to forge a FIN or RST packet as coming from the server and asking the connection to be closed.
tcpdump or Wireshark will help you find those, just compare a capture on the host and another on the client.

Shadok
  • I have Wireshark installed but do not know how to capture anything other than the traffic going to and from my machine. How would I capture from a host (assuming I am the client)? – Lothar_Grimpsenbacher Jan 25 '12 at 12:51
  • You can't unless you have root on that server, you may want to specify in your question that the VPN server is not yours. – Shadok Jan 25 '12 at 14:03
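The capture comparison described in the answer above, as an added example that is not part of the original thread: it takes one text capture from each end and reports RST/FIN packets the client received "from" the server that the server never sent. It assumes both captures were taken with `tcpdump -nn -tt -S` (absolute sequence numbers); the addresses, ports and capture lines are constructed sample data.

```python
import re

# One TCP line of `tcpdump -nn -tt -S` text output.
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
    r"(?:, seq (?P<seq>\d+))?"
)

def teardown_packets(lines, sender_ip):
    """Yield (ts, sender_port, flag, seq) for each RST/FIN claiming to come from sender_ip."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["src"] != sender_ip or m["seq"] is None:
            continue
        for flag in "RF":
            if flag in m["flags"]:
                yield float(m["ts"]), int(m["sport"]), flag, int(m["seq"])

def forged_teardowns(client_capture, server_capture, server_ip):
    """RST/FIN packets seen by the client as coming from the server but absent on the server.

    Matching uses server port, flag and absolute sequence number only, because
    NAT may rewrite the client's address and port between the two capture points.
    """
    sent = {(p, f, s) for _, p, f, s in teardown_packets(server_capture, server_ip)}
    return [(ts, p, f, s) for ts, p, f, s in teardown_packets(client_capture, server_ip)
            if (p, f, s) not in sent]

# Constructed sample: capture on the client (behind NAT at 192.168.1.23).
CLIENT_CAPTURE = [
    "1327495000.000000 IP 192.168.1.23.51000 > 203.0.113.10.1194: Flags [S], seq 1000, win 65535, length 0",
    "1327495000.240000 IP 203.0.113.10.1194 > 192.168.1.23.51000: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
    "1327495001.100000 IP 203.0.113.10.1194 > 192.168.1.23.51000: Flags [R], seq 5001, win 0, length 0",
    "1327495009.500000 IP 203.0.113.10.1194 > 192.168.1.23.51000: Flags [F.], seq 7000, ack 1500, win 65535, length 0",
]
# Constructed sample: capture on the server, which sees the client's NAT address.
SERVER_CAPTURE = [
    "1327495000.120000 IP 198.51.100.7.40412 > 203.0.113.10.1194: Flags [S], seq 1000, win 65535, length 0",
    "1327495000.121000 IP 203.0.113.10.1194 > 198.51.100.7.40412: Flags [S.], seq 5000, ack 1001, win 65535, length 0",
    "1327495009.260000 IP 203.0.113.10.1194 > 198.51.100.7.40412: Flags [F.], seq 7000, ack 1500, win 65535, length 0",
]

if __name__ == "__main__":
    for ts, port, flag, seq in forged_teardowns(CLIENT_CAPTURE, SERVER_CAPTURE, "203.0.113.10"):
        print(f"{ts:.6f} port {port} flag {flag} seq {seq}: not sent by the server")
```

As the last comment notes, the server-side capture requires root on the VPN server, so this check is only available to whoever operates it.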