
Auditing the VPNs (2016)

James F. Carter <jimc@math.ucla.edu>, 2016-11-04

It's time once again to make sure the VPNs are working. This is a log of what I did, but organized (I hope) so it can be re-played for the next audit.

Machines and Software Versions

Selen (cellphone):

Mica (tablet):

Xena (laptop):

Jacinth (server):

Diamond (another server):

Test Procedure

The first step will be to verify that all hosts have the needed certificates. The ones for this year are:

Firefox functioning is not strictly a VPN issue, but Firefox is often used over the VPN, it's an annoyance when Firefox messes up, and for efficient troubleshooting I don't want the VPN to be blamed for a Firefox screwup. Firefox on Android does not use the host's trust store (called the Android Keychain); certs must be loaded into its own collection separately; see the appendix for the very user-unfriendly procedure on Android.

Certificates in Trust Store

On Android the host trust store is called the Android Keychain. All of these tests are done via the internal WiFi network.

Selen Mica Xena Description
S.OK M.OK X.OK Can Firefox use the CFT root cert when doing HTTPS to an internal host whose cert is signed by that CA? Test by https://diamond.cft.ca.us/~certauth/
S.OK M.OK X.OK Can Firefox present Jimc's user certificate? Test by https://jfcarter.net:1446/roundcube/
S.OK M.OK X.OK Does the host trust store have the CFT root CA certificate? On Xena, test by
openssl s_client -connect diamond.cft.ca.us:443 -CApath /etc/ssl/certs < /dev/null >& $j/errs
On Android, use the Hurricane Electric app (SSL checker).
-- -- X.OK Can OpenSSL present Jimc's user cert (Xena only)?
openssl s_client -connect jacinth.jfcarter.net:1446 -CApath /etc/ssl/certs -cert ~jimc/certs/u-jimc-cft-R2016.usr -key ~jimc/certs/u-jimc-cft-R2016.key |& tee $j/errs
Hurricane Electric app can't present the user cert.
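The trust-store rows above are judged by reading the openssl s_client transcript by eye. As an added example (not jimc's script, and not part of the original page), the following reduces that transcript to the table's outcome so the check can be replayed mechanically, and it also recognises the failure mode of the "defective keys" appendix, where the server answers a bad user cert with a fatal TLS alert. The three transcripts are constructed samples, not captured from the page's hosts; the -servername flag in the usage comment is an assumption (older s_client versions send no SNI unless told to).

```shell
#!/bin/sh
# Added example for the trust-store rows; not jimc's script.
# classify_s_client() reads the transcript that "openssl s_client" prints
# and reduces it to the audit table's outcome.  Sample transcripts below
# are constructed, not captured output.
#
# Real use (paths and hostname as on the page, -servername assumed):
#   openssl s_client -connect diamond.cft.ca.us:443 -servername diamond.cft.ca.us \
#       -CApath /etc/ssl/certs </dev/null 2>&1 | classify_s_client

# Prints FAIL / exit 2 when no TLS session was established at all (TCP
# refused, or a fatal alert, which is what a missing or defective client
# key produces); UNTRUST / exit 1 when the handshake completed but the
# chain did not verify against the trust store; OK / exit 0 only for
# "Verify return code: 0".  The alert check comes first because s_client
# still prints a verify code after a post-handshake alert.
classify_s_client() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q \
        -e 'connect:errno' \
        -e 'alert handshake failure' \
        -e 'alert bad certificate' \
        -e 'alert unknown ca' \
        -e 'alert certificate unknown'; then
        printf 'FAIL (no usable TLS session)\n'
        return 2
    fi
    code=$(printf '%s\n' "$transcript" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\)).*/\1/p' | tail -n 1)
    reason=$(printf '%s\n' "$transcript" \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\) (\(.*\)).*/\2/p' | tail -n 1)
    if [ -z "$code" ]; then
        printf 'FAIL (no verify result in transcript)\n'
        return 2
    fi
    if [ "$code" -eq 0 ]; then
        printf 'OK\n'
        return 0
    fi
    printf 'UNTRUST (%s: %s)\n' "$code" "$reason"
    return 1
}

# True when the server asked for a client certificate (the port-1446
# roundcube case): a FAIL with this true points at the user cert/key,
# not at the trust store.
client_cert_requested() {
    grep -q '^Acceptable client certificate CA names'
}

sample_ok() {           # constructed: chain verified, no client cert wanted
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = CFT Root CA
verify return:1
depth=0 CN = diamond.cft.ca.us
verify return:1
---
No client certificate CA names sent
---
    Verify return code: 0 (ok)
---
EOF
}

sample_untrusted() {    # constructed: CA not in trust store, client cert wanted
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = CFT Root CA
verify error:num=19:self signed certificate in certificate chain
---
Acceptable client certificate CA names
/CN=CFT Root CA
---
    Verify return code: 19 (self signed certificate in certificate chain)
---
EOF
}

sample_rejected() {     # constructed: server rejected the offered client cert
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = jacinth.jfcarter.net
verify return:1
140123456789:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
---
    Verify return code: 0 (ok)
---
EOF
}

for s in sample_ok sample_untrusted sample_rejected; do
    printf '%-17s -> ' "$s"
    $s | classify_s_client || :
done
```

An OK here only says the server chain verified against the trust store; whether the user cert was accepted is an application-layer question, which is why the table's port-1446 check is done with Firefox fetching the roundcube page. On Android, where there is no s_client, the page's substitute is the Hurricane Electric SSL checker.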

Testing OpenVPN

Jacinth has two OpenVPN services: the normal port 1194/udp, and also 443/tcp. Hotel WiFi services often block all ports except HTTP (80/tcp) and HTTPS (443/tcp), and some countries block VPN ports at the national level. By stealing 443/tcp I work around stupidity and/or hostility. Beware, if a national security service takes an interest in a connection on 443/tcp, they may notice that packet timings and sizes are not typical of HTTPS, and that the peer in the civilized world is not a webserver.

IPv6 has multiple issues and so I seriously tested only IPv4 over the VPNs. This is signified by an outcome of OK4. The servers are supposed to accept transport streams on IPv6, but making clients use IPv6 from the wild side is another story: IPv6 transport streams were not tested.

In the initial round of testing, DNS name resolution on Android was a mess, probably because the DNS Forwarder app was fixated on the internal or the external DNS server and hostnames in the opposite realm could not be resolved. However, after a reboot and with the DNS Forwarder app unused, OpenVPN could use the carrier's DNS servers to resolve the VPN server's address, and could then use the DNS server sent out by the VPN server; apps could resolve hostnames both on the wild side and on the internal net. IPSec was another story; see below.

Selen Mica Xena Description
S.OK M.OK X.OK Can OpenVPN on port 1194 connect from the wild side?
S.OK M.OK X.OK Does DNS resolve names, specifically diamond.cft.ca.us? Internal and external names are resolved and connected to, showing that Jacinth is being used as the DNS server, pushed by the server. But the Hurricane Electric DNS tester can't get records for the same names, hiss, boo! This is on Selen; I think it worked OK on Mica.
S.OK4 M.OK4 X.OK4 Can the client ping diamond.cft.ca.us? The packet loss rate varies, sometimes 0% but sometimes near 100%, but all internal hosts can be pinged (IPv4).
S.OK4 M.fail4 X.OK4 Can diamond ping the client? I can't tell why you couldn't ping4 Mica when you could connect by SSH4. Over-paranoia on KitKat? This happens on both 1194 and 443 and IPSec.
S.OK4 M.OK4 X.OK4 Can the client connect with SSH to diamond?
S.OK4 M.OK4 X.OK4 Can diamond connect with SSH to the client?
S.OK M.OK X.OK Can OpenVPN on port 443 connect from the wild side?
S.OK4 M.OK4 X.OK4 Repeated the above functional tests on OpenVPN port 443 with the same outcomes. IPv4 only. Jacinth one time could ping 2001:470:1f05:844::3:1000 which is the IPv6 address assigned to Mica by OpenVPN-443. Not to Selen.

IPv6 outcomes: The Android clients do not send any packets even though the client and server configurations have IPv6 turned on. After an initial fixup, Diamond's ICMP6 ping packets are sent down the tunnel on Jacinth but there is no reply. TCP activities (TLS tester and SSH) similarly don't connect and time out. On Xena, the OpenVPN plugin for NetworkManager is incapable of specifying an IPv6 configuration to the daemon.
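The ping rows in the OpenVPN table (and the matching rows in the StrongSwan table) record OK4 even when the loss rate is near 100%, which hides a marginal tunnel. As an added example, not jimc's script and not part of the original page, this turns a ping transcript into the page's OK4/fail4 notation while keeping the loss rate visible; run from the client it fills the "client pings diamond" cell, run on Diamond it fills the "diamond pings the client" cell. The transcripts are constructed (TEST-NET addresses), and the ping flags assume iputils ping on Linux.

```shell
#!/bin/sh
# Added example for the ping rows; not jimc's script.  ping_outcome()
# maps a ping transcript to OK4 / fail4 as the audit tables do (reachable
# if at least one echo reply came back) but prints the loss rate too.
# Sample transcripts are constructed; ping flags are an assumption.

# Reads ping output on stdin.  Prints "OK4 (loss N%)" and returns 0, or
# prints "fail4" and returns 1 when no reply arrived or ping never reached
# a summary line (unknown host, no route, tool missing).  Handles both the
# Linux "4 received" and the BSD "4 packets received" summary wording.
ping_outcome() {
    summary=$(grep 'packets transmitted' | tail -n 1)
    received=$(printf '%s\n' "$summary" \
        | sed -n 's/.*transmitted, \([0-9][0-9]*\) \(packets \)\{0,1\}received.*/\1/p')
    loss=$(printf '%s\n' "$summary" \
        | sed -n 's/.*, \([0-9][0-9.]*\)% packet loss.*/\1/p')
    if [ -z "$received" ] || [ "$received" -eq 0 ]; then
        printf 'fail4\n'
        return 1
    fi
    printf 'OK4 (loss %s%%)\n' "${loss:-?}"
    return 0
}

# One table cell: CLIENT is the column letter (S, M or X), HOST the target.
# 4 requests with a 2 s reply timeout each, so a dead tunnel costs about
# 8 s instead of hanging the audit.
audit_cell() {
    client=$1; host=$2
    result=$(ping -c 4 -W 2 "$host" 2>&1 | ping_outcome)
    printf '%s.%s  %s\n' "$client" "$result" "$host"
}

sample_ping_clean() {   # constructed, Linux iputils wording
    cat <<'EOF'
PING diamond.cft.ca.us (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=41.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=63 time=39.8 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=63 time=40.5 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=63 time=42.0 ms

--- diamond.cft.ca.us ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
EOF
}

sample_ping_lossy() {   # constructed: the "sometimes near 100%" case
    cat <<'EOF'
PING diamond.cft.ca.us (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=3 ttl=63 time=311 ms

--- diamond.cft.ca.us ping statistics ---
4 packets transmitted, 1 received, 75% packet loss, time 3052ms
EOF
}

sample_ping_dead() {    # constructed: tunnel up, nothing answers (Mica's fail4)
    cat <<'EOF'
PING 192.0.2.20 (192.0.2.20) 56(84) bytes of data.

--- 192.0.2.20 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3083ms
EOF
}

sample_ping_bsd() {     # constructed, BSD-style summary wording
    cat <<'EOF'
PING diamond.cft.ca.us (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=63 time=40.1 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=40.3 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=63 time=40.0 ms

--- diamond.cft.ca.us ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
EOF
}

for s in sample_ping_clean sample_ping_lossy sample_ping_dead sample_ping_bsd; do
    printf '%-18s -> ' "$s"
    $s | ping_outcome || :
done

# Live cells against the page's hosts only when asked for explicitly.
if [ "${1:-}" = "--run" ]; then
    for h in diamond.cft.ca.us jacinth.jfcarter.net; do audit_cell X "$h"; done
fi
```

Running this with --run on Xena over each VPN gives the X column of the ping row; the same invocation on Diamond, pointed at the client's tunnel address, gives the reverse-direction row, and a client that answers SSH but shows fail4 here (Mica's case on every VPN) is then clearly an ICMP filtering question rather than a routing one.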

Testing StrongSwan

Selen Mica Xena Description
S.?? M.OK X.OK Can StrongSwan connect from the wild side? On Selen: Adr lookup failed (for jfcarter.net). Turned on DNS forwarder to 8.8.4.4 (Google). Selen: Gateway unreachable (IKE[500] chattered, sends IKE_AUTH packet, peer does not respond, Jacinth does not log receipt of auth packet.) Selen connects over WiFi (??), switch to 4G, still works. I edited and saved the conf; now it can connect! Possibly a database schema issue after the upgrade to Lollipop and StrongSwan-1.5.0.
S.OK M.OK X.OK Does DNS resolve names, specifically diamond.cft.ca.us? OK with a grain of salt. Initially only IP addresses can be used; it is still using the Verizon Wireless DNS servers, but the queries go down the tunnel and come out on Jacinth's wild side, and the VZW servers ignore non-VZW clients. If you turn on DNS Forwarder to Jacinth, then it works. However, the Hurricane Electric DNS tester can get records when nobody else can resolve names.
S.OK4 M.OK4 X.OK4 Can the client ping diamond.cft.ca.us?
S.OK4 M.fail4 X.OK4 Can diamond ping the client? Mica doesn't answer ping4 on any of the VPNs.
S.OK4 M.OK4 X.OK4 Can the client connect with SSH to diamond?
S.OK4 M.OK4 X.OK4 Can diamond connect with SSH to the client?

IPv6 outcomes: When Selen pings Diamond, packets leave Selen, Diamond answers, routed to Jacinth, but the app on Selen does not get the packets. On Mica the packets are not transmitted. When Diamond pings Selen, the replies are produced but sometimes are delayed as long as 7 seconds; the delay varies from one try to the next and sometimes can be normal. When Diamond does SSH to Selen it gets connection refused: Selen's SSH server lacks IPv6 but transport happened.

Mica and Xena had no IPv6 transport at all. There is a vague forum posting alleging that IPv6 dual stack is broken on Android-4.4 KitKat (on Mica). On Xena the issue appears to be that it needs the default next hop router to be SelenAP (this is what's done for IPv4), and SelenAP does not offer IPv6 transport, nor does it announce its nonexistent IPv6 address that could be put in the routing table. The same issue would preclude IPv6 on Mica.

For StrongSwan on Android, the server has the leftdns keyword and should make the DNS server addresses available, but the client has to request them by rightdns=%config4 and/or %config6. The client app likely is not doing this. The symptom is that public hostnames can be resolved but not internal hosts. You need to use the DNS Forwarder app to set the DNS server by hand to Jacinth.

Needs Improvement

These items got improved successfully:

Items that aren't going to improve:

Appendices

How to Install a User Certificate in the Android Keychain

This works almost the same on Selen/Lollipop and Mica/KitKat.

Don't mess with opening the PKCS#12 file in the Download app or with ES File Explorer; the Certificate Installer app will maunder: Couldn't install because the cert file couldn't be read. Message is bogus; ES File Explorer can compute the checksum; likely the problem is writing on the cert storage.

How to Install a User Certificate in Firefox for Android

See jimc's writeup on this topic. Do this in Firefox:

OpenVPN App for Android

On Selen (Lollipop), OpenVPN Settings by Friedrich Shauffelhut had trouble connecting. It did get SU permission from SuperSU, but there were no error messages in the log file. So I'm trying a different client. Which one?

Using OpenVPN on Android Lollipop by Francois Marier (about 2015-04-05): He's using OpenVPN for Android (de.blinkt.openvpn) and it works for him. He doesn't say if the key is encrypted. Jeremy says, IPv6 dual stack works on Android-5.0; it's broken on 4.4. Georg Sauthoff uses OpenVPN Connect (net.openvpn.openvpn) (on Android-5) and prefers it. His key is unencrypted.

From the product hype on Play Store for OpenVPN Connect:

More points about OpenVPN Connect (by jimc):

How to use OpenVPN Connect:

Testing s_client With Various Defective Keys

When the connection fails,

These error messages are seen for the tested defects:

Android's Native VPN Client

In Lollipop (on Selen), Android has a built-in VPN client. (I didn't try this on KitKat (Mica).) I probably could have gotten it to work if I had changed the server's IPSec configuration, but I didn't want to go that far. Here's the procedure to set up a connection:

Tidbit: http://www.entropykey.co.uk/ sells a USB random number generator, GBP £36 on their store, not available on Amazon (US or UK).

Tidbit: 7 Security Measures to Protect Your Servers by Justin Ellingwood (2015-03-05). This tutorial, with a very cute title graphic, has a basic user-level or boss-level explanation of these security tactics: