Testing Encryption on VPN, and UDP vs TCP

Discussion in 'privacy problems' started by The Oracle, Dec 21, 2011.

Thread Status:
Not open for further replies.
  1. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    Is there an easy way to test if your VPN connection is truly using encryption? Someone in an older thread mentioned Wireshark, but when I use it, most of it is Spanish to me. I am not looking to totally understand it as much as find an easy way of pushing button A, and it telling me, "Yes or NO, it is encrypted..." None of the things this other user said to look for in Wireshark to test this matched what I was looking at, one of which is TCP.

    That leads me into understanding encryption on UDP. The current VPN I am using, "only" uses UDP for "all" their servers. It is UDPv4 on all their servers. From my limited knowledge, I understand that UDP isn't as safe as TCP for several reasons. Should this be a concern that all the servers are UDP then? Can UDP be truly 128 bit encrypted like TCP can? Is there anything I should be looking at further here?

    Hope what I am saying makes sense...I am just trying to figure it all out as I go.

    Thanks
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    The simple answer is that you either trust OpenVPN developers, or you don't. If you trust them, then you're comfortable when the VPN connection works. That is, you trust that they've created something that either works properly, or doesn't work at all. If you don't trust them, then you use something else, such as IPSec.

    I'm not aware of security differences in using TCP versus UDP for OpenVPN. Maybe you're thinking of Tor's inability to natively handle UDP (in particular, DNS lookups) over TCP. For OpenVPN, there's just a usability tradeoff. TCP over UDP is faster than TCP over TCP, but firewalls are more likely to block UDP than TCP.
     
  3. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    Well it's not the OpenVPN developers I don't trust, it's the VPNs. I thought I had been on encrypted servers all this time, only to find out this wasn't the case at all. Their cover site says they are using encryption, but hidden in the back of the site it says they had to release the encryption due to the high amount of torrents some time ago. So if they are selling one story, and saying something completely different buried in the site, I surely can't trust what they are selling me. So what I want to figure out is how I specifically verify whether the connection I am on is encrypted or not. Obviously nothing can be trusted, so enough with book covers is my thinking.

    As for TCP versus UDP "for" OpenVPN, maybe I don't understand the technology enough to make the connection yet. I didn't know TCP and UDP were different "for" OpenVPN versus everything else, from what you are saying. TCP and UDP mean the same thing to me, but again, I am on limited knowledge and trying to understand this. From what I understand, there is a drastic difference in security from TCP to UDP.

    I am just trying to understand the big picture is all ;)

    Back to this, "The simple answer is that you either trust OpenVPN developers, or you don't..."

    The simple answer is, "I don't trust anyone, and you shouldn't either" ;)
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    As a user, how do you know that TrueCrypt works? Or PGP? Or SSH? I count on there being people who do know how to tell, and who will brag about finding vulnerabilities.

    I use VPN services that are designed mainly for Windows, often with proprietary wrappers for OpenVPN with scripting. But I use them with plain OpenVPN in Linux or Unix. I have considerable experience with connections that don't work. So I look at connection logs, and mess around until they work. I've never seen routable VPN connections with broken encryption (as reported in connection logs). For example, here's the key renegotiation that occurs hourly:

    openvpn[25461]: TLS: tls_process: killed expiring key
    openvpn[25461]: TLS: soft reset sec=-1 bytes=1500842/0 pkts=4092/0
    openvpn[25461]: VERIFY OK: depth=1, /O=k/CN=k_CA/emailAddress=s@m
    openvpn[25461]: VERIFY OK: nsCertType=SERVER
    openvpn[25461]: VERIFY OK: depth=0, /O=k/CN=server/emailAddress=s@m
    openvpn[25461]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 256 bit key
    openvpn[25461]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    openvpn[25461]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 256 bit key
    openvpn[25461]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    openvpn[25461]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
     
  5. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    You could use Wireshark to test if your VPN is really encrypted. Really. Read here for some tips on doing this: https://ask.wireshark.org/questions/1324/vpn-connection

    You can also perform a test with Network Miner, which is a great tool. You can get it here: -http://www.netresec.com/?page=NetworkMiner

    If you are still using BolehVPN I can confirm the connection is indeed encrypted.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Can one tell how well a connection is encrypted? I gather that one can record traffic, and then replay it to test machines, which are running encryption breaking software. What's the learning curve like for that? How available is the software?
     
  7. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    As far as I know OpenVPN, when implemented correctly, cannot be brute forced because it is dependent on keys which the server has. If the keys were ever stolen from the server then the data could be decrypted. That's the only way though. If Perfect Forward Secrecy is enabled on the VPN, that makes it even more difficult for them to decrypt the traffic even if they have somehow stolen the encryption keys from the VPN's servers.

    On the other hand a PPTP VPN is VERY susceptible to a brute force attack. Just watch this video: -http://www.youtube.com/watch?v=IPPHJBp3bXU
    That's why anyone using a PPTP VPN should switch to OpenVPN.

    As for being able to capture traffic: lots of tools do it, and it's just a matter of clicking buttons and knowing what settings to set. Wireshark is one of these tools.
     
  8. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    OK...how come my connection log doesn't show anything about encryption? Why isn't it doing it hourly like yours also? There is only one instance of this in my connection log.

    Thu Dec 22 17:52:11 2011 SIGTERM[hard,] received, process exiting
    Thu Dec 22 17:57:16 2011 OpenVPN 2.2.1 Win32-MSVC++ [SSL] [LZO2] built on Jul 1 2011
    Thu Dec 22 17:57:16 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Thu Dec 22 17:57:18 2011 UDPv4 link local: [undef]
    Thu Dec 22 17:57:18 2011 UDPv4 link remote: XX.XX.XXX.XXX:XXX
    Thu Dec 22 17:57:18 2011 [server] Peer Connection Initiated with XX.XX.XXX.XXX:XXX
    Thu Dec 22 17:57:21 2011 TAP-WIN32 device [Local Area Connection 4] opened: \\.\Global\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.tap
    Thu Dec 22 17:57:21 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of XX.XX.XX.XX/xxx.xxx.xxx.xxx on interface {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} [DHCP-serv: xx.xx.xx.xx, lease-time: 31536000]
    Thu Dec 22 17:57:21 2011 Successful ARP Flush on interface [20] {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
     
  9. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    I could be wrong but I believe that this means that his VPN has Perfect Forward Privacy enabled and yours does not have this. This means your keys stay the same the entire time you're connected. Meaning if your VPN's servers were hacked or compromised in some fashion and keys stolen, your traffic could essentially be decrypted. In order to do that though, someone would have had to have been capturing your traffic.
     
  10. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    I tried using Wireshark following a thread's advice from this forum that I can't find now to show you. Everything that was suggested in that thread didn't correlate to what I was seeing. I am not where you guys are technically, so looking at Wireshark data is like looking at Chinese to me. I can't make heads or tails of it. Everything says "UDP" and that thread said look for "TCP". There was no TCP information inside Wireshark.

    I appreciate your honesty, but to be frank, "I" need to confirm this. I am getting a lot of mixed messages from what folks here are saying, what Boleh is saying, and what I am finding. Hopefully, it is all just a misunderstanding on "my part or lack of education," but I need to be sure for safety reasons.
     
  11. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    OK...but looking at my connection log, how come I don't see anything at all about encryption?

    When you talk about "keys" is there a difference between "server key" and "my key"? If someone was able to access my account on the server, and download "my" keys, could they then decrypt my data? Or do they specifically need a server key to do this?

    I have logged on to the site without being protected, and downloaded the keys on my own. Why wouldn't someone just be able to then access my account, download my keys, and decrypt my tunnel, I guess is what I am saying here?
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Just play some with Wireshark. With no VPN connected, run Wireshark and capture while you search with Google, and click on one of the results. Then switch to Wireshark, and play with the options in the Analyze and Statistics menus. In particular, look at "Analyze | Follow ... Stream" and "Statistics | Endpoint List ...".

    Then do the same with your VPN connected, capturing only from the VPN interface. The difference will be obvious.
     
  13. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    I guess it is just something I will have to play with and suck it up and learn. I am being a baby, and don't want to have to put any more apps on my PC if I don't have to. When I initially tried it, I had some problems with the Wireshark install. I eventually got it to work, but I am on a clean system now, and I really didn't want to have to put anything else on at this point. I was just trying to see if there was an easier way without installing something new is all.
     
    Last edited: Dec 23, 2011
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  15. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    @Cloneranger

    Thanks for the info. However, I don't think this really relates to my major concern at the moment, but it is something to keep in mind for sure. I looked over the info in the thread you discussed and other reviews. In your threads about this, there are still some concerns that seem to have gone unanswered, and the correlating thread died leaving them unanswered over a year ago.

    The other reviews I have seen "complain" about many about:config changes that it makes, which you guys didn't discuss in your thread either. The dev of the app also seems to be completely unreachable by any method other than his comment section on the app page, and he selectively picks which questions he wants to answer.

    Those are enough red flags for me at the moment to not want to add any more problems than I already have.

    My concern isn't about SSL pages anyway. In fact, it isn't really a concern at all. What I am worrying about is middle men between here and my VPN being able to look in at will, and not knowing if I am truly encrypted or not. Then my second concern, which I have posted in other threads, is the VPN disconnecting and leaking information to websites because I didn't know my VPN went down: https://www.wilderssecurity.com/showthread.php?p=1993048#post1993048

    For the most part, SSL isn't really a concern at all since most of my viewing is done on sites that don't offer this anyway. However, I am glad you brought it up because it is something else I should be educated on so thank you :)

    Just to be clear, I am not worried about legal issues or being a target for identity theft in the slightest. My primary concern is giving away location and folks looking at my surfing habits (what I am looking at). Those are the things I am trying to shore up. I understand there are added measures I can take like Tor and nested VPNs, but I need to make sure the first entry point for me is as secure as I can get it. Those other things I will focus on later, but for now I am focused on the entry point.

    Thanks
     
  16. marktor

    marktor Registered Member

    Joined:
    Dec 4, 2011
    Posts:
    143
    Encryption is enabled by default in OpenVPN on the client and server side. That is the whole point of OpenVPN. The connection log will not necessarily say anything about encryption. Here is what I recommend you do if you want to prove that your connection is encrypted and this is dead simple. Download Network Miner here: -http://www.netresec.com/?page=NetworkMiner
    Run it. (It may give you a warning that you don't have WinPcap installed; ignore it and click OK.) Monitor your wifi adapter or your wired connection adapter, whichever you are using to access the internet. Just click start and let it start monitoring your connection. Browse a few websites. Monitor the connection first without using a VPN and then next with using a VPN. You will notice that without using your VPN it will capture every site you are visiting etc. Then if you use a VPN you will notice the only thing it will capture is the IP of where you are connected to the VPN.
     
  17. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    From what you are saying then, just because you are using OpenVPN, it is safe to "assume" that it is encrypted. First, I don't make assumptions and question everything, so please forgive me. Second, then why would a VPN use OpenVPN to connect to "all" servers whether encrypted or not if that was the case? For example, I could connect to their proxy servers via OpenVPN, which are not encrypted (yet, to change this weekend), so that would lead one to a false sense of security to assume because they are using OpenVPN, they are encrypted.

    Well that answers my question of why I am not seeing what mirimir is seeing then.

    Been playing with this program all day now. Ran multiple tests on each of the fully-routed and surf-streaming servers.

    Here is what it says "while" connected to the VPN on SurfStreaming:
    http://i1233.photobucket.com/albums/ff397/WildersOracle/WithVPN.jpg

    Here is what it says when it is "not" connected to VPN. It is the same exact thing as the above image, however it has this now under it:
    http://i1233.photobucket.com/albums/ff397/WildersOracle/W_O-VPN.jpg

    Here is my ipconfig /all while connected to the VPN:
    http://i1233.photobucket.com/albums/ff397/WildersOracle/IPconfig.jpg

    I have TCPv6 disabled on all adapters. I don't know what Teredo is, but I am starting to look into it now. From what little I know, it is how IPv4 forces the use of IPv6: http://en.wikipedia.org/wiki/Teredo_tunneling I assume I have this because I disabled IPv6 on my adapters, but again, I don't understand enough about it. If anyone can answer this question, I would appreciate it.

    What I don't understand is, by looking at NetworkMiner, what this third adapter is that is showing up. I circled it in red. Is this the Teredo I am seeing in ipconfig? It has a "separate" address from my VPN and my local IP.

    Anything else you want to pick apart in my configuration or what I am seeing feel free :)

    Now, here is what I find very interesting using this tool. I didn't grab a screen shot because there is just too much information there. When I am on "fully-routed" servers, I should see the same exact thing as the above picture when connected, correct? However, I don't. I don't see web addresses, but I do see the IP address of every hop I take. It will literally show all the IP addresses from one server to the next that I hop to. Why wouldn't I see the same exact thing as the screenshot above when surfing, which is the 3 connections above? If that is really the case, then that also means it would be very easy for a man in the middle to track my path, correct?

    Also, when I am using this tool while connected via VPN, why don't I see my security software and other apps going out over the net, not through the VPN, or not proxied, showing up in the miner? That doesn't make any sense to me, because obviously this traffic is still going out directly through the network card and not the TAPI address. I am not monitoring the TAPI adapter, but the physical network card.

    Also, is it safe to leave an application like this or Wireshark installed? I like this application because it doesn't install anything and almost seems like a portable app to me, whereas Wireshark wants to install stuff. I probably should learn both apps, huh?

    BTW, thank you very much for your help. You have no idea how much this has helped me and what other surprises I picked up from this little lesson. Thank you!

    I have the image tags on the pics, but it doesn't seem to want to embed it for some reason, sorry for the extra step.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Although I don't know NetworkMiner, it seems clear that you're capturing from the physical interface aka socket = Marvell Yukon ... You see traffic between your IP and your VPN provider's IP. Regarding the unknown IP that you flagged, I see:

    -http://msdn.microsoft.com/en-us/library/aa922393.aspx

    It's probably another device on your network. Yes?

    While the VPN is connected, you shouldn't see any other IPs while capturing on the socket Marvell Yukon ... However, if you capture on the socket TAP-Win32 Adapter, you should see all of the IPs that you're actually browsing. That's because you're looking at unencrypted traffic "inside" the encrypted VPN tunnel.

    While the VPN is not connected, you shouldn't see traffic between your IP and your VPN provider's IP while capturing on the socket Marvell Yukon ... (because you're not connected to it). You should see all of the IPs that you're actually browsing. You may still see the socket TAP-Win32 Adapter, because it persists in Windows, but there won't be any traffic on it.

    The level of detail that you see in OpenVPN connection logs depends on the verbosity setting. I quoted from a client with verb=5. You can specify verb=5 in your OpenVPN config files.
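    To make the "read the connection log" check from this thread mechanical, here is an added Python example (not code from any poster, Mullvad, BolehVPN or OpenVPN) that parses client log lines at verb 5 or higher, reports the negotiated data-channel cipher, HMAC and control-channel cipher, counts hourly rekeys, and records the transport (UDP vs TCP), which is independent of the encryption. The sample log lines are constructed, modelled on the lines quoted above; the null-cipher warning text is an assumption about OpenVPN's wording.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the verb=5 client log lines quoted in this thread.
SAMPLE_VERBOSE_LOG = """\
Sun Dec 25 13:12:01 2011 UDPv4 link remote: 203.0.113.10:1194
Sun Dec 25 13:12:03 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Dec 25 13:12:03 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 25 13:12:03 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Dec 25 13:12:03 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 25 13:12:03 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 25 14:12:00 2011 TLS: tls_process: killed expiring key
Sun Dec 25 14:12:03 2011 TLS: soft reset sec=0 bytes=13026325/0 pkts=23471/0
"""

# Constructed sample modelled on the low-verbosity log in post 8: no cipher lines at all.
SAMPLE_QUIET_LOG = """\
Thu Dec 22 17:57:18 2011 UDPv4 link remote: 203.0.113.10:1194
Thu Dec 22 17:57:18 2011 [server] Peer Connection Initiated with 203.0.113.10:1194
"""

CIPHER_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel (?:Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)' for HMAC")
CONTROL_RE = re.compile(r"Control Channel: \S+, cipher \S+ (\S+), (\d+) bit RSA")
LINK_RE = re.compile(r"(UDPv4|TCPv4|UDPv6|TCPv6) link remote:")
REKEY_RE = re.compile(r"TLS: soft reset ")


@dataclass
class TunnelSummary:
    transport: Optional[str] = None      # UDP vs TCP says nothing about encryption
    data_cipher: Optional[str] = None    # e.g. BF-CBC
    key_bits: Optional[int] = None
    hmac: Optional[str] = None           # e.g. SHA1
    hmac_bits: Optional[int] = None
    control_cipher: Optional[str] = None  # TLS suite protecting key exchange
    rsa_bits: Optional[int] = None
    rekeys: int = 0                      # "soft reset" lines = key renegotiations
    verdict: str = "unconfirmed"


def summarize(log_text: str) -> TunnelSummary:
    """Walk the client log once and collect what it says about the tunnel."""
    s = TunnelSummary()
    for line in log_text.splitlines():
        if m := LINK_RE.search(line):
            s.transport = m.group(1)
        elif m := CIPHER_RE.search(line):
            s.data_cipher, s.key_bits = m.group(1), int(m.group(2))
        elif m := HMAC_RE.search(line):
            s.hmac_bits, s.hmac = int(m.group(1)), m.group(2)
        elif m := CONTROL_RE.search(line):
            s.control_cipher, s.rsa_bits = m.group(1), int(m.group(2))
        elif REKEY_RE.search(line):
            s.rekeys += 1
    # Assumption: OpenVPN warns with "null cipher specified" when --cipher none is set.
    if "null cipher specified" in log_text or s.data_cipher == "none":
        s.verdict = "NOT encrypted"
    elif s.data_cipher and s.hmac:
        s.verdict = "encrypted"
    else:
        # Absence of cipher lines proves nothing either way: the log is too quiet.
        s.verdict = "unconfirmed (set verb 5 or higher and reconnect)"
    return s


if __name__ == "__main__":
    for name, log in (("verbose", SAMPLE_VERBOSE_LOG), ("quiet", SAMPLE_QUIET_LOG)):
        print(name, summarize(log))
```

A verdict of "unconfirmed" is the situation in post 8: the log is at a low verb level, so the cipher lines never appear, which is not the same as the tunnel being unencrypted.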
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ The Oracle

    I understand your concerns, but having Calomel won't do Any harm ;) In fact I wouldn't be without it :) The about:config changes etc. were sorted out a while back in an update, so :thumb:

    Regards
     
  20. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    VERY DEFINITIVE NO. No other devices on my network.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Does the address show up in ipconfig /all?
     
  22. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    Mullvad Client, Report Log:


    Sun Dec 25 13:12:03 2011 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sun Dec 25 13:12:03 2011 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Dec 25 13:12:03 2011 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sun Dec 25 13:12:03 2011 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sun Dec 25 13:12:03 2011 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Sun Dec 25 14:12:00 2011 TLS: tls_process: killed expiring key
    Sun Dec 25 14:12:03 2011 TLS: soft reset sec=0 bytes=13026325/0 pkts=23471/0

    Looks like it renegotiates every hour or so. All it is, is a wrapper for OpenVPN with an option to kill the connection on VPN drop.

    If you happen to have an old hub lying around, you can plug it into your network before the router, and take a look at your VPN'd computer's traffic with another computer...may be less confusing. (Has to be a hub, and not a switch.)

    PD
     
  23. The Oracle

    The Oracle Registered Member

    Joined:
    Dec 2, 2011
    Posts:
    78
    Unfortunately, I don't have another piece of equipment around to do this. Thanks for the advice though.
     
  24. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    81
    Location:
    Malaysia
    Just to quickly chip in, in your OVPN configs there's an option that controls client log verbosity under 'verb'.

    Our logs are intentionally simple to aid troubleshooting, since a lot of the info does not help us or the user to pinpoint the problem. You can always up the verb to see all those encryption messages, so one person's logs may appear different from another provider's although they may be using the same level of encryption, depending on the level of 'verb' set in the client ovpn.

    Just before I get misquoted again...THESE ARE CLIENT SIDE STATUS LOGS not logs on our servers (which we do not keep).
     