
How do you tell what kind of VPN when you're in a VPN session?


Mark Bannon

Dec 13, 2015, 7:01:34 PM
Maybe this is an obvious question, but how do you tell what kind
of VPN you're running when you're in the middle of a VPN session?

Here's all I did to run a vpn session:
1. Install openvpn ($ sudo apt-get install openvpn)
2. Find a VPN config file on the net ($ firefox http://vpngate.net)
3. Start a VPN session ($ sudo openvpn --config that-file-you-found.ovpn)

Once the vpn session is running, I just want to know *what kind* of VPN
it is that is running. Since I always use the config files from the same
server, you'd think that server web page would tell me, but it doesn't
seem to tell me what kind of vpn session it is that I'm running.

I will attach both a config file and a log file separately (because there
is probably all that I need to know in those files, if I only knew what
to look for).

Googling on what kinds of VPN there are, it seems that absolutely no
web page gives you the information you really need. It's really amazing
how many VPN "tutorials" you can read, none of which give you the
answer to this question.

Based on reading dozens of VPN tutorial web pages, I can summarize:

1. Point-to-Point Tunneling Protocol (PPTP)
2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec
3. SSL VPN (Secure Socket Layer)
4. SOCKS

Since the only thing I do to run the VPN is run a given config file
with openvpn, I'm not sure what kind of VPN it is that I'm running.

All I'm asking in this thread is the most basic of questions, which
is *how* do I know what kind of VPN it is that I'm running, once I
start a VPN session with openvpn?

REF:
http://compnetworking.about.com/od/vpn/a/vpn_tunneling.htm
http://www.internet-computer-security.com/VPN-Guide/VPN-Tutorial-Guide.html
http://www.pcworld.com/article/223044/vpns_for_beginners_to_experts.html


Mark Bannon

Dec 13, 2015, 7:06:39 PM
On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

> I will attach both a config file and a log file separately (because there
> is probably all that I need to know in those files, if I only knew what
> to look for).

Here is a log file of what happens when I download an arbitrary VPN
config file from vpngate.net and then I run that file using this:
$ sudo openvpn --config that-file.ovpn &

$ sudo openvpn --config vpngate_173.86.200.98_udp_1824.ovpn
Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Dec 13 09:22:52 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Dec 13 09:22:52 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Sun Dec 13 09:22:52 2015 UDPv4 link local: [undef]
Sun Dec 13 09:22:52 2015 UDPv4 link remote: [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:54 2015 TLS: Initial packet from [AF_INET]173.86.200.98:1824, sid=5985833f 6e69b192
Sun Dec 13 09:22:54 2015 VERIFY OK: depth=0, CN=mxn5ktyvv05mro5.com, O=7cr4ijelgra ktzbwmo8z2, C=US
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec 13 09:22:55 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 13 09:22:55 2015 [mxn5ktyvv05mro5.com] Peer Connection Initiated with [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:57 2015 SENT CONTROL [mxn5ktyvv05mro5.com]: 'PUSH_REQUEST' (status=1)
Sun Dec 13 09:22:58 2015 PUSH: Received control message: 'PUSH_REPLY,ping 3,ping-restart 10,ifconfig 10.211.1.29 10.211.1.30,dhcp-option DNS 10.211.254.254,dhcp-option DNS 8.8.8.8,route-gateway 10.211.1.30,redirect-gateway def1'
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: timers and/or timeouts modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: --ifconfig/up options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: route options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: route-related options modified
Sun Dec 13 09:22:58 2015 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Sun Dec 13 09:22:58 2015 ROUTE_GATEWAY 192.168.1.1/255.255.255.0 IFACE=wlan0 HWADDR=00:d0:b9:f3:a1:45
Sun Dec 13 09:22:58 2015 TUN/TAP device tun0 opened
Sun Dec 13 09:22:58 2015 TUN/TAP TX queue length set to 100
Sun Dec 13 09:22:58 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Dec 13 09:22:58 2015 /sbin/ip link set dev tun0 up mtu 1500
Sun Dec 13 09:22:58 2015 /sbin/ip addr add dev tun0 local 10.211.1.29 peer 10.211.1.30
Sun Dec 13 09:22:58 2015 /sbin/ip route add 173.86.200.98/32 via 192.168.1.1
Sun Dec 13 09:22:58 2015 /sbin/ip route add 0.0.0.0/1 via 10.211.1.30
Sun Dec 13 09:22:58 2015 /sbin/ip route add 128.0.0.0/1 via 10.211.1.30
Sun Dec 13 09:22:58 2015 Initialization Sequence Completed

Mark Bannon

Dec 13, 2015, 7:10:46 PM
On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

>
> I will attach both a config file and a log file separately (because there
> is probably all that I need to know in those files, if I only knew what
> to look for).

Here is the config file that I downloaded from vpngate.net that gave
that log file above. I've stripped out the actual encryption keys
because my news server thinks they're binary data which it blocks.

###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You might use this config file
# in order to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions of the file
# to determine whether it needs to be modified to suit your real environment.
# If necessary, modify the file accordingly.
# For example, the IP address or the hostname as a destination VPN Server
# should be confirmed.
#
# Note that to use OpenVPN 2.0, you have to put the certification file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer to the descriptions below carefully.


###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
# specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as a bridging equipment of "Site-to-Site VPN",
# specify 'dev tap'. (Layer-2 Ethernet Bridging Mode)

dev tun


###############################################################################
# Specify the underlying protocol beyond the Internet.
# Note that this setting must correspond with the listening setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto udp'.

proto udp


###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated hostname below is the "auto-detected
# IP address" of the VPN Server. You have to confirm that it is correct
# beforehand.
#
# When you want to connect to the VPN Server by using TCP protocol,
# the port number of the destination TCP port should be same as one of
# the available TCP listeners on the VPN Server.
#
# When you use UDP protocol, the port number must be the same as the configuration
# setting of "OpenVPN Server Compatible Function" on the VPN Server.

remote 173.86.200.98 1824


###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of using proxy-authentication, refer to the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]


###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#
# The supported algorithms are as follows:
# cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
# CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
# RC2-40-CBC RC2-64-CBC RC2-CBC
# auth: SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1


###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
#auth-user-pass


###############################################################################
# The certificate file of the destination VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not a self-signed, you have to
# specify the signer's root certificate (CA) here.

<ca>
-----BEGIN CERTIFICATE-----
MIIDKT ... stuff removed ...ja/w/ZQ1
-----END CERTIFICATE-----

</ca>


###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

<cert>
-----BEGIN CERTIFICATE-----
MIICxjC ... stuff removed ... snplQ7HJpsk
-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEp ... stuff removed ... IuGxIF50Vg==
-----END RSA PRIVATE KEY-----

</key>
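The questions Mark asks of this file (what layer, what transport, what cipher, and what kind of VPN it is) can be answered mechanically from the directives alone. The following is an added example, not code from the thread or from SoftEther: a POSIX shell script that pulls the relevant directives out of an OpenVPN client config and reports whether the config pins the server's identity at all. `remote-cert-tls`, `verify-x509-name` and the older `tls-remote` are standard OpenVPN directives; the sample config text is constructed after the posted file (keys omitted, as in the post), and the function names are my own.

```shell
#!/bin/sh
# Added example: summarize an OpenVPN client config and flag a missing
# server-identity check. Not part of the thread or of SoftEther's output.

# Constructed sample, modelled on the directives in the posted .ovpn file.
SAMPLE_OVPN='dev tun
proto udp
remote 173.86.200.98 1824
;http-proxy-retry
cipher AES-128-CBC
auth SHA1
client
verb 3
#auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDKT...stuff removed...
-----END CERTIFICATE-----
</ca>'

# Print the value of the first active occurrence of a directive.
# Lines commented out with ';' or '#' (as in the posted file) are ignored.
ovpn_get() {
    # $1 = config text, $2 = directive name
    printf '%s\n' "$1" | awk -v key="$2" '
        $0 ~ /^[ \t]*[;#]/ { next }
        $1 == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# One-line description: OpenVPN is always an SSL/TLS VPN; dev and proto
# say whether it is routed or bridged and over which transport.
ovpn_summary() {
    dev=$(ovpn_get "$1" dev)
    proto=$(ovpn_get "$1" proto)
    remote=$(ovpn_get "$1" remote)
    cipher=$(ovpn_get "$1" cipher)
    auth=$(ovpn_get "$1" auth)
    case "$dev" in
        tun*) layer="L3 routed (tun)" ;;
        tap*) layer="L2 bridged (tap)" ;;
        *)    layer="unknown device" ;;
    esac
    printf 'SSL/TLS VPN (OpenVPN); %s over %s to %s; data channel %s/%s\n' \
        "$layer" "${proto:-udp}" "$remote" "$cipher" "$auth"
}

# Return 0 when the config restricts which certificate may act as the
# server, 1 when any certificate signed by the embedded CA is accepted
# (the situation OpenVPN's "No server certificate verification method"
# warning describes).
ovpn_verifies_server() {
    [ -n "$(ovpn_get "$1" remote-cert-tls)" ] && return 0
    [ -n "$(ovpn_get "$1" verify-x509-name)" ] && return 0
    [ -n "$(ovpn_get "$1" tls-remote)" ] && return 0   # deprecated form
    return 1
}

ovpn_summary "$SAMPLE_OVPN"
if ovpn_verifies_server "$SAMPLE_OVPN"; then
    echo "server identity check: configured"
else
    echo "server identity check: NONE (any cert signed by the embedded CA is accepted)"
fi
```

Run against the posted config this prints an OpenVPN SSL/TLS summary and reports that no server-identity check is configured, which is exactly what the WARNING line in the posted log says at connect time; adding `remote-cert-tls server` to the client config is the usual fix.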

Mark Bannon

Dec 13, 2015, 7:19:20 PM
On Mon, 14 Dec 2015 00:01:32 +0000, Mark Bannon wrote:

> All I'm asking in this thread is the most basic of questions, which
> is *how* do I know what kind of VPN it is that I'm running, once I
> start a VPN session with openvpn?

Here's what I can make out from the config and log files, but, I would
like to know if there is a command which will just tell me what kind of
VPN it is that I'm running, once I start a VPN session.

1. The config file is designed for a PacketiX VPN / SoftEther VPN Server
2. But I'm using it with openvpn (which seems to be working)
3. The cipher is "AES-128-CBC" & the auth is "SHA1" (whatever that tells me)
4. The cipher 'AES-128-CBC' was initialized with a 128 bit key (whatever that tells me)
5. The auth encryption used a 160 bit hash 'SHA1' for HMAC (whatever that tells me)
6. TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA (whatever that means)

I think this last information tells me I'm using an SSL VPN.
Is that correct?

Given the information above, what kind of VPN am I connected to?
1. Point-to-Point Tunneling Protocol (PPTP)?
2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec?
3. SSL VPN (Secure Socket Layer)? <--- I think it's this, but I'm not sure.
4. SOCKS?

Lew Pitcher

Dec 13, 2015, 8:15:43 PM
On Sunday December 13 2015 19:01, in alt.os.linux, "Mark Bannon"
<mba...@spam.invalid> wrote:

> Maybe this is an obvious question, but how do you tell what kind
> of VPN you're running when you're in the middle of a VPN session?
>
> Here's all I did to run a vpn session:
> 1. Install openvpn ($ sudo apt-get install openvpn)
> 2. Find a VPN config file on the net ($ firefox http://vpngate.net)
> 3. Start a VPN session ($ sudo openvpn --config that-file-you-found.ovpn)
>
> Once the vpn session is running, I just want to know *what kind* of VPN
> it is that is running.
[snip]
> Based on reading dozens of VPN tutorial web pages, I can summarize:
>
> 1. Point-to-Point Tunneling Protocol (PPTP)
> 2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec
> 3. SSL VPN (Secure Socket Layer)
> 4. SOCKS

You are running openvpn, which is an SSL VPN, and only an SSL VPN.

From https://openvpn.net/index.php/open-source/339-why-ssl-vpn.html
"There are three major families of VPN implementations in wide usage today:
SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible
with IPSec, L2TP, or PPTP."

But, it's even evident in your logs (posted separately):
> $ sudo openvpn --config vpngate_173.86.200.98_udp_1824.ovpn
> Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)]
> [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014

Note the last bit of info on the second line: "[SSL (OpenSSL)]"

--
Lew Pitcher
"In Skills, We Trust"
PGP public key available upon request
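Lew's reading of the log can be turned into a check that runs over the log text itself. The following is an added example, not code from the thread: a POSIX shell script that scans OpenVPN client output for the build tag, the TLS control channel, the data-channel cipher and the tunnel device, reports the VPN family they point to, and separately reports the certificate-verification warning OpenVPN printed. The log lines are constructed after the ones Mark posted; the function names are my own.

```shell
#!/bin/sh
# Added example: classify an OpenVPN client log and surface its warnings.
# Not part of the thread. Sample lines are constructed after the posted log.

SAMPLE_LOG=$(cat <<'EOF'
Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Sun Dec 13 09:22:52 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Dec 13 09:22:52 2015 UDPv4 link remote: [AF_INET]173.86.200.98:1824
Sun Dec 13 09:22:54 2015 TLS: Initial packet from [AF_INET]173.86.200.98:1824, sid=5985833f 6e69b192
Sun Dec 13 09:22:55 2015 Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Sun Dec 13 09:22:55 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sun Dec 13 09:22:58 2015 TUN/TAP device tun0 opened
Sun Dec 13 09:22:58 2015 Initialization Sequence Completed
EOF
)

# Number of log lines containing a fixed string ("0" rather than a
# failing exit status when there are none).
log_count() {
    printf '%s\n' "$1" | grep -c -F -- "$2" || true
}

# The evidence Lew points at: an OpenSSL build tag plus a TLS control
# channel means an SSL/TLS VPN. Anything else stays undetermined rather
# than guessing at protocols this log format never names.
vpn_family() {
    if [ "$(log_count "$1" '[SSL (OpenSSL)]')" -gt 0 ] \
       && [ "$(log_count "$1" 'Control Channel: TLS')" -gt 0 ]; then
        echo "SSL/TLS VPN (OpenVPN)"
    else
        echo "undetermined"
    fi
}

# The tunnel interface OpenVPN opened (tun0 in the post).
vpn_device() {
    printf '%s\n' "$1" | awk '/TUN\/TAP device .* opened/ { print $(NF-1); exit }'
}

# Control-channel parameters and the data-channel cipher, for the record.
vpn_ciphers() {
    printf '%s\n' "$1" | awk -v q="'" '
        /Control Channel:/ { sub(/.*Control Channel: /, ""); cc = $0 }
        /Data Channel Encrypt: Cipher/ {
            if (match($0, q "[^" q "]*" q)) dc = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END { print "control=" cc "; data=" dc }'
}

# Return 1 (and say why) when OpenVPN itself warned that the server
# certificate is not being verified; 0 when no such warning appears.
vpn_warnings() {
    if [ "$(log_count "$1" 'No server certificate verification method has been enabled')" -gt 0 ]; then
        echo "server certificate not verified: any holder of a CA-signed cert could pose as the server (see howto.html#mitm)"
        return 1
    fi
    echo "no verification warnings"
    return 0
}

echo "family : $(vpn_family "$SAMPLE_LOG")"
echo "device : $(vpn_device "$SAMPLE_LOG")"
echo "ciphers: $(vpn_ciphers "$SAMPLE_LOG")"
if ! vpn_warnings "$SAMPLE_LOG"; then
    echo "action : fix the client config before trusting this tunnel"
fi
```

To use it on a live session, capture `openvpn --config file.ovpn` output to a file and pass its contents as the argument. Note that the same log that answers "what kind of VPN" also answers "is the server authenticated", and on the posted log the second answer is no.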

Mark Bannon

Dec 13, 2015, 9:25:33 PM
On Sun, 13 Dec 2015 20:15:40 -0500, Lew Pitcher wrote:

> You are running openvpn, which is an SSL VPN, and only an SSL VPN.
>
> From https://openvpn.net/index.php/open-source/339-why-ssl-vpn.html
> "There are three major families of VPN implementations in wide usage today:
> SSL, IPSec, and PPTP. OpenVPN is an SSL VPN and as such is not compatible
> with IPSec, L2TP, or PPTP."
>
> But, it's even evident in your logs (posted separately):
>> $ sudo openvpn --config vpngate_173.86.200.98_udp_1824.ovpn
>> Sun Dec 13 09:22:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)]
>> [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
>
> Note the last bit of info on the second line: "[SSL (OpenSSL)]"

Thank you for that clarification that it's an "ssl" vpn!
And, that openvpn *only* does SSL, and not the other three types!

1. Point-to-Point Tunneling Protocol (PPTP)
2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec
3. SSL VPN (Secure Socket Layer) <=== it is this! (hooray!)
4. SOCKS VPN

I thought the answer might be obvious, but there was so much *other*
stuff which was also in the logs, such as the following, that I wasn't
at all sure:
[SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] [AF_INET]
[TLSv1/SSLv3] [DHE-RSA-AES256-SHA] [2048 bit RSA] [AES-128-CBC]

Now that I know it's an SSL VPN, I can read about VPNs specific
for SSL VPNs and ignore all the other stuff. I must say, that the
web pages on VPN are particularly bad, when it comes to just trying
to understand this stuff.

But now, I can run searches for just understanding SSL-style VPNs.
thanks!

Mark Bannon

Dec 13, 2015, 9:32:06 PM
On Sun, 13 Dec 2015 20:15:40 -0500, Lew Pitcher wrote:

> You are running openvpn, which is an SSL VPN, and only an SSL VPN.

BTW, if you go to the page where I get my configuration files,
you'll notice a *confusing* set of checkboxes.
http://www.vpngate.net/en/
1. SoftEther VPN (SSL-VPN)
2. L2TP/IPsec
3. OpenVPN
4. MS-SSTP

Notice that they intimate that #1 is (somehow?) different than #3;
but from what you just told me, #1 and #3 are the same thing.

So that's confusing.

Also, if you click on the "SSL-VPN Connect guide" link at that page:
http://www.vpngate.net/en/howto_softether.aspx

There is not a single mention of "openvpn" anywhere in that entire
setup. Even Linux isn't mentioned, anywhere (as if it only works
with Windows?).
http://www.vpngate.net/en/howto.aspx

So, the main page where I get my ovpn files confusingly seems to
make a distinction between SSL-VPN and OpenVPN when, apparently,
there is none.

Marek Novotny

Dec 13, 2015, 9:43:11 PM
On 2015-12-14, Mark Bannon <mba...@spam.invalid> wrote:
> Maybe this is an obvious question, but how do you tell what kind
> of VPN you're running when you're in the middle of a VPN session?
>
> Here's all I did to run a vpn session:
> 1. Install openvpn ($ sudo apt-get install openvpn)
> 2. Find a VPN config file on the net ($ firefox http://vpngate.net)
> 3. Start a VPN session ($ sudo openvpn --config that-file-you-found.ovpn)

So the fact that you had to install OpenVPN is the first tip off.
OpenVPN is one of a few major types of VPN.

> Once the vpn session is running, I just want to know *what kind* of VPN
> it is that is running. Since I always use the config files from the same
> server, you'd think that server web page would tell me, but it doesn't
> seem to tell me what kind of vpn session it is that I'm running.

Typically IPsec will use ipsec0 as its tunnel device. OpenVPN
tends to use tun0 and pptp would most likely use ppp0. The script you're
using to detect your vpn connection is looking for tun0 because I know
you're using OpenVPN. I could write it in such a way as a case statement
would be used looking for ipsec0, ppp0, or tun0 and simply label them
IPsec, PPTP or OpenVPN. Then you'd have a detector that should detect
with any of the three major VPN types.

> I will attach both a config file and a log file separately (because there
> is probably all that I need to know in those files, if I only knew what
> to look for).

You can look up what the config files look like on the internet. But
you're typing in a command line which starts with openvpn as the command
and --config config.ovpn as its option. So right there, you're using
openvpn. The extension can be anything in Linux, but I tend to use ovpn
as my config extension since I'm calling it directly as an option with
the command anyway. That way I know I am looking at an OpenVPN config
file.

> Googling on what kinds of VPN there are, it seems that absolutely no
> web page gives you the information you really need. It's really amazing
> how many VPN "tutorials" you can read, none of which give you the
> answer to this question.
>
> Based on reading dozens of VPN tutorial web pages, I can summarize:
>
> 1. Point-to-Point Tunneling Protocol (PPTP)
> 2. Layer 2 Tunnelling Protocol (L2TP) in conjunction with IPsec
> 3. SSL VPN (Secure Socket Layer)
> 4. SOCKS
>
> Since the only thing I do to run the VPN is run a given config file
> with openvpn, I'm not sure what kind of VPN it is that I'm running.

You're using the openvpn command. So you're using OpenVPN. Looking at your
output I see [SSL (OpenSSL)]. So, open-source Secure Sockets Layer.
Compression is LZO and lastly you're using AES-128-CBC. That's an
encryption method. Here's what those initials mean.

AES means Advanced Encryption Standard
128 means 128 bit key size
CBC means Cipher Block Chaining

And then way down at the end I see the device being created as tun0,
which is what my script uses partially to detect. It basically checks
the device name of the default route based on an external address. What
device is being used. If it is tun0, then you're connected with OpenVPN.
Anything else, and you're not. But in reality you could be using ipsec0
or ppp0 but I didn't add those to the script.

> All I'm asking in this thread is the most basic of questions, which
> is *how* do I know what kind of VPN it is that I'm running, once I
> start a VPN session with openvpn?

The most basic answer is that you are running OpenVPN. The command
you're using is openvpn. The device it creates to tunnel is tun0. Look
at the open standards you're seeing in the connection data from stdout.
SSL and TLS. Look at the device type, tun0. Look at the cipher. Nothing
in there is saying PPTP or L2TP or IPsec.
--
Marek Novotny
https://github.com/marek-novotny

Mark Bannon

Dec 13, 2015, 9:54:11 PM
On Sun, 13 Dec 2015 20:15:40 -0500, Lew Pitcher wrote:

> You are running openvpn, which is an SSL VPN, and only an SSL VPN.

BTW, to show you how *confusing* most VPN tutorials are, look here:
SSL - VPN Tutorial
http://www.internet-computer-security.com/VPN-Guide/SSL-VPN.html

This was a link I had posted in my OP, where you'll notice this
confusing sentence verbatim:
"So looking at it from an administrator point of view, VPN SSL is
all done via a web browser, and is extremely simple to use."

A few times that SSL VPN tutorial kept saying that SSL VPN is *only*
done via a web browser. Since I'm clearly using "openvpn" and not
a web browser, that made no sense when I had read it.

Clearly it's wrong; but I only know that once I know that I'm
using SSL VPN *without* a web browser.

That same article repeats the error when it tries to explain the
difference between IPSec and SSL VPNs, when it says verbatim:
"SSL VPN is accessed via a web portal front end after a secure
https connection has been established between the client and
server. From here a user can access the configured enterprise
applications. IPSec VPN connectivity happens via the configured
client software"

So, it just goes to show you that the VPN web pages suck, and,
particularly, the SSL VPN web pages really suck (because I had
searched for SSL VPN tutorials, where that was the *best* I
could find!).

Mark Bannon

Dec 13, 2015, 10:03:09 PM
On Sun, 13 Dec 2015 18:43:13 -0800, Marek Novotny wrote:

> So the fact that you had to install OpenVPN is the first tip off.
> OpenVPN is one of a few major types of VPN.

It's only obvious to me once it's obvious to me!

Consider that the page that I get all my config files (vpngate.net)
repeatedly makes a distinction between what they call
"SoftEther VPN (SSL-VPN)" configuration files and what they call
"OpenVPN" configuration files.

However, I think they're just plain wrong.
I think they're the same thing, because when I download their supposedly
"SoftEther VPN (SSL-VPN)" configuration files, they seem to work just
fine with OpenVPN.

In fact, that page really pushes hard to have me use SoftEther, but
I didn't bite because it's not ported to Linux. So I just "guessed"
at using openvpn even though the site makes a huge distinction by
saying SoftEther "supports OpenVPN, L2TP/IPsec, and SSL-VPN",
as if OpenVPN and SSL-VPN were *different* things.

It's so confusing, that I'm glad you gave me a firm datapoint,
which is that OpenVPN *is* SSL-VPN.

Mark Bannon

Dec 13, 2015, 10:09:00 PM
On Sun, 13 Dec 2015 18:43:13 -0800, Marek Novotny wrote:

> Typically IPsec will use ipsec0 as its tunnel device. OpenVPN
> tends to use tun0 and pptp would most likely use ppp0. The script you're
> using to detect your vpn connection is looking for tun0 because I know
> you're using OpenVPN. I could write it in such a way as a case statement
> would be used looking for ipsec0, ppp0, or tun0 and simply label then
> IPsec, PPTP or OpenVPN. Then you'd have a detector that should detect
> with any of the three major VPN types.

Thanks Marek,
I don't need that script because all the files I've found on the net
seem to all be using what I now know to be an "ssl-vpn" connection.

That means they're all tun0.

But, it's very nice to know that a hint of the type of VPN would be
to look at whether it calls for ppp0 or tun0 or ipsec0.

BTW, there also seems to be a confusing thing named "SOCKS VPN".

https://vpnreviewer.com/ssh-socks5-tunnel-howto
http://www.earthvpn.com/linux-ssh-tunnelsocks-proxy-tutorial/
http://www.vpninstructions.com/whats-the-difference-between-pptp-l2tp-openvpn-and-socks-when-talking-about-vpns/

"For VPNs, the 3 main choices are PPTP, L2TP, and OpenVPN.
We also include SOCKS, but that is not really a VPN protocol.
Some people also use SSTP too, but that is not being used so
much these days (yet!). Then you also hear of “IPSec”, but
that is really a marketing brand used by Cisco and other
companies and really refers to L2TP."

Mark Bannon

Dec 13, 2015, 10:13:36 PM
On Sun, 13 Dec 2015 18:43:13 -0800, Marek Novotny wrote:

> You're using openvpn command. So you're using OpenVPN. Looking at your
> output I see [SSL (OpenSSL)] So open source Secure Sockets Layer.
> Compression is LZO and lastly you're using an AES-128-CBC. That's a
> encryption method. Here's what those initials mean.
>
> AES means Advanced Encryption Standard
> 128 means 128 bit key size
> CBC means Cipher Block Chaining
>
> And then way down at the end I see the device being created as tun0,
> which is what my script uses partially to detect. It basically checks
> the device name of the default route based on an external address. What
> device is being used. If it is tun0, then you're connected with OpenVPN.
> Anything else, and you're not. But in reality you could be using ipsec0
> or ppp0 but I didn't add those to the script.

Thanks for that further clarification.

Yes, I see tun0, as evidenced by my 'route -n' command:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.211.1.2      128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.211.1.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
72.203.195.149  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
88.176.244.114  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.211.1.2      128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 wlan0

Mark Bannon

Dec 13, 2015, 10:26:39 PM
On Sun, 13 Dec 2015 18:43:13 -0800, Marek Novotny wrote:

> The most basic answer is that you are running OpenVPN. The command
> you're using is openvpn. The device it creates to tunnel is tun0. Look
> at the open standards you're seeing in the connection data from stdout.
> SSL and TLS. Look at the device type, tun0. Look at the cipher. Nothing
> in there is saying PPTP or L2TP or IPsec.

Thanks for clarifying that these three things indicate SSL-VPN:
1. I'm using openvpn
2. The config file specifies tun0
3. The log file doesn't say PPTP or L2TP or IPsec

The scripts you wrote, by the way, work perfectly, as you noted, with
SSL VPN so they work fine for me.

My use model is the following (which uses 3 of your scripts!):

1. I installed the openvpn client long ago on Ubuntu
2. I download a dozen or more of the ovpn config files from vpngate.net
3. I put them in various directories (mail, nntp, web, torrent, etc.)
4. When I want to go on nntp, for example, I cd to the nntp directory
5. I then run the reverse of your vpnchecker.sh script in that directory
6. This vpnchecker.sh kicks out any config file that doesn't work
7. And it starts the VPN session for any config file that does work
8. This gives me consistency (gmail requires it) in the IP address
9. Meanwhile, once I'm on VPN, I run your vpnstatus.sh script
10. This ensures that sensitive apps die immediately when the VPN drops!
11. In addition, I have your tbird.sh script to prevent Thunderbird from
starting up when I'm on VPN,
12. And, I have a reverse of your tbird.sh script to prevent Pan from
running when I'm *not* on VPN

The fact that these vpn servers are flaky is why your scripts are so
useful! The VPN servers come and go over time. What servers worked today,
fail tomorrow, and then the server works again the next day. Suddenly,
while I'm on VPN, there is no notice whatsoever in the openvpn log file,
but your scripts detect the vpn is gone, and your scripts shut everything
down immediately. Other scripts of yours prevent me from accidentally
starting thunderbird when I'm on VPN, or accidentally starting pan when
I'm not on VPN.

Your scripts help immensely!
Thanks!

Marek Novotny

Dec 13, 2015, 11:32:45 PM
On 2015-12-14, Mark Bannon <mba...@spam.invalid> wrote:
I modified the script again. I used Ubuntu to test PPTP, IPsec and
OpenVPN. IPsec used tun0 and PPTP used ppp0. So my expected output was
not exactly as I expected it.

So I modified the script so that it should detect properly if you're
using IPsec, PPTP or OpenVPN. It's a small change in the while true loop
at the bottom... However, I changed the name of one variable so better to
copy the whole script because deviceStatus becomes deviceType. So you'll
either need to copy the whole script or do a search and replace for all.

Full script follows:

#!/bin/bash

#############################################################
#
# script: vpnstatus.sh
# written by: Marek Novotny
# version: 2.7
# date: Sun Dec 13 20:18:00 PST 2015
# purpose: test status of live vpn connection
#        : kill torrent if vpn disconnects
# licence: GPL v2 (only)
#
#############################################################

condition=""

sendMessage()
{
    echo "$1"
}

# apps that should be terminated if VPN fails
processList=("transmission" "firefox" "pan")
# apps that should not be running under vpn
restrictedApps=("thunderbird" "slrn")

# check if the process stored in the variable task is running or not

checkProcess()
{
    unset procID
    procID="$(ps -e | grep "$task" | grep -v panel | awk '{print $1}')"
    # quoted -n test: several PIDs on separate lines would otherwise make
    # the unquoted [ ! -z $procID ] fail with "too many arguments"
    if [ -n "$procID" ] ; then
        return 0
    else
        return 1
    fi
}

# terminate the given process stored in the variable task

terminateProcess()
{
    kill -9 $procID
}

# routine to test for processes, report their status and kill them if running

processTerminator()
{
    checkProcess
    if (($? == 0)) ; then
        sendMessage "$task is running..."
        sendMessage "Terminating $task..."
        terminateProcess
        if (($? == 0)) ; then
            sendMessage "$task terminated..."
        else
            sendMessage "$task is still running..."
        fi
    fi
}

# generate a random IP to test ip route against

randomizer()
{
    IFS=$' '
    ary=()
    for x in {1..4} ; do
        ary+=($(($RANDOM % 221 + 1)))
    done

    # draw again when the address falls in a private or reserved range
    if [[ ${ary[0]} -eq 10 || ${ary[0]} -eq 100 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 169 ]] && [[ ${ary[1]} -eq 254 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 172 ]] && [[ ${ary[1]} -eq 16 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 192 ]] && [[ ${ary[1]} -eq 168 ]] ; then
        randomizer
    elif [[ ${ary[0]} -eq 198 ]] && [[ ${ary[1]} -eq 18 ]] ; then
        randomizer
    else
        addr=$(echo "${ary[@]}" | awk '{print $1"."$2"."$3"."$4}')
    fi
}

# kill apps that should not be running if VPN is connected.
# kills these apps once, if the script is running and the VPN
# tunnel becomes active

vpnOn()
{
    if [[ $condition != "on" ]] ; then
        condition="on"
        echo "VPN status: $condition - ${devType[0]}: ${devType[1]}"

        for x in ${restrictedApps[@]} ; do
            task=$x
            processTerminator
        done
    fi
}

# drop apps that should not be running if vpn tunnel fails

vpnOff()
{
    if [[ $condition != "off" ]] ; then
        condition="off"
        echo "VPN status: $condition - ${devType[0]}: ${devType[1]}"
        echo "Terminating apps..."

        for x in ${processList[@]} ; do
            task=$x
            processTerminator
        done
    fi
}

randomizer
while true ; do
    # device carrying the route to $addr and the source IP chosen for it,
    # read from the first line of "ip route get" by field name so that
    # extra trailing fields (e.g. "uid ...") do not shift the columns
    devType=($(ip route get "$addr" | awk 'NR==1 {for (i = 1; i < NF; i++) {if ($i == "dev") d = $(i+1); if ($i == "src") s = $(i+1)}; print d, s}'))
    if [[ ${devType[0]} == "tun0" || ${devType[0]} == "ppp0" ]] ; then
        vpnOn
    else
        vpnOff
    fi
    sleep 2   # poll every couple of seconds instead of spinning at full CPU
done

#END
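The detection idea in this script and in Marek's earlier explanation (the interface behind the default route tells you the tunnel family: tun0, ppp0, ipsec0) can be isolated and tested without a live tunnel. The following is an added example, not Marek's vpnstatus.sh and not from the thread: POSIX shell functions that read one line of `ip route get` output by field name, map the interface to a family, and print the same status line the script does. The three route lines are constructed (the newer `uid` suffix is included on purpose to show why positional parsing is fragile); the function names are my own.

```shell
#!/bin/sh
# Added example: VPN-family classification from the routing device.
# Not part of the thread. The route lines below are constructed.

# Constructed first lines of `ip route get 8.8.8.8` in three states.
ROUTE_PLAIN='8.8.8.8 via 192.168.1.1 dev wlan0 src 192.168.1.2 uid 1000'
ROUTE_OPENVPN='8.8.8.8 via 10.211.1.30 dev tun0 src 10.211.1.29'
ROUTE_PPTP='8.8.8.8 dev ppp0 src 10.0.0.5'

# Print "<dev> <src>" from one line of `ip route get` output, located by
# the "dev" and "src" keywords rather than by column position.
route_dev_src() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) {
            if ($i == "dev") d = $(i + 1)
            if ($i == "src") s = $(i + 1)
        }
        print d, s
    }'
}

# Interface name -> VPN family, following the thread: tun* for OpenVPN
# (Marek also saw an IPsec client use tun0), ppp* for PPTP, ipsec* for
# IPsec stacks that expose their own device.
vpn_family_for_dev() {
    case "$1" in
        tun*|tap*) echo "SSL/TLS tunnel such as OpenVPN (some IPsec clients also use tun)" ;;
        ppp*)      echo "PPP-based tunnel (PPTP)" ;;
        ipsec*)    echo "IPsec tunnel" ;;
        *)         echo "no VPN (physical interface $1)" ;;
    esac
}

# Status line in the same shape as vpnstatus.sh prints, plus the family.
vpn_status_from_route() {
    set -- $(route_dev_src "$1")
    dev=$1
    src=$2
    case "$dev" in
        tun*|tap*|ppp*|ipsec*) state=on ;;
        *)                     state=off ;;
    esac
    printf 'VPN status: %s - %s: %s - %s\n' \
        "$state" "$dev" "$src" "$(vpn_family_for_dev "$dev")"
}

# Live use on Linux: vpn_status_from_route "$(ip route get 8.8.8.8 | head -n 1)"
vpn_status_from_route "$ROUTE_PLAIN"
vpn_status_from_route "$ROUTE_OPENVPN"
vpn_status_from_route "$ROUTE_PPTP"
```

The device name is a hint, not proof: a tun interface only says that some userspace tunnel owns the default route. Combining this check with the log-based evidence (the OpenSSL build tag and the TLS control channel) is what actually pins the session down as OpenVPN.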

Mark Bannon

Dec 14, 2015, 8:02:43 AM
On Sun, 13 Dec 2015 20:32:46 -0800, Marek Novotny wrote:

> So I modified the script so that it should detect properly if you're
> using IPsec, PPTP or OpenVPN

Thanks Marek,

I don't know of any free PPTP or IPsec VPNs out there since I only
use the config files from vpngate, but, I can search around for free
config files (they abound on the net) to run against, and this will
tell me what kind of VPN it is, which will be useful.

I've added that modified script as "vpnwatch.sh", until I merge my
changes with yours (I added a few logging commands for example, to
my old vpnstatus.sh script).

If I can find some IPsec and PPTP config files, I'll let you know what
the output is.

Mark Bannon

Dec 14, 2015, 9:22:07 AM
On Sun, 13 Dec 2015 20:32:46 -0800, Marek Novotny wrote:

> I modified the script again. I used Ubuntu to test PPTP, IPsec and
> OpenVPN. IPsec used tun0 and PPTP used ppp0.

Hi Marek,
Two (minor) observations and one linux question:

1. Your latest vpnstatus.sh script was almost exactly the same as the
sum total of the prior improvements you made in part to the termination
procedure, so, I used your script almost verbatim (with the minor
exception of the list of apps to terminate):
# processList=("transmission" "firefox" "pan")
processList=("transmission" "transmission-gtk" "firefox" "pan")

2. The output, when I'm on the vpngate SSL-VPN, is, as expected, "tun0"
so there is no visible change in output (so far). Of course, I need
to find a free PPTP or IPsec config file to test against.
$ vpnstatus.sh
VPN status: off - wlan0: 192.168.1.2
Terminating apps...
VPN status: on - tun0: 10.211.1.41

3. My question is something I've always wondered about linux.

1. I was running the old vpnstatus.sh script
2. I then swapped out the old vpnstatus.sh script with the new one
3. But I left the old one running

What does Linux use for the vpnstatus.sh script when I do that?
A. Does linux start using the new script?
B. Does linux have the old script in memory?

Marek Novotny

Dec 14, 2015, 10:09:59 AM
On 2015-12-14, Mark Bannon <mba...@spam.invalid> wrote:
> On Sun, 13 Dec 2015 20:32:46 -0800, Marek Novotny wrote:
>
>> So I modified the script so that it should detect properly if you're
>> using IPsec, PPTP or OpenVPN
>
> Thanks Marek,
>
> I don't know of any free PPTP or IPsec VPNs out there since I only
> use the config files from vpngate, but, I can search around for free
> config files (they abound on the net) to run against, and this will
> tell me what kind of VPN it is, which will be useful.

The script won't tell you which of the three you are using. It will tell
you if you are using vpn and it should tell you if your connection is
via ppp0 or tun0. So at least with that you'll know you're on PPTP or
OpenVPN.

You'll know which you are using though. The setup tends to be different
between OpenVPN, PPTP and IPSec. And of course you won't be running the
openvpn command or have an ovpn config file. So it should be painfully
obvious to you which type you're using. Right now you've only used
openvpn so this is all new to you. Once you use the others this will all
be more obvious than it is now.

So really what this script does is what it always did. It tells you if
the connection is on or off. As it was originally I just tested it with
OpenVPN. Now it is tested and slightly modified to work against OpenVPN,
PPTP and IPSec.

> I've added that modified script as "vpnwatch.sh", until I merge my
> changes with yours (I added a few logging commands for example, to
> my old vpnstatus.sh script).
>
> If I can find some IPsec and PPTP scripts, I'll let you know what
> the output is.
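
An added example (not Marek's vpnstatus.sh and not from the thread) of the device check the script relies on: it picks the `dev` and `src` fields of the `ip route get` line by keyword instead of by position, then maps the interface to the on/off and tun/ppp distinction Marek describes. The sample lines are constructed; the trailing `uid 1000` form assumes the output of newer iproute2 releases.

```shell
#!/bin/sh
# Added example, not the thread's vpnstatus.sh: parse the first line of
# `ip route get` by keyword, then classify the interface the way the
# thread does (tun0 -> OpenVPN or IPsec, ppp0 -> PPTP, anything else -> off).

# Print "<dev> <src>" from one `ip route get` line. Keyword matching keeps
# the result stable however many fields follow "src" (newer iproute2
# appends e.g. "uid 1000").
route_dev_src() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++) { if ($i == "dev") d = $(i+1); if ($i == "src") s = $(i+1) }
    print d, s }'
}

# Map an interface name to the state the thread's script reports.
# A tun device may be OpenVPN or IPsec; only a ppp device implies PPTP.
vpn_state() {
  case "$1" in
    tun*) echo "on tun (OpenVPN or IPsec)" ;;
    ppp*) echo "on ppp (PPTP)" ;;
    *)    echo "off $1" ;;
  esac
}

# The thread's positional parser ($(NF-2) as the device), kept for comparison.
positional_dev() { printf '%s\n' "$1" | awk 'NR==1 {print $(NF-2)}'; }

# Constructed sample lines standing in for live `ip route get` output.
SAMPLE_OLD='8.8.8.8 via 10.211.1.1 dev tun0 src 10.211.1.41'
SAMPLE_UID='8.8.8.8 via 192.168.1.1 dev wlan0 src 192.168.1.2 uid 1000'
SAMPLE_PPP='8.8.8.8 dev ppp0 src 10.0.0.7 uid 1000'

main() {
  for line in "$SAMPLE_OLD" "$SAMPLE_UID" "$SAMPLE_PPP"; do
    set -- $(route_dev_src "$line")      # $1 = dev, $2 = src
    printf 'VPN status: %s - %s: %s\n' "$(vpn_state "$1")" "$1" "$2"
  done
  # On the uid form the positional parser returns the src address as the
  # device name, so the tun0/ppp0 test would never match.
  printf 'positional parser on the uid form reports dev=%s\n' "$(positional_dev "$SAMPLE_UID")"
}
main
```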


Marek Novotny

Dec 14, 2015, 10:46:01 AM
On 2015-12-14, Mark Bannon <mba...@spam.invalid> wrote:
> On Sun, 13 Dec 2015 20:32:46 -0800, Marek Novotny wrote:
>
>> I modified the script again. I used Ubuntu to test PPTP, IPsec and
>> OpenVPN. IPsec used tun0 and PPTP used ppp0.
> 3. My question is something I've always wondered about linux.
>
> 1. I was running the old vpnstatus.sh script
> 2. I then swapped out the old vpnstatus.sh script with the new one
> 3. But I left the old one running

I've seen things go weird when I do things like that. Probably using
memory or a tmp file but if I save changes to a script I am not sure
what will happen.

> What does Linux use for the vpnstatus.sh script when I do that?
> A. Does linux start using the new script?
> B. Does linux have the old script in memory?

Okay, that's probably more of a file system question. I don't know if
you are aware yet of what an inode is. Essentially when I create a file
like a script, the file has an inode. Just for kicks, at the command line,
type this up:

$ ls -i

See all those strange numbers in front of the files? Those are inodes.
The script you are running is really a link to that inode. You may have
heard the term soft-link, symbolic link and hard link. This is similar
to that. If I create a hard link of a file in another directory, but on
the same file system, I have two links to the same inode. I can always
delete one and the other is not affected at all. They are in fact
pointing to the exact same file. I'll show you how to do this at the end
cause I think you'll get a kick out of it.

When you run a script, you're using the link to the inode to run it. And
if you leave the script running, you're running that inode. When you
delete the file you're telling the shell to remove the link from the
inode. But the shell is also and already running the script, and the
file name told it what inode to execute. So the inode is still there.
You're running it. If you were to stop the execution and then try to run
it again with the deleted file name, it wouldn't work because you
removed the link (the file name) from the inode. So the shell will fail
to find the inode and you can't run the script.

I believe, and corrections are always welcomed, that some kind of a lock
is placed on the inode while it is executing and it will continue to run
until it is stopped even if the link to the inode is destroyed. Once the
script is finished, it will need the link to the inode again and it will
not exist and thus can't be restarted.

So, let's play with an inode for fun of it. Open a command line and
type this up...

$ touch sample.txt
$ ln sample.txt other.txt

Now, edit sample.txt and type something unique in it, like today's date
or your name or whatever.

Now, type this up:

$ ls -il sample.txt other.txt

Notice the inodes on the left side stacked one on top of the next. See
how they are identical to each other.

Edit the file sample.txt again and add more text to it. When done, save
and close it.

Now, delete the sample.txt file.

$ rm sample.txt

And now, see what's inside of other.txt

$ cat other.txt

Notice all your changes are there. It is exactly the same as sample.txt
was before you deleted it. Neat huh? That's because you have two links
to the same inode. They are the same.

Now, just cause I like cool stuff, type this...

$ ln other.txt sample.txt

Now, delete other.txt

$ rm other.txt

Now, view the sample.txt

$ cat sample.txt

You still have your data and the sample file name and the inode are
identical to what you started with. It never changed. So that's a simple
concept of how files are linked to inodes. So I think that's what's
happening when you delete a script which is currently running. The open
file cannot yet delete its link until it is finished. Once it is
finished the shell acknowledges the updated link status and you can't
run the file again because you deleted the link to the inode.
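
The sample.txt/other.txt exercise above, and the running-script question it was answering, as an added shell demonstration (these are not Marek's own commands): the files are created under a mktemp directory, the inode numbers are compared with `ls -i`, and a small loop script is unlinked while it runs to show that the process survives.

```shell
#!/bin/sh
# Added demonstration, not the thread's own commands: two hard links share
# one inode, and a running script keeps running after its file name is
# removed because the shell executing it still holds that inode open.

# Print the inode number of a path (portable: first column of ls -i).
inode_of() { ls -i "$1" | awk '{print $1}'; }

# Recreates the thread's sample.txt/other.txt exercise in a temp directory.
# Returns 0 if both names share an inode and text written through
# sample.txt is still readable through other.txt after sample.txt is removed.
hardlink_demo() {
  d=$(mktemp -d) || return 1
  printf 'first line\n' > "$d/sample.txt"
  ln "$d/sample.txt" "$d/other.txt"
  [ "$(inode_of "$d/sample.txt")" = "$(inode_of "$d/other.txt")" ] || return 1
  printf 'second line\n' >> "$d/sample.txt"   # edit via one name only
  rm "$d/sample.txt"                          # remove that name, not the inode
  n=$(wc -l < "$d/other.txt")
  rm -rf "$d"
  [ "$((n))" -eq 2 ]
}

# Starts a small loop script in the background, unlinks its file while it
# runs, and returns 0 if the process is still alive afterwards.
running_script_demo() {
  d=$(mktemp -d) || return 1
  printf '#!/bin/sh\nwhile :; do sleep 1; done\n' > "$d/loop.sh"
  chmod +x "$d/loop.sh"
  "$d/loop.sh" &
  pid=$!
  sleep 1
  rm "$d/loop.sh"                 # the name is gone; the open inode is not
  sleep 1
  kill -0 "$pid" 2>/dev/null      # 0 if the process still exists
  alive=$?
  kill "$pid" 2>/dev/null
  wait "$pid" 2>/dev/null
  rm -rf "$d"
  return "$alive"
}

hardlink_demo && echo "hard links: same inode, data survives rm sample.txt"
running_script_demo && echo "running script: still alive after its file was removed"
```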

Mark Bannon

Dec 14, 2015, 2:16:27 PM
On Mon, 14 Dec 2015 07:10:00 -0800, Marek Novotny wrote:

> The script won't tell you which of the three you are using. It will tell
> you if you are using vpn and it should tell you if your connection is
> via ppp0 or tun0. So at least with that you'll know you're on PPTP or
> OpenVPN.

Ah. Thanks for clarifying. I will expect to see the following if/when I
find a freely available config file that isn't an OpenVPN/SSL type VPN:
1. PPTP ==> ppp0
2. IPsec (with or without L2TP?) ==> tun0
3. SSL ==> tun0
4. Socks ==> ?

> You'll know which you are using though. The setup tends to be different
> between OpenVPN, PPTP and IPSec. And of course you won't be running the
> openvpn command or have an ovpn config file.

While I completely understand that last sentence above, you have to realize
that when I happened across the vpngate.net site, I didn't realize that
OpenVpn would work. I just guessed. In fact, I was *forced* to guess because
the site clearly says the scripts don't work on Linux!

Since I didn't believe that, I tried a bunch of different vpn implementations
after googling furiously, one of which was openvpn, which worked (thanks
to a hint from you, as I recall, about a year or so ago).

> So it should be painfully obvious to you which type you're using.

This is one of those things that actually takes a bit of a firm foundation,
which I didn't have just a day ago. You have to *know* what types of VPN
exist and then you have to know that openvpn is *only* an SSL vpn and then
you have to know what to *ignore* in the log file and what to look for.

But, thanks to you, I know now that I'm using *only* the SSL VPN type!

> Right now you've only used openvpn so this is all new to you.
> Once you use the others this will all be more obvious than it is now.

I agree with you.

Since I believe paying for privacy is the first step in *losing* your
privacy (look what happened in the HMA fiasco, for example), I will
search for a freeware no-registration-needed PPTP and IPSec and SOCKs
VPN, to see if I can test them out with your script.

> So really what this script does is what it always did. It tells you if
> the connection is on or off. As it was originally I just tested it with
> OpenVPN. Now it is tested and slightly modified to work against OpenVPN,
> PPTP and IPSec.

I love this script because I can leave it running all the time!
It simply adapts to whether I'm on VPN or not.

BTW, it could even be used to answer the Yes-or-No question that
vpnchecker.sh asks, but I don't use it for that since a human can
just as easily tell if the VPN worked or not.

However, there have been times (it happened just yesterday) where the
vpnchecker.sh script starts a VPN session which *looks* clean, but
which the vpnstatus.sh script feels is not working.

So, I believe vpnstatus.sh is a *necessary* adjunct to vpnchecker.sh!
