vpnserver call home to tsukuba uni when it starts

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
coopzone
Posts: 7
Joined: Tue Jan 28, 2014 8:07 am

vpnserver call home to tsukuba uni when it starts

Post by coopzone » Sun Feb 23, 2014 8:47 pm

Hello, can anyone tell me why the vpnserver contacts home every time it starts, and then periodically talks back to the same addresses on TCP ports 80, 443 and 992 and UDP 5004 and 137? What info is it sending back to the university?

I have DDNS disabled and turned off auto-check for updates and keep alive, so I can see no reason for it to talk back home.

I have added these rules to stop it doing it and the functionality seems to be identical.

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:5004
DROP tcp -- anywhere anywhere tcp dpt:https
DROP tcp -- anywhere anywhere tcp dpt:telnets
DROP tcp -- anywhere anywhere tcp dpt:http

What is the info sent back? What is it used for?

coopzone
Posts: 7
Joined: Tue Jan 28, 2014 8:07 am

Re: vpnserver call home to tsukuba uni when it starts

Post by coopzone » Mon Feb 24, 2014 9:14 am

More info: this seems to be related to NAT-T. After reviewing the source code I found mention of a function to disable the global NAT-T registration; in the config file it's a parameter called:

bool DisableNatTraversal true

So I turned it to true, to disable it. And so far that seems to have stopped at least the traffic going to port 5004 udp.

Oops. I made a mistake: this stops other traffic, not port 5004, see below.
Last edited by coopzone on Mon Feb 24, 2014 3:47 pm, edited 1 time in total.


coopzone
Posts: 7
Joined: Tue Jan 28, 2014 8:07 am

Re: vpnserver call home to tsukuba uni when it starts

Post by coopzone » Mon Feb 24, 2014 3:45 pm

Thanks for the info,

I have turned off DDNS, auto update and NAT traversal (as above). I made a mistake in saying that this stopped the traffic on 5004 UDP. I have stopped all the traffic to every other port by turning off these three settings. However, traffic to port 5004 continues.

I did a packet sniff of the traffic and it turned out that my server connects in and gets back a single udp reply that says your IP=x.x.x.x, PORT=xxxx. So something to do with NAT traversal. See trace:

3 2.974893 192.168.3.11 -> 130.158.6.112 UDP 43 Source port: safetynetp Destination port: avt-profile-1

0000 00 50 56 3f 37 db 00 50 56 39 c0 e8 08 00 45 00 .PV?7..PV9....E.
0010 00 1d 00 00 40 00 40 11 ee 0e c0 a8 03 0b 82 9e ....@.@.........
0020 06 70 9c 40 13 8c 00 09 c1 4d 42 .p.@.....MB

4 3.250774 130.158.6.112 -> 192.168.3.11 UDP 69 Source port: avt-profile-1 Destination port: safetynetp

0000 00 50 56 39 c0 e8 00 50 56 3f 37 db 08 00 45 80 .PV9...PV?7...E.
0010 00 37 11 e7 00 00 64 11 f7 8d 82 9e 06 70 c0 a8 .7....d......p..
0020 03 0b 13 8c 9c 40 00 23 d9 1c 49 50 3d xx xx 2e .....@.#..IP=xx.
0030 xx xx xx 2e xx xx xx 2e xx xx 2c 50 4f 52 54 3d xxx.xxx.xx,PORT=
0040 36 31 36 34 37 61647

It does this every 2 minutes approximately. This increases when a VPN connection is being made. I suspect it may be a bug and should in fact have been stopped with the disable NAT traversal setting but seems to have been missed. I started to look at the source code but can't quite get my head around it yet.
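The two frames above are the whole NAT-T exchange: a one-byte probe to UDP 5004 and a text reply telling the server what its public address and port look like from outside. The following is an added example (not code from the SoftEther project or from the poster) that reads a dump in the forum's "offset bytes ascii" layout, dissects Ethernet/IPv4/UDP and decodes the "IP=...,PORT=..." mapping. The request dump is the one posted in the thread; the reply dump is constructed in the same layout with the masked public address replaced by the documentation address 198.51.100.77, so its checksums are not valid and are deliberately not verified.

```python
"""Dissect the SoftEther NAT-T UDP exchange from a forum-style hex dump.

Added example; not code from the SoftEther project or from the poster.
REQUEST_DUMP is the frame posted in the thread.  REPLY_DUMP is constructed:
same layout as the posted reply, masked address replaced by 198.51.100.77.
Checksums are therefore not valid and are not checked here.
"""
import re
import struct
from typing import Dict, Optional, Tuple

REQUEST_DUMP = """
0000 00 50 56 3f 37 db 00 50 56 39 c0 e8 08 00 45 00 .PV?7..PV9....E.
0010 00 1d 00 00 40 00 40 11 ee 0e c0 a8 03 0b 82 9e ....@.@.........
0020 06 70 9c 40 13 8c 00 09 c1 4d 42 .p.@.....MB
"""

REPLY_DUMP = """
0000 00 50 56 39 c0 e8 00 50 56 3f 37 db 08 00 45 80 .PV9...PV?7...E.
0010 00 37 11 e7 00 00 64 11 f7 8d 82 9e 06 70 c0 a8 .7....d......p..
0020 03 0b 13 8c 9c 40 00 23 d9 1c 49 50 3d 31 39 38 .....@.#..IP=198
0030 2e 35 31 2e 31 30 30 2e 37 37 2c 50 4f 52 54 3d .51.100.77,PORT=
0040 36 31 36 34 37 61647
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
NATT_REPLY = re.compile(rb"^IP=(\d{1,3}(?:\.\d{1,3}){3}),PORT=(\d{1,5})$")
UDP_NAT_T_PORT = 5004  # the constant the poster found in Mayaqua/Network.h


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn an "offset bytes ascii" dump into raw bytes.

    A line carries at most 16 bytes, so reading stops at the 16th token or at
    the first token that is not exactly two hex digits; that second rule keeps
    the trailing ASCII column (e.g. "61647") out of the data.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}", tokens[0]):
            continue
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset {tokens[0]} does not follow the previous line")
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def dissect_udp(frame: bytes) -> Dict[str, object]:
    """Parse Ethernet II -> IPv4 -> UDP and return addresses, ports and payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet II frame")
    ip = frame[14:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("not UDP")
    if total_len < ihl + 8 or len(ip) < total_len:
        raise ValueError("truncated IPv4 packet")
    udp = ip[ihl:total_len]  # ignore any Ethernet padding past the IP total length
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if ulen < 8 or ulen > len(udp):
        raise ValueError("bad UDP length")
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": bytes(udp[8:ulen]),
    }


def parse_natt_reply(payload: bytes) -> Optional[Tuple[str, int]]:
    """Decode "IP=a.b.c.d,PORT=n"; None for any other payload or out-of-range values."""
    m = NATT_REPLY.match(payload)
    if m is None:
        return None
    octets = [int(o) for o in m.group(1).split(b".")]
    port = int(m.group(2))
    if any(o > 255 for o in octets) or not 0 < port < 65536:
        return None
    return ".".join(str(o) for o in octets), port


def describe(dump: str) -> Dict[str, object]:
    """Dissect one dump and flag whether it is NAT-T traffic on UDP 5004."""
    info = dissect_udp(hexdump_to_bytes(dump))
    info["is_natt"] = UDP_NAT_T_PORT in (info["sport"], info["dport"])
    info["mapping"] = parse_natt_reply(info["payload"])
    return info


if __name__ == "__main__":
    for name, dump in (("request", REQUEST_DUMP), ("reply", REPLY_DUMP)):
        d = describe(dump)
        print(f"{name}: {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
              f"payload={d['payload']!r} natt={d['is_natt']} mapping={d['mapping']}")
```

The reply carries nothing but the server's own NAT mapping, which is why blocking UDP 5004 did not break anything for the poster's setup: the information only matters when a peer has to punch through NAT to reach the server.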

coopzone
Posts: 7
Joined: Tue Jan 28, 2014 8:07 am

Re: vpnserver call home to tsukuba uni when it starts

Post by coopzone » Mon Feb 24, 2014 6:28 pm

Further info: it also seems that if you don't make any new connections for several hours, the first connection causes several UDP 5004 packets, but also attempts to connect to port 137. I have not captured that packet, but this iptables output shows it tries:

pkts bytes target prot opt in out source destination
1 78 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
74 2146 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5004
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:992
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80

To help point you in the right direction, the only code I have found so far to mention port 5004 is in the /src/Mayaqua directory, defined in Network.h and used as UDP_NAT_T_PORT in the Network.c file. Not yet worked out what happens with it.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: vpnserver call home to tsukuba uni when it starts

Post by dnobori » Tue Feb 25, 2014 1:58 am

Are you using the UDP acceleration function on the VPN client / bridge connection setting? If so, you have to disable it to stop the UDP traffic entirely. These UDP packets are used for UDP hole punching.

coopzone
Posts: 7
Joined: Tue Jan 28, 2014 8:07 am

Re: vpnserver call home to tsukuba uni when it starts

Post by coopzone » Tue Feb 25, 2014 9:11 am

Thank you, that has now stopped all the traffic. Of course under "normal" use the traffic is beneficial, but for the particular application I am implementing I don't want any info escaping to the web. So to be clear, to stop ALL connections out by the vpnserver you have to do:

Step 1, disable DDNS
change the config file DDNS section to read:

declare DDnsClient
{
bool Disabled true
}

Step 2, disable UDP acceleration
I did this from the config file by setting:

bool DisableUdpAcceleration true

Step 3, turn off keep alive. This is via the GUI on the server encryption and network button.

Step 4, turn off auto update check. Again this is via the GUI on the server encryption and network button.

Step 5, Disable Nat Traversal
In the config file change the following setting.

bool DisableNatTraversal true

Having done the above (thanks to dnobori for the ones I missed) and restarted the server, I now don't see any outbound / unexpected traffic.
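The three config-file steps above are easy to get wrong on a server that is rebuilt or whose config is regenerated, so here is an added example (not code from the SoftEther project or from the poster) that parses a vpn_server.config-style file and reports which of those settings would still let the server talk out on its own. Assumptions: the file uses SoftEther's "declare NAME { type key value }" layout with a top-level "declare root", and the two flat "bool Disable..." keys the poster set are assumed to live under "declare ServerConfiguration". The keep-alive and update-check switches (steps 3 and 4) were changed in the GUI and their config keys are not given in the thread, so they are not audited. The two config fragments are constructed, not real files from any server.

```python
"""Audit a SoftEther vpn_server.config for the settings that, per the thread,
make the server contact the Internet on its own (DDNS, NAT traversal, UDP
acceleration).

Added example; not code from the SoftEther project or from the poster.
Assumed: "declare root" at top level and the flat Disable* keys under
"declare ServerConfiguration".  Keep-alive and update-check keys are not
given in the thread and are not audited.
"""
import copy
from typing import Any, Dict, List, Tuple

# Constructed config fragments; indentation is irrelevant to the parser.
LEAKY_CONFIG = """\
declare root
{
    declare DDnsClient
    {
        bool Disabled false
        string LocalHostname vpn123
    }
    declare ServerConfiguration
    {
        bool DisableNatTraversal false
        uint ServerType 0
    }
}
"""

HARDENED_CONFIG = """\
declare root
{
    declare DDnsClient
    {
        bool Disabled true
        string LocalHostname vpn123
    }
    declare ServerConfiguration
    {
        bool DisableNatTraversal true
        bool DisableUdpAcceleration true
        uint ServerType 0
    }
}
"""

# (path, value the thread sets, what is still active when it is not set)
EGRESS_CHECKS: List[Tuple[Tuple[str, ...], bool, str]] = [
    (("root", "DDnsClient", "Disabled"), True, "DDNS client registration"),
    (("root", "ServerConfiguration", "DisableNatTraversal"), True, "NAT traversal registration"),
    (("root", "ServerConfiguration", "DisableUdpAcceleration"), True, "UDP acceleration hole punching"),
]


def _coerce(typ: str, value: str) -> Any:
    if typ == "bool":
        return value.lower() == "true"
    if typ in ("uint", "int", "uint64", "int64"):
        return int(value)
    return value  # string, byte and anything else kept verbatim


def parse_config(text: str) -> Dict[str, Any]:
    """Parse the declare/brace layout into nested dicts; raise on unbalanced braces."""
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    pending = None  # name from a "declare X" line waiting for its "{"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("declare "):
            pending = line.split(None, 1)[1]
        elif line == "{":
            if pending is None:
                raise ValueError(f"line {lineno}: '{{' without a preceding declare")
            section: Dict[str, Any] = {}
            stack[-1][pending] = section
            stack.append(section)
            pending = None
        elif line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        else:
            parts = line.split(None, 2)
            if len(parts) < 2:
                raise ValueError(f"line {lineno}: expected 'type key [value]'")
            stack[-1][parts[1]] = _coerce(parts[0], parts[2] if len(parts) == 3 else "")
    if len(stack) != 1 or pending is not None:
        raise ValueError("unterminated section")
    return root


def is_well_formed(text: str) -> bool:
    try:
        parse_config(text)
        return True
    except ValueError:
        return False


def lookup(cfg: Dict[str, Any], path: Tuple[str, ...]) -> Any:
    node: Any = cfg
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_egress(cfg: Dict[str, Any]) -> List[str]:
    """One finding per setting that still permits unsolicited outbound traffic.

    A missing key is a finding: the poster had to add these keys, so the
    behaviour is assumed to be enabled when the key is absent.
    """
    findings = []
    for path, wanted, effect in EGRESS_CHECKS:
        actual = lookup(cfg, path)
        if actual != wanted:
            state = "missing" if actual is None else str(actual)
            findings.append(f"{'/'.join(path)} is {state}, want {wanted}: {effect} still enabled")
    return findings


def harden(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Deep copy with every audited key set to the value used in the thread."""
    out = copy.deepcopy(cfg)
    for path, wanted, _ in EGRESS_CHECKS:
        node = out
        for part in path[:-1]:
            node = node.setdefault(part, {})
        node[path[-1]] = wanted
    return out


if __name__ == "__main__":
    for finding in audit_egress(parse_config(LEAKY_CONFIG)):
        print(finding)
    print("hardened:", audit_egress(parse_config(HARDENED_CONFIG)) or "no findings")
```

Run it against a copy of the live config before restarting vpnserver; an empty findings list for the three file-based steps, plus the two GUI settings, is the state the poster ended up with. Pair it with an OUTPUT-chain counter like the one earlier in the thread, since the config only tells you what the server intends, while the packet counters tell you what it actually sends.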

coopzone
Posts: 7
Joined: Tue Jan 28, 2014 8:07 am

Re: vpnserver call home to tsukuba uni when it starts

Post by coopzone » Fri Feb 28, 2014 2:22 pm

One last packet to trace!

Only when I use L2TP/IPsec, no matter what the client (Android phone, Windows XP, Windows 7), the first time it connects the server sends an NBT packet to the IP address of the device, with a name query of "*". This trace shows the request:

root@vpn:~# tcpdump -n -vvv -r lastone
reading from file lastone, link-type EN10MB (Ethernet)
13:39:10.376661 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 78)
192.168.x.x.37249 > 213.205.x.x.137: [udp sum ok]
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0xD6E5
OpCode=0
NmFlags=0x0
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=* NameType=0x00 (Workstation)
QuestionType=0x21
QuestionClass=0x1

Is this some part of the keep-alive or NAT-T that needs turning off separately?
