I set up a VPN using SoftEther VPN software, but I don't know if my web communications are encrypted. In the software, I have L2TP/IPsec and AES-256-SHA checked off/enabled, but I want to be sure that I'm not transmitting data that isn't encrypted. Both of the computers are running Windows 7. I downloaded Wireshark, but I don't know how I can tell if the packets I send out are secure/encrypted. TL;DR: Connected to VPN in my house. Enabled encryption in software, want to see if the packets are encrypted. How do I find encrypted packets and be sure that the connection is encrypted? asked 30 Jul '13, 12:15 MastaChief11, edited 31 Jul '13, 10:55
3 Answers:
Without a VPN tunnel you would not be able to connect to any of your internal 'home/house' IP addresses from any location on the internet. So just by applying logical thinking, you can conclude that encryption (or at least some tunnel technology) is in place if you are able to connect to those IP addresses, right? Using Wireshark, you should see the encryption protocols you described, if you capture the communication off-box (meaning in front of any of the involved systems). You will see those encrypted packets with this display filter
as long as you really use those tunnel protocols! If you capture the traffic on-box (meaning on the VPN client), it depends on the internals of the VPN client whether Wireshark sees the unencrypted or the encrypted traffic. I can't tell, as I don't know SoftEther VPN. Just try it and you'll see... Regards answered 08 Aug '13, 02:37 Kurt Knochner ♦
Watch the stream and look for negotiation using defined encryption protocols. If you know the data is compressed with bzip2, look for the strings 0x314159265359 and 0x177245385090. Unless headers are totally stripped out, they'll appear once for every block. You can take a guess at whether data is encrypted by following the stream and checking for entropy. The more entropy per bit, the more likely you're seeing encryption. This unfortunately applies to compression as well. I would say that you can discern known encrypted, or known unencrypted. Differentiating encryption from compression would take a while and involve more complex code without header information for magic strings (like above) to give it away. Regards http://www.education4world.net/ answered 24 Aug '13, 12:13 Ali Hassan
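The entropy and magic-string heuristic from the answer above, as an added Python example that is not from the original post: it scores a payload in bits per byte, checks for the bzip2 markers the answer quotes, and triages three constructed payloads (the 7.0 bits/byte cut-off is an assumption, and a high score alone cannot separate encryption from compression).

```python
import bz2
import math
import os
from collections import Counter

# bzip2 magic numbers quoted in the answer: block header ("pi") and end-of-stream ("sqrt(pi)")
BZ2_BLOCK_MAGIC = bytes.fromhex("314159265359")
BZ2_EOS_MAGIC = bytes.fromhex("177245385090")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_bz2_magic(data: bytes) -> bool:
    """True if a byte-aligned bzip2 block or end-of-stream marker is present.
    Only the first block header is guaranteed byte-aligned; later markers in a
    multi-block stream sit at arbitrary bit offsets and would need a bit-level scan."""
    return BZ2_BLOCK_MAGIC in data or BZ2_EOS_MAGIC in data


def classify_payload(data: bytes, high: float = 7.0) -> str:
    """Rough triage of a captured payload (threshold of 7.0 bits/byte is assumed):
    'compressed'   - bzip2 marker found, so high entropy is compression, not encryption
    'plaintext'    - low entropy per byte, readable or structured data
    'high-entropy' - could be encrypted OR compressed with headers stripped/unknown"""
    if find_bz2_magic(data):
        return "compressed"
    return "high-entropy" if shannon_entropy(data) >= high else "plaintext"


# Constructed sample payloads (not captures from this thread)
PLAINTEXT = b"GET / HTTP/1.1\r\nHost: 192.168.1.132\r\nUser-Agent: test\r\n\r\n" * 4
COMPRESSED = bz2.compress(PLAINTEXT)
RANDOM_LIKE = os.urandom(4096)  # stands in for an encrypted tunnel payload

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT), ("bz2", COMPRESSED), ("random", RANDOM_LIKE)):
        print(f"{name:10s} {shannon_entropy(blob):.2f} bits/byte -> {classify_payload(blob)}")
```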
Set up an access point on your Mac, connect your phone. Ensure all your web pages on your phone are using HTTPS, and not HTTP. Install a packet analyzer like Packet Peeper, Cocoa, or Wireshark on your Mac, and take samples while you transmit data with the phone. Take a look at the packets and their headers; all should be unreadable. Regards http://www.virtualians.pk/ answered 24 Aug '13, 12:14 Irfan Khan
Thanks for your help, Irfan, but I don't use Macs. Your suggestion is still appreciated though. (30 Aug '13, 15:44) MastaChief11
On the server, I sometimes see TLSv1 packets being sent from the server to the client, and the client to the server. Within these packets, I see that it says Secure Sockets Layer. However, I also see packets that are not encrypted, such as ones that are labeled TCP and UDP.
That could be simply HTTPS or an SSL-based VPN.
On the client, I have something similar to "Encrypt connection with Secure Sockets Layer" checked off. Are you saying that my connection is encrypted?
No. I am saying that there seems to be a TLS/SSL-secured connection between your client and your VPN server. That could be
So, to come back to your original question: how can you verify whether the connection is encrypted or not?
As you did not give any details about your network setup, let's just assume a standard setup.
Please replace my sample IPs with the ones in your environment!
If you establish a VPN Tunnel from your client and you do a ping from 10.1.1.x to 192.168.1.x (CLI: ping 192.168.1.x), do you see that ping in the capture file?
If you can't see the ping (Display Filter: icmp) in the capture file and you get a response on the CLI, then there is a pretty good chance that the VPN tunnel is established and the communication is encrypted (see my argument about applying logical thinking in my answer ;-)).
If you do see the ping in the capture file, then we really need more detailed information about your network setup.
The VPN Server that I am using is within my house, and on the same network that my client is on. I have SSL enabled within the client, but I don't know if TLS is enabled.
This is my setup (this is the equipment that I have, I'm not sure if this is the correct order):
VPN Client - VPN Server - Router - Internet
Should I type this into my Wireshark console (without the things in parentheses)?
(Client) 192.168.1.134 --- (Server) 192.168.1.132 --- (Router) 192.168.1.1 -- (Public IP) 50.censored
I apologize for my inexperience.
Is this your VPN client (the system that runs the VPN client software) or the system you connect to from the internet, using a VPN client on a laptop?
SSL and TLS are almost the same (from a very high-level view; there are of course technical differences). Anyway, if you have enabled SSL, your VPN tunnel traffic (encrypted traffic) will appear as the SSL (or TLS) protocol in Wireshark.
The IP that I listed as the client is running as the VPN client (it's running the VPN client software). This is a snapshot I took of Wireshark on my server last week.
http://www.vpnusers.com/download/file.php?id=117&mode=view
I noticed that not all of the packets are labeled TLSv1. The packet data on the lower half of the image is from the TLSv1 packet.
O.K., what are you trying to do? Having a VPN tunnel in the local network (client and VPN server are in the same subnet) is only useful in certain environments. Is this just a test?
The UDP packets in the screenshot could be part of the VPN tunnel. As I don't know your VPN software, I can't tell you.
Please run the following commands on both the client and the server.
The command may take a few seconds; don't interrupt it! Please run the command as Administrator (e.g. in an elevated DOS box). Then post the content of the text files here. I'm interested in the 'owner' of port 40000 (safetynetp).
The rest (SSL/TLS/https) is either part of the VPN tunnel or (as I already mentioned), the web admin GUI of the server, if that runs on port tcp/443 (https).
I wanted to get the VPN working at my house first (be sure I can connect to it, that it's encrypted, etc.), and then bring it to an office. The server does listen on port 443, and the client is configured to connect to the server via port 443.
I typed in "netstat -nab > netstat_client.txt" (as an Administrator), but it just skipped to the next line. However, typing only "netstat" did work, and this is the result.
imgur.com/sOAR6vX
Where would the file generate if the command worked?
Both computers are running Windows 7 64 Bit.
Well, then you will be able to establish a VPN tunnel, but you will not get any answer if you try to connect to something through the tunnel, unless you simulated the office environment at your home.
I need the output of the file netstat_client.txt (command run on the client) and netstat_server.txt (command run on the client). Both files will be created in the same directory where you executed the netstat command.
Unfortunately that does not help for two reasons.
O.K., then there is no reason why the traffic should not be encrypted; however, as I said above, you will have a hard time testing the tunnel, as you won't get an answer from anything "after" the tunnel, unless you simulated parts of the office environment at your home. BTW: What is the IP subnet in the office? If it is also 192.168.1.0/24, then you won't be able to test anything at your home, because the client and the systems that are supposed to be located 'behind' the VPN tunnel are in the same subnet!
I had to post this as an answer because I can't post more than 2500 characters if I post a comment. I censored a couple lines just in case they had sensitive information in them, but not much. This is the client file. I will post the server file very soon (within 15 minutes). As of 5:17 P.M., I removed the information pertaining to my antivirus.
This is the output of the client. Can you please add the output of the server as well? I'm still trying to find port 40000 to figure out if that belongs to the VPN.
BTW: What is the IP subnet in the office? If it is also 192.168.1.0/24, then you won’t be able to test anything at your home, because the client and the systems that are supposed to be located ‘behind’ the VPN tunnel are in the same subnet!
This is the server netstat output. .132 is the server, and .134 is the client. I found port 40000, and I highlighted and italicized it to make it easier to find (it’s 2/3 of the way down). I won’t be able to get the subnet at this moment, but I will find out when I can get there.
As you can see, port udp/40000 also belongs to the VPN solution.
Whether that is VPN traffic (encrypted payload) or some form of status/management protocol, I can't tell you.
To sum it up: it looks like your VPN solution works (kind of). If you move the solution to the office, you may have to open more than just port tcp/443 on your office firewall to make the VPN work (port udp/40000 seems to be involved as well). However, that is 'a bit' off topic for this site and you had better ask that question in the forum of the vendor.
As long as it is at my home, the ports won't need to be opened in order for the VPN to work properly (although I do have two of the ports that the VPN listens on open) and the connection to be encrypted, correct?
Yes, as there is no firewall between the client and the server, except the Windows 7 firewall, which is (most certainly) automatically configured (during installation of the VPN software) to make the VPN work.
Would I be correct to say that the VPN works, but there is no way to be sure that the packets are encrypted, but it is very likely that they are encrypted?
Sounds reasonable.