TorGuard

4b3e098b


  1. This was an issue a year or two ago when I used TorGuard and it still seems to be an issue now. There's nothing you can do to fix it. TorGuard's server config is botched in such a way that you can't negotiate with it. I'll use connecting to UDP port 53 as an example. These are the listed ciphers:

    cipher AES-256-CBC*
    cipher AES-128-GCM
    cipher AES-256-GCM
    cipher AES-128-CBC
    cipher BF-CBC

    A proper OpenVPN server would use cipher AES-256-CBC and then ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:BF-CBC. An older OpenVPN client (pre 2.4) would pass cipher AES-256-CBC in its client config. These don't support cipher negotiation, so OpenVPN 2.3 or less, or OpenVPN 2.4+ with cipher negotiation disabled, would use AES-256-CBC. But once cipher negotiation is in play (ncp), the cipher config is overridden in favor of ncp-ciphers. An OpenVPN client could pass a list in order of preference and, as long as the server accepts them, the first one the server supports gets used.

    I build my own OpenVPN servers so I have worked with this. An example in my case: I only want to support the AES-256-GCM cipher as I only let the latest clients connect. I set cipher AES-256-CBC as is proper, then ncp-ciphers AES-256-GCM. Since any client with OpenVPN 2.4 by default will use negotiation, and I only list AES-256-GCM, the client absolutely must support and use AES-256-GCM. Technically, they could disable ncp client side and connect with AES-256-CBC (and a 2.3 client might be able to connect, but then I use 2.4+ features so they wouldn't work anyway). I could allow additional ciphers server side by setting ncp-ciphers AES-256-GCM:AES-256-CBC:AES-128-GCM:AES-128-CBC. Now, a 2.4+ client with ncp enabled will default to AES-256-GCM, but they can set ncp-ciphers in the client config to force any one of those 4. TorGuard will need to fix their servers to remedy this. There is nothing you can do on your end to force AES-256-GCM properly.

    I posted here a while ago about this issue and it looks like they never fixed it. It would also be nice if they would allow SHA-512 on their tls-crypt servers, but at least according to the specs page no configuration supports that, as opposed to the specs page stating all listed ciphers are valid on 2.4+ despite this being provably false due to their configuration error. On both ASUS Merlin and pfSense, there is no setting that allows me to get AES-256-GCM without the local/remote error and issues that follow from there. So I've just disabled ncp and used AES-256-CBC.
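As an added illustration (not from the post above and not TorGuard's own configuration), these are the OpenVPN 2.4 server and client fragments the post describes, showing only the cipher-related directives; the host, port and file names are placeholders.

```conf
## server.conf fragment, OpenVPN 2.4: the layout the post calls "proper"
# 'cipher' is only the fallback for peers that do not negotiate
# (2.3 clients, or 2.4+ clients that set ncp-disable). Once NCP is in
# play, the data-channel cipher is chosen from 'ncp-ciphers' instead.
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC:BF-CBC

## server.conf variant: the poster's own strict server
# Only one negotiable cipher is listed, so every NCP-capable client
# must support and use AES-256-GCM; CBC remains only for non-NCP peers.
# cipher AES-256-CBC
# ncp-ciphers AES-256-GCM

## client.ovpn fragment, OpenVPN 2.4+ with NCP left enabled (the default)
# VPN_SERVER_IP is a placeholder; UDP/53 as in the post. 'ncp-ciphers'
# here limits what this client will accept from the server's push, so it
# cannot silently end up on AES-128-CBC or BF-CBC even if the server
# lists them.
client
dev tun
proto udp
remote VPN_SERVER_IP 53
cipher AES-256-CBC
ncp-ciphers AES-256-GCM

## client.ovpn variant: the workaround the post ends with
# Turning negotiation off makes 'cipher' authoritative on both ends,
# which avoids the local/remote mismatch warning the post mentions at
# the cost of staying on CBC instead of GCM.
# ncp-disable
# cipher AES-256-CBC
```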
  2. 4b3e098b

    iOS DNS Leak with IKEv2 and/or IPSec VPN

    Connecting via IKEv2, I tested what DNS leaks and what doesn't. I used the Direct IP, though the one for Chicago never works, so I did an nslookup and used a working IP. PS: I tested almost 50 different Chicago servers via OpenVPN and they all had bad speeds (and there are some IPs that I can never connect to via Chicago). Oddly, I can get full speeds from LA despite being much farther away.

    DNS LEAK: YES
    - Atlanta
    - Dedicated IP
    - New Jersey
    - New York
    - Seattle

    DNS LEAK: NO
    - Chicago (I did not test every IP out of the many I tried, but the ones I did look at didn't leak)
    - Dallas
    - Las Vegas
    - Los Angeles
    - Miami
  3. 4b3e098b

    iOS DNS Leak with IKEv2 and/or IPSec VPN

    I got the idea to test a UK server since you mentioned O2. I also tested Chicago. They don't seem to leak, but I have a lot more difficulty connecting to them than NY. I can't connect to either over IKEv2 at all if I use my iOS profile, but I can if I set it up manually (not sure if these have different settings than NY IKEv2).
  4. 4b3e098b

    iOS DNS Leak with IKEv2 and/or IPSec VPN

    It seems I'm getting Google DNS IPs.

    Cellular
    - No VPN: 1 AT&T DNS IP (Expected)
    - ProtonVPN IKEv2: 1 Endpoint IP (Expected)
    - ProtonVPN OpenVPN: 1 Endpoint IP (Expected)
    - TorGuard AnyConnect: Several Level 3 DNS IPs
    - TorGuard Dedicated IP OpenVPN: 1 Endpoint IP (Expected)
    - TorGuard Dedicated IP IKEv2: Several Google DNS IPs
    - TorGuard Dedicated IP IPSec: Several Google DNS IPs
    - TorGuard Dedicated IP L2TP: 1 Endpoint IP (Expected)
    - TorGuard New York OpenVPN: 1 Endpoint IP (Expected)
    - TorGuard New York IKEv2: Several Google DNS IPs
    - TorGuard New York IPSec: Several Google DNS IPs
    - TorGuard New York L2TP: 1 Endpoint IP (Expected)

    Wi-Fi
    - No VPN: Several OpenDNS IPs (Expected)
    - ProtonVPN IKEv2: 1 Endpoint IP (Expected)
    - ProtonVPN OpenVPN: 1 Endpoint IP (Expected)
    - TorGuard AnyConnect: Several Google DNS IPs
    - TorGuard Dedicated IP OpenVPN: 1 Endpoint IP (Expected)
    - TorGuard Dedicated IP IKEv2: Several Google DNS IPs
    - TorGuard Dedicated IP IPSec: Several Google DNS IPs
    - TorGuard Dedicated IP L2TP: 1 Endpoint IP (Expected)
    - TorGuard New York OpenVPN: 1 Endpoint IP (Expected)
    - TorGuard New York IKEv2: Several Google DNS IPs
    - TorGuard New York IPSec: Several Google DNS IPs
    - TorGuard New York L2TP: 1 Endpoint IP (Expected)

    Notes
    - I use UDP for all OpenVPN, though TCP doesn't make a difference.
    - My carrier is AT&T.
    - It hasn't mattered in the past which New York server I use, though I'm using a direct IP so that I always get the same one.
    - I do get the WAN IP successfully in all cases, and I can connect to all protocols listed regardless of being at home, work, or on cellular.
    - AnyConnect seemed to differ depending on Wi-Fi or Cellular. Everything else was the same DNS service regardless of Wi-Fi or Cellular. I don't plan on using AnyConnect, but wanted to compare it here.
    - ProtonVPN doesn't DNS leak over IKEv2. They only offer OpenVPN and IKEv2, and no Dedicated IP options (or port forwarding) so the other protocols don't apply.
    - OpenVPN works fine in all cases.
    - I also get DNS Leaks over IKEv2 if I connect on Mac settings instead of my iPhone.
  5. When using OpenVPN via OpenVPN Connect, I do not get DNS Leaks, but OpenVPN on iOS doesn't auto-reconnect or support On Demand VPN. TorGuard L2TP doesn't DNS leak like IKEv2 or IPSec, but it's the least secure protocol. When setting up TorGuard with IKEv2 or IPSec, regardless of whether I use the TorGuard iOS app, manually configure it in Settings, or use a .mobileconfig profile to load the VPN configuration settings, TorGuard leaks the DNS, and this has been happening since I've tried. I'm using a .mobileconfig profile to load all my VPN servers/configuration, and I wrote it to effectively kill-switch/auto-reconnect, which works well with TorGuard minus the DNS Leak (I get this no matter how I connect via IKEv2 or IPSec so I know it isn't the profile, as the official iOS app has the same problem). I have a different VPN service that can do IKEv2 (they don't support IPSec, and I prefer IKEv2 over that anyway), though I've been having trouble connecting to it over Wi-Fi via IKEv2. That they avoid the DNS leak though shows that TorGuard should as well.