Swimminginthought

A place for all things technical and my mind..


Encryption type Matters with Deep Packet Inspection – solved

Posted on July 4, 2012 by Percy Kwong

I was helping a client yesterday set up a VPN tunnel, only to have it constantly disconnect. The client was located outside of the country. For the sake of avoiding throttling and saving on CPU, we were using the Blowfish cipher, and it kept on getting disconnected.

I found this rather strange, as I've never had this problem before. We'd literally get the client up and running only to find that it was immediately disconnected. This went on for a while (about 15 min.) until the lightbulb went on in my head to try something different (lateral thinking has always been my forte). I switched the encryption from Blowfish to AES-128. Surprisingly, it changed everything: the tunnel stayed up and didn't disconnect.

So apparently some deep packet inspection technology has the ability to decrypt Blowfish on the fly, very quickly, and determine what the contents of the tunnel are.

It didn't matter what port we were running on. We had tried several different ports prior to this.

So if you're noticing many random disconnects for no apparent reason (and I've set up enough VPN servers in my day to definitely know I didn't do anything wrong), consider changing your encryption to a stronger cipher. Apparently, it does make a difference.

Total time to figure it out? About 1 hour, tops.

The good thing about the AES cipher is that it's still considered pretty much unbreakable, even by the NSA and their supercomputer at building 5300.

So my recommendation is to switch the cipher before switching ports around to see if it makes a difference.

I’m not naming the country or the ISP, but clearly privacy is not high on their list.

It's two simple changes.

On the OpenVPN server, if that's what you're using, just uncomment the AES line in /etc/openvpn/server.conf.

On the client, just change the cipher to AES-128. All done.

Obviously, restart openvpn and dnsmasq afterwards.

For good measure, I always restart iptables as well.
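As an added example that is not from the original post, the following script performs those two changes on copies of a server.conf and a client config, and keeps the restarts behind an APPLY=1 switch. It assumes the stock OpenVPN 2.x sample server.conf layout, where the unused cipher lines are commented out with a leading `;`, and SysV-style `service` commands for the restarts (use `systemctl` on systemd hosts). The config fragments it writes are constructed samples, not files from the post.

```shell
#!/bin/sh
# Added example (not from the original post): switch an OpenVPN 2.x
# configuration from Blowfish (BF-CBC) to AES-128-CBC on both ends.
# Assumptions: the stock sample server.conf layout, where unused cipher
# lines are commented out with a leading ';', and SysV-style "service"
# commands for the restarts (use systemctl on systemd hosts).

# Write a constructed server.conf fragment with Blowfish active and the
# AES line still commented out, as in the situation described in the post.
make_sample_conf() {
    cat > "$1" <<'EOF'
port 1194
proto udp
dev tun
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
keepalive 10 120
EOF
}

# Constructed client config with the matching (Blowfish) cipher line.
make_sample_client() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
cipher BF-CBC
EOF
}

# active_cipher FILE: print the cipher OpenVPN will actually use.
# With no active "cipher" line, OpenVPN 2.3 and earlier default to BF-CBC.
active_cipher() {
    awk '$1 == "cipher" { c = $2 } END { print (c == "" ? "BF-CBC" : c) }' "$1"
}

# set_cipher FILE CIPHER: comment out every other active cipher line,
# uncomment the wanted one if it is present, or append it if it is not.
set_cipher() {
    file="$1"
    want="cipher $2"
    tmp="$file.tmp"
    awk -v want="$want" '
        # An active cipher line other than the wanted one: comment it out.
        $1 == "cipher" && $0 !~ ("^" want "([ \t]|$)") { print ";" $0; next }
        # The wanted cipher, commented out: strip the leading ";".
        $0 ~ ("^;[ \t]*" want "([ \t]|$)") { sub(/^;[ \t]*/, ""); found = 1; print; next }
        # The wanted cipher already active: nothing to change.
        $1 == "cipher" { found = 1 }
        { print }
        END { if (!found) print want }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# restart_services: the restarts the post recommends after the change.
# Only run when APPLY=1, since it needs root and real services.
restart_services() {
    for svc in openvpn dnsmasq iptables; do
        service "$svc" restart
    done
}

# Demo on temporary copies, never on the real /etc/openvpn files.
work=$(mktemp -d)
make_sample_conf "$work/server.conf"
make_sample_client "$work/client.ovpn"
echo "before: server=$(active_cipher "$work/server.conf") client=$(active_cipher "$work/client.ovpn")"
set_cipher "$work/server.conf" AES-128-CBC
set_cipher "$work/client.ovpn" AES-128-CBC
echo "after:  server=$(active_cipher "$work/server.conf") client=$(active_cipher "$work/client.ovpn")"
grep -n 'cipher' "$work/server.conf"
if [ "${APPLY:-0}" = 1 ]; then
    restart_services
fi
```

Run it as-is to see the before/after cipher lines on the temporary copies; point `set_cipher` at the real /etc/openvpn/server.conf and the client's .ovpn, then run with APPLY=1, to make the change for real. The cipher directive must match on both ends, which is why the script edits the client file too.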

This should help if you're having constant disconnects with OpenVPN.

Cheers.
