Is VPN-over-ICMP/DNS just a marketing trick?
Posted: Fri May 22, 2020 3:00 pm
According to the Manual and several forum posts,
1st, it is enabled very easily with just one check-mark in the server's config and nothing more,
2nd, it is activated automatically when the two "generic" (Direct and NAT-T) ways to connect fail,
3rd, it's impossible to forcibly activate this mode.
But a lot of posts are flying around the Net about a bunch of tests that bring up very critical thoughts.
Let's take some very basic logic and think:
- I've set up a remote server and it works,
- I've enabled these "over-something" in its config,
(condition "1st" completed)
- I've created the respective connection to this server and tested it,
- this connection works both directly and via NAT-T,
- next, in my firewall I've blocked both TCP and UDP and explicitly enabled any ICMP, everything pointing to/from my-server-ip, and checked it of course,
(condition "2nd" completed)
- and then I've tried to make the connection again.
Now, taking into account the 3 conditions described at the beginning, what result should I expect? Remember, we're thinking logically! The connection is made via this VPN-over-ICMP, right?
Boo! You lose!
So, just a pair of very simple questions:
1. How to set up this super-mega-feature right?
2. How to prove it works?