
VPN



There have been a few posts on FB etc. speculating about the fleet-wide blocking of VPNs.

Just as an update we are currently on Oasis and VPNs are most definitely blocked onboard.

I guess for most people it’s not a big deal but I have to say I personally find it annoying. I want to use it for perfectly legitimate use. Having said that I’m sure it’s not a deal breaker for anyone! 

There are workarounds of course for those tech savvy enough to know but I don’t really want to go down that road. 


Curious if you were able to determine if they were blocking by port or protocol.  Also, was this a public VPN (such as Private Internet Access, Tunnelbear, etc) or a workplace VPN?  Any insight or clarity would be appreciated as this is something I use for several reasons while on-board.


There's no rational reason why they would block workplace VPNs.  This is almost certainly targeted at public VPNs to prevent passengers from using them to get around the naughty filters and management & monitoring systems.

I'm going to test out my workplace VPN and a couple of the public VPNs when I'm on the Majesty in a few weeks & report back to confirm.


17 hours ago, JBC said:

Matt, you seem to do a lot of work while on board, is this something that you can comment on?

I was able to use my company's VPN while on Harmony in July, which was not a major VPN provider.

While I was on Independence last week, I could not connect to Windscribe VPN on multiple occasions.  It would time out, which seems to indicate it was blocked.


VPN is a very broad term.  There is corporate VPN and then there are VPN providers who are used by folks trying to access services outside of their home country.  Pandora radio for example was only available in the US for a long time.  By using a VPN service you could connect and appear to be in the US when traveling abroad and therefore listen to Pandora anywhere on the planet.  

There are many different VPN technologies.  Some are based on open standards and some use more proprietary methods.  A big factor for some VPN protocols is latency.  Ship internet uses satellite and it takes time to beam a signal into space and send it back from the satellite to earth.  This delay plays havoc with some VPN protocols and they don't work over it.  It's not that it's being blocked, it's just that the protocol can't handle the delay.  

Corporate SSL VPN seems to be pretty tolerant of satellite delay, both for the newer O3b ships and for the older ships' systems that use geostationary satellites with a lot more delay.

I've had issues with IPSEC based VPN on the older ships.    

When something doesn't work lots of people mistakenly assume it's some devious plot by the cruise lines to block it.  Sometimes though it's just the nature of satellite internet.


During my October cruise on the Voyager of the Seas I could easily connect to the work VPNs.

We have two ways to connect, one based on SSL and one based on IPsec (Cisco); both of them worked well with no issues.

Hope they did not change anything lately, as the ability to connect to work from time to time makes it much easier for me to cruise.


  • 1 month later...
On 11/27/2017 at 10:27 AM, Gears said:

FAQs say VPNs should work.

https://www.royalcaribbean.com/faq/questions/onboard-internet-wifi-speed

Security policy settings on your company's end may prevent it from working also (like where the traffic is coming from).

Hi guys,

I just wanted to put my 2¢ in here.

I just got off the Oasis on 12/31/2017.

My VPN was most definitely blocked.  It has nothing to do with my company's settings. I can say this because I'm the one who set up the VPN that I utilize and there's nothing preventing this connection from my server's end. Further, this reality is tacitly confirmed simply by performing web searches via VOOM that involve the word "VPN". Clicking upon links from those searches results in pages that are blocked by VOOM's content filter.

In other words, not only do they actively block VPN connections, but they also go out of their way to obfuscate information one might be able to obtain via web searches that could assist in getting around the VPN connection block.

It's important to note that I was trying to connect via OpenVPN.  And, although I couldn't get my VPN working, I still had connectivity to my VPN server via an SSH connection. With that SSH connection, I was able to manipulate my VPN server's settings. Subsequently, I fiddled with my VPN's settings to see if I could get it to work. I tried the following:

  • non-standard ports
  • UDP connections
  • TCP connections
  • TCP connections via port 443

... and nothing worked.  Because I set this server up myself, it was also using an unknown URL for the connection (i.e. not privatetunnel.com or nordvpn.com, etc.)

With those tests, the only conclusion I can make is that the means of VPN blocking by VOOM is Deep Packet Inspection (aka DPI). Blocking VPNs by way of DPI is well known by anyone using VPNs in countries whose governments try to block them (i.e. Syria).

The good news is, there IS a way to evade VPN blocking by DPI.  It's commonly referred to as Stealth or Obfuscated VPN.  I speculate that those who ARE still able to connect to their VPNs are probably already using Obfuscated connections.

With this frustrating experience of being blocked from my server while on a non-free wifi connection, I have subsequently converted my VPN server so that it now uses obfuscated connections.  However, I won't be able to test this setup for another year when I set out on my next cruise.


On 11/27/2017 at 2:18 PM, Stu Etheridge said:

It seems that this rep states at the end of the interview why they block VPNs.  However, I couldn't quite understand what the reason was from the video.  

Does anyone else have any insight into why the VPNs are blocked?

Honestly, I'm struggling to come up with a plausible reason.


OpenVPN is not tolerant of high latency.  At least not some versions.  OpenVPN on BSD using UDP for example doesn't work well over satellite.

SSL VPN and IPSEC VPN work fine on Voom, even the geosync satellites with 600+ms latency.  

I routinely use Cisco AnyConnect (SSL or IPSEC) and Tunnelblick on OSX on Voom using TCP and have no issues.  Both to corporate and to my home ASA firewall.  

I've also used Juniper's VPN client without issue.  

I too have set up many VPN servers and/or firewalls in my lifetime and the only ones that don't work well on Voom are OpenVPN based and/or UDP based.

I also make numerous wifi calls over Voom.  Sometimes multiple hours long sitting on boring conference calls.  So I'm not sure who that facebook page belongs to but they have a very different experience from mine.  Even the MagicJack app worked on Oasis.  

I will say though that the only Carnival ship of 10 I've sailed where I could get even SSL VPN to work was the Breeze.  The rest?  No way.  


On 11/28/2017 at 9:13 AM, Matt said:

I was able to use my company's VPN while on Harmony in July, which was not a major VPN provider.

While I was on Independence last week, I could not connect to Windscribe VPN on multiple occasions.  It would time out, which seems to indicate it was blocked.

I'm curious which protocols and/or ports they're blocking as I could set my home VPN up to allow said protocols/ports then tunnel out from there.


RC is likely taking an unspoken stand that residential Internet providers do. That is "Our service provides general Internet connectivity supporting web browsing and application support for services specific to company xyz under the terms and conditions of the service. Any other end user specific applications such as VPNs, VoIP services etc...are the responsibility of the end user...your mileage may vary."


19 hours ago, notorious.dds said:

I just wanted to put my 2¢ in here.

I appreciate you sharing your in-depth experience.  

Since you are the VPN expert, my company has shifted to Cisco AnyConnect.  Would that have any better luck?

Is there anything an end-user can do to circumvent the blocking? If so, I'd love to write up a how to for folks in the future.

Also, your username is awesome @notorious.dds


Hi Matt,

I read somewhere in my exploration that AnyConnect will work on board.  That said, I have not tested it.  I'm near certain that the blockage is due to use of DPI on VOOM's firewall.  What I don't know is if:

1. They've configured it to allow certain VPN connections and not others, OR IF

2. The people who are getting through on their VPNs are using services that utilize obfuscated control channels, thereby evading the DPI.

Also, for the record, I don't buy twangster's argument that the VPN failure is due to latency.  Here's why:

1. While I was on board, my VPN connection attempts ALWAYS failed during the TLS handshake.

2. As I mentioned earlier, their web content filter blocks access to many websites that simply discuss VPNs.  This alone suggests that they are "anti VPN" at RCI.

3. He states that OpenVPN can't handle lag but that "SSL VPN and IPSEC VPN work fine on Voom, even the geosync satellites with 600+ms latency". OpenVPN is an SSL VPN, so I'm not so sure he is an expert about which he speaks. 

Circumventing the blockage via changes only accessible to the end user is tough.  If your VPN provider doesn't offer obfuscated/stealth connections, SSL tunneling, or SSH tunneling, it would require that the user set up his own server to which the user could connect while on board.  Then, that traffic would have to be routed from the user to their personal server and then through another tunnel that can connect with their desired VPN provider.  That's probably very unrealistic for your average user.

24 minutes ago, Matt said:

Also, your username is awesome @notorious.dds

Thanks!  I like it too.


One thought I just had on this, which isn't so much a technical matter as a political one.

Countries like China and parts of the Middle East ban the use of VPNs. It's unpopular with everyone except the local governments, but those same governments have put the squeeze on companies that sell products that violate the rule (see the recent kerfuffle over Apple removing all VPN apps from its China app store). If all of Royal's VOOM service goes through the same infrastructure, then it may be that they need to block VPN access everywhere in order have their ships that sail in those regions be compliant with the local laws.

No certainty around this, but it may be something that's playing a factor here. Especially given @notorious.dds's finding that searching for how to access a VPN around VOOM, while actually using VOOM, gets blocked. That kind of blocking would also be something that I'd expect those more repressive governments to demand of businesses that provide internet service while operating within their borders.


OpenVPN runs a custom security protocol based on SSL.  As you are likely aware 'SSL' is a very broad term.  Within that umbrella are many phase 1 and phase 2 protocols and options.  

I can tunnel AnyConnect SSL VPN within AnyConnect SSL VPN tunnels over Voom.  For example I can connect to my home ASA firewall and then within that tunnel I can tunnel to another SSL based ASA firewall and appear to be coming from my home IP address.

I cannot tunnel OpenVPN within an AnyConnect SSL VPN tunnel in the same manner.   Once my initial VPN tunnel is established, Voom has zero visibility what occurs within that tunnel.  They couldn't possibly block even with DPI an application within a VPN tunnel. 

I am well trained in Cisco Firepower and Fortinet UTM.  I know their DPI capabilities well and I know for a fact they can not decrypt an AES256 phase 2 tunnel to perform DPI in real time for traffic within that tunnel.  So why can't OpenVPN work tunneled within an AnyConnect tunnel?

I will take up this challenge and spend some time looking at it on my next cruise.  I can easily spin up a Linux VM in my ESXi lab at home and try to determine if there are methods to make OpenVPN work over satellite, first within an AnyConnect tunnel and then directly.  

What are you using to terminate your OpenVPN tunnel on?


21 minutes ago, JLMoran said:

Countries like China and parts of the Middle East ban the use of VPNs. It's unpopular with everyone except the local governments, but those same governments have put the squeeze on companies that sell products that violate the rule (see the recent kerfuffle over Apple removing all VPN apps from its China app store). If all of Royal's VOOM service goes through the same infrastructure, then it may be that they need to block VPN access everywhere in order have their ships that sail in those regions be compliant with the local laws.

I doubt this for a few reasons, including that I'm not sure China would want to/be able to pressure RCI to make these changes.  In the case of Apple it's about devices in that country rather than, "a Chinese citizen may travel with you outside of our control."  To point out one that is reasonably comparable, if you roam with T-Mobile in China you're actually not subject to the "Great Firewall of China."  Interestingly, whatever methods of blocking traffic China uses, at least as of a couple years ago, seem to be dependent on the IP as I had friends there connecting to my PPTP VPN at home but unable to reach other PPTP VPN servers.


 

1 hour ago, twangster said:

I can tunnel AnyConnect SSL VPN within AnyConnect SSL VPN tunnels over Voom.  For example I can connect to my home ASA firewall and then within that tunnel I can tunnel to another SSL based ASA firewall and appear to be coming from my home IP address.

I'm not super familiar with AnyConnect.  However, a cursory reading of the application appears to suggest that the control channel is always made via TCP.  It seemed to me that even if you're connecting via UDP with AnyConnect, the control channel remains as a TCP connection.  I think this could be important later, see below. Also, it appears that the control channel is encrypted by default with AnyConnect.  If true, this would get you past DPI.  With OpenVPN, encrypting the control channel has only become possible with the most recent releases of the program.  In fact, if you're only looking at "stable" releases, the first release in which control channel encryption became available was 2.4.4 which just came out in September.  

 

1 hour ago, twangster said:

i can not tunnel OpenVPN within an AnyConnect SSL VPN tunnel in the same manner.   Once my initial VPN tunnel is established, Voom has zero visibility what occurs within that tunnel.  They couldn't possibly block even with DPI an application within a VPN tunnel. So why can't OpenVPN work tunneled within an AnyConnect tunnel?

Was your OpenVPN server configured with UDP or TCP?  I'm not aware of any TCP connection through which a UDP OpenVPN connection can be made.  All of the OpenVPN tunneling procedures with which I'm familiar require that OpenVPN use a TCP connection.  

 

1 hour ago, twangster said:

I am well trained in Cisco FirePower and Fortinet UTM.  I know their DPI capabilities well and I know for fact they can not decrypt an AES256 phase 2 tunnel to perform DPI in real time for traffic within that tunnel. 

I will take up this challenge and spend some time looking at it on my next cruise.  I can easily spin up a Linux VM in my ESXi lab at home and try to determine if there are methods to make OpenVPN work over satellite, first within an AnyConnect tunnel and then directly.  

I appreciate your response and, at this point, concede that you likely know more about this topic than I.  However, I felt your statement of:

"When something doesn't work lots of people mistakenly assume it some devious plot by the cruise lines to block it.  Sometimes though its just the nature of satellite internet"

to be a little dismissive.  I'll admit that it may have ruffled my feathers a bit.  However, I'm over that.  Regardless, I still don't buy the latency argument. What I'd like to know about VOOM with regard to VPNs is the following:

  1. Can anyone successfully tunnel a TCP OpenVPN connection via AnyConnect, SSL, SSH or otherwise?
  2. If using a newer release of OpenVPN that can utilize the --tls-crypt (aka encrypted control channel) option, can a connection be made?  If so, does it work both with both UDP and TCP connections?

The only thing I could have tried while on board but didn't was to tunnel the VPN through an SSH connection.  I didn't think to try that until it was too late.  I guess that's what the next cruise is for!

1 hour ago, twangster said:

What are you using to terminate your OpenVPN tunnel on?

Fair question.  It was running on my router.  I know, I know... but it works.  However, since this frustrating experience, I've since set it up on my linux box at home where I can compile and install the latest version of OpenVPN, thereby allowing me to use --tls-crypt. I've also configured a route to my work from this server via a regular OpenVPN tunnel.  This allows me to evade DPI and get to both my home and office without setting up a new server at the office as well.

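As an added example, not code from this thread or from OpenVPN, Cisco or Windscribe, the script below shows the first-packet signature that the DPI conclusion earlier in the thread and the --tls-crypt question above both turn on. It treats the opcode/key-id byte and the 8-byte session id that every OpenVPN client sends first (P_CONTROL_HARD_RESET_CLIENT_V2, first byte 0x38) as the signature, then builds constructed packets for a plain handshake, a --tls-auth handshake, a --tls-crypt handshake, the same packet over TCP with its 2-byte length prefix, a Stunnel-style TLS ClientHello and an SSH banner, and classifies each. The point it makes: --tls-crypt encrypts only what follows the opcode and session id, so a signature keyed on that header still matches; what changes the first bytes on the wire is wrapping the TCP stream in another protocol, as Stunnel ("Stealth" mode) or an SSH tunnel does. The opcode numbers and field layout are OpenVPN's; the session id, MAC, timestamp and cipher-suite values are made up, and the matcher is a toy (a real engine also looks at the server's 0x40 reply and at packet-size patterns, and can flag TLS on 443 by other heuristics).

```python
"""Toy first-packet classifier for the transports discussed in the thread.
Constructed sample packets only; nothing here touches the network."""
import struct

# OpenVPN control-channel opcodes live in the upper 5 bits of the first byte;
# the lower 3 bits are the key id, which is 0 for a fresh session.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7    # first packet from an OpenVPN 2.x client
P_CONTROL_HARD_RESET_CLIENT_V3 = 10   # same, when tls-crypt-v2 is in use
P_CONTROL_HARD_RESET_SERVER_V2 = 8    # the server's reply (first byte 0x40)
SESSION_ID_LEN = 8
CLIENT_RESET_OPCODES = {P_CONTROL_HARD_RESET_CLIENT_V2, P_CONTROL_HARD_RESET_CLIENT_V3}


def looks_like_openvpn_client_reset(pkt: bytes) -> bool:
    """Match the plaintext header every OpenVPN client sends first.
    Opcode/key id and session id are never encrypted: --tls-auth only
    authenticates, and --tls-crypt encrypts only the bytes after them."""
    if len(pkt) < 1 + SESSION_ID_LEN + 5:        # header + ack-len + message packet id
        return False
    opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07
    return opcode in CLIENT_RESET_OPCODES and key_id == 0


def classify_first_packet(pkt: bytes, transport: str) -> str:
    """Return 'openvpn', 'tls', 'ssh' or 'unknown' for a flow's first client packet."""
    if transport == "udp":
        return "openvpn" if looks_like_openvpn_client_reset(pkt) else "unknown"
    if transport != "tcp":
        raise ValueError("transport must be 'udp' or 'tcp'")
    # Stunnel-wrapped: a TLS handshake record (0x16) carrying a ClientHello (0x01).
    if len(pkt) >= 6 and pkt[0] == 0x16 and pkt[1] == 0x03 and pkt[2] in (1, 2, 3) and pkt[5] == 0x01:
        return "tls"
    # SSH-wrapped: the client announces itself with a version banner.
    if pkt.startswith(b"SSH-2.0-"):
        return "ssh"
    # OpenVPN over TCP: each packet carries a 2-byte big-endian length prefix.
    if len(pkt) >= 2:
        (length,) = struct.unpack("!H", pkt[:2])
        if length == len(pkt) - 2 and looks_like_openvpn_client_reset(pkt[2:]):
            return "openvpn"
    return "unknown"


# ---- constructed samples (not captures; all values below are made up) --------
SESSION_ID = bytes.fromhex("1122334455667788")
FIRST_BYTE = bytes([P_CONTROL_HARD_RESET_CLIENT_V2 << 3 | 0])        # 0x38
REPLAY = struct.pack("!II", 1, 0x5A3D0000)                           # packet id 1, net_time


def openvpn_reset_plain() -> bytes:
    """No tls-auth/tls-crypt: header, ack-array length 0, message packet id 0."""
    return FIRST_BYTE + SESSION_ID + b"\x00" + b"\x00\x00\x00\x00"


def openvpn_reset_tls_auth() -> bytes:
    """--tls-auth (SHA1): header, 20-byte HMAC, packet id + time, same plaintext body."""
    return FIRST_BYTE + SESSION_ID + b"\xaa" * 20 + REPLAY + b"\x00" + b"\x00\x00\x00\x00"


def openvpn_reset_tls_crypt() -> bytes:
    """--tls-crypt: header, packet id + time, 32-byte tag, then the ENCRYPTED body."""
    return FIRST_BYTE + SESSION_ID + REPLAY + b"\xbb" * 32 + b"\xcc" * 5


def with_tcp_length_prefix(pkt: bytes) -> bytes:
    return struct.pack("!H", len(pkt)) + pkt


def tls_client_hello() -> bytes:
    """A minimal, self-consistent TLS 1.2 ClientHello record, as Stunnel would send."""
    hello = (b"\x03\x03" + b"\x00" * 32     # version, client random
             + b"\x00"                      # no session id
             + b"\x00\x02\xc0\x2f"          # one cipher suite
             + b"\x01\x00"                  # compression: null only
             + b"\x00\x00")                 # no extensions
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_samples() -> dict:
    return {
        "udp/plain":     classify_first_packet(openvpn_reset_plain(), "udp"),
        "udp/tls-auth":  classify_first_packet(openvpn_reset_tls_auth(), "udp"),
        "udp/tls-crypt": classify_first_packet(openvpn_reset_tls_crypt(), "udp"),
        "tcp/tls-crypt": classify_first_packet(with_tcp_length_prefix(openvpn_reset_tls_crypt()), "tcp"),
        "tcp/stunnel":   classify_first_packet(tls_client_hello(), "tcp"),
        "tcp/ssh":       classify_first_packet(b"SSH-2.0-OpenSSH_7.4\r\n", "tcp"),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14s} -> {verdict}")
```

Running it prints "openvpn" for the three UDP variants and the TCP one, "tls" for the Stunnel case and "ssh" for the SSH case: moving OpenVPN to TCP/443 or turning on --tls-crypt leaves the 0x38 header and session id where a DPI engine expects them, which is consistent with the port and protocol tests above all failing the same way, whereas the wrapped transports present a different first packet entirely.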

Here's what I tested and my results on the Majesty over Christmas:

WindScribe Subscription VPN using Strong Swan Client on Android:  Wouldn't connect at all.  I didn't test this thoroughly, but it did not work with the default settings from Windscribe.  I'll try some other servers and protocols on Allure in March.

Chrome Remote Desktop to home PC:  Worked perfectly.  A little laggy, but understandable with satellite.  Still perfectly usable.

Connecting to work via Citrix Receiver: Also worked perfectly

WiFi calling on T-mobile w/ Android phone and Verizon w/ an iPhone 7+.  Both worked perfectly.

My office does have an actual VPN, but I was unable to test that.  Everything I needed to work remotely from the ship worked, however.


It looks like Windscribe could be a good testing tool.  From the Windscribe FAQ:

Quote

What are the connection modes?

Connection modes allow for connecting to our servers using different ports and protocols. This exists to make sure that if a certain port is blocked, or your network operator is performing deep packet inspection in order to track down VPN usage, you can still connect. The default is "Automatic" which will pick the best mode for you. You can switch it to manual mode if you wish.

  • UDP - Default connection mode, usually the fastest.
  • TCP - Use this if UDP fails to connect. Much more resilient to bad network conditions, but could be slower.
  • Stealth - TCP protocol via Stunnel. Only use this if all other methods fail. May be handy in China.

So next question, can anyone using Windscribe connect using stealth mode?


9 minutes ago, Orange Crush said:

It's paid, not sure if there's a free option.  It was one of those "buy 5 years for $50 deals" that came up a while back.

I also have paid WindScribe VPN and it would not connect at all when I was on Independence.  I was not aware of the stealth option, but I could test that when I go on Brilliance in a few weeks.

I have not tried my work VPN since being on Harmony in July.


21 minutes ago, Matt said:

I also have paid WindScribe VPN and it would not connect at all when I was on Independence.  I was not aware of the stealth option, but I could test that when I go on Brilliance in a few weeks.

I have not tried my work VPN since being on Harmony in July.

So I checked the work VPN on Indi:

The one that is an IPsec VPN (from Cisco) worked without any issues; the one that is web-based was not working. 


I hope my VPN is not blocked; one of the reasons I bought mine was so I was able to trick the app of my TV provider that I'm still in the country, so I can watch TV everywhere. 

I have a small, not very well known VPN, maybe I'm lucky. The FAQ still states you can use a VPN; if that is still the case on board and stuff seems blocked, I'm going to ask for a discount. 

I guess if I'm bringing my own router and use my key on there, I can use X connections if I want to. 


49 minutes ago, joost said:

I guess if I'm bringing my own router and use my key on there, I can use X connections if I want to. 

I bring a TP-Link travel router with me.  It's no secret that I sometimes work while on a cruise, at least when solo.  In my cabin I use the router to have my laptop and phone both connected.  That works fine for me because I only take my phone out of the cabin, so I just log out and log back in on my phone.  It would work great for a couple or family in a cabin at night, but during the day when out of the cabin the travel router has limitations: everyone has to be close together and someone has to carry the router and power supply. 


2 hours ago, joost said:

I hope my VPN is not blocked; one of the reasons I bought mine was so I was able to trick the app of my TV provider that I'm still in the country, so I can watch TV everywhere. 

It appears to me that RCI is blocking the same VPNs that the government of China has also figured out how to block.

In other words, if you're using an IPSEC or PPTP VPN, you could be okay. If you're using an SSL VPN with an encrypted control channel, you could be okay. 

If you're using an SSL VPN with an unencrypted control channel, you're screwed. 

If you're using a publicly available VPN service whose server has been blocked by RCI's firewall, you're screwed regardless of the type of VPN.

This isn't yet confirmed, but I'd be willing to wager on it.

Also, I agree.  RCI needs to fix their FAQ specifically stating that you can use VPNs.  


1 hour ago, notorious.dds said:

It appears to me that RCI is blocking the same VPNs that the government of China has also figured out how to block.

In other words, if you're using an IPSEC or PPTP VPN, you could be okay. If you're using an SSL VPN with an encrypted control channel, you could be okay. 

If you're using an SSL VPN with an unencrypted control channel, you're screwed. 

If you're using a publicly available VPN service whose server has been blocked by RCI's firewall, you're screwed regardless of the type of VPN.

This isn't yet confirmed, but I'd be willing to wager on it.

Also, I agree.  RCI needs to fix their FAQ specifically stating that you can use VPNs.  

A VPN service with an unencrypted control channel is useless.  Not that I agree with your assessment that this is the root cause of your issue, but poorly encrypted control channels is exactly what made WEP for WiFi susceptible to hacking so easily.  If you are using an unencrypted control channel for VPN my only question is ... why would you?

I use a consumer VPN service whose OpenVPN based gateways do not work over Voom yet their IPSEC gateways on the same IP addresses work fine.  Satellite internet is not just internet with a delay due to sending the signal into space.  There is a lot more to it in order to optimize the experience, organize traffic flows and make it work as well as it does. 

There are thousands of consumer VPN providers these days who have limited support and whose only interest is standing up a basic service that barely works at minimal cost so they can sell it to the masses.  It would be impossible for any service provider to certify every VPN service out there.  

Lastly, RCI outsources the whole operation.  You give RCI much more credit than I think you would if you realized how small their HQ IT staff really is.  


17 minutes ago, twangster said:

There are thousands of consumer VPN providers these days who have limited support and whose only interest is standing up a basic service that barely works at minimal cost so they can sell it to the masses.  It would be impossible for any service provider to certify every VPN service out there.  

Lastly, RCI outsources the whole operation.  You give RCI much more credit than I think you would if you realized how small their HQ IT staff really is.  

DING! (sorry...maybe that should be BING BONG! for those who remember) You got it @twangster. I spent 27 years as a Systems Engineer, service development and Product Manager in the IT and Telecom space (putting together similar services) and I love reading the conspiracy theories about it. All it takes is one device, in the outsourced service, that doesn't support the traffic type (that it was never intended to anyway) and Shazam!, something doesn't work and out come the daggers.

BTW...I'm waiting for someone to say that IPX doesn't work either...


15 minutes ago, twangster said:

A VPN service with an unencrypted control channel is useless.  Not that I agree with your assessment that this is the root cause of your issue, but poorly encrypted control channels is exactly what made WEP for WiFi susceptible to hacking so easily.  If you are using an unencrypted control channel for VPN my only question is ... why would you?

I rescind my earlier statement about you likely knowing more about this topic than I.


1 hour ago, Gears said:

DING! (sorry...maybe that should be BING BONG! for those who remember) You got it @twangster. I spent 27 years as a Systems Engineer, service development and Product Manager in the IT and Telecom space (putting together similar services) and I love reading the conspiracy theories about it. All it takes is one device, in the outsourced service, that doesn't support the traffic type (that it was never intended to anyway) and Shazam!, something doesn't work and out come the daggers.

BTW...I'm waiting for someone to say that IPX doesn't work either...

Yep,  when something doesn't work, blame it on the network.


13 hours ago, notorious.dds said:

I rescind my earlier statement about you likely knowing more about this topic than I.

I finished standing up an OpenVPN server on Linux in parallel to my AnyConnect VPN.  I have been able to connect over cellular directly to OpenVPN as well as tunneled within an AnyConnect VPN session.   

I'll be on board in two weeks and be able to test various options.  If you are still interested in troubleshooting OpenVPN over Voom let me know.  

If I have time I'll spin up a FortiGate VM and test their client over Voom as well. 
