VPN


I was troubleshooting OpenVPN using my phone last week.  It worked up to the point where my phone needed to create the tunnel interface after negotiating certs and learning tunneled routes.  At this point it stopped the process with an error to the effect "can't create tunnel interface on device".

Unfortunately the OpenVPN client on my phone updated itself mid-cruise and wiped out my profiles in the process.  I had loaded them via iTunes at home and didn't have my iTunes laptop with me to re-load the profiles so I couldn't continue to troubleshoot.

I had TCPdump running on my OpenVPN server at home and it saw two way traffic up to this point so I'll need to do some more work to see if there is a work around.  Very curious that it couldn't create the tunnel interface on Voom but could over cellular.

Link to comment
Share on other sites

  • 5 months later...

Mariner of the Seas - July 2018:

Both OpenVPN in UDP mode and SSH worked without any issues. The service itself (independent of VPN) varied from reasonably responsive (seemed like in the 500ms latency range) up to downright unpleasant on sea day (at times in the 3000+ ms range - virtually unusable at that point). 

Link to comment
Share on other sites

This is really an old thread. I'm a pretty simple computer user and don't have any idea what all the NASA acronyms even mean (except VPN). But, I am interested in security when using a laptop onboard which I have not done as of yet. Why wouldn't something like Safe Money buried inside Kaspersky Total Security work through Voom when wanting some semblance of privacy?

Link to comment
Share on other sites

On 7/27/2018 at 6:25 PM, masterdrago said:

Why wouldn't something like Safe Money buried inside Kaspersky Total Security work through Voom when wanting some semblance of privacy?

I don't really see any of this software as giving you "privacy" per se.  However, it should keep you out of hot water with regards to entering personal info into fake websites designed to look like your bank's website, downloading viruses, etc.

The reason I wouldn't call this "privacy" is that anything you do on that public network could be visible by other users and is almost certainly viewable by the network operator.  For instance, they could see that you visited your bank's website, but they wouldn't be able to get your password... assuming it was encrypted which it almost certainly would be.

And, for what it's worth, US Intelligence advocated that Kaspersky software not be used by essentially anyone last December.  Subsequently, a mandate was given to all federal agencies to remove it from their machines.

Other than that, I wouldn't worry too much.

Link to comment
Share on other sites

21 hours ago, notorious.dds said:

I don't really see any of this software as giving you "privacy" per se.  However, it should keep you out of hot water with regards to entering personal info into fake websites designed to look like your bank's website, downloading viruses, etc.

The reason I wouldn't call this "privacy" is that anything you do on that public network could be visible by other users and is almost certainly viewable by the network operator.  For instance, they could see that you visited your bank's website, but they wouldn't be able to get your password... assuming it was encrypted which it almost certainly would be.

And, for what it's worth, US Intelligence advocated that Kaspersky software not be used by essentially anyone last December.  Subsequently, a mandate was given to all federal agencies to remove it from their machines.

Other than that, I wouldn't worry too much.

I read all that about the Moscow made software back last summer. My wife has never wanted me using Kaspersky but after years and years of using many other anti-virus packages, I just found their support so much better. It does have some sort of VPN (secure connection) that supposedly allows data transfer through a protected channel (their words). As for private browsing, it appears to block way more crap during browsing (ads, beacons, web analytics, and social network intrusions) than anything I've used in the past. You're right. It simply blocks the attempts to collect data. Correct me if I'm wrong, but does a VPN just encrypt your connection through another server that then decrypts it and sends it on to the place you want it to go?

Link to comment
Share on other sites

I think what I was trying to get across is that Kaspersky Total Protection has a built-in VPN client that connects to their servers. And as far as any anti-virus getting bad control of our machines, all can. Anytime.  I'll report back next summer after attempting to use the client onboard.

Link to comment
Share on other sites

4 hours ago, masterdrago said:

 Correct me if I'm wrong, but does a VPN just encrypt your connection through another server that then decrypts it and sends it on to the place you want it to go?

Pretty much.  I don't know that I'd be a big fan of routing all of my network communication through Kaspersky's servers, but that's up to you.  It doesn't sound to me like you really have an overwhelming need to use the VPN anyway.

In my case, I've set up my own VPN server(s).  The main purpose is so that I can connect to my home or office from wherever I happen to be.  However, I have used it to evade packet filtering while connected to some retailer's "free wifi" that subsequently filters out traffic headed for Amazon or any other of its competitors.

In an effort to bring this thread back on topic, it sounds as though RCI's VPN restrictions have loosened since last December based upon nneul's post.  Since my experience with RCI's Voom wireless, I've discovered numerous other public wifi networks that also block VPN usage.  In all cases, I've been able to get around the block by tunneling my VPN through an SSL connection.  I never tried this while connected to Voom, but I was hoping to do so when I'm back on board this December.  However, this may be unnecessary based upon nneul's post.  Regardless, I have a series of tests that I'm prepared to run while on board.  I'll post my results once I have them.

 

Link to comment
Share on other sites

  • 8 months later...

I have two back to back 1 week cruises coming up next month and I will be purchasing the package with VOOM through Royal Caribbean and sailing on the Harmony of the Seas. I am also a Realtor and have heard that I will not be able to gain access to the MLS and other apps/sites due to VPN restrictions. Any updates from anyone regarding a workaround? I see the last post was July 2018.

Link to comment
Share on other sites

  • 5 months later...

My husband works onboard regularly, which requires ftp connection. He uses StrongVPN and has no issue, although I believe he had to change one config item to make it work. I don't know if that was because of Royal's network or some other issue he had, but I remember it didn't take him long to fix it.

Our last cruise was March 2019, so pretty recent. Hope that helps!

Link to comment
Share on other sites

  • 1 month later...
On 9/25/2019 at 3:17 AM, Jw940 said:

Hi all,

Any recent experience? Nord do an openvpn with obfuscation option, hoping that will work now. 

Has anyone been able to connect to an ftp server?

thanks!

It's been a few months since I was on board (December 2018), but I ran a number of tests while I was there trying to connect to different types of VPN servers.  All of the servers I tested were run by me personally.  In other words, I did not test any commercially available VPN services.  That said, the commercially available services typically use some variation of the methods used in my tests.  

Here's what I found:

    TLDR: The only VPN connections I could make work required that the connection be wrapped in an SSH connection.

Here's the list of VPN connection types that would NOT connect while using VOOM internet on board RCI's Harmony of the Seas:

  • PPTP (default port)
  • L2TP/IPSEC (Sonicwall Global VPN Client using default ports)
  • SSL VPN (OpenVPN using UDP protocol, default port 1194, no TLS key authentication) 
  • SSL VPN (OpenVPN using UDP protocol, non-standard port, no TLS key authentication) 
  • SSL VPN (OpenVPN using UDP protocol, port 443, no TLS key authentication) 
  • SSL VPN (OpenVPN using TCP protocol, default port 1194, no TLS key authentication) 
  • SSL VPN (OpenVPN using TCP protocol, non-standard port, no TLS key authentication) 
  • SSL VPN (OpenVPN using TCP protocol, port 443, no TLS key authentication) 
  • SSL VPN (OpenVPN using UDP protocol, default port 1194, TLS Direction = Encryption) 
  • SSL VPN (OpenVPN using UDP protocol, non-standard port, TLS Direction = Encryption) 
  • SSL VPN (OpenVPN using UDP protocol, port 443, TLS Direction = Encryption) 
  • SSL VPN (OpenVPN using TCP protocol, default port 1194, TLS Direction = Encryption) 
  • SSL VPN (OpenVPN using TCP protocol, non-standard port, TLS Direction = Encryption) 
  • SSL VPN (OpenVPN using TCP protocol, port 443, TLS Direction = Encryption) 

Here's what would actually connect:

  • SSL VPN tunneled through an SSH connection (OpenVPN using TCP protocol - port utilized and existence of a TLS key were unimportant)

As I mentioned earlier in this thread, RCI is clearly taking an active approach to blocking VPN use. Further, the only test of mine which succeeded was the one in which tunnel overhead was GREATEST. This fact plainly dismisses the earlier assertions (made by those who relied on virtuoso arguments to support their claim) that VPN connection issues were the result of "network latency".

My speculation is that those who are currently able to successfully get their VPN to connect while using VOOM are able to do so because their VPN service already utilizes some sort of obfuscation (i.e. SSH tunneling) or possibly VOOM has whitelisted some VPN servers for some companies.

For what it's worth, I haven't yet found a network that successfully blocks my VPN connection when it's wrapped inside an SSH tunnel.  (On some networks - not VOOM, I've had to use the SSH server's actual IP address because the network wouldn't resolve my server's domain address... but that's about it).

Lastly, if you're looking for a commercial VPN service that will work while on board any RCI ship, I'd recommend getting one which is already known to work from within China.  This ought to give you the best chance of getting around RCI's ridiculous firewall.

Link to comment
Share on other sites
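Added example, not part of the original post: a sketch of why changing ports made no difference in the test list above, assuming (the thread does not state the mechanism) that the network labels flows by their first payload bytes rather than by port. An OpenVPN handshake opens with a recognizable opcode byte on any port, and a tls-auth or tls-crypt key leaves that byte in the clear, while the same session carried inside SSH shows only the SSH banner; the sample bytes are constructed, not captured.

```python
import struct

# Opcodes (high 5 bits of byte 0) of OpenVPN client hard-reset packets.
HARD_RESET_CLIENT = {1, 7, 10}  # V1, V2, V3


def is_openvpn_reset(pkt: bytes) -> bool:
    """True if pkt begins like a client hard reset: opcode, key_id 0, session id."""
    if len(pkt) < 9:  # 1 opcode/key_id byte + 8-byte session id
        return False
    return (pkt[0] >> 3) in HARD_RESET_CLIENT and (pkt[0] & 0x07) == 0


def classify_first_payload(payload: bytes, transport: str) -> str:
    """Label a flow from its first client payload; the port is never consulted."""
    if transport == "udp":
        return "openvpn" if is_openvpn_reset(payload) else "unknown"
    if payload.startswith(b"SSH-"):  # RFC 4253 identification string
        return "ssh"
    if payload[:2] == b"\x16\x03":  # TLS handshake record
        return "tls"
    # OpenVPN over TCP puts a 16-bit big-endian length before each packet.
    if len(payload) >= 2:
        (length,) = struct.unpack("!H", payload[:2])
        if 2 + length <= len(payload) and is_openvpn_reset(payload[2:2 + length]):
            return "openvpn"
    return "unknown"


# Constructed samples (not captured traffic): a V2 hard reset is opcode 7,
# key_id 0, an 8-byte session id, an empty ACK array and a 4-byte packet id.
RESET = bytes([7 << 3]) + bytes(range(8)) + b"\x00" + b"\x00\x00\x00\x00"
SAMPLES = {
    "openvpn udp/1194": (RESET, "udp"),
    "openvpn udp/443": (RESET, "udp"),
    "openvpn tcp/443": (struct.pack("!H", len(RESET)) + RESET, "tcp"),
    "openvpn inside ssh": (b"SSH-2.0-OpenSSH_7.9\r\n", "tcp"),
}


def classify_samples() -> dict:
    """Classify every constructed sample above."""
    return {name: classify_first_payload(p, t) for name, (p, t) in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:20} -> {label}")
```
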

11 minutes ago, Peter2 said:

This may sound weird or stupid but I am worried if we say what VPN works Royal Caribbean then may block it?

Not saying it will happen just saying it is possible. This is a public forum after all.

 

If their IT department's employees are worth the paychecks they receive, they already know what's possible and what isn't.

Link to comment
Share on other sites

13 minutes ago, notorious.dds said:

If their IT department's employees are worth the paychecks they receive, they already know what's possible and what isn't.

It's all outsourced.  Royal IT has nothing to do with the day to day operations of Voom.  That's all part of the service Speedcast/O3b offers.  

On board Voom specialists can do certain admin functions like create or delete user accounts, reset passwords, refunds when appropriate and check user utilization but when it comes to anything truly technical they open a ticket with Speedcast.

Link to comment
Share on other sites

  • 10 months later...
35 minutes ago, Nautical Travels said:

Has anyone used “global connect” VPN successfully. I work for Intuit. Need to work while aboard ship. Any help or anyone who has used GC please post your experience with it

I haven't used that one, but if it's a commercial grade VPN (and not something people buy for like $5 for a year off random sites), it will probably work.  I had good luck with Cisco and other commercial VPNs, but hit or miss with consumer stuff

Link to comment
Share on other sites

It can depend how the VPN administrators have your corporate VPN configured.  These types of VPN platforms have many options for your IT department to choose from.  Some are more tolerant of the latency over satellite, some choices not so much.

Keep in mind that satellite internet from a ship is not like internet at home.  The signal can fade for a number of reasons at times and Murphy's law says that will occur when you need it most.  A heavy rainfall can block the signal, sometimes if the ship is on the right heading the stacks or something else temporarily blocks the path to the satellite.  Some regions like Alaska just have slow internet since the satellite coverage is weak that far North.

The point is if you need to guarantee a working connection at all times that doesn't always happen on a ship at sea.  

Link to comment
Share on other sites
