DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Is a local device using a VPN?
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
01 Jul 2019 23:33 #94692
by akwe-xavante
Is a local device using a VPN? was created by akwe-xavante
Draytek 2862.
How would i know if someone is using a VPN?
If someone was using a software VPN on my local network, how would i know?
Is the device given a local IP address? I'm assuming that the answer is Yes.
I'm assuming that all devices regardless of connection and whether or not they are using a VPN must initially register on the local LAN and obtain a local IP address.
I'm assuming that the device will make an initial connection to a VPN provider and that providers IP address will be logged within the syslog. I'm assuming that auth will take place and that will be the last of any entries in the routers syslogs until perhaps a disconnection happens then reconnection will then be recorded.
I'm experiencing a more than usual amount of data going back and forth (Traffic Graph) but no devices are connected. No devices have been given local ip addresses.
In Addition:
I do have the following entries repeating over and over, but i have no idea where from. I'm assuming that somewhere, someone is attempting to dial in and establish a vpn connection directly with the router rather than a device on the LAN. But i'm not sure.
<158>Jul 1 06:42:00 COTTAGE: PPP Start ()
<158>Jul 1 06:42:00 COTTAGE: Incoming Call Failed : No Such Entry for 1
<158>Jul 1 06:42:00 COTTAGE: CHAP Login Failed () -
<158>Jul 1 06:42:00 COTTAGE: PPP Start ()
<158>Jul 1 06:42:01 COTTAGE: Incoming Call Failed : No Such Entry for 111
<158>Jul 1 06:42:01 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:14 COTTAGE: PPP Start ()
<158>Jul 1 13:57:17 COTTAGE: Incoming Call Failed : No Such Entry for Admin
<158>Jul 1 13:57:17 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:17 COTTAGE: PPP Start ()
<158>Jul 1 13:57:17 COTTAGE: Incoming Call Failed : No Such Entry for admin
<158>Jul 1 13:57:17 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:18 COTTAGE: PPP Start ()
<158>Jul 1 13:57:18 COTTAGE: Incoming Call Failed : No Such Entry for user
<158>Jul 1 13:57:18 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:26 COTTAGE: PPP Closed : LCP Time-out ()
How would i know if someone is using a VPN?
If someone was using a software VPN on my local network, how would i know?
Is the device given a local IP address? I'm assuming that the answer is Yes.
I'm assuming that all devices regardless of connection and whether or not they are using a VPN must initially register on the local LAN and obtain a local IP address.
I'm assuming that the device will make an initial connection to a VPN provider and that providers IP address will be logged within the syslog. I'm assuming that auth will take place and that will be the last of any entries in the routers syslogs until perhaps a disconnection happens then reconnection will then be recorded.
I'm experiencing a more than usual amount of data going back and forth (Traffic Graph) but no devices are connected. No devices have been given local ip addresses.
In Addition:
I do have the following entries repeating over and over, but i have no idea where from. I'm assuming that somewhere, someone is attempting to dial in and establish a vpn connection directly with the router rather than a device on the LAN. But i'm not sure.
<158>Jul 1 06:42:00 COTTAGE: PPP Start ()
<158>Jul 1 06:42:00 COTTAGE: Incoming Call Failed : No Such Entry for 1
<158>Jul 1 06:42:00 COTTAGE: CHAP Login Failed () -
<158>Jul 1 06:42:00 COTTAGE: PPP Start ()
<158>Jul 1 06:42:01 COTTAGE: Incoming Call Failed : No Such Entry for 111
<158>Jul 1 06:42:01 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:14 COTTAGE: PPP Start ()
<158>Jul 1 13:57:17 COTTAGE: Incoming Call Failed : No Such Entry for Admin
<158>Jul 1 13:57:17 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:17 COTTAGE: PPP Start ()
<158>Jul 1 13:57:17 COTTAGE: Incoming Call Failed : No Such Entry for admin
<158>Jul 1 13:57:17 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:18 COTTAGE: PPP Start ()
<158>Jul 1 13:57:18 COTTAGE: Incoming Call Failed : No Such Entry for user
<158>Jul 1 13:57:18 COTTAGE: CHAP Login Failed () -
<158>Jul 1 13:57:26 COTTAGE: PPP Closed : LCP Time-out ()
Please Log in or Create an account to join the conversation.
- admin3
- Offline
- Site Admin
Less
More
- Posts: 604
- Thank you received: 0
02 Jul 2019 10:25 #94694
by admin3
Forum Administrator
Replied by admin3 on topic Re: Is a local device using a VPN?
Thanks for posting those logs, it looks like something is trying to authenticate with different account names. If the logs show which IP address is doing that, you can block that IP address from [Firewall] > [Defense Setup]
Tick "Enable DoS Defense" and click OK
Then go to "White/Black List Option" and enter that IP address for the router to ignore any VPN requests from it.
Additionally, those logs suggest that the type of VPN being used is PPTP, I recommend disabling that service if you're not using it. Other VPN options such as SSL VPN and IPsec are considered to be more secure now.
You can disable the router's PPTP VPN service in [VPN and Remote Access] > [Remote Access Control]
Tick "Enable DoS Defense" and click OK
Then go to "White/Black List Option" and enter that IP address for the router to ignore any VPN requests from it.
Additionally, those logs suggest that the type of VPN being used is PPTP, I recommend disabling that service if you're not using it. Other VPN options such as SSL VPN and IPsec are considered to be more secure now.
You can disable the router's PPTP VPN service in [VPN and Remote Access] > [Remote Access Control]
Forum Administrator
Please Log in or Create an account to join the conversation.
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
02 Jul 2019 17:37 #94700
by akwe-xavante
Replied by akwe-xavante on topic Re: Is a local device using a VPN?
Thank you for your reply,
I can find no reference to the ip address in the log files anywhere. Do i have to enable VPN logs to get this info?
I've found unless i'm mistaken that this option only seems to log activity taking place within my own VPN setup (Office (2860) to Cottage (2862) VPN).
I would block the ip address if i could find out what it is.
All but IPsec disabled now, i'll monitor activity over the next few days and see what happens.
I still have roughly 450mb of unaccounted data going back and forth fairly even 200+ TX and 200+ RX every day!
This router is at a holiday cottage where there are 4 people this week and nobody has connected a single device to the internet since they arrived 4 days ago! (2 adults, a 16yr lady and a 11yr old lad)!!!!!!
I've only had this router (2862 at the cottage) 3 weeks, somethings not right! I've no phone call complaining that theres a problem! I am actually visiting tomorrow (Looking after the Garden Day) if i see them i'll ask if all's ok as i usually do. I've upgraded from (Office 2860 to Cottage 2820) to (Office (2860) to Cottage (2862) if this is a significant upgrade that may help to identify where my daily 400+mb of data is coming from given that miraculously the 4 guests have not connected a single device to the internet so far this week!!
Thank you again
I can find no reference to the ip address in the log files anywhere. Do i have to enable VPN logs to get this info?
I've found unless i'm mistaken that this option only seems to log activity taking place within my own VPN setup (Office (2860) to Cottage (2862) VPN).
I would block the ip address if i could find out what it is.
All but IPsec disabled now, i'll monitor activity over the next few days and see what happens.
I still have roughly 450mb of unaccounted data going back and forth fairly even 200+ TX and 200+ RX every day!
This router is at a holiday cottage where there are 4 people this week and nobody has connected a single device to the internet since they arrived 4 days ago! (2 adults, a 16yr lady and a 11yr old lad)!!!!!!
I've only had this router (2862 at the cottage) 3 weeks, somethings not right! I've no phone call complaining that theres a problem! I am actually visiting tomorrow (Looking after the Garden Day) if i see them i'll ask if all's ok as i usually do. I've upgraded from (Office 2860 to Cottage 2820) to (Office (2860) to Cottage (2862) if this is a significant upgrade that may help to identify where my daily 400+mb of data is coming from given that miraculously the 4 guests have not connected a single device to the internet so far this week!!
Thank you again
Please Log in or Create an account to join the conversation.
- akwe-xavante
- Topic Author
- Offline
- Member
Less
More
- Posts: 107
- Thank you received: 0
02 Jul 2019 18:03 #94701
by akwe-xavante
Replied by akwe-xavante on topic Re: Is a local device using a VPN?
A little more info....
Having disabled all but the IPsec entries as suggested i had to reboot the router.
On reboot and looking in the log file i have the following entries....
<150>Jan 1 00:00:47 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.4.4 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:52 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:56 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.4.4 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:57 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jan 1 00:01:01 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.4.4 inquire tap.api.bbc.co.uk
<158>Jan 1 00:01:04 COTTAGE: PPP Start (PPPoA)
<158>Jan 1 00:01:04 COTTAGE: CHAP Login OK (PPPoA)
<158>Jan 1 00:01:04 COTTAGE: IPCP Opening (PPPoA); Own IP Address : ***.***.***.*** Peer IP Address : ***.***.***.***; Primary DNS : 83.146.21.6 Secondary DNS : 212.158.248.6
<158>Jan 1 00:01:06 COTTAGE: Dialing Node1 (HOME) : ***.***.***.***
<150>Jul 2 17:11:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jul 2 17:11:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11:45828 -> 34.243.94.37:80 (TCP)Web
<150>Jul 2 17:11:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11:45828 -> 34.243.94.37:80 (TCP) close connection
<150>Jul 2 17:12:00 COTTAGE: [Web]WebUI login success from IP ***.***.***.*** [admin]
<166>Jul 2 17:44:39 COTTAGE: acme client: Error: DDNS is not activated
In The Arp Cache Table 192.168.1.11 is listed and connected to VLAN0 port 1, this is correct. Other fixed ip address devices are listed but not connected. There are no other devices connected in the arp cahe table.
The device 192.168.1.11 is a set top DVD Blu ray player that has the bbc iPlayer accessing the internet BUT it is not listed in the enabled Data Flow Monitor. It's connected via cable and not wirelessly. I would normally see this device within the data flow monitor and it's missing.
Do i have a faulty router, it was listing connected devices in its first two weeks of being switched on, but not this week at all.
Having disabled all but the IPsec entries as suggested i had to reboot the router.
On reboot and looking in the log file i have the following entries....
<150>Jan 1 00:00:47 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.4.4 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:52 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:56 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.4.4 inquire tap.api.bbc.co.uk
<150>Jan 1 00:00:57 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jan 1 00:01:01 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.4.4 inquire tap.api.bbc.co.uk
<158>Jan 1 00:01:04 COTTAGE: PPP Start (PPPoA)
<158>Jan 1 00:01:04 COTTAGE: CHAP Login OK (PPPoA)
<158>Jan 1 00:01:04 COTTAGE: IPCP Opening (PPPoA); Own IP Address : ***.***.***.*** Peer IP Address : ***.***.***.***; Primary DNS : 83.146.21.6 Secondary DNS : 212.158.248.6
<158>Jan 1 00:01:06 COTTAGE: Dialing Node1 (HOME) : ***.***.***.***
<150>Jul 2 17:11:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11 DNS -> 8.8.8.8 inquire tap.api.bbc.co.uk
<150>Jul 2 17:11:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11:45828 -> 34.243.94.37:80 (TCP)Web
<150>Jul 2 17:11:50 COTTAGE: Local User (MAC=00-15-C0-26-A2-41): 192.168.1.11:45828 -> 34.243.94.37:80 (TCP) close connection
<150>Jul 2 17:12:00 COTTAGE: [Web]WebUI login success from IP ***.***.***.*** [admin]
<166>Jul 2 17:44:39 COTTAGE: acme client: Error: DDNS is not activated
In The Arp Cache Table 192.168.1.11 is listed and connected to VLAN0 port 1, this is correct. Other fixed ip address devices are listed but not connected. There are no other devices connected in the arp cahe table.
The device 192.168.1.11 is a set top DVD Blu ray player that has the bbc iPlayer accessing the internet BUT it is not listed in the enabled Data Flow Monitor. It's connected via cable and not wirelessly. I would normally see this device within the data flow monitor and it's missing.
Do i have a faulty router, it was listing connected devices in its first two weeks of being switched on, but not this week at all.
Please Log in or Create an account to join the conversation.
- admin3
- Offline
- Site Admin
Less
More
- Posts: 604
- Thank you received: 0
03 Jul 2019 11:13 #94702
by admin3
Forum Administrator
Replied by admin3 on topic Re: Is a local device using a VPN?
Those logs look more normal, those PPP messages are normal for establishing the ADSL/VDSL internet connection. If your STB isn't showing up in the Data Flow Monitor, try restarting the STB, maybe update the router's firmware if it's on an older one. I don't think your router is faulty for that issue with Data Flow Monitor - it's potentially a firmware issue.
Specifically you'd want to look for this message, but with the PPTP VPN service disabled, it's unlikely it will show up again: <158>Jul 1 13:57:18 COTTAGE: CHAP Login Failed () -
Specifically you'd want to look for this message, but with the PPTP VPN service disabled, it's unlikely it will show up again: <158>Jul 1 13:57:18 COTTAGE: CHAP Login Failed () -
Forum Administrator
Please Log in or Create an account to join the conversation.
- piste basher
- Offline
- Big Contributor
Less
More
- Posts: 1199
- Thank you received: 9
03 Jul 2019 15:20 #94705
by piste basher
Replied by piste basher on topic Re: Is a local device using a VPN?
On my 2926ac there are occasions in which there are no entries in the data flow monitor table at all, when I know that various PCs etc are active. The table re-populates at a later date, but I have no idea what triggers it. Apologies for slightly off-topic but possibly related to the monitor issue?
Please Log in or Create an account to join the conversation.
Moderators: Chris, Sami
Copyright © 2024 DrayTek