Right, I've been here before.
Our app requires an internet connection, and one of our clients wants to roll it out on a strictly managed network.
We told them which addresses our app communicates with and their network team opened them up for traffic. Should work, right?
Nope, doesn't work.

So I request them to use Fiddler to do some debugging of the network traffic, and lo and behold, it does work when Fiddler is active.
One important detail is that Fiddler uses it's own SSL certificate to debug HTTPS communications. I've had moments where expired certificates were the cause of things not working and running Fiddler "fixes" this because of their own certificate.

So I point this out in numerous mails to their network team, every time I get a response saying "nah, that can't be it".
I keep insisting "I have had this before, please check if any installed Root CA Certificates is expired"
At this point I'm certain they have updates turned off on these machines, and their certificates must not have been updated for a long time.

At one point they come back to me. "Hey, when Fiddler is off, WireShark shows the app communicating with ICMP calls, but when it's on it shows HTTP calls instead".

...YOU'RE THE SUPPOSED NETWORK EXPERTS?! You think data can be send via ICMP? Do you even know what ICMP is? Of course you'll see ICMP calls when the network is rejecting the packages instead of HTTP calls when everything's fine.
(ICMP is used to communicate errors)

I'm trying to keep my patience with these guys until they find exactly what's wrong because even I am somewhat grasping at straws right now. But things like this makes me doubt their expertise...

  • 3
    These are what I would call the "NG" experts. As in Firewall-NG knowledge without the basic networking knowledge at all.
  • 1
    @AtuM but but but, they said I'd never need to do anything more complicated than ufw! iptables and ebtables, what's that? Netfilter?!
  • 3
    The moment you realise, that VPN over ICMP actually is a thing...
    Also a thing: VPN over DNS.

    If it allows to send user-specified data, it can be used to replace TCP and UDP. People are using it to connect to the free part of the Internet from behind all sorts of shitty firewalls (probably doesn't work from China anymore though).
  • 1
    @Condor I've heard comments saying "classic firewalls are for old ppl who don't know better". And "leave it to the pros who work with ng firewalls" and shit like that. Freaking insulting stuff trying to put down a net admin that apposed some stupid idea.
  • 2
    @Oktokolo vpn over DNS can punch through most captive portals even getting you free satellite internet in a plane. And it's almost unfixable.
  • 1
    You can easily make it unusable by ratelimiting DNS traffic.
    Just limit to an average 1KiB/s with a bucket size of 100KiB and nobody will like using it for actual traffic apart from MUDs while DNS resolution still works fine.
  • 1
    @Oktokolo that's actually a good point. It's slow af anyways though, and unrelisble.

    Using it as a VPN is not the best one can do though. Much better would be to directly proxy http (buffered) and talk to simple APIs say for messaging. To teyt with someone you don't need much data.... But when using it as VPN and having all the Background services trying to connect it's unusable.
  • 1
    It can be fast enough to stream videos. So it may be a viable option if you are behind some restrictive firewall and the oppressor isn't that smart...
Add Comment