Hi,
Sorry maybe this is a stupid question, but I am trying to understand the following:
I have a standard ISP router, to which I connected a more capable regular router (with mesh etc.), namely an AX11000.
If I access my work environment via Citrix from my personal laptop, can Citrix or a firewall see any difference in traffic patterns, via DPI or the like, between:
a) I connect as normal from my home via ethernet or Wi-Fi to my regular home router (AX11000)
b) vs. if I run a VPN server on another router at home (Flint) that is connected via ethernet to my regular home router (AX11000) or to my ISP's router, and I connect from abroad via a WireGuard VPN tunnel from a travel router (Slate AX) to the home router (Flint). So: Laptop → Slate AX → WG VPN tunnel → Flint → AX11000 or ISP router → internet
I read that DPI can recognize certain patterns of the packet content as well as headers. My assumption would be that the traffic outside the tunnel (from the home router to the internet) should appear as regular, decrypted traffic, not showing VPN-specific patterns. Meaning that the VPN’s distinguishing characteristics are only present between the travel router and the home router. Is this correct?
MTU would take a hit.
If you knew what you were looking for the decrease in MSS would be an indicator, otherwise the remote end wouldn’t have much of an idea other than your traffic is originating from your home address.
You can try a proxy like Shadowsocks to obscure the WireGuard packet headers, but any way you do it, the work VPN/firewall can see that it's VPN traffic if it has DPI.
Thank you. I just checked from the Citrix side; what can be monitored in their Access Assurance Dashboard is:
Locations - Filter the logon events by countries and their cities.
OS - Filter the logon events by operating system and their versions.
Subnet - Filter the access events by the subnets.
Client IP type - Filter the access events by the public and the private IP types.
IP Registering Organization - Filter the access events by user availed ISP.
Private VPN Service - Filter the access events by the private VPN network names.
Proxy Type - Filter the access events by the proxy type classifications such as HTTP, web, Tor, and SOCKS.
If you run a WireGuard client on the computer, the competing VPN client may not respect it. You can check with the route print command.
If you have an external router creating the tunnel and regardless of settings on the computer the traffic is tunneled then there’s no way to determine that traffic is different.
You can always say I just use a router as a WiFi access point…
Thank you this looks extremely interesting
Thank you, yes, correct: the VPN tunnel start and end points would both be separate external routers, not on a computer.
This is not correct. If the traffic is going through a work VPN, the traffic has WireGuard packet headers that CAN be seen by DPI.
The guy wants to go on a holiday while WFH.
He’s using a travel router to create a tunnel to make it look like he’s at home.
He’s going to establish a work VPN through this tunnel to his work.
Why would there be WireGuard packet headers after it exits his home router via NAT, after it's been through the tunnel?
I’m well aware of what OP is trying to do.
You're right, on second thought the WireGuard packet headers would only be on the travel router and not be seen by the work computer.
The way they probably detect it is:
- MTU discrepancy - and the solution to that issue is to set it to 1500 inside the tunnel. This will cause the outer packets to be fragmented between your current location and your home and will hurt performance, as fragmented packets cannot be offloaded to NIC hardware to fill in missing details.
- Agent software your employer installed running on your local machine that either scans for other Wi-Fi networks and detects your location or something similar. The only solution there is to use wired networking and not have Wi-Fi turned on at all.
- If you have an IPv4 tunnel but have IPv6 connectivity, and your employer has IPv6 set up for the VPN endpoint, they will see your IPv6 address as that doesn't go through the tunnel at all. But I believe allowing all IPs including IPv6 would fix this.
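The MSS/MTU indicator mentioned twice in this thread is easy to check for from the monitoring side. The script below is an added example for this discussion, not code from any poster, from Citrix or from GL.iNet. It parses tcpdump-style SYN lines (the sample lines are constructed, using documentation address ranges), converts each advertised MSS into the path MTU it implies (MSS + 40 bytes of IPv4/TCP headers, an assumption that holds for IPv4 only), matches that MTU against the overheads of known encapsulations (PPPoE, WireGuard over IPv4, and the wg-quick default MTU of 1420), and separately flags a host whose MSS shrinks compared with what it advertised earlier. The per-host comparison is the part that corresponds to "if you knew what you were looking for": a single low MSS also shows up on ordinary DSL lines, so it is a weak signal on its own.

```python
"""Spot TCP SYNs whose advertised MSS implies a path MTU below plain Ethernet.

Added example for this thread; not code from any poster, Citrix or GL.iNet.
Assumes IPv4 TCP (40 bytes of IP+TCP headers) and tcpdump-style SYN lines.
"""
import re
from dataclasses import dataclass

# Constructed sample, not a real capture: the same home address advertises
# MSS 1460 in the morning and 1380 later, plus two unrelated hosts.
SAMPLE_SYNS = """\
10:01:02 IP 198.51.100.7.51234 > 203.0.113.10.443: Flags [S], options [mss 1460,sackOK,nop,wscale 7]
10:01:03 IP 198.51.100.9.40002 > 203.0.113.10.443: Flags [S], options [mss 1452,sackOK,nop,wscale 7]
10:01:04 IP 198.51.100.12.40010 > 203.0.113.10.443: Flags [S], options [mss 1400,sackOK,nop,wscale 7]
11:30:15 IP 198.51.100.7.51900 > 203.0.113.10.443: Flags [S], options [mss 1380,sackOK,nop,wscale 7]
"""

IPV4_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header, no options
ETHERNET_MTU = 1500

# Implied MTU (MSS + 40) values produced by common encapsulations.
KNOWN_MTUS = {
    1492: "PPPoE (8-byte overhead)",
    1440: "WireGuard over IPv4 (20 IP + 8 UDP + 32 WG = 60-byte overhead)",
    1420: "WireGuard, wg-quick default MTU",
}

# src.port > dst.port: Flags [S] ... mss N
SYN_RE = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[S\].*?mss (\d+)")


@dataclass
class Finding:
    src: str
    dst: str
    mss: int
    implied_mtu: int
    reason: str


def parse_syns(text):
    """Return (src, dst, mss) for every SYN line that advertises an MSS."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for line in text.splitlines() if (m := SYN_RE.search(line))]


def implied_mtu(mss):
    """Path MTU the sender believes in, assuming plain IPv4/TCP headers."""
    return mss + IPV4_TCP_HEADERS


def describe_mtu(mtu):
    """None for a full Ethernet MTU, otherwise a label for the likely cause."""
    if mtu >= ETHERNET_MTU:
        return None
    return KNOWN_MTUS.get(mtu, "below Ethernet MTU, unknown encapsulation")


def find_reduced_mss(text):
    """Flag sub-Ethernet implied MTUs and hosts whose MSS drops over time."""
    findings = []
    last_mss = {}  # src -> most recently advertised MSS, for the per-host check
    for src, dst, mss in parse_syns(text):
        mtu = implied_mtu(mss)
        reason = describe_mtu(mtu)
        if reason:
            findings.append(Finding(src, dst, mss, mtu, reason))
        prev = last_mss.get(src)
        if prev is not None and mss < prev:
            findings.append(Finding(src, dst, mss, mtu,
                                    f"MSS dropped from {prev} to {mss} for this host"))
        last_mss[src] = mss
    return findings


if __name__ == "__main__":
    for f in find_reduced_mss(SAMPLE_SYNS):
        print(f"{f.src} -> {f.dst}: mss={f.mss} implied_mtu={f.implied_mtu}: {f.reason}")
```

Run against the constructed sample it reports four findings: the 1452 host looks like PPPoE, the 1400 host matches a 60-byte WireGuard-over-IPv4 overhead, and the 1380 SYN both matches the wg-quick default and is a drop for a host that earlier advertised 1460. The per-host history is what makes the signal usable; the table of known overheads only suggests a cause. Setting the inner MTU to 1500, as the post above describes, removes this indicator at the cost of fragmenting the outer packets.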
That's correct, so I would set up my own VPN between my personal travel router and my personal home router. I am not sure if I would then additionally need to connect this home router to my regular home router or straight to the ISP's router, or if that does not make any difference. I would access work via Citrix Workspace, which only transmits the interface via a protocol called HDX, which is imho not the same as a VPN.
You can argue that you’ve no idea what an MTU is.
Yes, if the software can collect data; as you said, go fully wired to avoid this and put the laptop in airplane mode.
You don't need to worry about IPv6 if your travel router isn't configured to understand or work with IPv6. I wouldn't argue that disabling IPv6 in the ethernet adapter is foolproof, as the VPN agent, Windows Update or another piece of software could turn it back on.
There are a lot of people working for Citrix and it only takes a few smart people to find unusual loopholes to extract the information they need. Is this legal? Depends on the terms of employment and various related policies.
It doesn't matter where you put the WireGuard server in your home network as long as it's externally accessible and routes peers to the internet.
There's probably some form of secure tunnel, which is another way of saying virtual private network...
Merging the remote desktop program with a VPN and calling it whatever you want is also the same as VPN + rdp.
Either way Citrix has to jazz it up somehow to make it sound better to charge more.