Hi, I'm seeing periodic packet loss with tinc (1.0.16). I have 'ReplayWindow 0' in config, and ping between the hosts is perfect. I suspect the packets are identified and then dropped by the Great Firewall.

My question is: can it be identified by DPI? If yes, how should I improve tinc to avoid this?

Thanks in advance.

Roger
Guus Sliepen
2011-Sep-20 15:07 UTC
Can tinc traffic be identified by Deep Packet Inspection?
On Tue, Sep 20, 2011 at 09:35:13AM +0800, Roger wrote:

> I'm seeing periodic packet loss with tinc (1.0.16). I have 'ReplayWindow
> 0' in config, and ping between the hosts is perfect.

Setting ReplayWindow to zero will disable protection against replayed packets. If you do not set ReplayWindow, what exactly happens with ping between the hosts?

> I suspect the packets are identified and then dropped by the Great Firewall.
>
> My question is: can it be identified by DPI? If yes, how should I improve
> tinc to avoid this?

In principle tinc packets can be identified, if you have seen the initial handshake and can associate the UDP packets with it, or if you do statistics on the UDP packets. If you want a firewall to not detect tinc traffic, it should be encapsulated in another protocol that the firewall does not block. You can run tinc over HTTPS using stunnel for example, and you should use TCPOnly = yes to disable UDP traffic in that case.

-- 
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at tinc-vpn.org>
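The setup Guus describes (tinc metaconnection only, carried inside a TLS stream by stunnel), written out as an added configuration example. This is not from the thread or from the tinc project; node names `client` and `server`, the hostname `server.example.com`, ports 8443/443/655, and the certificate and key paths are all assumptions chosen for illustration. It also shows the weak setting from the original question next to the corrected one.

```ini
# ===== client node: /etc/tinc/vpn/tinc.conf (hypothetical path and names) =====
Name = client
ConnectTo = server
# Send data packets over the TCP metaconnection only; with this set there are
# no UDP packets for a middlebox to correlate with the handshake or to profile.
TCPOnly = yes
# Weak setting from the original question (disables replay protection):
#   ReplayWindow = 0
# Corrected: leave ReplayWindow unset so the default window stays in force.

# ===== client node: /etc/tinc/vpn/hosts/server (the client's copy) =====
# Instead of the server's real address, tinc connects to the local stunnel
# listener below, which wraps the TCP stream in TLS toward port 443.
Address = 127.0.0.1
Port = 8443
Subnet = 10.0.0.1/32
# (server's RSA public key block goes here, as in any tinc host file)

# ===== client node: /etc/stunnel/tinc-client.conf =====
client = yes
# Validate the server certificate against a CA you control; without this a
# middlebox could terminate the outer TLS, and the encapsulation no longer
# hides anything (tinc's own crypto still protects the payload, not the fact
# that it is tinc).
CAfile = /etc/stunnel/ca.pem
verify = 2
[tinc]
accept = 127.0.0.1:8443
connect = server.example.com:443

# ===== server node: /etc/stunnel/tinc-server.conf =====
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
[tinc]
accept = 443
connect = 127.0.0.1:655

# ===== server node: /etc/tinc/vpn/tinc.conf =====
Name = server
# Set on both ends so neither side tries to switch the data path to UDP.
TCPOnly = yes
# Assumption: tincd still listens on 655 here; the host firewall should only
# admit that port from localhost so peers can reach it through stunnel alone.
```

With this layout the only packets that leave the client toward the server are a TLS session on port 443; tinc's own TCP handshake and all data packets ride inside it. Connections arriving at the server's tincd appear to come from 127.0.0.1, which is harmless with TCPOnly since no UDP return path is needed. Whether the firewall in question also interferes with the outer TLS connection is a separate matter that this configuration does not address.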