L2TP/IPsec web browser location result issue

servaris · August 25, 2021, 3:34pm

Hi, have 2 Mikrotik routers, hEX S and CCR1009 both running L2TP server with IPsec.
The issue is when connected to the CCR1009 L2TP/IPsec vpn, the remotely connected computer doing a search for ‘my location’ will display the country the computer is physically in (not desired). When connected to the hEX s and doing the exact same search for ‘my location’ will display the location where the hEX S physically is (desired)

After looking at the configuration differences for both routers …
hEX PPP profile: Use UPnP no
hEX Allow fast path uncheked

I am unsure if those two items would cause browser result for my location to display the place the computer is physically.

Thanks for any help with this.

sindy · August 25, 2021, 3:48pm

What computer do you use? Windows/Linux/Mac/other?

It looks as if the VPN client settings at the computer differed, where the one connecting to hEX S has the “use the VPN gateway” enabled whereas the one connecting to CCR1009 has this option unchecked and adds a class-based route only (to the private subnet, in the old-fashioned A, B, C classification, that contains the IP address it gets from the Mikrotik). Or these basic settings have been overriden using powershell by something even more elaborate.

servaris · August 25, 2021, 3:57pm

Used a windows 7 notebook to connect to both routers. I connected to the hEX S, location shows up as physical location of the hEX S whereas when I connect to the CCR1009 and location search displays the location of the notebook.

I figure it might be a misconfiguration somewhere.
The other problem is it affects all computers connecting to VPN on the CCR1009. By that I mean if anyone connected does a search for my location it shows a remote country where there are a few people who connect to the VPN on the 1009. It is really undesirable to say the least.

In all cases nothing was changed in the computer location settings.

Thanks.

servaris · August 25, 2021, 4:03pm

Both VPN client (hEX S and CCR1009) connection settings have ‘Use default gateway on remote network’ checked.
Thanks.

sindy · August 25, 2021, 4:34pm

Start by double-checking, using /tool sniffer on the CCR, that the traffic from the client to internet really goes through the VPN.

Another possibility is DNS query leakage - Windows used to have the bad habit of sending DNS queries down every gateway they could see, regardless what the routing was saying, in order to get the fastest response available. But I admit I don’t understand why the behavior should be different depending on the VPN server used.

Can you keep the connections on the test PC but swap their settings (server address, preshared key, user name, password - whichever of these differs between the two servers) to see whether the issue sticks to the VPN server or to the configuration on the PC?

servaris · August 26, 2021, 9:44am

Have changed the CCR1009 PPP settings to be exactly same as the hEX S. No change. ‘my location’ search still shows the remote country I am currently in. hEX S shows the location country where the hEX S is.

Search ‘my ip’, the result is the same using either router. Shows the public IP of the hEX S and the dhcp IP address assigned by the CCR1009. It’s just the location that is the problem. For some unknown reason the CCR1009 doesn’t hide it or masquerade the location.
Thanks.

sindy · August 26, 2021, 9:47am

Wait… is “the DHCP IP assigned by the CCR1009” a public one?

servaris · August 26, 2021, 10:18am

The search results for anything when connected to the CCR1009 show the results based on one remote country where there are only 3 or 4 client computers. Other VPN clients that are in the same country as the CCR1009 also show search results for the one remote country . These other VPN clients are actually in the same city as the CCR1009.

servaris · August 26, 2021, 10:21am

The CCR1009 dhcp server hands out routable (non rfc1918) ip addresses. The hEX S only has 1 public IP address as its just a home office. The CCR1009 has /24 and some of the IP addresses are in pools. The VPN clients get the right IP addresses. There is no problem there.

CZFan · August 26, 2021, 10:24am

I dont see how this is possible, your local public IP should not be routed to remote country via the internet, so you must be breaking out locally and not using the VPN when you think you do.

Best will be to post config of both devices, also check routing on client devices

servaris · August 26, 2021, 10:35am

Perhaps you can tell me exactly which config you want to see?
Thanks.

sindy · August 26, 2021, 10:46am

I’d rather see what exact online service you use to check the VPN connection and the leakage of the actual address and/or location. As I’ve suggested earlier, the actual IP of the client may leak via DNS query, which may bypass the VPN tunnel even if the default route is set via that tunnel. I understand it is hard to believe it could happen, but Wireshark has confirmed that to me. And the VPN check service can then use the real address to determine the geographic location.

And the fact that the hEX hands out private IPs to the clients whereas the CCR hands out public ones is a significant difference, it may affect some other behaviour of the client. Since the only advantage of assigning public IPs to clients is that you can be sure they will never collide with whatever private network they may be using, I’d try to use a pool of private addresses for them on the CCR and test again.

Yet another possibility is that the public IPs you assign to the clients are linked to a wrong country in the geoIP database used by the VPN check service, but to me it is the least likely variant.

servaris · August 26, 2021, 10:50am

IP routes for the hEX S:
Canyon] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 l2tp-out1 1
1 ADS 0.0.0.0/0 pppoe-bell 1
2 ADC 10.11.2.1/32 76.64.225.235 pppoe-bell 0
3 A S XX.121.77.192/27 l2tp-yonge-out 1
4 ADC XX.121.77.193/32 192.168.225.6 l2tp-yonge-out 0
5 A S XX.193.49.0/24 l2tp-out1 1
6 SB XX.193.49.0/24 2
7 ADC XX.193.49.1/32 104.193.49.155 l2tp-out1 0
8 ADC 172.16.32.0/24 172.16.32.1 sip_devices 0
9 A S ;;;
172.16.40.0/24 l2tp-out1 1
10 A S ;;;
192.168.2.0/24 l2tp-out1 1
11 ADC 192.168.25.0/24 192.168.25.1 bridge 0
12 A S ;;;
192.168.26.0/24 l2tp-out1 1
13 A S ;;;
192.168.28.0/24 l2tp-out1 1
14 A S ;;;
192.168.65.0/24 192.168.25.1 l2tp-out1 1
15 A S ;;;
192.168.70.0/24 l2tp-out1 1
16 A S ;;;
192.168.125.0/24 l2tp-out1 1
17 A S ;;;
192.168.130.0/24 l2tp-out1 1

The above l2tp-out go to the CCR1009.

PPP Profiles on hEX S:
Canyon] > /ppp profile print
Flags: * - default
0 * name=“default” bridge-learning=default use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default
change-tcp-mss=yes use-upnp=default address-list=“” on-up=“” on-down=“”

1 name=“l2tp-out” bridge-learning=default use-ipv6=yes use-mpls=no use-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes use-upnp=no address-list=“” dns-server=XX.193.49.1,208.67.222.222 on-up=“” on-down=“”

2 name=“l2tp-in” local-address=192.168.25.1 remote-address=vpn_pool bridge-learning=default use-ipv6=no use-mpls=default
use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=no address-list=“” dns-server=192.168.25.1
wins-server=192.168.25.253 on-up=“” on-down=“”

3 * name=“default-encryption” bridge-learning=default use-ipv6=yes use-mpls=default use-compression=default use-encryption=yes
only-one=default change-tcp-mss=yes use-upnp=default address-list=“” on-up=“” on-down=“”

When I connect to the hEX S my profile is l2tp-in

There is nat masquerading for the l2tp connection

0 ;;; defconf: masquerade
chain=srcnat action=masquerade src-address=192.168.25.0/24 out-interface=pppoe-bell log=no log-prefix=“”

1 chain=srcnat action=masquerade src-address=172.16.32.0/24 out-interface=pppoe-bell log=no log-prefix=“”

servaris · August 26, 2021, 10:55am

The only thing I’ve checked is simple search in search engine. ‘My IP’ and ‘My Location’. My IP results are always correct regardless of which Router I am connected to.
When opening browser and connected to say google.com the result (no search yet just opened google.com) page is in foreign language (the language of the country google thinks the computer is in, even though the client is actually in the same city as the CCR1009).

You want me to run wireshark on my computer when connected to the CCR1009 VPN ?
Thanks.

servaris · August 26, 2021, 11:21am

vpntesting.com
Ran the test while connected to CCR1009 L2TP/IPsec vpn

IPv4

xx.193.49.109 (this is correct IP address handed out by dhcp server in CCR1009)

The IP address you use for IPv4 connections.

IPv6

N/A

The IP you use for IPv6 connections.

Connection

IPv4

The connection protocol you use now (IPv4 or IPv6).(*) Your device does not support IPv6, so no IPv6 leak possible.

Location

Canada (this is correct)

The country detected by geo API. There is a lot of countries that force ISPs to watch the user’s online activity. (*) You are connecting from non-UKUSA country, this is good for your anonymity.

ASN

AS36692 Cisco OpenDNS LLC

An officially registered autonomous system number detected by geo API.
DNS Leak Test
You use 13 DNS Servers
67.215.84.31 Canada AS36692 Cisco OpenDNS LLC
67.215.84.34 Canada AS36692 Cisco OpenDNS LLC
67.215.84.35 Canada AS36692 Cisco OpenDNS LLC
67.215.84.36 Canada AS36692 Cisco OpenDNS LLC
67.215.84.64 Canada AS36692 Cisco OpenDNS LLC
67.215.84.66 Canada AS36692 Cisco OpenDNS LLC
67.215.84.68 Canada AS36692 Cisco OpenDNS LLC
67.215.84.69 Canada AS36692 Cisco OpenDNS LLC
67.215.84.70 Canada AS36692 Cisco OpenDNS LLC
67.215.84.71 Canada AS36692 Cisco OpenDNS LLC
67.215.84.72 Canada AS36692 Cisco OpenDNS LLC
67.215.84.73 Canada AS36692 Cisco OpenDNS LLC
2001:4cd0:1000:153::118 Israel AS8551 Bezeq International-Ltd (this is where my computer is physically right now)
DNS may be leaking.
WebRTC Leak Test
WebRTC is able to see 1 IP
XX.193.49.109 Canada AS40028 1651884 Ontario Inc.

CZFan · August 26, 2021, 11:45am

How is your VPN connections to 1009 working?

client–>L2TP/IPSec–>CCR1009
or
client–>hEX–>L2TP/IPSec–>CCR1009

servaris · August 26, 2021, 12:10pm

Using https://mylocation.org/

Shows the correct IP address but the browser geolocation shows the country where the computer is located.

The google ads all display based on the country the computer is located in rather than the location of IP address. This really screws up clients connected to the L2TP/IPsec VPN on the CCR1009.
Thanks.

servaris · August 26, 2021, 12:11pm

The connection to the CCR1009 is direct. Have client configured for each separate VPN.
Thanks.

servaris · August 26, 2021, 12:14pm

The browser geolocation is actually correct, but that’s not the desired result. It should show the country where the IP address is. In this case the IP address is located in Canada. The map image above is not Canada.

Thanks.

servaris · August 26, 2021, 12:27pm

Connected now to hEX S L2TP/IPsec vpn, IP address is right but same issue it seems with browser geolocation. The google ad at the bottom though is not in foreign language.

But when going to google.com it sees me in Canada with hEX S

Disconnect from hEX S and connect to CCR1009 and then open google.com

What the heck is causing this???

Thanks,