servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

L2TP/IPsec web browser location result issue

Wed Aug 25, 2021 6:34 pm

Hi, have 2 Mikrotik routers, hEX S and CCR1009 both running L2TP server with IPsec.
The issue is when connected to the CCR1009 L2TP/IPsec VPN, the remotely connected computer doing a search for 'my location' will display the country the computer is physically in (not desired). When connected to the hEX S and doing the exact same search for 'my location' will display the location where the hEX S physically is (desired).

After looking at the configuration differences for both routers ...
hEX PPP profile: Use UPnP no
hEX Allow fast path unchecked

I am unsure if those two items would cause browser result for my location to display the place the computer is physically.

Thanks for any help with this.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPsec web browser location result issue

Wed Aug 25, 2021 6:48 pm

What computer do you use? Windows/Linux/Mac/other?

It looks as if the VPN client settings at the computer differed, where the one connecting to hEX S has the "use the VPN gateway" enabled whereas the one connecting to CCR1009 has this option unchecked and adds a class-based route only (to the private subnet, in the old-fashioned A, B, C classification, that contains the IP address it gets from the Mikrotik). Or these basic settings have been overridden using PowerShell by something even more elaborate.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Wed Aug 25, 2021 6:57 pm

Used a Windows 7 notebook to connect to both routers. I connected to the hEX S, location shows up as physical location of the hEX S whereas when I connect to the CCR1009 and location search displays the location of the notebook.

I figure it might be a misconfiguration somewhere.
The other problem is it affects all computers connecting to VPN on the CCR1009. By that I mean if anyone connected does a search for my location it shows a remote country where there are a few people who connect to the VPN on the 1009. It is really undesirable to say the least.

In all cases nothing was changed in the computer location settings.

Thanks.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Wed Aug 25, 2021 7:03 pm

Both VPN client (hEX S and CCR1009) connection settings have 'Use default gateway on remote network' checked.
Thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPsec web browser location result issue

Wed Aug 25, 2021 7:34 pm

Start by double-checking, using /tool sniffer on the CCR, that the traffic from the client to internet really goes through the VPN.

Another possibility is DNS query leakage - Windows used to have the bad habit of sending DNS queries down every gateway they could see, regardless of what the routing was saying, in order to get the fastest response available. But I admit I don't understand why the behavior should be different depending on the VPN server used.

Can you keep the connections on the test PC but swap their settings (server address, preshared key, user name, password - whichever of these differs between the two servers) to see whether the issue sticks to the VPN server or to the configuration on the PC?
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 12:44 pm

Have changed the CCR1009 PPP settings to be exactly same as the hEX S. No change. 'my location' search still shows the remote country I am currently in. hEX S shows the location country where the hEX S is.

Search 'my ip', the result is the same using either router. Shows the public IP of the hEX S and the dhcp IP address assigned by the CCR1009. It's just the location that is the problem. For some unknown reason the CCR1009 doesn't hide it or masquerade the location.
Thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 12:47 pm

Wait... is "the DHCP IP assigned by the CCR1009" a public one?
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:18 pm

The search results for anything when connected to the CCR1009 show the results based on one remote country where there are only 3 or 4 client computers. Other VPN clients that are in the same country as the CCR1009 also show search results for the one remote country. These other VPN clients are actually in the same city as the CCR1009.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:21 pm

The CCR1009 DHCP server hands out routable (non-RFC 1918) IP addresses. The hEX S only has 1 public IP address as it's just a home office. The CCR1009 has /24 and some of the IP addresses are in pools. The VPN clients get the right IP addresses. There is no problem there.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:24 pm

I don't see how this is possible, your local public IP should not be routed to remote country via the internet, so you must be breaking out locally and not using the VPN when you think you do.

Best will be to post config of both devices, also check routing on client devices
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:35 pm

Perhaps you can tell me exactly which config you want to see?
Thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:46 pm

I'd rather see what exact online service you use to check the VPN connection and the leakage of the actual address and/or location. As I've suggested earlier, the actual IP of the client may leak via DNS query, which may bypass the VPN tunnel even if the default route is set via that tunnel. I understand it is hard to believe it could happen, but Wireshark has confirmed that to me. And the VPN check service can then use the real address to determine the geographic location.

And the fact that the hEX hands out private IPs to the clients whereas the CCR hands out public ones is a significant difference, it may affect some other behaviour of the client. Since the only advantage of assigning public IPs to clients is that you can be sure they will never collide with whatever private network they may be using, I'd try to use a pool of private addresses for them on the CCR and test again.

Yet another possibility is that the public IPs you assign to the clients are linked to a wrong country in the geoIP database used by the VPN check service, but to me it is the least likely variant.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:50 pm

IP routes for the hEX S:
Canyon] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 l2tp-out1 1
1 ADS 0.0.0.0/0 pppoe-bell 1
2 ADC 10.11.2.1/32 76.64.225.235 pppoe-bell 0
3 A S XX.121.77.192/27 l2tp-yonge-out 1
4 ADC XX.121.77.193/32 192.168.225.6 l2tp-yonge-out 0
5 A S XX.193.49.0/24 l2tp-out1 1
6 SB XX.193.49.0/24 2
7 ADC XX.193.49.1/32 104.193.49.155 l2tp-out1 0
8 ADC 172.16.32.0/24 172.16.32.1 sip_devices 0
9 A S ;;;
172.16.40.0/24 l2tp-out1 1
10 A S ;;;
192.168.2.0/24 l2tp-out1 1
11 ADC 192.168.25.0/24 192.168.25.1 bridge 0
12 A S ;;;
192.168.26.0/24 l2tp-out1 1
13 A S ;;;
192.168.28.0/24 l2tp-out1 1
14 A S ;;;
192.168.65.0/24 192.168.25.1 l2tp-out1 1
15 A S ;;;
192.168.70.0/24 l2tp-out1 1
16 A S ;;;
192.168.125.0/24 l2tp-out1 1
17 A S ;;;
192.168.130.0/24 l2tp-out1 1

The above l2tp-out go to the CCR1009.

PPP Profiles on hEX S:
Canyon] > /ppp profile print
Flags: * - default
0 * name="default" bridge-learning=default use-ipv6=yes use-mpls=default use-compression=default use-encryption=default only-one=default
change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

1 name="l2tp-out" bridge-learning=default use-ipv6=yes use-mpls=no use-compression=default use-encryption=yes only-one=default
change-tcp-mss=yes use-upnp=no address-list="" dns-server=XX.193.49.1,208.67.222.222 on-up="" on-down=""

2 name="l2tp-in" local-address=192.168.25.1 remote-address=vpn_pool bridge-learning=default use-ipv6=no use-mpls=default
use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=no address-list="" dns-server=192.168.25.1
wins-server=192.168.25.253 on-up="" on-down=""

3 * name="default-encryption" bridge-learning=default use-ipv6=yes use-mpls=default use-compression=default use-encryption=yes
only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

When I connect to the hEX S my profile is l2tp-in

There is nat masquerading for the l2tp connection

0 ;;; defconf: masquerade
chain=srcnat action=masquerade src-address=192.168.25.0/24 out-interface=pppoe-bell log=no log-prefix=""

1 chain=srcnat action=masquerade src-address=172.16.32.0/24 out-interface=pppoe-bell log=no log-prefix=""
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 1:55 pm

The only thing I've checked is simple search in search engine. 'My IP' and 'My Location'. My IP results are always correct regardless of which Router I am connected to.
When opening browser and connected to say google.com the result (no search yet just opened google.com) page is in foreign language (the language of the country google thinks the computer is in, even though the client is actually in the same city as the CCR1009).

You want me to run Wireshark on my computer when connected to the CCR1009 VPN?
Thanks.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 2:21 pm

vpntesting.com
Ran the test while connected to CCR1009 L2TP/IPsec vpn



IPv4

xx.193.49.109 (this is correct IP address handed out by dhcp server in CCR1009)

The IP address you use for IPv4 connections.

IPv6

N/A

The IP you use for IPv6 connections.

Connection

IPv4

The connection protocol you use now (IPv4 or IPv6).(*) Your device does not support IPv6, so no IPv6 leak possible.

Location

Canada (this is correct)

The country detected by geo API. There is a lot of countries that force ISPs to watch the user’s online activity. (*) You are connecting from non-UKUSA country, this is good for your anonymity.

ASN

AS36692 Cisco OpenDNS LLC

An officially registered autonomous system number detected by geo API.
DNS Leak Test
You use 13 DNS Servers
67.215.84.31 Canada AS36692 Cisco OpenDNS LLC
67.215.84.34 Canada AS36692 Cisco OpenDNS LLC
67.215.84.35 Canada AS36692 Cisco OpenDNS LLC
67.215.84.36 Canada AS36692 Cisco OpenDNS LLC
67.215.84.64 Canada AS36692 Cisco OpenDNS LLC
67.215.84.66 Canada AS36692 Cisco OpenDNS LLC
67.215.84.68 Canada AS36692 Cisco OpenDNS LLC
67.215.84.69 Canada AS36692 Cisco OpenDNS LLC
67.215.84.70 Canada AS36692 Cisco OpenDNS LLC
67.215.84.71 Canada AS36692 Cisco OpenDNS LLC
67.215.84.72 Canada AS36692 Cisco OpenDNS LLC
67.215.84.73 Canada AS36692 Cisco OpenDNS LLC
2001:4cd0:1000:153::118 Israel AS8551 Bezeq International-Ltd (this is where my computer is physically right now)
DNS may be leaking.
WebRTC Leak Test
WebRTC is able to see 1 IP
XX.193.49.109 Canada AS40028 1651884 Ontario Inc.
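
A check for the resolver list that a DNS leak test like the one above reports, as an added example that is not part of the original post: it flags every resolver whose country or ASN does not match what the VPN exit should use. The sample lines are constructed (documentation addresses, private-use ASNs) in the same `address country ASN organisation` layout, and the expected country and ASN set are assumptions supplied by whoever runs it.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the layout of the leak-test output above.
# Addresses are documentation ranges and ASNs are private-use values.
SAMPLE_REPORT = """\
192.0.2.31 Canada AS64500 Example Resolver LLC
192.0.2.34 Canada AS64500 Example Resolver LLC
2001:db8:1000:153::118 Israel AS64511 Example Access ISP
198.51.100.7 South Africa AS64500 Example Resolver LLC
not-an-ip Canada AS64500 Example Resolver LLC
"""

# address, country (may contain spaces), ASN number, organisation
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+AS(\d+)\s+(.+)$")


@dataclass(frozen=True)
class Resolver:
    address: str
    country: str
    asn: int
    org: str


def parse_report(text):
    """Return (resolvers, rejected_lines); lines without a valid IP are rejected."""
    resolvers, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            rejected.append(line)
            continue
        try:
            address = ipaddress.ip_address(match.group(1))
        except ValueError:
            rejected.append(line)
            continue
        resolvers.append(
            Resolver(str(address), match.group(2), int(match.group(3)), match.group(4))
        )
    return resolvers, rejected


def find_leaks(resolvers, exit_country, allowed_asns):
    """Flag resolvers that do not belong to the VPN exit's country or resolver networks."""
    leaks = []
    for resolver in resolvers:
        reasons = []
        if resolver.country.casefold() != exit_country.casefold():
            reasons.append(f"country {resolver.country} is not {exit_country}")
        if resolver.asn not in allowed_asns:
            reasons.append(f"AS{resolver.asn} is not an expected resolver network")
        if reasons:
            leaks.append((resolver, reasons))
    return leaks
```

A resolver flagged on both counts, like the access-ISP line in the sample, is the pattern the thread is discussing: a query answered by the client's local provider rather than by the DNS servers pushed through the tunnel.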
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 2:45 pm

...
The above l2tp-out go to the CCR1009.
...
How are your VPN connections to 1009 working?

client-->L2TP/IPSec-->CCR1009
or
client-->hEX-->L2TP/IPSec-->CCR1009
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 3:10 pm

Using https://mylocation.org/

Shows the correct IP address but the browser geolocation shows the country where the computer is located.
browser_geolocation.png
The google ads all display based on the country the computer is located in rather than the location of IP address. This really screws up clients connected to the L2TP/IPsec VPN on the CCR1009.
Thanks.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 3:11 pm

The connection to the CCR1009 is direct. Have client configured for each separate VPN.
Thanks.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 3:14 pm

The browser geolocation is actually correct, but that's not the desired result. It should show the country where the IP address is. In this case the IP address is located in Canada. The map image above is not Canada.

Thanks.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 3:27 pm

Connected now to hEX S L2TP/IPsec vpn, IP address is right but same issue it seems with browser geolocation. The google ad at the bottom though is not in foreign language.
hexs_ip_address.png
hexs_browser_geolocation.png
google-from-hexs.png
But when going to google.com it sees me in Canada with hEX S

Disconnect from hEX S and connect to CCR1009 and then open google.com


What the heck is causing this????

Thanks,
Last edited by servaris on Thu Aug 26, 2021 3:33 pm, edited 1 time in total.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 3:28 pm

IIRC, in Google Chrome you can set your geolocation to something you specify manually, this is not the case?
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 3:35 pm

I'm using Firefox, not Chrome.
This computer location is set to Canada. So are the clients that need to connect to the CCR1009 as I have asked them.

Thanks.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 4:16 pm

Check the geolocation settings in Firefox. Settings -> Privacy and Security -> Permissions -> Position -> Settings (the names may not be precise, my Firefox language is not English).

I don't think the issue is directly with the VPN, and once you've described how you test it, I don't think any more it's an issue with leakage via DNS, I second @CZFan in assuming it's the browser sending the geolocation info.

As suggested earlier, try to assign addresses from a private pool to the CCR users and do a src-nat/masquerade to some public IP you've never assigned to any VPN user so far (or maybe just do the src-nat/masquerade without changing the pool).

Given that you assign public IPs to the VPN clients, I could also imagine some routing shortcut if there is a LAN connection between the test PC and the CCR, but I don't know your test network topology. If you connect the test PC to the internet e.g. using a mobile connection while it is disconnected from the wired LAN, the routing shortcut is definitely not the reason.
 
servaris
Frequent Visitor
Topic Author
Posts: 67
Joined: Tue May 20, 2014 4:30 pm
Location: Planet Earth

Re: L2TP/IPsec web browser location result issue

Thu Aug 26, 2021 6:55 pm

Tried your suggestion of settings => privacy => Permissions => Location to block new requests for location. Cleared cache, closed and then reopened Firefox. Open google.com and it shows the location of the computer. Location permissions is not the issue.
google-from-ccr1009.png
Disconnected from CCR VPN, cleared cache in Firefox, then connected to the hEX S VPN. Open google.com and it sees my computer in Canada.
google-from-hexs.png
Thanks.
 
whereami
just joined
Posts: 1
Joined: Wed Aug 16, 2023 8:58 pm

Re: L2TP/IPsec web browser location result issue

Wed Aug 16, 2023 9:03 pm

Hi there,

It's intriguing that you're seeing varied geolocation results on your MikroTik routers' L2TP/IPsec VPNs. The discrepancy might stem from how the geolocation service interprets the IP addresses assigned by each router's VPN.

The settings you mentioned, UPnP and fast path, usually don't influence geolocation in this way. Geolocation hinges on the public IP address, which could differ between your routers.

To address this, consider:

IP Address Ranges: Check VPN-assigned IP ranges for each router. Differences could impact geolocation.

Routing and NAT: Ensure routing and NAT settings match, as these affect how traffic is seen.

Public IP: Verify the CCR1009 router's IP isn't inaccurately tagged in my location databases.

VPN Setup: Align L2TP/IPsec settings on both routers for consistent configuration.

Browser Factors: Remember browser settings and privacy extensions might affect geolocation.
Last edited by whereami on Fri Aug 25, 2023 12:27 pm, edited 5 times in total.
