A certificate is like an identity document; you send it to the other party to identify yourself as authorized or to confirm your identity. However, since anyone can create a certificate with any content on their computer, it is important that a trustworthy CA confirms the information in the certificate by signing the certificate. This also prevents the certificate from being changed later. The CA certificate is only needed to be able to later check the validity of this signature and to see which CA is responsible for this information, so that I can decide whether I want to trust this CA.

Each certificate has a private key. This serves as proof that you are the owner of the certificate or are authorized to identify yourself with this certificate, since only authorized people are ever allowed to have access to the private key, while the certificate can and often is accessible to everyone. So I can easily get the certificate of any web server or OpenVPN gateway, because both send me the certificate when I try to connect to them, but without a private key I cannot identify myself with the certificate .

If an attacker wants to pretend to be a specific OpenVPN gateway, e.g. to get passwords from users, then he has to set up his own OpenVPN gateway and redirect his victim's data traffic there, both of which are quite possible. But then he has a problem: he also has to identify himself as the correct gateway. However, if the client does not check whether the gateway address is in the certificate, it can simply use a user certificate from a VPN user, because this is also signed with the same CA as the gateway certificate.

It is much easier to get a user certificate and its private key than the gateway certificate.

To get the gateway certificate, you have to hack into the gateway directly, but if I have unrestricted access to the gateway, then I no longer need the certificate because then I can intercept passwords directly at the gateway and have full access immediately to all private networks behind it.

Gateways are of course designed to be as difficult to attack as possible, in contrast to users' work computers, which can be much more easily foisted with a Trojan. And it's even easier if a VPN user wants to act as a hacker himself, because he has regular access to a valid user certificate including a matching private key and can thus get other users' passwords, which may grant him extensive access rights Passwords are often managed centrally and the same password is also used for other company services.

That's why it's not enough that a certificate is valid and signed with the appropriate CA, it also has to be ensured that the gateway certificate is really the gateway certificate and also matches the gateway you're currently talking to, anything else undermines the whole thing Security concept of certificates.

If you are having trouble accessing your equinux ID account with 2FA, please read on. For support with 2FA for your VPN connection itself, please reach out to your VPN admin who can assist you with resetting your 2FA setup.

Reset 2FA for your equinux ID

If you no longer have access to your 2FA device, you can reset 2FA using your recovery codes. Visit the 2FA guide for details.

I don’t have recovery codes

If you no longer have your recovery codes, 2FA can be reset by the equinux support team. Please note that for security reasons, manual 2FA reset will take up to 72h to process, to reduce the risk to accounts.

To proceed, please contact equinux support with your equinux ID and our team will let you know which additional data is required to reset your 2FA setup.

In order to get OpenVPN connections from Ubiquiti Unifi to work correctly with VPN Tracker, the following change must be made to the config file before importing it into VPN Tracker:

- Download the OpenVPN configuration file from the Unifi console.
- Open the configuration file with a text editor.
- Identify this line:
Cipher AES-256-CBC
- Change the line to:
AES-256-GCM
- Save the file.
- Import the file into VPN Tracker

When your IPsec connection is often able to establish a connection, but sometimes times out because there was no response to the first packet, the problem might be due to host name resolution. This is often the case in IPv6-based networks such as cellular connection, e.g. also when using the Personal Hotspot function on the iPhone.

Some host names can resolve to both IPv4 and IPv6 addresses, but depending on your current network location and VPN gateway it's possible that only IPv4 addresses work correctly.

You can enforce resolving to IPv4 addresses only for your connection:

• Edit your connection.
• Navigate to the “Advanced Options” section.
• In “Additional Settings”, change the setting “Connect using IPv4 or IPv6” to “Use IPv4”.
• Save your connection and start your connection.

Another way to completely disable IPv6 for Wi-Fi on macOS:

1. Open the Terminal app from the Utilities folder.
2. Enter the following command:
sudo networksetup -setv6off Wi-Fi


Note: If your Wi-Fi interface has a different name (e.g., `en0`), replace "Wi-Fi" with the correct name. You can check the name of the interface using this command:
networksetup -listallnetworkservices


3. After entering the command, you'll be prompted to enter your admin password.

This will completely disable IPv6 for your Wi-Fi connection.

VPN Tracker 365 offers support for countless VPN protocols and gateways, including support for the SonicWALL TZ series.

Our detailed step-by-step guide shows you exactly how to set up a VPN connection on your SonicWALL device using VPN Tracker 365.

• Read the SonicWALL setup guide
• See all supported devices and protocols

VPN Tracker for iOS is now available!

Find out more

VPN Tracker for iOS is compatible from iOS 15, including iOS 16.

Test VPN Tracker for iOS here.

To connect to a WireGuard® VPN server - e.g. in order to remotely connect to your home network -, you need a VPN client app. VPN Tracker supports WireGuard® VPN connections on Mac, iPhone and iPad!

To get connected, follow these 3 steps:

1. Open VPN Tracker and add a new WireGuard® connection
2. Upload your WireGuard® configuration file or scan your QR code
3. Save your connection to your account using secure end-to-end encryption

You can now connect to your WireGuard® VPN server on Mac, iPhone or iPad.

→ More information on connecting to WireGuard® VPN in VPN Tracker

WireGuard® is a registered trademark of Jason A. Donenfeld.

With TLS-Crypt the data is encrypted twice. Once with the connection key, which is renegotiated every connection, and once with a static key, which is part of the config and therefore never changes. In order to better secure this static key, with TLS-Crypt the packets contain an additional timestamp that is otherwise not needed and this causes the problem.

We therefore recommend turning off TLS crypt on the server. TLS crypt is activated by the following entry in the server config: "tls-crypt ta.key".

If you remove this, nothing changes except that TLS crypt is no longer used and must also be switched off in VPN Tracker. This still gives you an encrypted connection, it's just no longer double encrypted, but simply encrypted once.

This makes the connection even faster and not more insecure. TLS-Crypt only serves to make it impossible for attackers to find an OpenVPN server on the network and, if necessary, to paralyze it via a DoS attack, because if the first packet is not correctly encrypted, the server will not respond to the packet at all.

Without a TLS crypt it would respond and only the negotiation of the key would then fail, but then an attacker would know that an OpenVPN server is running there and could bombard it with requests until it collapses, since it is responsible for every request computing time has to be spent.

Each side (i.e. server and client) sets its own rules as to when the connection key must be renegotiated. If connections are frequently lost, it may help to extend the time required to renegotiate the connection key.

If no lifetime is set in VPN Tracker, VPN Tracker takes one hour (3600 seconds). The connection can be edited in VPN Tracker and this value can be increased. To keep the key valid for 24 hours, you would have to set the value to 86400 seconds.

The same should be stored on the server side.

If your OpenVPN connection drops after a while, it may be due to the rekeying period. Test whether extending the period can solve the problem.

Proceed as follows:

• Edit your OpenVPN connection in VPN Tracker
• Navigate to "Advanced Settings > Phase 2"
• Change the Lifetime value to 28800 (which corresponds to a period of 8 hours)

If this doesn't resolve your issues, may also want to check your interoperability keep-alive, activity, and dead peer detection settings.

If you continue to have problems with your VPN connection, please send us a TSR report.

Sonicwall has been experiencing various issues with its iOS and Mac VPN client ("„Sonicwall Mobile Connect") recently.

An error message appears during setup:
'Your Sonicwall' is either currently unreachable or is not a valid SonicWall appliance. Would you like to save this connection anyway?

When starting the connection, the following appears:
Connection Error
'Your Sonicwall' is not a SonicWall SSL VPN server.

In such cases, we recommend switching to VPN Tracker. VPN Tracker is available for both Mac and iOS. An added advantage is that once a connection is set up, it’s immediately available on both devices, as VPN Tracker securely syncs the settings through the Personal Safe.

Update September 2024: SonicWall has introduced another update with SonicOS 6.5.4.15-116n, which has rendered SSL VPN functionality non-operational for many SonicWall devices.

Update November 2024: This issue seems to be addressed by the SonicOS 6.5.4.15-117n update. For more information, please visit:
https://www.sonicwall.com/support/knowledge-base/mobile-connect-breaks-after-upgrade-to-sonicos-6-5-4-15/240903132324983

1. Open the connection in VPN Tracker and go to “Edit > Setup > Advanced Settings”.
2. Navigate to “Traffic Control” and add the Fritzbox’s IP range, e.g., 192.168.178.0/24, under “Use VPN for the following addresses only”.

“Use VPN for the following addresses only”
192.168.178.0/24

3. If your Fritzbox uses a different IP range, enter the corresponding range instead.

When connecting via SonicWall SCP or SonicWall IKEv1 with DHCP, VPN Tracker 365 for Mac requests an IP address from the SonicWall gateway using the DHCP protocol. For this request, VPN Tracker 365 modifies the MAC address slightly, making it different from the actual MAC address of your device. This allows administrators to assign a fixed IP address when your Mac is connected via LAN or WiFi and a different IP when it’s connected through VPN.

This modification sets a specific bit in the MAC address, marking it as a self-assigned address rather than a factory-assigned one.

Example:
Original MAC address: 00:1B:63:B7:42:23
VPN Tracker MAC address: 02:1B:63:B7:42:23

Starting with macOS 15 Sequoia, Apple defaults to using a rotating MAC address for WiFi connections, labeled as a “Private Wi-Fi Address” in System Settings. To prevent connectivity issues related to this feature, VPN Tracker 365 reports the actual hardware address (with the minor modification described above) instead of the one used in “Rotating” or “Fixed” modes.

On iOS, VPN Tracker cannot retrieve a MAC address directly. Instead, it generates a random value once and stores it for future use. VPN Tracker for iOS then uses this stored value as the MAC address.

To change the name of your VPN Tracker Team follow these steps:

• Log in to your my.vpntracker.com account
• Select your team in the top left corner
• On the left side choose "Team Cloud"
• Scroll down to the section "Rename your team"
• Enter your new Team Name and press "Rename"

To add a new team member to your VPN Tracker Team follow these steps:

• Log in to your my.vpntracker.com account
• Select your team in the top left corner
• On the left side choose "Team Cloud"
• In the Invite section at the top, enter your new Team Member's name and company email address, then click "Send invitation".

• The invited team member will then receive an automatic email invitation with a personalised link to click on and join your team.
• Tip: Each VPN Tracker 365 user needs their own, personal equinux ID. After the user receives a team invitation from you and clicks the invite link, they can either create a new equinux ID or log in using their existing account.
• In case the user does not receive the invitation email, you can access the invitation link by clicking on "Details" next to the user name
  
  
  

• Once a team member has accepted your email invitation, you will be notified via email
  

Since 2019, Firefox have been rolling out DNS over HTTPS (DoH) by default in several countries, including the USA, Canada, Russia and Ukraine.

What does this mean?

When DoH is enabled, it bypasses your DNS server and instead, domains you enter into your browser are sent via a DoH-compatible DNS server using an encrypted HTTPS connection.

This is intended as a security measure to prevent others (e.g. your ISP) from seeing the websites you are trying to access. However, if you're using a DNS server provided by your VPN gateway, it allows DNS queries to run outside the VPN tunnel. Moreover, if the VPN specifies a DNS server that resolves internal host names, these are either not resolved at all or resolved incorrectly when DoH is enabled.

How to disable DNS over HTTPS in Firefox

To ensure all your DNS queries run via your VPN's DNS, you will need to disable DoH in Firefox. To do so, open your Firefox browser, go to Firefox > Preferences > Network Settings and deselect the checkbox by "Enable DNS over HTTPS":

Click OK to save your changes.

SonicWALL listed a known issue in the release notes of 6.5.4.13:

An established IPSEC VPN tunnel intermittently fails in a NAT environment. (GEN6-2296)

Please contact Sonicwall for more information on when Sonicwall plans to fix this issue.

Whenever a security problem with certificates is discovered, the rules for certificates are adjusted and tightened accordingly. However, the new rules do not apply retroactively, i.e. they only apply to certificates that were created after the new rules have already come into force. Certificates that are older must still be accepted as valid, even if they were created according to older rules.

The longer an old certificate remains in circulation, the more likely that someone with the appropriate knowledge and skills will come across it and then exploit its security problem. Therefore, you don't want to have long terms, because if a certificate has to be renewed, it must always be renewed in accordance with the current applicable rules and this happens sooner, the shorter its term is. In the past, the runtimes were too long, but this had led to problems several times when RSA was cracked with 768 bits or when a method was found to create SHA-1 collision, which means that signatures based on SHA-1 all at once could be forged. Back then, it took far too long until insecure certificates were no longer in circulation, which resulted in various avoidable attacks.

By the way, renewing only affects the gateway certificate. User certificates do not need to be renewed if you exchange the certificate at the gateway. Users also do not need a new configuration. In fact, users don't even notice such an exchange. On web servers today, this usually happens automatically and even more often, as web certificates are often only valid for a maximum of 90 days.

We offer a free trial for VPN Tracker which can be used to test all functionality of the app, helping users identify the best fit for their needs. After this trial period, all sales are final upon subscription, in accordance with our Terms and conditions.
 
Please be aware that we cannot process refunds in the following scenarios:

• Non-usage of the app or service
• Failure to cancel your account within the cancelation period
• Lack of features or functionality on your subscribed plan
• Purchases made in error
• Exceptional circumstances beyond our control
• Violations to our Terms of Use

By default Zyxel creates firewall policies to allow traffic to flow from SSL VPN to LAN zone and from LAN to SSL VPN zone. Those rules are required to allow VPN traffic flow once the connection has been established. But there is no policy that actually allows VPN management traffic at the WAN port, client requests arriving at the WAN port are discarded by the firewall.

To allow an OpenVPN connection on the WAN port, you first have to create an own policy. In the main navigation, select Security Policy > Policy Control, click on the + Add button and create a policy that allows traffic for the service SSLVPN to flow from WAN to ZyWALL. Please see screenshot below.

When you start a trail license (e.g. 7 days), we authorize your card for the annual amount of the corresponding license as soon as you start the test (similar to a hotel or rental car deposit).
If you cancel the trial license within the specified period, your account will not be charged. The pre-authorization then no longer applies.

There can be some problems with the setup in the Fortigate web interface, possibly with certain browsers like Safari. Here are some tips:

• Check if there is a firmware update for the Fortigate device: Firmware Updates
• First, set up the new connection in the Fortigate web UI, and then review all fields again by selecting ‘Edit’. This can help, as not all fields may have been visible during the initial setup

Convert Your Products into Store Credit

If you wish to change the number of your licenses, you have the option to convert your existing license into store credit. You can then use this credit for your next purchase:

• Visit our Store Promo Code Transfer Page and follow the instructions to receive your promo code.
• Select your new products in the my.vpntracker Store.
• Enter your promo code during the checkout process.

Note: If the remaining value of your old product exceeds the amount for the new product, you will receive an additional promo code for the remaining value.

Certain SonicWall releases have known issues with DHCP IP assignment for clients, which can result in duplicate IP address assignments. To troubleshoot this, try the following:

1. Connect to the VPN with the computer experiencing the connection problem.
2. Note its assigned client IP address.
3. Ping this IP address from within your LAN.
4. Disconnect the VPN on the problematic computer. You will likely observe that the ping continues, indicating that another device is using this IP address.

Troubleshooting Steps:

1. Identify the computer that is using the duplicate IP address. Often, a computer within the LAN is already using an IP address that falls within the DHCP range of the SonicWall.
2. If step 1 does not resolve the issue, restart the SonicWall.

In AnyConnect gateways, the case sensitivity of the gateway address can sometimes matter. gateway.example.com and Gateway.example.com are treated differently. Please ensure that the case exactly matches the AnyConnect gateway settings.

1. What are connection drops during rekeying?

   Connection drops during rekeying occur when the VPN connection is interrupted during the key update (rekeying). This causes traffic to not be processed for a short period, which is particularly problematic for stable connections such as video conferences.

2. Why does the problem occur during rekeying?

   The problem arises because, when using TCP with OpenVPN, the firewall does not accept any traffic during the rekeying process. This leads to an interruption of the traffic.

3. What impact do connection drops have on a video conference?

   During a video conference, connection drops during rekeying can result in a complete interruption of the traffic. This causes the connection to break, disrupting or even ending the video conference.

4. Why is TCP susceptible to this problem?

   According to OpenVPN, TCP is problematic for VPN connections because it is more sensitive to traffic congestion during network disruptions or the rekeying process. OpenVPN therefore recommends using UDP instead, as it can better handle rekeying processes.

5. What solution does VPN Tracker provide for the problem?

   VPN Tracker offers a particularly user-friendly solution: when establishing a connection, VPN Tracker automatically sets the rekeying timer to 24 hours. This significantly minimizes connection drops due to rekeying processes, keeping the connection especially stable. Additionally, VPN Tracker supports switching to UDP, which allows for an even more reliable connection.

6. Why should the rekeying timer be set to 24 hours?

   A longer rekeying cycle reduces the frequency of connection drops. By setting the timer to 24 hours— as VPN Tracker does by default— the likelihood of the rekeying process being triggered during a critical phase, such as a video conference, is decreased.

7. What advantages does VPN Tracker have when using UDP over TCP?

   VPN Tracker makes it easy to configure UDP, which offers faster connections and less sensitivity to packet loss. UDP is more efficient and resilient to interruptions during the rekeying process, which is particularly beneficial for bandwidth-intensive applications like video conferencing or streaming.

8. What recommendations does VPN Tracker provide for companies to optimize their VPN connections?

   For companies relying on stable connections, VPN Tracker offers simple and effective solutions:

   • By default, the rekeying timer is set to 24 hours to minimize connection drops.
   • It is recommended to use UDP instead of TCP whenever possible to further enhance performance.

If you are experiencing problems with your FortiSSL connection, it might be related to the “Strict Host Check.” You can try disabling this setting on the gateway.

Follow these steps:

To disable the host check on the FortiSSL server side, you can turn off the “Host Check” in the SSL-VPN settings.

Steps:

1. Log in to the FortiGate CLI or GUI (Command Line Interface or Graphical User Interface).
2. Enter the following command in the CLI to disable the host check:

config vpn ssl settings
set host-check disable
end

This will disable the strict host check for SSL-VPN clients.

For error messages related to a possible faulty internet connection, try the following steps:

1. Are you connected to the internet? Check your internet connection by opening a website like www.google.com in your browser (e.g. Safari).
If that works, proceed to Step 2.

If no page loads, try the following:

• Check your Wi-Fi connection: Make sure Wi-Fi is enabled on your device and connected to the correct network.
• Check cable connections: If you are using a wired connection, ensure the cable is securely connected and undamaged.
• Restart the router: Disconnect the router from the power source for about 30 seconds, then plug it back in. Wait a few minutes for the connection to re-establish.
• Contact an administrator or provider: If the problem persists, there may be an issue with your internet provider. Contact your administrator or your internet provider's customer service.
• Use a mobile hotspot: If you have access to mobile data, try setting up a hotspot to test the connection.

2. If a specific server is mentioned in the error message, try accessing the specified address via your browser (e.g., Safari).

If that works, proceed to Step 3.

If it doesn’t work, there may be an issue with the server mentioned in the error message. In this case, please try the action in VPN Tracker that triggered the error message again at a later time.


3. Check if your current VPN connection or a firewall is blocking access to the internet or a specific site, and disable this block if necessary.

• You can see and configure if your currently active VPN connection excludes certain internet addresses in the connection configuration: In VPN Tracker, select the connection, choose "Edit," and then "Advanced Settings." In the "Traffic Control" area, there may be internet addresses listed that the VPN restricts access to.
• To check if your firewall excludes certain internet addresses, temporarily disable your firewall and try again the action in VPN Tracker that triggered the error message.
• Check your firewall settings for blocked applications or websites. Some firewalls allow specific IP addresses, domains, or applications to be selectively blocked or allowed.
• If you find that a rule is blocking access, you can adjust this rule or add an exception to allow access to specific websites or services.
• If you are still unable to gain access to certain areas, contact your firewall manufacturer's support or your IT support.

SonicWall's SonicOS 6.5.4.15-116n update breaks SSL-VPN connections with SonicWall Mobile Connect and VPN Tracker 365.
In VPN Tracker's log, you can also see the error message:

LCP: PPP peer accepted proposal but also modified it which isn't allowed.

Please update your Sonicwall to at least SonicOS 6.5.4.15-117n to fix this problem. For more information, please visit: https://www.sonicwall.com/support/knowledge-base/mobile-connect-breaks-after-upgrade-to-sonicos-6-5-4-15/240903132324983

Fortinet recommends using the IPsec protocol for FortiGate devices and now explicitly highlights this preference (as of November 2024):

Our experience also shows that IPsec connections are significantly more performant, so we likewise recommend using IPsec.

• Send keep-alive ping every

  This option controls whether and how often VPN Tracker sends keep-alive pings. A keep-alive ping is not a normal ping, and is not considered tunnel traffic by the VPN gateway, so it does not keep the connection alive at the gateway. The sole purpose of these pings is to keep the connection alive through firewalls and NAT routers between VPN Tracker and the gateway when no other tunnel traffic is being sent.

• Disconnect if inactive for

  This option controls if and after how long VPN Tracker will disconnect due to inactivity. Only tunnel traffic is considered activity, keep-alive pings sent from either side and protocol management traffic are not considered tunnel traffic.

• Consider the peer dead if no sign of liveliness for

  This option controls if and after what time VPN Tracker will disconnect due to no sign of life. Any traffic from the gateway is considered a sign of life, regardless of whether it is tunnel traffic, keep alive ping, or protocol management traffic.

  This option has no effect if the gateway is not configured to send pings (--ping option or ping in the server configuration file), because without pings enabled, there may be no tunnel or management traffic for quite some time, but this is not proof that the gateway is no longer alive, since it won't send anything if there is nothing to send. With ping enabled, the gateway would at least send keep-alive pings in such a situation, and if those don't arrive either, the gateway has most likely dropped the connection or gone offline.

Yes, you can print to your home printer while connected to VPN Tracker away from home. To ensure a seamless remote printing experience, follow these steps:

1. Assign a Static IP Address to Your Printer

• Access your router’s web interface by entering its IP address in a web browser (e.g., 192.168.1.1 or 192.168.0.1).
• Navigate to the LAN or DHCP settings.
• Assign a static IP address to your printer (e.g., 192.168.50.100) so it remains consistent.

2. Configure Your Mac for Remote Printing

• Connect to your > Printers & Scanners on your Mac.
• Click "+" to add a new printer.
• Select the IP tab and enter the static IP address assigned to your printer.
• Choose the correct printer driver to ensure compatibility.

3. Avoid Bonjour for Remote Printing

Apple’s Bonjour service helps detect devices on local networks but does not work reliably over VPN due to its reliance on multicast DNS (mDNS). Instead, always connect to your printer using its static IP address.

4. Check Firewall & Network Settings

• Ensure that your firewall allows print traffic over VPN.
• Verify that the printer and VPN settings do not block remote connections.

By setting up a static IP address, avoiding Bonjour, and ensuring proper firewall rules, you can print documents remotely via VPN Tracker without issues.