Unitymedia is blocking VPN connections

Unitymedia is a German ISP, and I made the unfortunate choice of using them as my internet service provider.

Unfortunately, they’re not a very good ISP, because they are using deep packet inspection (DPI) to throttle or block VPN connections. I would expect this sort of behaviour from certain countries (a full list of countries engaging in internet censorship can be found here) but never in Germany.

Obviously this claim cannot be made lightly. There must be some sort of proof to back up anyone who is claiming that a German ISP is filtering customers’ internet connectivity.

Could this be a mistake?
Possibly. Unitymedia does not have enough IPv4 addresses to give each customer a global IPv4 address. They are instead using something called DS-Lite, in which each customer has a unique IPv6 address and IPv4 connections are tunneled over IPv6 (4in6) to the carrier, where customers then must go through carrier-grade NAT (CGN) before reaching the internet.

Other people have written about frequent TCP disconnections and poor connectivity on Unitymedia (DE, English version here), but I believe they are going further.

The evidence
I had a strong suspicion from my regular use that Unitymedia was filtering connections, but I needed a good way to prove it.

Since the most common use for a VPN is to get around region restrictions (honourable mention to YouTube DE and GEMA) or to download copyrighted content illegally, I thought torrenting Ubuntu 14.04 would be a good example use case.

I installed Transmission and configured it to require encrypted connections. This will ensure that any network connections to peers will be encrypted UDP. I should also note that IPv6 was disabled on the computer, so only IPv4 connections are possible.

So, for the first test, I downloaded the torrent for Ubuntu 14.04 LTS AMD64, and started downloading.

[Screenshot: encrypted_udp_torrent_novpn]

Everything is still working, good.

Now I paused the torrent and logged in to a paid OpenVPN service on UDP port 1194. To prove that the connection is working, I will run a ping test to Google’s public DNS. This is what happened next:

[Screenshot: encrypted_udp_torrent_udpvpn]

Okay, so we are still downloading, but much slower than before. Unitymedia would not be the first ISP in the history of the uncensored world to throttle VPN connections.

However, we cannot browse to websites. Chrome and Firefox just sit forever waiting for data from the remote server. To test my VPN connection, I tethered my phone to my PC and logged in to the VPN. Websites load perfectly.

But, what if we tried a TCP-based OpenVPN connection? Let’s connect to an OpenVPN endpoint using TCP on port 443. In the upper right xterm I have logged into my router and I am filtering for TCP RST packets on my upstream WLAN connection (to the unitymedia router). We can see that the ping is still running, although we have not started to download anything yet.

[Screenshot: encrypted_udp_torrent_tcpvpn-working]

I resume the torrent and all of a sudden I receive 2 TCP RST packets and the connection is dead.

[Screenshot: encrypted_udp_torrent_tcpvpn-blocked]

This is absolutely unacceptable. Under no circumstances should an ISP ever be inserting TCP RST packets into a user’s connections. Here is the PCAP file with the TCP RST packets that ended my connection.

ISPs inserting TCP RST packets to disrupt user connections is sadly not new. Comcast in the United States has been known to forge TCP RST packets for users who are using bittorrent, calling it “Network Management.” The EFF even compiled a report on Comcast’s shady behaviour. There is a Wikipedia article on the TCP reset attack if you want to know more about how it works.
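Here is an added example, not from the original post or its PCAP, of how a defender can check a capture for this behaviour: it parses raw Ethernet/IPv4/TCP frames and flags RST segments whose IP TTL differs from the TTLs the same endpoint used earlier in the flow, a common heuristic for spotting resets injected by a middlebox rather than sent by the real peer. The frames and addresses are constructed; a real capture would be read from a pcap file instead.

```python
import struct
from collections import defaultdict

ETH_LEN, IP_LEN, TCP_LEN = 14, 20, 20
TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10


def build_frame(src, dst, sport, dport, flags, ttl, seq=1, ack=0):
    """Build a minimal Ethernet/IPv4/TCP frame. Constructed test data only:
    MACs and checksums are zero, which the parser below does not need."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + TCP_LEN, 0, 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src, dst, sport, dport, flags, ttl) for an IPv4/TCP frame, else None."""
    if len(frame) < ETH_LEN + IP_LEN or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    ttl, proto = ip[8], ip[9]
    if proto != 6 or len(ip) < ihl + TCP_LEN:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    flags = ip[ihl + 13]
    return src, dst, sport, dport, flags, ttl


def find_suspicious_resets(frames, ttl_slack=2):
    """Flag RST segments whose IP TTL does not match any TTL the same sender used
    earlier in the flow. A middlebox forging a RST spoofs the far endpoint's
    address but sits a different number of hops away, so its TTL usually differs.
    A RST on a flow with no prior packets cannot be judged and is not flagged."""
    baseline = defaultdict(set)  # (src, sport, dst, dport) -> TTLs seen on non-RST packets
    suspicious = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, ttl = parsed
        key = (src, sport, dst, dport)
        if flags & TCP_RST:
            seen = baseline.get(key)
            if seen and all(abs(ttl - t) > ttl_slack for t in seen):
                suspicious.append({"flow": key, "rst_ttl": ttl, "baseline_ttls": sorted(seen)})
        else:
            baseline[key].add(ttl)
    return suspicious


def sample_capture():
    """Constructed traffic: a TCP/443 OpenVPN session, then two RSTs that claim to come
    from the server. The first carries TTL 61 although every genuine server packet
    arrived with TTL 52; the second matches the baseline and is left alone."""
    client, server = "192.0.2.10", "203.0.113.5"  # RFC 5737 documentation addresses
    return [
        build_frame(client, server, 51000, 443, TCP_SYN, 64),
        build_frame(server, client, 443, 51000, TCP_SYN | TCP_ACK, 52),
        build_frame(client, server, 51000, 443, TCP_ACK, 64),
        build_frame(server, client, 443, 51000, TCP_PSH | TCP_ACK, 52),
        build_frame(server, client, 443, 51000, TCP_RST | TCP_ACK, 61),  # injected
        build_frame(server, client, 443, 51000, TCP_RST | TCP_ACK, 52),  # plausible
    ]


if __name__ == "__main__":
    for hit in find_suspicious_resets(sample_capture()):
        print("suspicious RST on flow %s: TTL %d, baseline %s"
              % (hit["flow"], hit["rst_ttl"], hit["baseline_ttls"]))
```

A TTL mismatch is evidence, not proof (routes can change mid-flow), so a hit is a reason to inspect the reset's sequence numbers and timing in the capture rather than a verdict on its own.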

An ISP is providing a service to paying customers, and at no point should they ever interfere or attack a customer’s connections. Sadly these days the terms of service (ToS) are usually in favour of the service provider, and not the customer.

I find it ironic that in Germany, which has spied on its citizens in the past, I cannot use such privacy enhancing technology as VPNs.

There are many legitimate uses for a VPN such as: encrypting your internet traffic from your ISP, anonymizing yourself to avoid higher prices in online shopping, or getting cheaper plane tickets for your holiday.

I have confirmed that this issue is not isolated to my Unitymedia connection. I have a friend living in another large German city, and their connection faces the same hostile behaviour from Unitymedia.

Unitymedia’s filtering is also not limited to commercial VPN services. My work requires I use a VPN connection to access internal services, and I frequently experience disconnections, dropped packets, extreme throttling, and corrupted packets while trying to work.

So, why am I writing this? I live in a free country, I can vote with my wallet and move to a different ISP. This is true, but if I did that, people who do not have the technical knowledge to diagnose connection problems would never know that Unitymedia is censoring their internet. Unitymedia would just be blasted for their DS-Lite implementation, and things would never improve.

In conclusion:

[Image: linus-torvalds-220612]

Unitymedia is sending forged TCP RST packets to disrupt TCP VPN connections. They are throttling, and I suspect also filtering, UDP VPN connections to a severe extent.

[Image: thatwouldbegreat]

28 thoughts on “Unitymedia is blocking VPN connections”

  1. Veluria

    >However, we cannot browse to websites. Chrome and Firefox just sit forever waiting for data from the remote server.

    I have exactly the same problem with Unitymedia. The strange thing is, though, that it works just fine on Windows. I have confirmed at my university that the VPN provider is not the issue, because here everything works fine. But at home, using Linux, I cannot get the VPN to work properly, while it works just fine on Windows. Any thoughts on this?

  2. another one

    So true, I work from home and I have constant problems with my connections.

    But I assume their behaviour is not just as innocent as you think. The problem is, in Germany everyone cheats legally on his customers, so wtf, I manage as best I can. Telekom and 1&1 are not much better.

  3. TS

    Hi, so how can I easily test if that affects me?
    Trying to use Hamachi VPN but have an issue with one service (internal MediaWiki via SSL on a Linux host); other services work (SSH on that same host, RDP on a Windows host, SP site on a Windows host).

  4. AngryGerman

    Reporting in. I'm a customer of Unitymedia too. I noticed this issue at first 3 or 4 months ago; I thought my long-term VPN service just sucked and got lame. I went to a new service and got the same problem. I feel kinda betrayed by them. OpenVPN does not work; I couldn't even download the OpenVPN app in iTunes, it always said “connection error”. I never had this issue before with the App Store or any app.

  5. SuperCourier

    Same sad story here. It began on October 3rd, 2015 or so. I had only been able to use PPTP until then, but now all protocols (PPTP, OpenVPN, and L2TP) are blocked. Several of my neighbors with Unitymedia as their ISP reported the same problem on the same day and since. Some have reported successes with other proprietary VPN protocols, but my provider does not have them.

    I found the comment about Windows made by Veluria odd, however. I have this issue regardless of using any kind of Windows, Linux, or Android.

    Unitymedia continues to play dumb on the issue, at first replying with the oddly irrelevant “Sorry, but for private customers we do not offer IP V4. We only offer IP V6. Only business contracts have a IP V4 address.”

    After I recontacted them demanding a direct answer, I was told “Hello,
    we are still working on that problem, In general Unitymedia is not blocking any VPN connections.
    We just tested with a fritzbox without problem. to analize the problem we need the ip address of the server and the sort of
    VPN,PPTP,L2TP/IPSEC
    per windows client or a special software
    thanks for your cooperation”

    After providing them with a list of servers and their IP addresses posted by the VPN provider online, I heard nothing more. Likely I’ve just given them specific sites to block now. Great.

    When as

  6. ethernall

    I was using Kabel BW; somewhere last summer (2015) they became Unitymedia… since then I noticed another issue with them. For similar purposes I am using an SSH tunnel to a machine in another country. I transfer large amounts of data through the connection – including backups of virtual machines. In the past I was maintaining steady speeds between 950KBs and 1,4 MBs (slower in peak load times). Since last summer, in peak times (like between 18:00 and 23:00) the download speeds drop to 150 – 300 KBs… So obviously they are also throttling speeds heavily. It took me a while to figure out some rules but it is not based on port (I can freely configure the listening port on the other side), so DPI seems the most logical explanation for that too… This is really shitty as such things can be and are used for perfectly legitimate purposes and they basically one-sidedly change the service rules. Unfortunately throttling is a big problem in Germany as far as I read around people complaining and it is valid for all providers although they actively deny it. And this is the 21st century in what is supposed to be the most developed country in Europe – ridiculous, simply ridiculous. On top comes the “spying” element… I was cautiously advised by one of their consultants that I can migrate to business service for 20 EUR more… I am planning to call or go to a service center to ask directly if those limitations are valid also for business clients.

    P.S. And they just informed me that they need to raise my installment by 2,90 because during the last year more than 50% of their customers used more than 50GB per month of traffic and they need to invest more in infrastructure… WTF were they expecting? It's the 21st century with HD video on demand. They should wake up! Nice example of a monopolized market…

  7. Unitymedia Sucks

    I was just connected to Unity Media today.
    Yes, my VPN doesn’t work at all. Nothing.
    Is there any service in the Frankfurt area that is supportive of their customers?

  8. Manuel

    Same issue here in Stuttgart. Unitymedia told me “the function (VPN) is not supported for private clients”. Tried my business and private VPN.
    They must be kidding. It worked for me till some weeks ago.

    1. ron

      I am experiencing the same problem with both my VPNs. This started over the weekend. I’ve never had a problem launching my VPN up until then. This should be against the law WTF! I never surf the web without my VPN, been using one for years. Unitymedia is one lousy service. What can we do???

  9. Bila

    Hello there, yeah, they are blocking the VPN connections. One lady from customer service said to me that I need to change from Private to Business and then I will be able to work from home. WTF? :)))) You’re god damn right with the first pic.

  10. Hal Martin Post author

    Hey everyone, very sorry for the delay in getting your comments approved.

    I don’t personally have Unitymedia as my ISP anymore, I switched to O2 DSL, without a contract even. Only 50MBit, but it does work with VPN connections.

    I have a friend in Frankfurt using a Unitymedia connection, and while it’s fast (150MBit) VPN connections don’t work at all on it. It doesn’t seem that they really care if some small portion of their users don’t have full access to the internet.

  11. Lman

    Hello,

    Cyberghost Premium working quite well with Unitymedia, but P2P connection not so much. uTorrent and all torrents looking for peers all the time…

    BR.

  12. Tyler Durden

    Deep packet inspection and ISPs inserting TCP RST .. yeah, sure.
    And now let's quickly take off the tinfoil hat and put

    link-mtu 1432

    into the OpenVPN configuration file 😉

    1. Systembastler

      Hi,

      for my L2TP VPN connection into the office using the Windows built-in tools, an MTU value of 1492 seems to be optimal. Otherwise establishing a connection was difficult and afterwards work was very laggy.

      You should first start the VPN connection and then set the MTU value. Then disconnect and reconnect again, and test. Adjust the value if necessary. I experimented a bit. Now it runs perfectly.

      Thanks for the tip!

      Regards
      Systembastler

  13. warlock

    Hi all,

    I thought to write my thoughts about these idiots from Unitymedia.

    Had the same issue with my VPN. I have 2 VPN connections, one for work (Cisco) and the other for personal usage (OpenVPN).
    Once connected, no traffic!!!!
    Moved to another provider and all worked just fine.

    It's illegal in the 1st place to deny the usage of an internet connection!

    DPI is used by Unitymedia as they are the only ones in Germany with contracts with several lawyer companies hired by music companies and film producers to find illegal downloads.

    DPI is used to track not only illegal activity but also personal activity!

    Be very careful people that they know all that you do: photos you sent, emails incoming and outgoing, webpages ALL not only illegal activity.

    How does this help? Very easy: promotion, hacking, selling data to 3rd party!

    The most negative part? If one slick hacker will get access to that platform all your private data will reach anyone in this world.

    Read the contract with them! According to the German and EU law the user has to accept that his traffic is being inspected!!!

    They are not mentioning these aspects and people are not aware what this means and are cowards to quit their contract!!!

    Sadly I don’t have money to support a lawsuit but if I had I would go tomorrow in court and close this shit company once and for all!!!

    1. Hal Martin Post author

      >Be very careful people that they know all that you do: photos you sent, emails incoming and outgoing, webpages ALL not only illegal activity.

      I would like to make several counter points to the above:

      >photos you sent

      Most connections to websites such as Facebook, Twitter, Google, Dropbox, etc. are made using Transport Layer Security. Except for very unlikely circumstances (MITM) your provider can only see the top-level domain you’re going to, but has no ability to decrypt the communications, and cannot know any of the content.

      >emails incoming and outgoing

      Email is inherently insecure. IMAP, POP, SMTP are all plain-text protocols, though many providers are now enforcing transport layer security (TLS) on your connection to their mail servers, and between mail relays. It is very likely that your internet service provider cannot read your emails when you send or receive them because the connection to your mailserver is made using transport layer security.

      This being said, the only way to have secure communications via email is to use message encryption technology like S/MIME or PGP. These can only encrypt the body of the message; metadata such as the sender and receiver are still transmitted in plain text. All your emails are stored on a server somewhere, in plain text. System administrators working for your email provider can read the contents of your email. Usually there are very strict policies in place to ensure this ability is not abused by anyone.

      The improvements in security policy made by email providers like Google, Microsoft, and Yahoo are enough that your email communications are likely secure from anyone except a national security agency. However, unless you are encrypting your emails using S/MIME or PGP, if there is a legal reason for your provider to give your emails to the authorities, they will do so, and the authorities will be able to read your emails. If you’re doing illegal things, don’t send any emails, or write any draft messages about it, mmmkay?

      >The most negative part? If one slick hacker will get access to that platform all your private data will reach anyone in this world.

      This statement is true for any ISP in the world. If someone has compromised your connection to the internet (e.g. public WiFi) then they are able to do numerous nasty things to your connection.

      If you don’t trust your ISP, then my suggestion is that you vote with your wallet, and switch to a different one.

      I don’t want to categorically deny any of what warlock has said. If no transport layer security is used, your provider can see everything you do online. However, in 2016 typical websites use TLS to secure communications.

  14. Mark

    Even worse.
    They have blocked my Forex trading MT4 platform, I guess because of the constant data stream!!
    VPN won't work & uTorrent. And with 10-15 restarts of a router per day this is a f*** joke but not an internet provider!!!! Bull sh**

  15. patricke

    What is the best ISP to use in Germany with a VPN?
    I also have Unitymedia and until yesterday I had the old router; all was fine and PIA worked fine with it, no throttling. But then I got an email from them with the new router, the white standing one. I took it and as soon as I installed it I noticed that my PIA VPN connection was “squeezed” from 50mbit/s to 0.1 per sec!!!
    Without PIA the speed is 50mbit/s.
    The new router has a software configuration that will detect your VPN and will throttle it.
    So… what is the best ISP to use in Germany with a VPN?

    1. Hal Martin Post author

      I don’t have a good answer. I think it probably depends somewhat on where you are living and which model of modem you have. Unitymedia is definitely the worst.

      I have O2 DSL and until 1 January 2017 I got the full speed (50MBit) while connected to a VPN. Since 1 January, they have implemented some kind of traffic shaping. Now if you are using the VPN, the maximum speed is limited to around 15MBit, and it frequently drops to 30KB/s or so. The OpenVPN log shows errors about replayed packets. VPN still works somewhat, but not nearly as well as it did previously.

      Maybe other people can share their experiences.

  16. Angry expat

    Living in the Heidelberg/Mannheim area. Originally had Telekom 15 MB line, and they said that is the max they can do until fiber is eventually installed in our area. Called Unity Media, they promised a 400 MB connection. They just installed it. Without a VPN I get about 175 MB max, but extremely inconsistent. With a VPN I get around 1-5 Mbps – HORRIBLE!

    I’ve tried different encryption protocols – IPSEC IKEv2, OpenVPN – and even different VPN providers and server locations but it doesn’t matter. The connection is always awful. I would have been better staying with Telekom, where I could at least get a consistent 10-12 MB speed.

    Not even sure what to do at this point. I may look into O2. Any suggestions?? (Thanks to the author of this post, it confirmed my suspicions, very helpful!)

    1. Hal Martin Post author

      I can’t say for certain that O2 will be an improvement. They seem to have deployed DPI at the start of 2017 and VPN speeds are quite erratic now. Sometimes it’s quite good (>15MBit/s) and other times it’s downright terrible (<0.5MBit/sec). It really seems to depend on the VPN endpoint and the alignment of the stars.

      The only thing I can recommend for certain is that you should avoid Unity Media at all costs if you want to use a VPN.

  17. DaneeL

    Hi guys,

    I moved recently to the NRW area where I ordered Unitymedia as well. (Earlier I had Vodafone Kabel aka Kabel Deutschland)
    I had no problem with the VPN there but on UnityMedia I immediately noticed the above mentioned issues.

    Setting the MTU to 1432 – as suggested in one of the comments – solved the issue for me for my private OpenVPN installation.
    I also have VPN subscription but I didn’t notice any slowness on that one.

  18. Yalcin Atasoy

    o2? Holy crap, please NO. Never go to o2!!! o2 is the worst company ever!!! I have a 50M line with them but very often I get only 6M. The support (if you stay on the hotline for 30-60 min) only triggers a connection test and tells you that they will send you an SMS or give you a callback. However, you will never receive an SMS or a callback. So you end up calling the hotline again (with a wait time of 30-60 min if you aren't dropped automatically … ups… not our fault, said o2) and they will trigger a 2nd test. However, you will also get no callback or SMS with the result of the 2nd test. If you then call them back again (expected wait time is 30-60 min) they will tell you that everything is ok. There couldn't be a faster connection at your location, but they would offer you a cost-free downgrade which they just applied … you do not wish a downgrade … ups, our fault, it's already installed … so you wish to cancel the contract now? Sure, but it's running for 24 months … so you wish to cancel it because of the bad connection … ups … you can't, because o2 does not guarantee you a max. connection. They even do not guarantee you a lowest connection. They guarantee you internet and if that is 1M or even worse, the contract they have with you is fully ok.

    So no, I am currently trying to leave o2 for that shitty service they are providing… o2 is really the worst internet connection you could get in Germany when you require any kind of service… Check Google here, everyone is mad at o2, which does not apply to 1u1 for example.

  19. jack

    Same here with Arch Linux and Unitymedia. Can’t even choose an anonymous nameserver like 1.1.1.1 / 1.0.0.1 – blocked. No VPN is working properly – only dedicated, and only with Linux systems.

    Tor Browser slowed down extremely – Unitymedia, lovely BND, your presence and spying is leaked – gfu.
    Never do anything illegal guys – stay clean and go with the law as straight as possible and vote with your wallet 😉

    Best 2 u

  20. J

    UM is not blocking VPN traffic – the problem is the MTU size and their DS Lite infrastructure, where IPv6 and IPv4 are used at the same time. DS Lite is a cluster fuck seen from a network perspective. Change your MTU size to 1280 for the VPN connection for both IPv4 and IPv6 and your speed on VPN will be normal.
    I personally did this (adapted my MTU size) and it works like a charm. This will work for OpenVPN and similar technologies – it will not work for old-school PPTP VPN – but that is insecure and should not have been used for some years.

    This article describes perfectly what to do – no need to switch to a business contract with Unitymedia.

    https://aktuelles.computer-fuechse.com/294/unitymedia-vpn-probleme-ipv4-ipv6-geloest.htm

    QUOTE:
    “Reading out the MTU settings:

    netsh interface ipv4 show subinterface – shows the settings of all adapters for IPv4
    netsh interface ipv6 show subinterface – shows the settings of all adapters for IPv6
    netsh interface ipv4 show subinterface „Local Area Connection“ – shows the settings for a specific adapter

    Setting the values for a specific adapter, for example the virtual VPN adapter; it is important that the VPN tunnel is started beforehand.

    netsh interface ipv4 set subinterface „Local Area Connection* 15“ mtu=1280 – where Local Area Connection* 15“ is the name of the virtual adapter

    netsh interface ipv6 set subinterface „Local Area Connection* 15“ mtu=1280 – 1280 is the setting that the gateway requires, which means it can vary.

    If you want to set the MTU value permanently, depending on the operating system the parameter – store=persistent – has to be appended.

    Example: netsh interface ipv6 set subinterface „$AdapterName“ mtu=1400 store=persistent”

