YouTube / GQUIC problem

Started by hyper4d, March 26, 2021, 04:30:26 PM

Hello,

I'm running an OPNsense in a cloud VM that I connect to via WireGuard. All of that works wonderfully. The one exception: YouTube. More precisely, YouTube and "YouTube Music" as the iOS app variants.
Every time I want to watch a video (or start a song in YouTube Music), it first stays black and sometimes loads for 30 seconds to 1 minute (!!) before it finally plays after all.

I have Suricata and Unbound running on the FW.
- Unbound does not block the DNS requests that are sent (*.googlevideo etc.).
- Suricata is only in "alert" mode anyway, so it doesn't block anything either.
- In the firewall logs I could not find any block/reject at playback time either.
- Most importantly: on the PC as well as under iOS, but via the browser, YouTube (Music) works without problems! Super fast loading times, almost as if I weren't going through the FW at all.

I captured various PCAPs under various conditions and found that the only difference I could see was that UDP "GQUIC" packets were exchanged via the YouTube app. After the Client Hello these initially ended in rejections, and at the time the video finally played, "Payload (Encrypted)" also appeared.

Example packets:
307   4.647638   10.3.0.3   173.194.187.233   GQUIC   126   Client Hello, PKN: 1, CID: 9655794248220275632   14:45:31.626068

Frame 307: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits)
Null/Loopback
Internet Protocol Version 4, Src: 10.3.0.3, Dst: 173.194.187.233
User Datagram Protocol, Src Port: 64341, Dst Port: 443
    Source Port: 64341
    Destination Port: 443
    Length: 1358
    Checksum: 0x7d08 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 3]
    [Timestamps]
    UDP payload (1350 bytes)
GQUIC (Google Quick UDP Internet Connections)
    Public Flags: 0x0d
    CID: 9655794248220275632
    Version: Q043
    Packet Number: 1
    Message Authentication Hash: f0ff80e7055b29d2c3e9d438
    STREAM (Special Frame Type) Stream ID: 1, Type: CHLO (Client Hello)
        Frame Type: STREAM (Special Frame Type) (0xa0)
        Stream ID: 1 (Reserved for (G)QUIC handshake, crypto, config updates...)
        Data Length: 456
        Tag: CHLO (Client Hello)
        Tag Number: 20
        Padding: 0000
        Tag/value: SNI (Server Name Indication) (l=32): r4---sn-4g5ednly.googlevideo.com
            Tag Type: SNI (Server Name Indication)
            Tag offset end: 32
            [Tag length: 32]
            Tag/value: 72342d2d2d736e2d34673565646e6c792e676f6f676c65766964656f2e636f6d
            Server Name Indication: r4---sn-4g5ednly.googlevideo.com
        Tag/value: STK (Source Address Token) (l=56)
            Tag Type: STK (Source Address Token)
            Tag offset end: 88
            [Tag length: 56]
            Tag/value: b5e068274ab69c1d3abce10b7768c84fb30b7bd2eaf2692200488b35a441fee1ec48e55f...
            Source-address token: b5e068274ab69c1d3abce10b7768c84fb30b7bd2eaf2692200488b35a441fee1ec48e55f...
        Tag/value: VER (Version) (l=4): Q043
            Tag Type: VER (Version)
            Tag offset end: 92
            [Tag length: 4]
            Tag/value: 51303433
            Version: Q043
        Tag/value: CCS (Common Certificate Sets) (l=16)
            Tag Type: CCS (Common Certificate Sets)
            Tag offset end: 108
            [Tag length: 16]
            Tag/value: 01e8816092921ae87eed8086a2158291
            Common certificate sets: 0x01e8816092921ae8
            Common certificate sets: 0x7eed8086a2158291
        Tag/value: NONC (Client Nonce) (l=32)
            Tag Type: NONC (Client Nonce)
            Tag offset end: 140
            [Tag length: 32]
            Tag/value: 605df38b00e03098f4cc8d8147011b48bbd9078347e5d6bbfa1368139dff6435
            Client nonce: 605df38b00e03098f4cc8d8147011b48bbd9078347e5d6bbfa1368139dff6435
        Tag/value: AEAD (Authenticated encryption algorithms) (l=4), AES-GCM with a 12-byte tag and IV
            Tag Type: AEAD (Authenticated encryption algorithms)
            Tag offset end: 144
            [Tag length: 4]
            Tag/value: 41455347
            Authenticated encryption algorithms: AESG (AES-GCM with a 12-byte tag and IV)
        Tag/value: SCID (Server config ID) (l=16)
            Tag Type: SCID (Server config ID)
            Tag offset end: 160
            [Tag length: 16]
            Tag/value: caafdaefae9ddcc8129e17fc1e3c0044
            Server Config ID: caafdaefae9ddcc8129e17fc1e3c0044
        Tag/value: TCID (Connection ID truncation) (l=4)
            Tag Type: TCID (Connection ID truncation)
            Tag offset end: 164
            [Tag length: 4]
            Tag/value: 00000000
            Connection ID truncation: 0 (0x00000000)
        Tag/value: PDMD (Proof Demand) (l=4): X509
            Tag Type: PDMD (Proof Demand)
            Tag offset end: 168
            [Tag length: 4]
            Tag/value: 58353039
            Proof demand: X509
        Tag/value: ICSL (Idle connection state) (l=4)
            Tag Type: ICSL (Idle connection state)
            Tag offset end: 172
            [Tag length: 4]
            Tag/value: 1e000000
            Idle connection state: 30 (0x0000001e)
        Tag/value: NONP (Client Proof Nonce) (l=32)
            Tag Type: NONP (Client Proof Nonce)
            Tag offset end: 204
            [Tag length: 32]
            Tag/value: 54c7e1f215b233c59aeff9a622b9510b5bb177262f9c4464acef8de289b7568f
            Client Proof nonce: 54c7e1f215b233c59aeff9a622b9510b5bb177262f9c4464acef8de289b7568f
        Tag/value: PUBS (Public value) (l=32)
            Tag Type: PUBS (Public value)
            Tag offset end: 236
            [Tag length: 32]
            Tag/value: e743f9acb79fc55f5287dadfb6933741adf0daf01aeec18899f10746dffc3458
            Public value: 17383 (0x0043e7)
            Public value: 12037369 (0xb7acf9)
            Public value: 6276511 (0x5fc59f)
            Public value: 14321490 (0xda8752)
            Public value: 9680607 (0x93b6df)
            Public value: 11354423 (0xad4137)
            Public value: 15784688 (0xf0daf0)
            Public value: 12709402 (0xc1ee1a)
            Public value: 15833480 (0xf19988)
            Public value: 14632455 (0xdf4607)
            Public value: 5780732 (0x5834fc)
        Tag/value: MIDS (Max incoming dynamic streams) (l=4): 100
            Tag Type: MIDS (Max incoming dynamic streams)
            Tag offset end: 240
            [Tag length: 4]
            Tag/value: 64000000
            Max incoming dynamic streams: 100
        Tag/value: KEXS (Key exchange algorithms) (l=4), Curve25519
            Tag Type: KEXS (Key exchange algorithms)
            Tag offset end: 244
            [Tag length: 4]
            Tag/value: 43323535
            Key exchange algorithms: C255 (Curve25519)
        Tag/value: XLCT (Expected leaf certificate) (l=8)
            Tag Type: XLCT (Expected leaf certificate)
            Tag offset end: 252
            [Tag length: 8]
            Tag/value: 4dd4b12ffd5d8c36
            Expected leaf certificate: 4dd4b12ffd5d8c36
        Tag/value: CSCT (Signed cert timestamp (RFC6962) of leaf cert) (l=0)
            Tag Type: CSCT (Signed cert timestamp (RFC6962) of leaf cert)
            Tag offset end: 252
            [Tag length: 0]
            Tag/value: <MISSING>
            Signed cert timestamp: <MISSING>
        Tag/value: COPT (Connection options) (l=12)
            Tag Type: COPT (Connection options)
            Tag offset end: 264
            [Tag length: 12]
            Tag/value: 41434b44414b44554e535450
            Connection options: ACKD
            Connection options: AKDU
            Connection options: NSTP
        Tag/value: CCRT (Cached certificates) (l=16)
            Tag Type: CCRT (Cached certificates)
            Tag offset end: 280
            [Tag length: 16]
            Tag/value: 4dd4b12ffd5d8c366032cb92a0414ddf
            Cached certificates: 4dd4b12ffd5d8c366032cb92a0414ddf
        Tag/value: CFCW (Initial session/connection) (l=4): 15728640
            Tag Type: CFCW (Initial session/connection)
            Tag offset end: 284
            [Tag length: 4]
            Tag/value: 0000f000
            Initial session/connection: 15728640
        Tag/value: SFCW (Initial stream flow control) (l=4): 6291456
            Tag Type: SFCW (Initial stream flow control)
            Tag offset end: 288
            [Tag length: 4]
            Tag/value: 00006000
            Initial stream flow control: 6291456
    PADDING Length: 863
        Frame Type: PADDING (0x00)
        [Padding Length: 863]
        Padding: 000000000000000000000000000000000000000000000000000000000000000000000000...


->
316   4.652478   173.194.187.233   10.3.0.3   GQUIC   1382   Rejection, PKN: 1, CID: 9655794248220275632   14:45:31.630908

Frame 316: 1382 bytes on wire (11056 bits), 1382 bytes captured (11056 bits)
Null/Loopback
Internet Protocol Version 4, Src: 173.194.187.233, Dst: 10.3.0.3
User Datagram Protocol, Src Port: 443, Dst Port: 64341
    Source Port: 443
    Destination Port: 64341
    Length: 1358
    Checksum: 0xdde3 [unverified]
    [Checksum Status: Unverified]
    [Stream index: 3]
    [Timestamps]
    UDP payload (1350 bytes)
GQUIC (Google Quick UDP Internet Connections)
    Public Flags: 0x08
    CID: 9655794248220275632
    Packet Number: 1
    Message Authentication Hash: 5dbce39e00d6397da95c6f63
    ACK (Special Frame Type)
        Frame Type: ACK (Special Frame Type) (0x40)
        Largest Acked: 1
        Largest Acked Delta Time: 1129
        First Ack block length: 1
        Num Timestamp: 0
    STOP_WAITING
        Frame Type: STOP_WAITING (0x06)
        Least unacked delta: 0
    STREAM (Special Frame Type) Stream ID: 1, Type: REJ (Rejection)
        Frame Type: STREAM (Special Frame Type) (0xa0)
        Stream ID: 1 (Reserved for (G)QUIC handshake, crypto, config updates...)
        Data Length: 594
        Tag: REJ (Rejection)
        Tag Number: 7
        Padding: 0000
        Tag/value: STK (Source Address Token) (l=56)
            Tag Type: STK (Source Address Token)
            Tag offset end: 56
            [Tag length: 56]
            Tag/value: 9e93043bc00176a9c03812a2fa166a03bc074ca435d39226ba34207ef361ebc46ffe25df...
            Source-address token: 9e93043bc00176a9c03812a2fa166a03bc074ca435d39226ba34207ef361ebc46ffe25df...
        Tag/value: SNO (Server nonce) (l=52)
            Tag Type: SNO (Server nonce)
            Tag offset end: 108
            [Tag length: 52]
            Tag/value: 45ed20d4d498e528dea613a163894abc81e6e21cfcce9f9835f7a95db7e3d026edd32b3e...
            Server nonce: 45ed20d4d498e528dea613a163894abc81e6e21cfcce9f9835f7a95db7e3d026edd32b3e...
        Tag/value: PROF (Proof (Signature)) (l=256)
            Tag Type: PROF (Proof (Signature))
            Tag offset end: 364
            [Tag length: 256]
            Tag/value: 8ff366ede919ede938eb1b4fe0c149d2df5bbc769b8c57093526b3c8eae8b8313e2f6639...
            Proof (Signature): 8ff366ede919ede938eb1b4fe0c149d2df5bbc769b8c57093526b3c8eae8b8313e2f6639...
        Tag/value: SCFG (Server Config) (l=135)
            Tag Type: SCFG (Server Config)
            Tag offset end: 499
            [Tag length: 135]
            Tag/value: 534346470600000041454144080000005343494418000000505542533b0000004b455853...
            Server Config Tag: SCFG
            Number Server Config Tag: 6
            Tag/value: AEAD (Authenticated encryption algorithms) (l=8), AES-GCM with a 12-byte tag and IV, Unknown
                Tag Type: AEAD (Authenticated encryption algorithms)
                Tag offset end: 8
                [Tag length: 8]
                Tag/value: 4145534743433230
                Authenticated encryption algorithms: AESG (AES-GCM with a 12-byte tag and IV)
                Authenticated encryption algorithms: CC20 (Unknown)
            Tag/value: SCID (Server config ID) (l=16)
                Tag Type: SCID (Server config ID)
                Tag offset end: 24
                [Tag length: 16]
                Tag/value: 21b0521101193d259cacb4cc3915e237
                Server Config ID: 21b0521101193d259cacb4cc3915e237
            Tag/value: PUBS (Public value) (l=35)
                Tag Type: PUBS (Public value)
                Tag offset end: 59
                [Tag length: 35]
                Tag/value: 200000cea92e9c6470ac4648af5d13941168404a650bfb7ca97544dab9f49099748465
                Public value: 32 (0x000020)
                Public value: 11128320 (0xa9ce00)
                Public value: 6593582 (0x649c2e)
                Public value: 4631664 (0x46ac70)
                Public value: 6139720 (0x5daf48)
                Public value: 1152019 (0x119413)
                Public value: 4866152 (0x4a4068)
                Public value: 16452453 (0xfb0b65)
                Public value: 7711100 (0x75a97c)
                Public value: 12180036 (0xb9da44)
                Public value: 10064116 (0x9990f4)
                Public value: 6653044 (0x658474)
            Tag/value: KEXS (Key exchange algorithms) (l=4), Curve25519
                Tag Type: KEXS (Key exchange algorithms)
                Tag offset end: 63
                [Tag length: 4]
                Tag/value: 43323535
                Key exchange algorithms: C255 (Curve25519)
            Tag/value: OBIT (Server Orbit) (l=8)
                Tag Type: OBIT (Server Orbit)
                Tag offset end: 71
                [Tag length: 8]
                Tag/value: b4bbcd2d2fdc99ba
                Server orbit: b4bbcd2d2fdc99ba
            Tag/value: EXPY (Expiry) (l=8)
                Tag Type: EXPY (Expiry)
                Tag offset end: 79
                [Tag length: 8]
                Tag/value: 53ee476100000000
                Expiry: 1632104019
        Tag/value: RREJ (Reasons for server sending) (l=4), Code Couldn't find the Server config id (kSCID)
            Tag Type: RREJ (Reasons for server sending)
            Tag offset end: 503
            [Tag length: 4]
            Tag/value: 0d000000
            Reasons for server sending: Couldn't find the Server config id (kSCID) (13)
        Tag/value: STTL (Server Config TTL) (l=8)
            Tag Type: STTL (Server Config TTL)
            Tag offset end: 511
            [Tag length: 8]
            Tag/value: c7fae90000000000
            Server Config TTL: 15334087
        Tag/value: CRT� (Certificate chain) (l=19)
            Tag Type: CRT� (Certificate chain)
            Tag offset end: 530
            [Tag length: 19]
            Tag/value: 024dd4b12ffd5d8c36026032cb92a0414ddf00
            Certificate chain: 024dd4b12ffd5d8c36026032cb92a0414ddf00
    PADDING Length: 721
        Frame Type: PADDING (0x00)
        [Padding Length: 721]
        Padding: 000000000000000000000000000000000000000000000000000000000000000000000000...


I think the most important part here is:
        Tag/value: RREJ (Reasons for server sending) (l=4), Code Couldn't find the Server config id (kSCID)
            Tag Type: RREJ (Reasons for server sending)
            Tag offset end: 503
            [Tag length: 4]
            Tag/value: 0d000000
            Reasons for server sending: Couldn't find the Server config id (kSCID) (13)


On the PC (and everywhere else where it works), "QUIC" is apparently used instead. Not "GQUIC".

Of course I'm not even sure whether it's down to GQUIC, or whether I've fixated on that too much and it has entirely different causes.
Unfortunately I also haven't found any other post in which someone had this problem with YouTube, so I'd be very happy if anyone here could help me with this strange problem.

Kind regards
Martin
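To make the REJ in the decode above checkable without Wireshark, here is an added example (my own code, not from the original post or from OPNsense): a minimal parser for the GQUIC crypto handshake message layout shown in the decode, plus a per-connection summary that lists the RREJ reasons seen before the first SHLO. The sample messages are constructed; only RREJ code 13 is given a name, taken from the Wireshark decode in the post.

```python
import struct

# Meaning of RREJ code 13 is taken from the Wireshark decode in the post;
# any other code is reported numerically rather than given an invented name.
RREJ_KNOWN = {13: "Couldn't find the Server config id (kSCID)"}

def parse_handshake_message(buf):
    """Parse one GQUIC crypto handshake message (CHLO, REJ, SHLO, SCFG).
    Layout as in the decode above: 4-byte tag, uint16 LE tag count, uint16 padding,
    a (4-byte tag, uint32 LE end offset) table, then the values back to back."""
    msg_tag = buf[:4].decode("latin-1")          # short tags are NUL-padded ("REJ\0")
    n_tags, _padding = struct.unpack_from("<HH", buf, 4)
    values = buf[8 + 8 * n_tags:]                # value area starts after the tag table
    tags, start = {}, 0
    for i in range(n_tags):
        tag, end = struct.unpack_from("<4sI", buf, 8 + 8 * i)
        if end < start or end > len(values):     # offsets must be monotonic and in range
            raise ValueError(f"tag {tag!r}: bad end offset {end}")
        tags[tag.decode("latin-1")] = values[start:end]
        start = end
    return msg_tag, tags

def build_handshake_message(msg_tag, tags):
    """Inverse of parse_handshake_message; used here only to construct sample input."""
    out = msg_tag.encode("latin-1") + struct.pack("<HH", len(tags), 0)
    end = 0
    for tag, value in tags:
        end += len(value)
        out += tag.encode("latin-1") + struct.pack("<I", end)
    return out + b"".join(value for _, value in tags)

def handshake_summary(messages):
    """Walk one connection's crypto stream in order and report the REJ reasons seen
    before the first SHLO; an empty list with completed=True is the healthy case."""
    reasons, completed = [], False
    for m in messages:
        msg_tag, tags = parse_handshake_message(m)
        if msg_tag == "REJ\x00":
            code = struct.unpack("<I", tags["RREJ"])[0] if "RREJ" in tags else None
            reasons.append(RREJ_KNOWN.get(code, f"reason code {code}"))
        elif msg_tag == "SHLO":
            completed = True
            break
    return {"rejections": reasons, "completed": completed}

# Constructed sample: a REJ carrying the same RREJ/STTL bytes as the capture
# (token/nonce bytes are dummies), followed by an SHLO from a retried CHLO.
SAMPLE_REJ = build_handshake_message("REJ\x00", [
    ("STK\x00", b"\x01" * 8), ("SNO\x00", b"\x02" * 8),
    ("RREJ", bytes.fromhex("0d000000")), ("STTL", bytes.fromhex("c7fae90000000000")),
])
SAMPLE_SHLO = build_handshake_message("SHLO", [("VER\x00", b"Q043")])
```

Feeding the crypto-stream payloads of one CID from a capture into handshake_summary shows at a glance how many REJ round trips the app needed before the handshake completed.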

89 views and no reply. That says a lot. I think I'll post this again in the English forum 😅

Quote from: hyper4d on March 27, 2021, 12:53:41 PM
89 views and no reply. That says a lot. I think I'll post this again in the English forum 😅


In my opinion that says about as much as that your case is probably quite hard to reproduce with such a specific error.
I don't think anyone has exactly this kind of setup running.


I'm also unsure whether it's directly down to OPNsense, since (as you already write) the packets are sent and also come back.
Does your cloud OPNsense have an IP that GeoIP-wise is also assigned to Germany? Wouldn't want YouTube to cheekily start blocking something or similar.
Another suggestion would be to lift the Unbound block and try again.


Regards
superwinni2
Proxmox VE
i3-4030U | 16 GB RAM | 512 GB SSD | 500 GB HDD
i3-2350M | 16 GB RAM | 120 GB SSD | 500 GB HDD

FW VMs:
2 Cores | 1 GB RAM | 20 GB SSD

YouTube actually thinks the IP is in the USA. Do you think that's the reason? They shouldn't actually block US IPs...

Quote from: hyper4d on March 29, 2021, 10:58:56 AM
YouTube actually thinks the IP is in the USA. Do you think that's the reason? They shouldn't actually block US IPs...

It could be that your YT app resolves something different DNS-wise, or that it comes from DE.

But since you then come in via a US IP, the packets might be blocked.

So to speak a DNS leak that is causing chaos there.
Would also explain why it works via the browser.
(Unofficial Community) OPNsense Telegram Group: https://t.me/joinchat/0o9JuLUXRFpiNmJk

PM for paid support