Removing content block not taking effect, EE still blocking VPN traffic

mergefailure · ‎02-01-2022

My VPN wasn't working when I attempted to communicate over EE connection but worked fine on an alternate connection/carrier/ee number.

I hadn't changed anything so spent a couple of fruitless days investigating whether if it was an issue with my router.

I then went to the EE website and found that content blocking was set to 'moderate' for that account, I reason that when content blocking of any sort is active, EE proactively blocks all traffic they can't monitor/control, e.g. VPN, SSH, etc.

I changed it to 'allow everything', and restarted my router.

Still blocked.

I thought, maybe it takes 24 hours to push out to edge locations e.g. perhaps they filter traffic at the cell tower.

So I waited.

Now it's been three days and I still can't run my VPN traffic, I need a VPN as my client mandates it's used for connecting to their corporate network.

It's Sunday, and I don't want to wait until the call center opens on Monday before continuing to investigate the issue.

Has anyone, or have any EE staff knowledge with changing these settings failing to propagate.

I know that EE uses an eventually consistent database for propagating such settings, is it possible to escalate to someone who can figure out why the changes aren't propagating and give some system a kick?

Thanks in advance.

mergefailure · ‎02-01-2022

Hmmm... Perhaps this is a hint; apparently, "something went wrong".

In addition to this, there's was also an issue with connecting to the payment system host, eesecurepayments.ee.co.uk where the host was down as I attempted to process my monthly payment.

I'm on a client contract right now, but as I've mentioned to your customer service staff on more than one occasion, I'm happy to re-architect your systems so they scale properly and deliver proper reliability...

mikeliuk · ‎02-01-2022

Hi @mergefailure ,

EE doesn't block VPN or SSH.

What do your client logs say as to why a connection cannot be made? Can you see that the ports that you require are open on the VPN server?

mergefailure · ‎02-01-2022

I see requests going out, I don't see any responses coming back. This only happens on one of my two devices. I'm going to swap the sims between my router (which doesn't work) and my phone (which does).

I am absolutely certain that EE does block VPN's, how else would its content moderation system be able to work? Content moderation without blocking VPN traffic is an oxymoron.

mikeliuk · ‎02-01-2022

Hi @mergefailure ,

Is the VPN protocol OpenVPN, IPsec, or something else?

Do you know which ports you need to be able to hit on the VPN server?

Are those ports open when checking from within your network?

Can you test using the SIM which doesn't work, put into an unlocked mobile and configuring a WiFi hotspot?

These forums would be flooded with unhappy customers if EE were to block VPNs, given the number of people working from home now.

Is there an enable VPN support setting in your router?

The best thing to get working first is probably SSH. If you can't get SSH working, you likely have something misconfigured.

mergefailure · ‎02-01-2022

Thanks, Mike. What I've found is that VPN traffic is only being blocked when I've got my B535-232 in use,

EE SIM 1 in Android phone -> VPN allowed

EE SIM 2 in Android phone -> VPN allowed

Three SIM in B535-232 -> VPN allowed

B535-232 connected to Starlink via Ethernet -> VPN allowed

EE SIM 1 in B535-232 -> VPN blocked

EE SIM 2 in B535-232 -> VPN blocked

So, an EE SIM in a Huawei B535-232 router results in blocked VPN traffic.

I've also noticed that the Huawei B535-232 router cannot check for updates when running on EE, but when connected via either the Starlink or Three connection, it can check for updates.

I've also noticed from its logs that it's detecting and blocking port scanning attempts from the EE network, specifically, 109.249.185.229 and other EE IP addresses. Perhaps this is related. I notice an endpoint security product (MI) bundled with the service that the user can't disable. A google search indicates it's got some VPN sinkhole stuff going on, I'd browse the product documentation, but they're presenting a bad SSL cert to upstream Cloudflare, so I can't browse their site... God only knows how they're messing with the data.

https://help.ivanti.com/mi/help/en_US/mtd/75.0/gdcl/Content/MTD_all/mtd_phishing_enable_advanced_.ht...

In any event, if the Chinese kit is no longer welcome, I've got a TP-LINK Archer MR600 arriving on the 4th. Hopefully, I'll use EE to do my job then.

In answer to your other question regarding the protocols used, I tried the IKE2, Nordlink, and OpenVPN (UDP/TCP) protocols.

I can confirm that all requests were silently discarded with no response packets from inspecting packet capture data.

Man, I wish I could bill the last 4 hours of my life to EE.

EssexBoyEE · ‎02-01-2022

As a test switch your Huawei router to 3g only (switch 4G off) and see if it's still blocking VPN, if it isn't then it's probably an EE LTE IPV6 Gateway issue.

Re the above try changing the Routers APN Profile to IPV4 Only.

mikeliuk · ‎02-01-2022

Hi @mergefailure ,

Thanks for doing those checks and sharing with the community. I think the comparison with the Three SIM is especially informative and causes us to take your report more seriously than if you did not have that comparison.

You mention that logs show port scanning attempts from EE's network. Are these your router logs or the logs from the remote VPN server?

Within the next few days, I will return to work so will be able to check if my previously working VPN configuration (in-built Windows 10 client) still works. My Netgear MR1100 defaults to IPV4-only which tends to simplify things.

mergefailure · ‎03-01-2022

@EssexBoyEE thanks for the suggestions. I'm on client time now so I'll have to abandon until later in the week. In any event, as I mentioned, I've got the TP-LINK Archer MR600 arriving on the 4th so hopefully just paying will make the problem go away. I'll update if there's any further problems with that new kit. Thanks!

mcstu · ‎25-06-2023

There is no doubt that EE blocks VPN. I use VPN for work and if I connect through Virgin, or ID network or O2 network it is fine, but won't work on EE. Literally using same mobile internet device with just swapping sims, only one that doesn't work is EE. With everything else the same the only point of failure is using EE. Internet works otherwise, just not the VPN part. So any claim that EE doesn't block VPN is false, just question of whether it is deliberate or a bug? Something about their systems that conflicts with VPN?