What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

William Unruh wrote, on Fri, 05 Sep 2014 20:31:05 +0000:

Given all these answers, it seems the WISP sees this:

  1. The IP address of the VPN server.
  2. The (single) port used by the VPN server.
  3. The sheer amount of bits to and from that VPN server.

It seems, I think, from the answers, that the WISP does not see: a. The port (e.g., nntp, smtp, http, ssh, telnet, https, pop, imap, etc.).

Is that correct yet?

Reply to
Yaroslav Sadowski

But where is the "next hop"? It might be one of the computers the ISP controls. If it cannot see the IP address, it has no idea what to do with the packet. I.e., the IP address of the packet MUST be visible to all routers in the chain.

Reply to
William Unruh

No idea what this means. If you switch to port 1000 on your computer, the message sent out from your computer says it came from port 1000 since that is where the return must be delivered. Ports are addresses.

What does "If I switch from port 80 to port 1000" mean to you? Tell me what you would be doing to do that.

Reply to
William Unruh

No. The stuff you send over the vpn is on that port. The stuff you send out from other ports is on whatever port it is on.

Reply to
William Unruh

I think that's wrong.

I'm not an expert, but what good would it be if you sent http traffic on port 80 when you're using VPN? Likewise with all the other ports.

It would make no sense if what you said is true.

Reply to
Hüseyin Bölükbaşı

What is the next hop, if, for example, you established a VPN connection and then used a TOR browser?

Without the VPN, the ISP sees the connection to the TOR directory server, in the clear, and the IP address of the first hop, in the clear, and only after that, the ISP sees an encrypted connection with no further next-hop information.

I'm not an expert, nor even knowledgeable, but I "think", with VPN, the ISP would only see gibberish, and would never even *know* that the homeowner is using TOR.

I think.

Reply to
Hüseyin Bölükbaşı

If they care they can see port number and address. They can also see the data stream and usage pattern. They just can't interpret the content.

If they see 2M of data flow down to you and then 30 minutes later 2M back up to the VPN,

they could guess that you fetched a 2M document, edited it a bit and sent it back.

Reply to
Jasen Betts

I don't think that would give useful results.

what are you proposing switching?

Reply to
Jasen Betts

The VPN packets are on that port. The VPN client looks like a route to the client computer. It takes whatever packets the client computer routes to it, encrypts them, wraps them up in its own packets, and sends them to its other end, which unwraps them, decrypts them, and sends them to a normal router. It's an IP over IP tunnel. The ISP can see where the tunnel goes (it has to in order to route the VPN packets) but it can't see what's inside.

Reply to
John Hasler

Yes, they can't see what you are doing, only how much. They may be able to guess what sort of thing accurately, but they can't get any details.

By "sort of thing" I mean "downloading emails", "watching web video", "voip conversation", but no more detail than a guess at the type and an approximate file size, no addresses and no content.

Reply to
Jasen Betts

I didn't notice whether the OP mentioned if it's going to be a split tunnel or not. If it's a split tunnel, he could indeed send some traffic through the VPN tunnel and some traffic around it.

Reply to
Char Jackson

I was merely playing off of the comment that the ISP has to "deliver the packets to the right place", when the comment immediately before that referred to the VPN provider. It's unlikely that the WISP will be delivering packets to the VPN provider.

In general, no Internet router is responsible for final delivery to a destination unless that destination is directly connected. If there's one or more additional routers between the current router and the final destination, the best that the current router can do is (hopefully) send the packet on its way in the general direction of the final destination.

Reply to
Char Jackson

I don't know anything about vpn or about a split tunnel, but it just wouldn't make sense if what Mr. Unruh said was true.

VPN is supposed to protect you. If it allowed port 80 (http) traffic on port 80, it wouldn't be encrypted. If it allowed port 110 (pop) traffic on port 110, it wouldn't be hidden. If it allowed port 6881–6887 (bittorrent) traffic on those ports, then everyone would know what you're torrenting.

Again, I don't know *how* vpn works, but it seems to me that it absolutely *has* to be using its own port (let's say it's using port 1194) for the entire tunnel, doesn't it?

I'm just guessing, so, someone who knows should correct my mistakes, but here's how I would *guess* it to work.

User establishes a vpn connection over (say) port 1194 to server 100.100.100.100. The isp can see traffic on that port, to and from that ip address. But the traffic is encrypted.

Now, the op then goes to the web, on port 80, to connect to some web site, and that information is all encrypted over port 1194 until it gets to the vpn server at 100.100.100.100. Then, from that vpn server to whatever web page the op was trying to get to, only then does it go out on port 80 to the desired web server.

Same with port 110. The op opens up his mail user agent which is set to go to port 110 (pop) and that connection is encrypted and sent to the VPN server at 100.100.100.100. At the vpn server, it's unencrypted, and then it goes to the desired mail server on port 110 unencrypted.

Same with the bittorrent ports 6881–6887. From the standpoint of the isp, the op is still on port 1194 to server 100.100.100.100, but, in reality the op is torrenting like crazy all sorts of suzie-loves-dallas videos, wholly unbeknownst to the employer or to the isp. The only one who knows for sure is the vpn server administrator.

Now, if it does *not* work that way, please let me know, because Mr. Unruh certainly knows this better than I do, but it just wouldn't make strategic sense for all the ports to be open when the machine is tunneled into a vpn server.

Reply to
Hüseyin Bölükbaşı
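The walk-through above (and John Hasler's description of the tunnel as IP-over-IP encapsulation earlier in the thread) can be made concrete. The following is an added example, not code from the thread or from any VPN product: it builds a toy inner IPv4/TCP packet addressed to port 80, encrypts it and wraps it in a UDP datagram to the VPN server, then parses the result twice: once the way any on-path router (the WISP included) can, and once the way the VPN server does after decapsulation. The client address 192.168.1.10, the web server 203.0.113.5, the server 100.100.100.100:1194 and the key are all constructed for the demo, and the HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the AEAD a real VPN would use (it is illustrative, not a recommendation).

```python
"""Toy model of a full-tunnel VPN: what an on-path observer parses versus
what the VPN server recovers. Added example; all addresses, ports and the
key are constructed, and the cipher is a stand-in for a real AEAD."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

VPN_SERVER = "100.100.100.100"   # constructed
VPN_PORT = 1194                  # constructed (a common OpenVPN port)
TUNNEL_KEY = hashlib.sha256(b"constructed demo key").digest()


def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header without options; checksum left zero for the demo
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)


def tcp_segment(sport, dport, payload):
    # Minimal 20-byte TCP header (data offset 5, flags PSH|ACK) followed by payload
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


def inner_packet(src, dst, sport, dport, payload):
    seg = tcp_segment(sport, dport, payload)
    return ipv4_header(src, dst, 6, len(seg)) + seg


def keystream(key, nonce, n):
    # Counter mode over HMAC-SHA256: illustrative only, not a vetted cipher
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key, nonce, plaintext):
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tunnel authentication failed")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def encapsulate(inner, client_ip, nonce):
    # VPN client: encrypt the whole inner IP packet, then wrap it in UDP/IP
    body = seal(TUNNEL_KEY, nonce, inner)
    udp = struct.pack("!HHHH", 51000, VPN_PORT, 8 + len(body), 0) + body
    return ipv4_header(client_ip, VPN_SERVER, 17, len(udp)) + udp


def observer_view(pkt):
    # What any router on the path can read: the outermost IP header, the
    # transport ports if the protocol is TCP/UDP, and the size of the packet
    _, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    view = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "proto": proto, "bytes": total}
    if proto in (6, 17):
        view["sport"], view["dport"] = struct.unpack("!HH", pkt[20:24])
    return view


def vpn_server_view(pkt):
    # VPN server: strip outer IP+UDP (28 bytes), authenticate, decrypt, parse inner
    return observer_view(unseal(TUNNEL_KEY, pkt[28:]))


def tunnel_accepts(pkt):
    # True only if the outer packet passes the server's integrity check
    try:
        unseal(TUNNEL_KEY, pkt[28:])
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    request = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"   # constructed
    inner = inner_packet("192.168.1.10", "203.0.113.5", 40000, 80, request)
    outer = encapsulate(inner, "192.168.1.10", b"\x00" * 8)
    print("WISP sees:      ", observer_view(outer))
    print("VPN server sees:", vpn_server_view(outer))
```

The observer's dictionary is exactly the list at the top of the thread: the VPN server's address, the single tunnel port, and the byte count. The inner destination, port 80 and the HTTP request only appear in the server-side view, and a one-bit change to the outer packet makes the server reject it rather than forward a tampered inner packet.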

How do you imagine the packets get from your computer to the vpn provider? They are delivered as packets from some port on your machine to some port on the provider's machine using the standard IP routes.

Agreed. But that is "delivering the packets to the right place", namely to the next agent who may be able to get the packet closer to the end machine. That is the "right place". But it cannot do that without knowing the address, and knowing, for example, that that next hop is not a computer directly connected to itself.

Reply to
William Unruh

William Unruh wrote, on Fri, 05 Sep 2014 22:00:31 +0000:

I never determine, overtly, what port things go out on. I just read my mail. Post mail. Read and post Usenet messages. Read google news. Log into secure and unsecure sites. Bittorrent. Ftp. Telnet. SSH. etc.

If I pick a public VPN server such as cyberghost or vpnoneclick, how do I know which of those applications is going over VPN and which are not?

Reply to
Yaroslav Sadowski

John Hasler wrote, on Fri, 05 Sep 2014 18:14:47 -0500:

So does that mean that all the traffic on all the PC's ports are in the same single-port tunnel to the VPN server?

At the VPN server, do they splay out back to the original ports?

Reply to
Yaroslav Sadowski

William Unruh wrote, on Fri, 05 Sep 2014 21:59:12 +0000:

If I'm going to [link] from Firefox, that would go out on port 80. The WISP could see *everything*, including what search I type, and the fact that I went to [link].

I assume if I use a VPN server, all that is hidden from the WISP.

Fast forward, and now I'm connected to a VPN server, which is using some port, which we can call port 1000 for this purpose.

Now, when I bring up Firefox, EVERYTHING goes through port 1000, right? So, if, in Firefox, I go to [link], doesn't that port 80 HTTP traffic actually go out of my computer on the VPN encrypted port 1000?

So, if the WISP were monitoring port 80, wouldn't he see nothing?

Yet, the PC "thinks" it's going out on port 80, but, by some VPN'ish magic, isn't that port 80 traffic really going out on port 1000?

Reply to
Yaroslav Sadowski

William Unruh wrote, on Sat, 06 Sep 2014 01:49:52 +0000:

I think that *all* traffic *must* be directed to the VPN server! Otherwise, it's like battening only some of the hatches in a storm.

What good would VPN be if it didn't encrypt all the traffic on *all* the PC's ports?

Reply to
Yaroslav Sadowski

William Unruh wrote, on Sat, 06 Sep 2014 01:49:52 +0000:

That's not how I understand VPN to work, but I won't ever claim that I understand VPN.

My understanding is that all traffic goes to the VPN server, and from that VPN server, it then goes to wherever it was originally intended to go, and on the port from that VPN server that it was originally intended to be on.

But, for that to happen, all traffic on all ports of your PC must go to the VPN server on the one encrypted port.

Is that how it works?

Reply to
Yaroslav Sadowski

That's why some people use it, but I wouldn't say that that's its purpose.

I snipped your accurate description of a "full tunnel" VPN connection. With a full tunnel, all of your traffic gets encapsulated and goes into the tunnel, just as you described. When it pops out the other end, the encapsulation is removed and the traffic is forwarded on its way. The response traffic returns to the VPN tunnel endpoint, gets encapsulated, and comes back to you. On your end, it pops out of the tunnel, gets stripped of its encapsulation, and the rest is normal stack flow.

The VPN provider gets to decide whether this will be a full tunnel or a split tunnel. You already know what happens if it's a full tunnel.

If it's a split tunnel, *some* specific traffic goes through the tunnel, as specified by the VPN provider, and everything else goes around the tunnel as if it wasn't there.

[link]

"For example, suppose a user utilizes a remote access VPN software client connecting to a corporate network using a hotel wireless network. The user with split tunneling enabled is able to connect to file servers, database servers, mail servers and other servers on the corporate network through the VPN connection. When the user connects to Internet resources (Web sites, FTP sites, etc.), the connection request goes directly out the gateway provided by the hotel network."

So one of the first questions I would ask is if the VPN will be full tunnel or split tunnel.

Reply to
Char Jackson
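The full-tunnel versus split-tunnel distinction above is a routing-table decision, so the answer to the earlier question "which of my applications go over the VPN?" is: whichever ones talk to destinations the table sends into the tunnel interface, regardless of application or port. The following is an added example, not code from the thread or from any VPN client: a longest-prefix-match lookup run against two constructed tables. The 0.0.0.0/1 plus 128.0.0.0/1 pair is the trick OpenVPN's redirect-gateway option uses to override the default route without deleting it, and the /32 host route for the VPN server via the WISP gateway is what stops the encrypted packets from being routed back into the tunnel. The gateway 192.168.1.1, server 100.100.100.100 and corporate range 10.0.0.0/8 are assumptions for the demo.

```python
"""Longest-prefix-match routing for a full tunnel and a split tunnel.
Added example; the tables and addresses are constructed for the demo."""
from ipaddress import ip_address, ip_network

WISP_GW = "192.168.1.1"          # constructed: home router / WISP gateway
VPN_SERVER = "100.100.100.100"   # constructed
CORP_NET = "10.0.0.0/8"          # constructed corporate address space


def lookup(table, dst):
    """Return (prefix, interface, gateway) of the most specific route for dst."""
    dst = ip_address(dst)
    best = None
    for prefix, iface, gw in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, iface, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best


def base_table():
    # Before the VPN comes up: the LAN plus a default route via the WISP gateway
    return [("192.168.1.0/24", "wlan0", None),
            ("0.0.0.0/0", "wlan0", WISP_GW)]


def full_tunnel_table():
    # Everything into tun0 via two /1 routes that beat the /0 default, except
    # the VPN server itself, whose /32 keeps the encrypted packets on wlan0
    return base_table() + [
        (f"{VPN_SERVER}/32", "wlan0", WISP_GW),
        ("0.0.0.0/1", "tun0", None),
        ("128.0.0.0/1", "tun0", None),
    ]


def split_tunnel_table():
    # Only the corporate range goes through tun0; everything else bypasses it
    return base_table() + [
        (f"{VPN_SERVER}/32", "wlan0", WISP_GW),
        (CORP_NET, "tun0", None),
    ]


def classify(table, dst):
    """'tunnel' if dst leaves via tun0 (encrypted), else 'clear' (WISP sees it)."""
    return "tunnel" if lookup(table, dst)[1] == "tun0" else "clear"


if __name__ == "__main__":
    for dst in ["10.1.2.3", "203.0.113.5", VPN_SERVER, "192.168.1.20"]:
        print(f"{dst:16} full: {classify(full_tunnel_table(), dst):7}"
              f" split: {classify(split_tunnel_table(), dst)}")
```

With the full-tunnel table a web fetch to 203.0.113.5 is classified "tunnel" (the WISP sees only the UDP flow to the VPN server); with the split-tunnel table the same fetch is "clear" and goes out port 80 past the WISP exactly as it would without the VPN, while 10.1.2.3 is tunnelled in both. Checking the active routing table on the client is therefore the practical way to answer the thread's question.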
