What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

Encrypted or not, VPN-tunneled or not, the source and destination IPs are always visible on every IP packet. I'm not sure what you're getting at. There's no valid scenario where one or both addresses are not visible.

It's possible that we're saying the same thing, albeit clumsily. I was only pointing out that in order to send traffic to a particular destination, I don't need to know how to get to that destination, meaning I don't need to know the entire route end to end. I just need to hand off to someone who can get my traffic another step closer. And so on, until my traffic arrives at its destination.

Char Jackson

Yes, if it's a full tunnel. No, if it's a split tunnel.

Yes, when the encapsulation is removed at the other end of the VPN tunnel, the original destination IP and port are once again visible. At that point, though, the source IP and port will not match what it was when that traffic left your system. The VPN provider proxies it for you, and NAT is part of that.

Char Jackson

You're describing a full tunnel VPN. It sounds like you hope that's what this VPN provider offers. If they offer a split tunnel, you won't see the behavior described above.

Nitpick: when you access [formatting link] your traffic doesn't go OUT from port 80. It goes TO port 80 at [formatting link] but it goes OUT from a semi random port on your PC, usually somewhere between 1025 and 65535.

Char Jackson

You'd have to check the routing table.

Jasen Betts
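
One way to act on the "check the routing table" advice on Linux, as an added example that is not part of the original thread: a full tunnel shows up as the default route (or the pair 0.0.0.0/1 and 128.0.0.0/1 that some VPN clients install to override it) pointing at the tunnel interface, while a split tunnel leaves the default route on the physical interface and sends only selected prefixes into the tunnel. The function name, the interface-name prefixes and the sample routing tables are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example. Reads `ip -4 route show` text on stdin, prints full|split|none.
# Assumption: tunnel interfaces are named tun*, tap*, ppp*, wg* or utun*.
classify_tunnel() {
    awk '
    function is_tun(dev) { return dev ~ /^(tun|tap|ppp|wg|utun)/ }
    {
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if ($1 == "default") {
            # Lowest metric wins among competing default routes.
            if (!have_def || metric < best) { best = metric; def_dev = dev; have_def = 1 }
        } else if ($1 == "0.0.0.0/1") {
            low = dev
        } else if ($1 == "128.0.0.0/1") {
            high = dev
        } else if (is_tun(dev)) {
            tun_routes++
        }
    }
    END {
        # Two /1 routes are more specific than default, so they override it.
        if (is_tun(low) && is_tun(high))        { print "full" }
        else if (have_def && is_tun(def_dev))   { print "full" }
        else if (tun_routes > 0)                { print "split" }
        else                                    { print "none" }
    }'
}

# Constructed sample: default route still on wlan0, but both /1 halves on tun0.
FULL_SAMPLE='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

# Constructed sample: only one internal prefix is routed into the tunnel.
SPLIT_SAMPLE='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.20.0.0/16 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600'

printf '%s\n' "$FULL_SAMPLE"  | classify_tunnel
printf '%s\n' "$SPLIT_SAMPLE" | classify_tunnel
# On a live Linux host: ip -4 route show | classify_tunnel
```

The classification reflects only the IPv4 routing table; IPv6 routes and policy-routing rules would need the same check separately.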

It depends on the purpose of the VPN tunnel. :)

If an employer set it up for its employees, they may not want all of your garbage traffic going through the tunnel. They may only want traffic destined for internal company resources.

OTOH, if a 3rd party VPN provider comes along and promises all kinds of anonymity, they're probably offering a full tunnel and then what you describe would be the case. With that kind of VPN, the question of whether you trust your ISP becomes a question of whether you trust your VPN provider.

Char Jackson

Let's say you use Firefox. Firefox connects to the VPN then all traffic from Firefox directed at that VPN goes to the assigned port at the VPN. On your end Firefox is still using whatever port it is assigned to use. Then once connected to the VPN the traffic between you and the VPN is encrypted. On your end you are still using port 80 or whatever port you assigned Firefox to use. If you open another tab and go somewhere else it does not go to that VPN as it was not directed to the VPN so is not encrypted. If you are the VPN server then all of your traffic goes through the VPN and its assigned port encrypted. Also if Firefox is connected to the VPN your mail client, RSS reader, etc. aren't so they go out on whatever ports they are assigned to and are not encrypted, unless you are the VPN server, or unless you encrypt all traffic on your end. If you aim your mail program to go to the VPN then it will still use whatever port it is assigned to. From the VPN it will go out on the VPN assigned port.

Caver1

Only the browser's traffic does and then only the traffic aimed at that VPN. If you open another tab and it is not aimed at the VPN then that tab's traffic does not go through the VPN.

Caver1

Then only the traffic aimed at the VPN is protected by the VPN. If you open another window of that browser or another browser or another tab in that browser that is not aimed at that VPN then you don't have VPN protection in those instances. Nor do your Torrents, email, RSS, Chat unless they go out in the tab that is aimed at the VPN.

Caver1

Char Jackson wrote, on Sat, 06 Sep 2014 01:00:59 -0500:

How can we tell, once connected, if it's a full tunnel VPN or just a split tunnel VPN?

Is there a command we can run from the command line to tell?

Yaroslav Sadowski

Char Jackson wrote, on Sat, 06 Sep 2014 01:05:29 -0500:

I hadn't known this!

Yaroslav Sadowski

The only way to stop the ISP from knowing that you are using what traffic is to use a proxy that is at your end. If you use a remote proxy the ISP can see it is your IP that is connecting to the proxy and the IP of that proxy. The destination IP can still be seen. Proxies only change the IP of where the traffic came from and only after that traffic connects to that proxy. Unless you use TOR as they don't know where it is going or where it came from; only TOR knows that because TOR uses its own bridges.

Caver1

Jasen Betts wrote, on Fri, 05 Sep 2014 23:14:39 +0000:

My mistake for not being clear. The user doesn't switch ports - the VPN does it. I think you've explained it adequately, with the concept of a full tunnel.

The only thing I don't know is how to tell if you're on a full tunnel or only a split tunnel from the Linux/Windows command line.

Yaroslav Sadowski

VPNs only encrypt the traffic; they don't hide IPs or ports.

At the VPN's end. The traffic is aimed at whatever port your browser is using.

Yes.

Caver1

Only if you use the same browser window or tab that is connected to the VPN. Your Email does not go through the VPN, as it doesn't go through your browser, unless you are the VPN and then only if the VPN is configured to encapsulate whatever, full/split tunnel. Same goes for VOIP or anything that connects to the internet.

Caver1

It really doesn't matter unless you originate from that VPN. As only your traffic that is aimed at the VPN connects to that VPN. So if you aim the window and tab at the VPN, and only use those specific ones, then only the browser's traffic goes through the VPN.

Caver1

Caver1 wrote, on Sat, 06 Sep 2014 07:46:03 -0400:

Oh oh. Now I'm confused again.

Always assuming "full tunnel" VPN, if someone opens Firefox and then points to google.com, does that web (http) traffic go out on a semi-random port between 1025-65535 and then go to port 80 at Google's IP address 74.125.239.33?

Or, does that web traffic go out on whatever port the VPN tunnel is using (e.g. port 5000), and, only *after* it gets through the VPN server, does it then go out on a semi-random port between 1025-65535 of the VPN server and then go to port 80 at Google's IP address 74.125.239.33?

Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 07:41:43 -0400:

This is confusing so I will ask for clarification by way of example. Always assuming full-tunnel VPN, if someone went to three web sites, say, google.com, yahoo.com, and apple.com, are you saying that the ISP can see all three web sites when the user is using VPN?

Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 07:22:10 -0400:

This is counterintuitive and can't possibly be true.

Remember, nobody here is talking about a web-based VPN solution; that would be (almost) silly, since Tor will do that for you alone, at least to the exit node.

We're always talking about a full-tunnel VPN solution, probably something that is negotiated at bootup time, and which has to, by necessity, handle *all* traffic coming out of the PC to the Internet.

So, if you open another window of that browser, or another browser, it shouldn't make any difference whatsoever. If it did, that would be a really lousy implementation, and would just be silly.

I'm so confused by these answers because it would be crazy to have just one browser tab on VPN. It *must* be either the whole machine, or nothing.

So, the entire quoted paragraph is confusing.

Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 07:08:53 -0400:

This is so confusing, since you start the VPN session from the command line, and it has *nothing* whatsoever to do with what program you plan on running, since *all traffic* in this full-VPN solution must, by necessity, be encrypted.

So, it makes no sense to have only one tab of one browser session encrypted. I've never heard of such a thing, and, while it might very well exist, it's so useless that I can't imagine "me" ever using such a limited implementation.

That would be no different than just pointing that one tab to a proxy server, which would be useless because it wouldn't handle all the other ports, which, by necessity, a full VPN solution must do.

Yaroslav Sadowski

The traffic from the VPN goes through the port that is assigned to port 80 at Google. If your company allows you to connect to the internet for reasons other than company business then they could still block certain sites. The web traffic still goes out of the assigned port of the VPN. Example: my wife's company uses a VPN; we can connect to it from home. When she is at work a big majority of sites she cannot connect to but there are a few. From home we can only connect to the internet through their program/browser, not ours. So it depends on how the VPN is configured.

No, it only connects through one port as the VPN is the server.

Caver1
