What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

Yes.

Reply to
Caver1

Caver1 wrote, on Sat, 06 Sep 2014 07:59:16 -0400:

I'm very sorry, but I don't understand this "one-browser-one-tab" VPN stuff, since we're always talking about what has been called "full-VPN" where every program and every port is supposed to be encrypted.

Anything less would be crazy because you're bound to make a mistake.

To see what's going on, I installed vpnoneclick on 64-bit Ubuntu:

sudo dpkg -i vpnoneclick_ubuntu64.deb
gksudo vpn1click &

A window popped up, saying:

Your public ip address is 198.143.153.42 - United States
Your real ip address is: [it had my real ip address there]
Expiring date 2014-09-13

I opened up Firefox, and pointed it to whatismyipaddress and it reported my IP address is 198.143.153.42.

I opened a second Firefox tab, and it still reported that VPN IP address!

I opened up a second browser (Chrome), and it still reported the same VPN IP address!

I ran "inxi -i" and it still reported the same VPN address!

So, you're totally confusing me when you insist that one browser tab is encrypted while other browser tabs and other browsers and other apps are not.

It seems to me that this full-VPN solution (which is the only kind we're discussing here), absolutely *has* to encrypt all traffic, or it would be (essentially) useless.

Reply to
Yaroslav Sadowski

If a window/tab is aimed at the VPN then and only then will the traffic go through the VPN. If the traffic originates from said VPN then all traffic goes through the VPN as it has no other way to get out. Say I connect to a company's VPN in one tab/window; then all traffic goes to that VPN in that tab/window only. If I open another tab/window and type in google.com then that tab's traffic goes straight to Google, not through the VPN, because you did not connect that tab/window to the VPN. It's just like if you open your browser and go to Google, then open another tab/window and go to Yahoo: the second tab's/window's traffic doesn't go through Google to get to Yahoo.

Reply to
Caver1

Caver1 wrote, on Sat, 06 Sep 2014 07:52:54 -0400:

That paragraph makes no sense to me, given how "I" understand a full-vpn solution.

I just installed, as a test, vpnoneclick.

sudo dpkg -i vpnoneclick_ubuntu64.deb
gksudo vpn1click &

A window popped up, saying:

Your public ip address is 198.143.153.42 - United States
Your real ip address is: [it had my real ip address there]
Expiring date 2014-09-13

When I go to the command line and type "inxi -i", it shows me the VPN address of 198.143.153.42.

When I bring up Firefox and point it to whatismyipaddress, it shows me the VPN address of 198.143.153.42.

When I open another Firefox tab, and point it to whatismyipaddress, it shows me the VPN address of 198.143.153.42.

I don't know how to tell if my email (Thunderbird) is going to that IP address, but I sure *hope* it is.

Likewise with my torrenting. And my nntp. etc.

If *every* port wasn't encrypted, that would be a really lousy VPN implementation (IMHO), and (to me), it would be nearly worthless if only one tab in one browser were encrypted.

So, every time you say that only one tab in one browser is protected, it confuses me.

Reply to
Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 08:27:08 -0400:

Well, if that's the case, full VPN is (nearly) useless.

In fact, I think, nobody would use it if that's how full VPN really works.

I'm not saying "I" know how it (does, or) should work, but if full VPN really allows the adversary to see every IP address you're going to, then full VPN is (nearly) useless.

Reply to
Yaroslav Sadowski

It depends on the address not the port in general I believe.

It depends on how you have set it up.

Not necessarily.

No. Your PC always knows what port the traffic goes out on. It after all puts the little tag on the packet telling the remote address what port it came from and what port it is going to.

The port is a software thing. It is a tag in the address of the packet which the computer at the other end reads so it knows what program to send the packet to.

Reply to
William Unruh

True, but only in that instance that was used. Your Email, RSS, VOIP, etc. are not part of that instance.

Two or more open tabs are not pointed at the same destination so only the one that is aimed at the VPN is encrypted by the VPN. Now if you aimed them all to the VPN first then the VPN would encrypt them. How would the VPN encrypt traffic that it never receives?

That is a different situation as the browser is set up to use a proxy, not individual tabs. The browser is not set up to use a VPN. Unless you originate from that VPN. Then it's still not the browser that is set up to only go through that VPN; it's the VPN that is set up either to make all traffic go/not go through it. Full tunnel/split tunnel. A VPN cannot control traffic that does not originate from it unless that traffic is connected to it.

Reply to
Caver1

Only traffic that originates from that VPN or is connected to it. VPN has no control over outside traffic unless it is connected to it. A VPN has no control over your traffic that you don't aim at that VPN.

Reply to
Caver1

Caver1 wrote, on Sat, 06 Sep 2014 08:39:24 -0400:

This conversation, while I appreciate you trying to help me, is the most confusing I've ever had on Usenet.

If full VPN worked only in a single tab of a single browser, it would be next to worthless.

I can't even fathom what you mean by "aiming" a browser tab at a VPN????

What is that?

You *start* VPN from the Linux command line (at least I do). It *should* encrypt *all* traffic. Whether that traffic comes from a browser or a mail user agent or a bittorrent client or an nntp news client, etc., shouldn't matter.

Why you keep insisting that someone "points" a browser tab at VPN is unfathomable, to me, since I've *never* experienced that type of VPN. I'm sure it exists, but, to me, *that* type of VPN would be (nearly) useless.

I just went to my Windows machine, and installed cyberghost.

You download their file, and then you reboot, and it runs automatically.

I open up Internet Explorer, and I point it to whatismyipaddress, and it says I'm some IP address in Germany.

I open up another tab in Internet Explorer, and it *still* says I'm that IP address in Germany.

I open up Firefox and it *still* says I'm that IP address in Germany.

I don't know how to ask, from the Windows command line, what my IP address is, nor how to ask from the mail user agent or nntp client, but, I'm sure *hoping* that it would still indicate that my IP address is some IP address in Germany.

If full VPN didn't work that way, it would be (nearly) useless. So, it *must* work that way, despite you keep telling me full-VPN only works for a single tab in a single browser window.

Reply to
Yaroslav Sadowski

route -n

Reply to
William Unruh

The first step of learning.

The vpn is another net connection, like eth0, wlan0,... The routing tables in your computer tell your computer which of those routes should be used for the particular address your packet is destined for. If it is one of the addresses the routing tables say should go over the vpn, it will then be encrypted, and the vpn address and port tacked on. The packet will have those addresses stripped off at the other end, the real address and ports revealed and the now unencrypted packet sent on at the other end, but repackaged with NAT to have any replies come back to the vpn server, which then redirects them through the vpn to you.

Your employer does NOT want all your movie watching, tor downloads, etc. clogging up his network, so will only want employment related stuff going through the vpn.

Reply to
William Unruh

It means that the address the packet is destined for is an address listed in your computer as having to go through the vpn.

no

It is the destination that is important, not the source.

They have obviously set up their program to have it tell your machine to send all traffic to that address in Germany, so the NSA/German equivalent can more easily monitor all your internet traffic. :-)

I.e., the routing tables have been set up to route all traffic through the vpn. Your employer may well have different desires. Note that your employer would be very very unhappy if you used cyberghost, since the traffic is easily readable by that ISP in Germany.

Reply to
William Unruh

William Unruh wrote, on Sat, 06 Sep 2014 13:01:34 +0000:

OK. I will try to see how "route -n" tells me if I'm running a full or split VPN tunnel when I established a connection to vpnoneclick using:

$ gksudo vpn1click &

After about a minute, "inxi" tells me my IP address is "198.143.153.42", which is apparently a USA VpnOneClick server:

$ inxi -i | grep eth0
WAN IP: 198.143.153.42 IF: eth0 ip: N/A IF: tun0 ip: 10.43.0.210 IF: wlan0 ip: 192.168.1.3

Here is what the "route -n" reports:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.209     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.43.0.1       10.43.0.209     255.255.255.255 UGH   0      0        0 tun0
10.43.0.209     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.43.0.209     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0

I'm not sure how to interpret those "route -n" results. Is this a full-VPN solution? And, what is that IP address for "108.178.54.10" which seems to resolve to "kryptotel", whatever that is?

I recognize 192.168.1.1 as my home broadband router. I recognize 198.143.153.42 as the VPN server. But, all the rest, I don't know how to interpret.

Reply to
Yaroslav Sadowski
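An added example, not part of the thread: a Python script that parses the "route -n" table Yaroslav posted above (embedded here as constructed input), reproduces the kernel's longest-prefix route selection, and reports whether the two /1 routes over tun0 make this a full tunnel and which /32 host routes still leave via wlan0, i.e. the destinations the ISP still sees directly. The probe addresses are arbitrary test-net values chosen for the example.

```python
import ipaddress
# Constructed from the "route -n" output quoted in the thread above.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.209     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.43.0.1       10.43.0.209     255.255.255.255 UGH   0      0        0 tun0
10.43.0.209     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.43.0.209     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
"""

def parse_routes(text):
    """Parse 'route -n' text into (network, gateway, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or not parts[0][0].isdigit():
            continue  # skip the two header lines
        dest, gw, mask, _flags, metric, _ref, _use, iface = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, int(metric), iface))
    return routes

def lookup(routes, addr):
    """Kernel-style choice: longest matching prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, gw, metric, iface in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return None if best is None else (best[1], best[2])

def classify_tunnel(routes, vpn_iface="tun0"):
    """Return ('full'|'split'|'none', [/32 destinations that bypass the VPN]).
    Two /1 routes beat the /0 default, so a full tunnel needs no default change."""
    probes = ["10.200.0.1", "100.64.0.1", "192.0.2.1", "203.0.113.1"]  # constructed
    hits = [lookup(routes, p) for p in probes]
    via_vpn = sum(1 for h in hits if h and h[0] == vpn_iface)
    mode = "full" if via_vpn == len(probes) else "none" if via_vpn == 0 else "split"
    bypass = sorted(str(n.network_address) for n, _, _, i in routes
                    if n.prefixlen == 32 and i != vpn_iface)
    return mode, bypass

RESULT = classify_tunnel(parse_routes(ROUTE_N_OUTPUT))  # ('full', ['108.178.54.10', '198.143.153.42'])
```

The /32 exceptions are the only destinations whose packets leave in the clear on wlan0; one of them has to be the VPN server itself, or the tunnel could never be built.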

It encrypts all traffic that goes through it and only that traffic. With Vpnoneclick you downloaded that VPN's software and installed it, so you are part of that VPN, so your traffic from browsers is seen as originating from that VPN; you are that VPN. That software is not coded for mail (unless you use webmail), RSS (unless your browser is set up to be the RSS reader), VOIP or anything else. They can go through that VPN only if they go through the connection you have with that VPN or if you configure all of your internet programs to go through the VPN you now have. If you go to a remote VPN that does not provide software to install that makes you part of that VPN, none of your traffic that is not aimed at it is encrypted, because that VPN has no control over any traffic that does not originate from it or is not aimed at it. If a VPN could encrypt all traffic it doesn't have a connection to, then all traffic on the internet would be encrypted. If you connect to that remote VPN then it sees that traffic as coming from itself, as you are now part of that VPN in that one window/tab and only that one window/tab. With a company's VPN or another remote VPN you are not part of that VPN except for the connection that you created to that VPN. Not traffic that doesn't go through that connection, because unless the rest of your traffic goes through that connection that VPN does not know that traffic even exists. Now if you want to set up a VPN for yourself then all of your traffic can be encrypted.

Reply to
Caver1

Let me try again as my message does not seem to have gotten out.

Your computer has a routing table which tells it which output from the computer to use for which addresses. Some addresses (127.x.x.x) should be handled locally, some should go out on your ethernet, some on your wireless, and some on your vpn tunnel. You can read that table by typing route -n

Now, if an address is listed as going through the vpn it is encrypted (including its destination address and port and source address and port), a new destination/source address and port tacked on (the dest being the vpn server) and shipped out. If the address is listed as going through some other route, it will be shipped out directly on the appropriate vehicle (eth0, wlan0,...)

Your employer is almost certainly not interested in clogging up his network with your movie downloads, your tor downloads, etc. So he will want you to have your routing table set up to send only employer addresses down the vpn. Or maybe not.

Reply to
William Unruh

Now run route -n

and show us what it says.

Reply to
William Unruh

Remember that you are not part of your company's VPN until you login. Then only that connection is part of it. Any traffic that does not go through your company's VPN is even seen by that VPN. If you open another tab it is not part of that connection unless you make another connection for it to the VPN, and if your company's VPN is set up to accept more than one login from one person at the same time. You are not covered by that VPN until you login, and only for the window/tab that you login with. If all windows/tabs were seen by the VPN it would be like you having to go through Google in all windows/tabs because the first window/tab connected to Google. You well know that is not the case unless you set up your home page to be Google's site and if you configure your browser to have its tabs connect to Google when opening. Also you don't decide if the VPN is full tunneled or not; the VPN does. And then only if the traffic originates from that VPN or only for the connections that are made with it, because they become part of the VPN.

Reply to
Caver1

If you set up your own VPN then full tunneling is very useful. Remember you have to be part of the VPN from the start to take advantage of full tunneling, not just connected to the VPN from somewhere else. Then also only if the "outside" place is also connected to your VPN. The "outside" connection is made by that site that wants to become part of it. The VPN cannot connect to anything "outside" of it on its own. The full/split tunneling is for the benefit of the VPN, not for the connection that is made from outside of the VPN. Only the connection that you make is covered with the protection of the VPN. If your company lets you connect to other places that are outside of the VPN then you are protected there also only if that site is also connected to the same VPN.

Reply to
Caver1

The connection to Google.com would show everything unless Google.com is connected to the VPN. By being connected Google.com would be part of the VPN. A VPN is set up only for the company's protection as it will only let those allowed to become part of it.

Reply to
Caver1

Yes. They couldn't route your traffic there, otherwise!

Yes.

Not completely. It's unlikely [by god I hope it is] that a given VPN service will be using its own homebrew crypto system. As such, an eavesdropper will at least be able to tell what type of encryption it is. For example, if HTTPS is used, the certificate serial number/thumbprint should be unique, and the Common Name of the certificate will be visible, and should equal the hostname of the service. For an example of this, capture some of your own encrypted traffic with Wireshark and drill down into it.

If it's encapsulated inside the tunnel, yes. Note that even if it's all encrypted, certain patterns of traffic will be unique and leave you vulnerable to traffic analysis.

I would have thought that traffic analysis would be beyond what an ISP would be doing, but with the ever-decreasing cost of processing power, network equipment vendors could well [or already are] integrating traffic analysis into their products for the purposes of logging, traffic shaping or blocking. I bet there are some nasty governments out there who would lap this stuff right up.

Reply to
alexd
