What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

ISTM that Caver1 has, all this time, been talking about a simple https connection for logging into a company's network and calling the company's internal network a VPN. I think that explains the fixation with browsers and tabs and what other software at the local end cannot do under this circumstance.

Reply to
Roger

Char Jackson wrote, on Sat, 06 Sep 2014 16:42:15 -0500:

Thanks! Yours is the answer that makes sense.

Reply to
Yaroslav Sadowski

...

Well, not really as far as I know. Your routing table needs root permissions to change. If setting up a vpn allowed some other system-- the remote vpn server-- root permission on your system, it would be a horribly insecure system. It is you, in setting up your vpn client, that sets up the routing table. Now that may be via software provided by that server, which will rewrite your routing table for you. But it would be far more secure for you to rewrite your own routing table. Otherwise you download software provided by these wonderful people who offer you full tunneling vpn service, and now they have root on your machine, and can install whatever tracker/hacker software they want. Shudder.

Note in the case of the routing table that Yaroslav posted there was a really weird thing. The default route was wlan0. The tun0 (vpn tunnel I assume) had a routing entry of 0.0.0.0 but with a genmask of 128.0.0.0, which suggests that only traffic with an IP address greater than 128 in the first octet would be directed down the tunnel. That is just weird.

That is how I understand it too.

Well, it confuses me as well.

Reply to
William Unruh

Tell me how your connections are kept when the tunnel is closed.

Reply to
Caver1

I know what a full tunnel is. All traffic from the connection goes to who owns the tunnel.

Reply to
Caver1

See my explanation of it elsethread.

Reply to
alexd

What corrections? All you or the others say is no, and it is mostly you. Show one place where you posted a correction.

Why not? Explain yourself.

Reply to
Caver1

Explain yourself. Where am I confused/wrong, and if so, why? You know nothing about my motivations.

Reply to
Caver1

Why does it matter when either type of tunnel is closed? The connection is broken, nothing else; the effects are the same. I never said that a full tunnel is the same as a split tunnel, anywhere.

Reply to
Caver1

Show one place where he explained anything.

Reply to
Caver1

William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:

This is the key detail that other people were confusing me on, and which I'm glad is clearly described by you.

So, we can lay to rest the question of whether the ISP can see the port out or into the destination, and the destination. They can't.

The VPN solution I'm testing over this weekend, to get a flavor for how it works, is this full-VPN freeware one, which only lasts a week, but which is long enough to test it out:

formatting link

Reply to
Yaroslav Sadowski

William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:

They already shipped a blue hardware VPN box, so, I think *everything* will be going through the VPN.

Reply to
Yaroslav Sadowski

Sending traffic through a tunnel is the same thing as sending the traffic/data to the VPN. A VPN is nothing more than a safe way to send traffic/data to the network. Basically, once you connect you are part of that network with limited permissions, which are set up by the company. They can be more or less, depending on what the owner of that network will allow you. Nobody can see that traffic, but the end points can be seen if someone is looking for them. Which was also stated by someone else in this thread.

Reply to
Caver1

/sbin/route

but then you have to understand what it says.

Reply to
Jasen Betts

You do not know as much as you think you do. You would not get any correct information for the IP that is "shown". Hell, most places, including Whois, don't show my correct location from my real IP.

Reply to
Caver1

[I deleted some spaces to re-join the lines]

yeah it's full.

the route to half the internet goes through tun0: (which is the VPN)

and so does the other half:

the exceptions being those routes with more bits set in the genmask (these will have higher numbers)

not this one, it was your route before starting the VPN.

these two are explicitly routed via the original internet connection

198.143.153.42 is kryptotel too,

Reply to
Jasen Betts

No, I said they could see the domains or the end point, but they do not know who it is or where it came from unless they put some time into it, which I doubt. You also never asked if the ISP could tell (see) if it was you. I said yes, they can see those domains but don't know anything about the traffic going there. Unless it's the Gov't, and if it really desires that information, it will find the end points and, depending on the encryption used, maybe even the data that is being sent. If the Gov't can do it, do you really think no one else can? How do you think hackers are getting into company networks? Sometimes it is by direct hammering against the network, whether or not the company is using a VPN for its internet connection. I also never said the ISP could see the port being used. Go back and look. I will save you the trouble:

"This is confusing so I will ask for clarification by way of example. Always assuming full-tunnel VPN, if someone went to three web sites, say, google.com, yahoo.com, and apple.com, are you saying that the ISP can see all three web sites when the user is using VPN?"

My answer was: "Yes." Also: "They can see all three web sites but not that it is you that is connected or what data you are carrying with you." The question asked if the ISP can see all web sites, not you/him/whatever.

Show me where those answers are wrong. Nothing was even mentioned about ports. Even if it is encapsulated by the network, it still has to show where it is going if you want to get there. That is also true using TOR. The only difference is that TOR's servers and bridges are the only ones that see your traffic until you leave the TOR web to get to your final destination. Even if the contents are encrypted, the starting and ending points are known, except if you are using the TOR browser; then only the end point is seen by anyone other than the TOR network, which has to know your IP and remember it, because you are not in the TOR network for the final "step" to your destination, so the TOR network can pass any kind of response back to you.

Reply to
Caver1

Caver1 wrote, on Sat, 06 Sep 2014 13:48:48 -0400:

I'm not sure if I understand the question, but, the VPN I just tested has no "login" per se.

a) You boot your Linux laptop, and nothing is encrypted yet.
b) You run "gksudo vpn1click &" and now you send *everything* to the VPN.
c) You kill the vpn process, and then you're back to step (a) above.

I'm not sure what this is asking, but, the connection to the VPN is initiated with the following command, with the routes as shown below.

Here's the route -n after rebooting but before connecting to the VPN server:

formatting link

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
    This is your original default route.
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
    This is a route to your LAN out of wlan0.

$ gksudo vpn1click &
$ inxi -i | grep eth0
WAN IP: 198.143.153.42 IF: eth0 ip: N/A IF: tun0 ip: 10.43.0.210 IF: wlan0 ip: 192.168.1.3

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.209     128.0.0.0       UG    0      0        0 tun0
    This covers a destination of 0.0.0.0 to 127.255.255.254. This is the 1st half of the Internet split by the VPN provider.
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
    This is your original default route.
10.43.0.1       10.43.0.209     255.255.255.255 UGH   0      0        0 tun0
    Unsure what the significance of this is.
10.43.0.209     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
    This means that 10.43.0.209 can be reached by a packet out of tun0.
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
    These two are static routes added by the VPN client software. The only traffic that doesn't traverse tun0 is traffic to these two IP addresses.
128.0.0.0       10.43.0.209     128.0.0.0       UG    0      0        0 tun0
    This covers a destination of 128.0.0.1 to 255.255.255.254. This is the 2nd half of the Internet split by the VPN provider.
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
    This is a route to your LAN out of wlan0.

Note: The fact that lo0 doesn't appear in the routing table, accounts for 127.0.0.0 - 127.255.255.255.

I recognize 192.168.1.1 as my home broadband router. I recognize 198.143.153.42 as the VPN server.

'Iface' is the interface on which the gateway IP address can be reached.

Then, when I kill the vpn, here's the route:

$ ps -elfww | grep vpn
0 S usr   3170 1701  0  80   0 - 58576 hrtime 13:15 pts/0 00:00:01 gksudo vpn1click
4 S root  3175 3170  0  80   0 - 17214 poll_s 13:15 ?     00:00:00 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
4 S root  3176 3175  2  80   0 - 36051 poll_s 13:15 ?     00:00:16 vpn1click
5 S root  3331 1701  0  80   0 -  8266 poll_s 13:15 ?     00:00:05 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon

$ sudo kill -9 3170 3175 3176 3331
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0

I notice that the VPN server of "198.143.153.42" is *still* in the route.

----------------------------------------------------------------------------

Reply to
Yaroslav Sadowski
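Added example (editor's code, not from any poster in this thread): the two "half the internet" routes that Jasen Betts and Yaroslav Sadowski discuss above work because the kernel picks the longest matching prefix, so 0.0.0.0/1 and 128.0.0.0/1 together beat the untouched 0.0.0.0/0 default without the client ever having to delete it, while the /32 host route to 198.143.153.42 keeps the encrypted OpenVPN packets themselves on wlan0. The script below parses the three `route -n` tables Yaroslav posted (copied here as constructed string constants), does that longest-prefix lookup, and reports which destination IP actually leaves the home uplink, which is all the WISP can see. It assumes the loopback entry lives in the kernel's separate `local` table (which is why 127.0.0.0/8 does not appear in `route -n`) and that anything routed out tun0 is carried inside an outer packet to the VPN server; the destination addresses used for the lookups are RFC 5737 documentation addresses, not hosts from the thread.

```python
import ipaddress

# Constructed copies of the three `route -n` tables posted in the thread
# (before connecting, with the VPN up, and after killing the VPN processes).
ROUTE_BEFORE_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
"""

ROUTE_WITH_VPN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.209     128.0.0.0       UG    0      0        0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
10.43.0.1       10.43.0.209     255.255.255.255 UGH   0      0        0 tun0
10.43.0.209     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
128.0.0.0       10.43.0.209     128.0.0.0       UG    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
"""

ROUTE_AFTER_KILL = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
"""

VPN_SERVER = "198.143.153.42"                    # the VPN server named in the thread
LAN = ipaddress.ip_network("192.168.1.0/24")     # the poster's home LAN
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")   # assumed: kernel 'local' table, not shown by route -n


def parse_route_n(text):
    """Turn `route -n` output into (network, gateway, flags, metric, iface) tuples."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] in ("Kernel", "Destination"):
            continue                              # skip the two header lines
        # Destination + Genmask -> network; "0.0.0.0" genmask parses as /0, "128.0.0.0" as /1
        net = ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False)
        routes.append((net, f[1], f[3], int(f[4]), f[7]))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest metric; returns (iface, gateway)."""
    addr = ipaddress.ip_address(dst)
    if addr in LOOPBACK:
        return ("lo", None)
    best = None
    for net, gw, flags, metric, iface in routes:
        if addr in net:
            key = (net.prefixlen, -metric)        # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, iface, gw)
    return (best[1], best[2]) if best else (None, None)


def outer_destination(routes, dst):
    """Destination IP on the packet that actually leaves the home uplink,
    i.e. the only address the ISP/WISP gets to see for this flow."""
    iface, gw = lookup(routes, dst)
    if iface == "lo" or (iface == "wlan0" and ipaddress.ip_address(dst) in LAN):
        return None                               # never reaches the ISP
    if iface == "tun0":
        return VPN_SERVER                         # inner packet rides encrypted inside OpenVPN
    return dst                                    # sent in the clear to the real destination


if __name__ == "__main__":
    # 192.0.2.10 is in the "low" half (first bit 0), 203.0.113.5 in the "high" half
    for label, table in (("before", ROUTE_BEFORE_VPN), ("vpn up", ROUTE_WITH_VPN), ("killed", ROUTE_AFTER_KILL)):
        routes = parse_route_n(table)
        for dst in ("192.0.2.10", "203.0.113.5", "198.143.153.42", "192.168.1.1", "127.0.0.1"):
            print(f"{label:7s} {dst:16s} -> {lookup(routes, dst)}  ISP sees: {outer_destination(routes, dst)}")
```

With the VPN up, every public destination resolves to tun0 and the uplink only ever carries packets addressed to 198.143.153.42 (plus 108.178.54.10, which the client routes around the tunnel). The third table is the practitioner's caveat: once the OpenVPN process dies, the same lookups fall straight back to the 0.0.0.0/0 default via 192.168.1.1, and the true destinations reappear on the wire with nothing on the host objecting, which is why full-tunnel setups are usually paired with a firewall rule that only permits outbound traffic on wlan0 to the VPN server.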

I am not trying to confuse anyone. There is no gibberish there. At least none that you have corrected.

I asked nothing. Your home ISP cannot "see" the destination unless that site also uses that ISP. But whatever does the final handoff does. Your ISP does know where you are going, as you "tell" it. You tell it to every ISP, switch, bridge, whatever you pass through.

Reply to
Caver1

Yes you initiated the connection not the VPN. My answers are for you connecting to and using your company's VPN not a public one. The scenarios are totally different.

Ok.

Reply to
Caver1
