What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

You basically tell every switch or whatever that you connect with where you are going. That can't be encrypted. The new destination that is tacked on by the VPN is not encrypted and has to be the correct one if you want to get to your destination. Notice this does not include ports. The ISP doesn't need to know what ports are used. Only the browser has to know. Because at that point you are no longer going through the tunnel that you are connected to the VPN with. You are in no tunnel at that point. There can't be a tunnel to any web sites as they aren't connected to any VPN. The destination can't read your encryption unless it has the key. If you want to go to say Netflix to have a movie streamed to you, encryption will not help you, it will only hinder you. What is Netflix going to do with whatever is encrypted? So that traffic can't be encrypted regardless of whether it's a public or private VPN or if it is a full tunnel that you are connected to the VPN in. A public VPN can only hide who you are, your IP, nothing else. If it did encrypt your traffic, how is Netflix going to handle it? There are no tunnels created by a public VPN except maybe between you and it. The other sites you go to do not connect to that VPN. That VPN can only hide your real IP.

Remember you were asking about going through your company's VPN to browse the web. You are doing the same thing with any VPN, public or private. Will your company even let you go to those sites through its network? Only you and your company know that. Which is what you would have to do to use a full tunnel.

Reply to
Caver1

By using that box you are part of their network and not just connected to it. If you had to have hardware to just connect to a VPN you would never connect to your company's VPN through the internet. So you paid for their full service? They didn't send anything to me for the week trial period. Why would they? Just for a week? Good for you if they did. :)

Reply to
Caver1

No, I am talking about VPNs. We connect to my wife's company's VPN several times a week. Nobody here has explained how they work, just that they do or don't. We cannot connect to the internet through their network.

Reply to
Caver1

No simple https connection, we have to have the Citrix client installed or we can't connect. Not just not able to login, can't connect at all. It is a VPN.

Reply to
Caver1

Caver1 wrote, on Sat, 06 Sep 2014 20:51:28 -0400:

I think the way it works with the full VPN solution is that the VPN is *always* where you are going, at least for the first hop.

From there, I agree, it's no longer encrypted, as it goes to the next hop(s) to the final destination.

The part that is critical is only the first hop, because that's where the ISP lies.

Well, the first hop to the VPN is encrypted, and that's all that matters for this purpose. The next hop(s) are not encrypted, as they go *out* of the VPN server, to Netflix, and back. Then, the last hop on the return is encrypted again, which is from the VPN server back to my PC, where, again, the WISP is blissfully unaware of my eclectic movie selection! :)

  1. The first outgoing hop is encrypted from the PC to the VPN server somewhere on the Internet (e.g., to vpnoneclick at 198.143.153.42).
  2. The next hop(s) to Netflix are not encrypted, but they don't matter for the purpose of the WISP knowing what is going on.
  3. Netflix then sends unencrypted data back to the VPN server at 198.143.153.42 for the return communication path.
  4. The final hop, from the VPN server at 198.143.153.42 back to my PC at home, will be encrypted again.

So, only #1 and #4 need to be encrypted in order to keep the details of the Netflix domain and port "secret" from the WISP.

At least, that's how I currently understand the process to be. :)

Reply to
Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 20:56:27 -0400:

I think two unrelated things are mixed up in that paragraph, so, it may be my fault for not being clear. I apologize.

The company sent me the blue vpn hardware box. They said they already configured it so that I can plug it into my network, and told me to call the IT guy on Monday if I have a problem with it.

The free vpn solution from

formatting link
was just a Debian file which I installed with $ sudo dpkg -i vpnoneclick_ubuntu64.deb

And then I ran it using: $ gksudo vpn1click &

Reply to
Yaroslav Sadowski

Char Jackson wrote, on Sat, 06 Sep 2014 13:34:11 -0500:

Hi Char Jackson, Is this how it works for the tested vpnoneclick server application?

  1. I install and run the vpnoneclick solution: $ sudo dpkg -i vpnoneclick_ubuntu64.deb $ gksudo vpn1click & NOTE: This part works, I'm just explaining to be complete.
  2. With VPN now running, my newsreader client tries to connect to the nntp newsserver freenews.netfront.net at port 119.
  3. That traffic is encrypted and routed to the VPN server on the Internet at 198.143.153.42 (let's ignore the fact that the VPN server seems to break up the Internet into two pieces).
  4. From that VPN server 198.143.153.42, the traffic is unencrypted, and then sent to nntp newsserver freenews.netfront.net at port 119.
  5. The nntp newsserver freenews.netfront.net at port 119 sends the unencrypted response back to the VPN server at 198.143.153.42.
  6. That VPN server at 198.143.153.42 encrypts that response, and sends it back to my laptop.
  7. My laptop vpnoneclick software unencrypts the information and sends it to the nntp newsreader client application.

I'm not sure if that's full tunnel VPN, or not, but, it appears to be full tunnel for the critical hop between #2 and #3 since all applications and all ports send data which is encrypted by the vpn1click software.

Likewise, it appears to be full tunnel for the return hop between #6 and #7. Am I using the term "full tunnel" correctly though?

Reply to
Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 20:08:33 -0400:

I agree they are probably totally different (I don't really know).

All I'm trying to do, at first, is *understand* how the VPN works that I have some control over, which is the public VPN server at vpnoneclick (or cyberghost or vpnreactor, or whatever).

Reply to
Yaroslav Sadowski

Char Jackson wrote, on Sat, 06 Sep 2014 11:17:37 -0500:

Good. That's exactly what I was *hoping* would happen.

a) I point three different applications to three different domains using three different ports ...

b) They all get "tunneled" into one encrypted data stream on a single port on the VPN server at 198.143.153.4.

That way, the WISP can't "see" exactly what it is.

The WISP just sees 3 bursts of "activity" on the one port that connects to the VPN server at 198.143.153.4 (I think).

So, the WISP, I think, can 'see' only three things: a) Three bursts of activity, b) To VPN server 198.143.153.4, c) On some random port (chosen by the VPN software client on my machine).

Reply to
Yaroslav Sadowski

Well, no, however many hops it takes to get to the vpn server, it is encrypted all that way. Once at the server, the encrypted contents of the package are decrypted, the destination address/port of the packet are used to route the packet, the source address/port are replaced by the VPN server source and a random port number, with a record kept of which address/port that random port is supposed to map to so that the return packet can be directed to the right place, and the packet sent on.

Of course the vpn server knows exactly what your eclectic movie selection is. Are you more worried about your boss or about some ISP knowing about you?

But again, while it hides it from your WISP it does not hide it from the vpn server. Which do you trust more?

Reply to
William Unruh
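
The rewrite-and-remember step William describes (and steps 3 to 6 of the nntp walk-through earlier in the thread) as a toy model. This is an added example, not vpnoneclick's or any real server's code; real servers do it in the kernel (iptables MASQUERADE, for instance). 198.143.153.42 is the server address quoted in the thread; the tunnel client address 10.8.0.6 and news-server address 203.0.113.10 are constructed sample values.

```python
"""Toy model of the NAT a full-tunnel VPN server applies to decrypted client packets.

Added illustration, not production code. A "packet" is a dict of header fields
as the server sees them after decryption. Addresses other than 198.143.153.42
(quoted in the thread) are made up for the example.
"""
import random

VPN_PUBLIC_IP = "198.143.153.42"
EPHEMERAL_PORTS = range(32768, 61000)   # assumed source-port pool for mappings


class VpnServerNat:
    def __init__(self, public_ip=VPN_PUBLIC_IP, seed=0):
        self.public_ip = public_ip
        self.rng = random.Random(seed)          # seeded so the example is repeatable
        # (proto, mapped_port) -> (client_ip, client_port, dst_ip, dst_port)
        self.table = {}
        # inner 5-tuple -> mapped_port, so one flow keeps one mapping for its lifetime
        self.by_flow = {}

    def outbound(self, pkt):
        """Rewrite the source of a decrypted client packet before it leaves toward the Internet."""
        flow = (pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        mapped = self.by_flow.get(flow)
        if mapped is None:
            mapped = self._free_port(pkt["proto"])
            self.by_flow[flow] = mapped
            self.table[(pkt["proto"], mapped)] = flow[1:]
        # the destination is left untouched: that is what the next hop routes on
        return {**pkt, "src_ip": self.public_ip, "src_port": mapped}

    def inbound(self, pkt):
        """Map a reply addressed to the server's public IP back to the tunnel client, or drop it."""
        entry = self.table.get((pkt["proto"], pkt["dst_port"]))
        if entry is None:
            return None                          # no mapping: nobody inside asked for this
        client_ip, client_port, dst_ip, dst_port = entry
        if (pkt["src_ip"], pkt["src_port"]) != (dst_ip, dst_port):
            return None                          # reply from the wrong peer: unsolicited
        return {**pkt, "dst_ip": client_ip, "dst_port": client_port}

    def _free_port(self, proto):
        while True:
            port = self.rng.choice(EPHEMERAL_PORTS)
            if (proto, port) not in self.table:
                return port


# Constructed sample: the newsreader's packet as the server sees it after decryption.
NNTP_REQUEST = {"proto": "tcp", "src_ip": "10.8.0.6", "src_port": 51234,
                "dst_ip": "203.0.113.10", "dst_port": 119, "payload": b"GROUP alt.test\r\n"}


def round_trip(nat, request):
    """Send one request out and feed the peer's reply back in.

    Returns (packet as it appears on the Internet, packet sent back down the tunnel).
    """
    out = nat.outbound(request)
    reply = {"proto": out["proto"], "src_ip": out["dst_ip"], "src_port": out["dst_port"],
             "dst_ip": out["src_ip"], "dst_port": out["src_port"], "payload": b"211 ...\r\n"}
    return out, nat.inbound(reply)


if __name__ == "__main__":
    nat = VpnServerNat()
    sent, back = round_trip(nat, NNTP_REQUEST)
    print("on the wire:", sent["src_ip"], sent["src_port"], "->", sent["dst_ip"], sent["dst_port"])
    print("down the tunnel:", back["dst_ip"], back["dst_port"])
```

Two things the model makes visible that the prose only implies: the server sees every inner destination in the clear (it has to, to route), and a reply only gets back through the tunnel if it arrives from the exact peer the client talked to; anything else addressed to the mapped port is dropped.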

Not necessarily at all. That box may well encrypt stuff to your employer's network and not to anywhere else. It may ship stuff only to your employer through the tunnel. Remember everything does go through your ISP. The difference is just some packets are packaged, some not.

Reply to
William Unruh

That "box" is just a computer with an input and an output. That output connects through your ISP to the net and finally to your employer. It is perfectly possible that that box only ships stuff directed to the employers address through the vpn. Ie, it has an internal, company designed routing table ( and spyware?) which you cannot change, but that routing table could have anything in it. The box is there just so they have control over the routing table, not you. (And so they can keep track of your net activity?)

Reply to
William Unruh

I suspect that is to make sure that there is no "default route" contention. You already have a default route through wlan0. If they put in another default through tun0 there would be an ambiguity as to which would be used. By making two specific routes which cover all of the rest of the net, they are making sure that the effective default is always tun0. I misread the 128.0.0.0 line in my original analysis.

Which means someone at 198.143.153.42 can read all your traffic. Why is it better that they can read it, rather than that your WISP can read it?

You forgot the NAT. The return address from that packet is replaced with 198.143.153.42 and a random port number. And the server keeps a table which tells it what the mapping is from that port number to the address/port of your machine, so it can replace them when it sends the return packet down the vpn.

By reading the port number. Your computer keeps a table which maps return port numbers ( which were the source port number on the outgoing packet) and the program which sent the packet.

Not quite. As I pointed out, neither 127.x.x.x nor 198.143.153.42 traffic is encrypted and packaged. I.e., the vpn traffic itself does not go via the vpn, or you would have an infinite regress.

Reply to
William Unruh
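
The routing-table point in that post (two /1 routes beating the existing default, with the VPN server itself and 127/8 left outside the tunnel), as an added example rather than the vpnoneclick client's own code. The OpenVPN option that installs such routes is redirect-gateway def1. The gateways 192.168.1.1 (home router) and 10.8.0.5 (tun0 peer) are assumed; 198.143.153.42 is the server address quoted in the thread.

```python
"""Longest-prefix-match lookup showing why a VPN client adds 0.0.0.0/1 and
128.0.0.0/1 instead of a second default route.

Added example, not the client's code. Gateway addresses are assumed.
"""
import ipaddress

VPN_SERVER = "198.143.153.42"

# (prefix, next hop or None for on-link, interface), roughly as `route -n` would list them
AFTER_CONNECT = [
    ("0.0.0.0/0",         "192.168.1.1", "wlan0"),  # the pre-existing default
    ("0.0.0.0/1",         "10.8.0.5",    "tun0"),   # lower half of the address space
    ("128.0.0.0/1",       "10.8.0.5",    "tun0"),   # upper half
    (VPN_SERVER + "/32",  "192.168.1.1", "wlan0"),  # the tunnel endpoint itself, via the real gateway
    ("127.0.0.0/8",       None,          "lo"),
    ("192.168.1.0/24",    None,          "wlan0"),  # home LAN stays reachable
]

# The naive alternative the post warns against: a second default route.
TWO_DEFAULTS = [
    ("0.0.0.0/0",         "192.168.1.1", "wlan0"),
    ("0.0.0.0/0",         "10.8.0.5",    "tun0"),
    (VPN_SERVER + "/32",  "192.168.1.1", "wlan0"),
    ("127.0.0.0/8",       None,          "lo"),
]


def matches(dst, routes):
    """All routes containing dst, longest prefix first; ties keep table order (sorted is stable)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw, iface) for p, gw, iface in routes
            if addr in ipaddress.ip_network(p)]
    return sorted(hits, key=lambda r: -r[0].prefixlen)


def egress(dst, routes=AFTER_CONNECT):
    """(next hop, interface) the kernel would pick for dst."""
    best = matches(dst, routes)
    if not best:
        raise LookupError(f"no route to {dst}")
    return best[0][1], best[0][2]


def is_ambiguous(dst, routes):
    """True when two or more routes tie on prefix length, so table order (or metric) decides."""
    best = matches(dst, routes)
    return len(best) > 1 and best[0][0].prefixlen == best[1][0].prefixlen


def goes_through_tunnel(dst, routes=AFTER_CONNECT):
    return egress(dst, routes)[1] == "tun0"


if __name__ == "__main__":
    for dst in ("8.8.8.8", "203.0.113.10", VPN_SERVER, "127.0.0.1", "192.168.1.50"):
        print(f"{dst:>16} -> {egress(dst)}  tunnel={goes_through_tunnel(dst)}")
    print("second default ambiguous for 8.8.8.8:", is_ambiguous("8.8.8.8", TWO_DEFAULTS))
```

The /32 host route is the part worth checking on a real client: if it is missing, the encrypted packets to the VPN server match 128.0.0.0/1 and are pushed back into tun0, which is the infinite regress the post mentions.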

Congratulations on the new job. Let's see if I can read between your lines.

200 messages in this thread and only one (by amdx) correctly suggests that you use Wireshark to sniff your own traffic. Wireshark might be a bit premature as you probably don't have a login on the new company server yet, but you can probably find another system with which to experiment. It would probably have taken less time to sniff than to manage this thread's multiple diversions.

The problem will be what type of VPN? PPTP, IPsec, L2TP, or MPLS. In order for your packets to be routed to the terminating server, the destination IP address and port number has to be exposed and NOT encrypted. If you're using PPTP, there will be traffic on port 1723. For IPsec, port 500. For L2TP, port 1701. For MPLS, ports 646 and 711. If your WISP sees substantial traffic or connect time on these ports, it will assume that their service is being used for commercial purposes. You'll soon receive an email or call from their sales department describing the merits of upgrading to a higher priced commercial service.

Of course, it is possible to use non-standard ports to avoid this problem, but that will require the collusion of your new employer, which might be problematic. Even that doesn't always work. Depending on the mode of operation, specifically whether the IP header is encapsulated or not, the underlying protocols might also be exposed. For example, IPsec uses IP protocol numbers 50 and 51 on port 500 which can be easily detected if exposed. Or, a sniffer could simply look for an authentication header, which is required in order to setup a tunnel.

They could also ping the terminating server. For example, PPTP is very helpful by responding to probes. Fire up NMAP, point it to your employer's PPTP server, and run this script: If your WISP is curious why you spend so much time connected to a single IP address and port number, that should answer their question as to what you're doing.

Lots of other tricks, all of which will show that you're using a VPN for commercial purposes and should probably be upgraded to a higher cost WISP rate.

More:

Reply to
Jeff Liebermann
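
What the port- and protocol-based spotting Jeff describes looks like when run over ISP-side flow records, as an added example (not a tool from the thread). The records are constructed to look like a NetFlow/IPFIX summary: outer headers only, no payload. The signatures follow the post: PPTP TCP/1723 (its data rides on GRE, IP protocol 47), IPsec IKE UDP/500 (plus NAT-T UDP/4500, ESP protocol 50, AH protocol 51), L2TP UDP/1701, and the 646/711 pair listed for MPLS (LDP and TDP). OpenVPN's default UDP/1194 is added for the vpnoneclick case. Subscriber addresses in 100.64.0.0/10 and servers in 192.0.2.0/24 and 203.0.113.0/24 are made up; 198.143.153.42 is from the thread.

```python
"""Classify flow records by VPN signalling ports/protocols, then total connect time per peer.

Added example. SAMPLE_FLOWS is constructed; only 198.143.153.42 comes from the thread.
"""
from collections import defaultdict

SIGNATURES = [  # (label, IP protocol number, destination port, or None where the protocol has no ports)
    ("pptp-control", 6, 1723),
    ("pptp-gre", 47, None),
    ("ipsec-ike", 17, 500),
    ("ipsec-nat-t", 17, 4500),
    ("ipsec-esp", 50, None),
    ("ipsec-ah", 51, None),
    ("l2tp", 17, 1701),
    ("mpls-ldp", 6, 646),
    ("mpls-tdp", 6, 711),
    ("openvpn", 17, 1194),
]

SAMPLE_FLOWS = [  # constructed; duration in seconds, bytes subscriber -> server
    {"src_ip": "100.64.0.23", "dst_ip": "198.143.153.42", "proto": 17, "dst_port": 1194, "duration_s": 5 * 3600, "bytes": 2_100_000_000},
    {"src_ip": "100.64.0.23", "dst_ip": "203.0.113.5", "proto": 6, "dst_port": 443, "duration_s": 4 * 3600, "bytes": 900_000_000},
    {"src_ip": "100.64.0.77", "dst_ip": "192.0.2.40", "proto": 6, "dst_port": 1723, "duration_s": 30, "bytes": 4_000},
    {"src_ip": "100.64.0.77", "dst_ip": "192.0.2.40", "proto": 47, "dst_port": None, "duration_s": 8 * 3600, "bytes": 3_000_000_000},
    {"src_ip": "100.64.0.91", "dst_ip": "192.0.2.60", "proto": 17, "dst_port": 500, "duration_s": 5, "bytes": 2_000},
    {"src_ip": "100.64.0.91", "dst_ip": "192.0.2.60", "proto": 50, "dst_port": None, "duration_s": 600, "bytes": 40_000_000},
]


def classify(flow):
    """Label a flow by the first matching signature, or None if it looks like ordinary traffic."""
    for label, proto, port in SIGNATURES:
        if flow["proto"] == proto and (port is None or flow["dst_port"] == port):
            return label
    return None


def vpn_peers(flows, min_seconds=3600):
    """Per (subscriber, server): time, bytes and labels on VPN-looking flows, kept if over the threshold."""
    acc = defaultdict(lambda: {"seconds": 0, "bytes": 0, "kinds": set()})
    for f in flows:
        label = classify(f)
        if label is None:
            continue
        entry = acc[(f["src_ip"], f["dst_ip"])]
        entry["seconds"] += f["duration_s"]
        entry["bytes"] += f["bytes"]
        entry["kinds"].add(label)
    return {k: v for k, v in acc.items() if v["seconds"] >= min_seconds}


def long_lived_peers(flows, min_seconds=3600):
    """Port-agnostic variant: any (subscriber, server, proto, port) with a lot of connect time.

    Catches a VPN moved to a non-standard port, but also flags long HTTPS sessions.
    """
    total = defaultdict(int)
    for f in flows:
        total[(f["src_ip"], f["dst_ip"], f["proto"], f["dst_port"])] += f["duration_s"]
    return {k: s for k, s in total.items() if s >= min_seconds}


if __name__ == "__main__":
    for peer, info in vpn_peers(SAMPLE_FLOWS).items():
        print(peer, info["seconds"] // 3600, "h", sorted(info["kinds"]))
    print("long-lived regardless of port:", sorted(long_lived_peers(SAMPLE_FLOWS), key=str))
```

The two functions correspond to the two tricks in the post. Signature matching is precise but trivially evaded by moving to another port, except for ESP, AH and GRE, which have no port to move and are identified by IP protocol number alone. The time-on-one-peer heuristic survives a port change but, as the sample shows, also picks up a four-hour HTTPS session to a streaming server, so on its own it is a prompt for a closer look rather than proof of a VPN.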

Exactly. You've got it.

Reply to
Char Jackson

Yes, that's correct.

Reply to
Char Jackson

Caver1 wrote, on Sat, 06 Sep 2014 11:15:55 -0400:

Nope. All you do is execute the software, where a "ps" shows four processes running simultaneously:

  PID1 gksudo vpn1click
  PID1 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
  PID3 vpn1click
  PID4 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon

Why is vpnoneclick called "vpn" one click, if it's a proxy & not VPN?

I'm almost never using a browser. I use nntp, ftp, smtp, etc., but I only use http for google news and google searches, so I don't really understand why you're always talking about a 'browser'.

Almost all the time, I'm *not* using http.

This confuses me, considering vpnoneclick is supposed to be a VPN solution. So, all my traffic, on all ports, should be encrypted between me and the VPN server on the net at 198.143.153.42.

I use the tor browser bundle when I need to. It's not even close to the same thing as a VPN, which encrypts all ports.

Are you sure about saying "anyone can see your real IP address" when you use Tor? I doubt that's true. The only one who can see your "real" IP address is the first hop on Tor.

And, if I use the TBB on top of VpnOneClick, then even the first hop doesn't see my real IP address.

So, I understand things totally differently than you seem to.

I don't understand that statement.

Reply to
Yaroslav Sadowski

alexd wrote, on Sat, 06 Sep 2014 21:58:05 +0100:

Thanks for that tip. I was unaware of the existence of the "killall" command!

$ man killall
killall sends a signal to all processes running any of the specified commands.

Reply to
Yaroslav Sadowski

The only difference between a full tunnel and a split tunnel is that with a full tunnel all traffic goes through the network you are connecting to. Private VPNs do control and limit their outside-of-network connections. Public VPNs don't. With a split tunnel only the traffic that is sent to the VPN goes through the tunnel; the rest of your traffic does not. A public VPN provider has no need for a split tunnel. I hope that this is not anywhere near as confusing as my previous attempts at explaining this. As far as a couple of technicalities I was wrong, but I was correct about the ways a VPN tunnel works. With a split tunnel your other programs that use the internet, or even the browser's traffic, do not use the tunnel that you are connected with unless that traffic is for the network that the VPN is protecting. Research it. With a full tunnel you can't get out except through the owner's network and then only if the owner lets you. Case in point: We connect to my wife's company's network through their VPN. When we do, we connect to any other sites that we want to at the same time. When she is at work, inside the company's network, she can connect to very few of those sites because the company doesn't want to take the risk to its network.

Maybe for a public VPN, as you are using their software to connect to them. Is it even possible to have a temporary tunnel created before you even connect to the private VPN, or even a public VPN? That would be the only way to stop your ISP from knowing what you are connecting to. Then they would only know from the type of traffic you are sending. If they even look. The full tunnel only works after the tunnel is created. After your request to be connected to that network.

The first hop is only encrypted by a VPN's tunnel after you request that connection, not before.

Why would the ISP even look at where you are going, let alone really care? Probably only if the Gov't is investigating you and wants that information. Even if you are using the ISP for commercial use that you didn't pay for, they wouldn't care where you are going, just that you are using quite a lot of traffic for a noncommercial plan. Then the ISP has to find out. Only the big ISPs have that capability on staff all the time. The smaller ones can't afford the cost of the extra staff needed for an occasional task. But there are third party businesses that provide that service to ISPs. There is big money being made by them as the cost is passed back to the Gov't. The contents of any traffic is revealable, even a VPN's encrypted traffic. All of your traffic goes through your ISP, even your VPN connections. The only difference is your ISP can't see what that traffic contains, but they do see where your destination is. Which for the first hop is the VPN's IP.

Your ISP couldn't care less where you go. It is mainly concerned with your traffic load and if it is correctly routed. Once you leave the VPN then anyone that really wants to will know where you are from by your IP. Unless you hide your real IP with a fake one. The only ones that would want to know where you are from are rogue hackers and the Gov't, so I doubt that hiding your real IP would work to stop them. By your traffic load they may want to know if you are running commercially; then they may start looking. Even a VPN's traffic is hackable. Whether or not your ISP has that capability is questionable. Why would you want to hide from your ISP your normal usage of the internet? Why would they care? Maybe you want to use the internet for nefarious reasons? :)

Reply to
Caver1

That's because you can't connect without their software, which is the reason. With a private VPN you can't connect without the client software, but you still have to login. The private networks make you login in case someone else that is not supposed to have access is using your computer. Public VPNs don't care as they have nothing to protect from the user.

Even not using your browser, all traffic that is not sent to the network that you are connected to, whether you use nntp, ftp, smtp or whatever, does not go through a tunnel if it is split and more than likely can't get out of the network if it is a full tunnel. You didn't say if you were using a browser or not. So I assumed that scenario. You never corrected it.

There is no encryption from the VPN until after you connect. Also I believe that statement was pertaining to your traffic that is not sent to the VPN's network. Which would imply a split tunnel, or that the tunnel is not connected to the ports that the particular program is configured to use. A VPN only uses a couple of ports and that depends on the type of VPN. The VPN may not use the port that a specific program needs.

No it doesn't. It only encrypts the traffic sent to the VPN's network. Not the ports. It will encrypt the data as to which ports are being used but not the ports themselves, and only for the ports that are used by the VPN.

They can all see it. Your IP is never hidden, whether real or fake, unless it is encrypted, and TOR does not use encryption. Even then your real IP can only be hidden if you are using something to hide it. The Tor network always sees your real IP or they would not be able to get the traffic that you request back to you. The person that is providing that particular relay point of the network can't see anything but the network has to. If the network can see it then it is recoverable by those that have the means and the desire. How do you think the NSA got in? TOR did fix that weakness but not until after it was exploited. What's the next weakness? I guarantee you the NSA is looking for it. The FBI busted a person that used only TOR. It took them a while but they figured out how. Who knows if that technique can be used again?

1click has to see your real IP, first hop or not. If 1click can see it then others that have the desire can. The TOR network does, has to, and anyone who wants to after you leave the TOR network. The only real difference between TOR and a VPN is that with TOR you start as part of the network so you are not remotely connected. With a VPN you don't start out as part of the network if remotely connected. The NSA proved that they could. Maybe not now but when will they figure out another way? I agree that if you aren't using a VPN or TOR for illegal purposes then the risk is slim that the Gov't will even look. What needs to be protected when you are just surfing the web? That is what you stated for the reason for your use of the VPN. There are hacker groups in existence that have the same capabilities as the Gov't. Some capabilities they created themselves, some were leaked from the Gov't or even given to some organizations then leaked. Even other Gov'ts have the same potential capabilities and some of them do want in for other purposes than the US gov't says it has.

Your understanding is slightly wrong.

Reply to
Caver1
