What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

^^^^^^^ in case?

I think you need to know what the routing on his vpn is before you make statements like this.

????

Right from the beginning he said he was using all kinds of programs.

Anyway you need to know his routing table before making statements about what can and cannot get out the tunnel.

You say that why?

If the VPN is not running then no, there is no encryption. Once it is, then everything that goes down that tunnel is encrypted. Since it relies on proprietary software, it seems, you have no assurance that that encryption is not backdoored, of course. Again, you need to trust the VPN server more than others (your ISP).

VPNs, as I understand them, do not tunnel ports, they tunnel addresses (although with the new IP routing it may be possible to set up the routing table based on ports as well).

The vpn tunnels all ports.

Yes, it does encrypt the ports as well. It encrypts the full packet, including source address and ports and destination address and ports, as I understand it. The only port visible to the ISP is the address and port of the VPN server.

...

Reply to
William Unruh

That last sentence above makes no sense. More below.

I sense another round of misunderstanding there. The port used by the VPN itself has nothing to do with the ports used by the various applications that a person chooses to use.

If you expect to be able to communicate on the Internet, then there's no such thing as a fake IP. That has been explained to you before.

His understanding is head and shoulders above yours, it seems.

Reply to
Char Jackson

I used the wrong words when I was trying to explain. I have that problem. I very rarely am able to explain what I am thinking properly. What I meant was that 1click gives you no more anonymity than a proxy does. Proxies can only hide your real IP. Not where you started from and where you are going as far as your IP or the internet network is concerned. Your ISP sees your real IP, and so does any of the places on the internet network that you pass through on your way to your destination. When you get to your destination they have no idea where you came from unless they have the capability to "unhide" your real IP. There are sites that are capable of doing that. Your real IP cannot be encrypted or not used, only hidden, if you want to receive anything that you request. The internet network sees your real IP and so can anyone that really wants the information about you. The normal person on the internet has no way of seeing your real IP if it is hidden. Don't say it won't happen. There are many sites that have bits of code implanted in them that can read your IP and your browser's header, not necessarily by the site owner but by advertisement agencies, hackers... And these bits, I can't think of what they are all called right now, are not cookies. One of these is called ETags. There are also man-in-the-middle attacks. Your IP also knows where your traffic started and where you are going, if not your final destination then at least that your first stop is the VPN. Your IP knows the beginning and end of the tunnel that the VPN creates. Since your ISP knows where the tunnel starts it also knows it is you. After all, your ISP is the one that gave you your IP. All your ISP would have to do is look up who is at the starting point. That tunnel is only a route to the VPN, so that nobody can "see" what is inside the tunnel. A public IP has you protected until you arrive at their site. Once you leave you are not "protected" by the VPN.
All the public VPN can do for you is hide your real IP, not replace it. Your real IP is always available to whoever has to have it to service your route. So your location is always known by the internet network and can be determined, if the need arises, by those who control those points. I don't think they or your ISP normally even look at any traffic. Only the traffic loads, and to make sure everything is working properly. The public VPN gives you no more anonymity than a proxy does.

Reply to
Caver1

Char Jackson wrote, on Sat, 06 Sep 2014 11:28:35 -0500:

This is a wonderfully enlightening point!

Reply to
Yaroslav Sadowski

William Unruh wrote, on Sat, 06 Sep 2014 13:17:08 +0000:

OK. The "route -n" seems to be what tells me which IP address goes to the VPN that I ask a browser (or any smtp, pop, nntp, etc.) client to go to.

But, didn't we already determine, from the "route -n" of the vpnoneclick test session, that *all* internet addresses were going to the tunnel, in two halves?

1st half: 0.0.0.0         10.43.0.209     128.0.0.0       UG    0 0 0 tun0
2nd half: 128.0.0.0       10.43.0.209     128.0.0.0       UG    0 0 0 tun0

Reply to
Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 14:51:32 -0400:

Most of the time, I'm not even using a (web) browser, so, I have trouble understanding the 'tab-in-a-browser' style VPN.

I'm using nntp clients, mail user agents, ftp clients, telnet clients, bittorrent clients, etc., but rarely a browser.

If I needed to hide my activities from the WISP and all I was using was a (web) browser, I'd use the TBB anyway.

So, I have never seen this concept of a 'tab-in-a-browser' style VPN, nor does it appear to apply for this thread. (I'm sure it exists, it's just about as relevant to this thread as the vote for Scottish independence is.)

Reply to
Yaroslav Sadowski

Caver1 wrote, on Sat, 06 Sep 2014 07:08:53 -0400:

I have no idea what that means to 'aim' my email to the VPN.

Before I start VPN, I can start Thunderbird, which is "aimed" at a google SMTP and IMAP port for sending & receiving email.

Then, I start vpnoneclick, which appears to be a "full" VPN implementation, based on these routing table entries:

0.0.0.0         10.43.0.209     128.0.0.0       UG    0 0 0 tun0
  This covers a destination of 0.0.0.0 to 127.255.255.254

128.0.0.0       10.43.0.209     128.0.0.0       UG    0 0 0 tun0
  This covers a destination of 128.0.0.1 to 255.255.255.254

Then, I can again start Thunderbird, which is *still* aimed at the same google SMTP & IMAP ports as before, but, now, we can presume, their traffic goes through the VPN "tunnel" tun0.

Reply to
Yaroslav Sadowski

No, you don't need to know anything about the routing table. No matter if it is a "split" or a full tunnel, the only traffic that goes through the tunnel is that which is addressed/sent to the VPN's network. No other traffic is accepted. I never said that anything gets out of the tunnel. I said that not all of the user's traffic goes through the tunnel. Doesn't matter whether it is split or full. Once some traffic/data is inside the tunnel the only way it gets out is at one end or the other.

If I remember correctly it was in reference to your first connection to the VPN as no tunnel has been created so no encryption yet. The tunnel is not created until you login, no matter how long you stay at the login page. This only applies to private VPNs. Now that I think about it I would think that it would also apply to public VPNs as they have no idea when you want to connect until you arrive there asking to get in.

Only those ports that are used between you and the VPN, so all ports between you and the VPN are controlled by the VPN. The VPN only stops traffic, except that between it and you, from using those ports. It cannot encrypt a port. VPNs only use a couple of ports, not anywhere near all of them. Anyone that has the know-how can see the beginning and end of the tunnel, just not inside it.

I never said the ports were tunneled. I said that the VPN controls the ports that the tunnel is connected to.

No ports are tunneled just controlled. A tunnel does not control all ports.

Your statement implied that you wanted to use a VPN, specifically your company's. Then your further statements were that you wanted to use that VPN so your ISP would not be able to tell that it was you. Being that you start out in the TOR network, nobody but the TOR network and you know that it is you until after you leave the network. Being you are in the TOR network, nobody can see your traffic except the TOR network itself. No encryption is needed, nor does any port/s need to be controlled. But that is even questioned now. With the VPN your traffic is encrypted in the tunnel. Neither the tunnel nor the encryption is started until after you connect to the VPN and request to be let in. So your ISP knows that you went to that network to begin with. After the tunnel is created the starting and end points can be seen. Since you are the end point, the ISP knows that it is you using that tunnel. Your ISP knows that it is a tunnel by the type of traffic that goes through it. Your ISP just can't read that traffic. Once you get to the VPN's network (private), where outside of that network are you capable of going? No matter what you are using, if it's not that network's program you go nowhere once accepted by that network using your system's programs. You only use the VPN's network programs to get to where you are allowed to go. I have yet to see a private protected network that would let you use its browser, if it has one that you can access, to get out of its network. So what good would the tiny bit of anonymity from your ISP that that would give you be?

The packets that go through the tunnel are not ports and only the packets are encrypted.

The TOR network has to see your real IP so it can deliver all of your requests back to you. If you want to download something or view something, how are those packets supposed to get back to you if it has no idea what your real IP is? The individual bridges or whatever do not know who passed you to them. That way the route cannot be followed. It has nothing to do with the network seeing your IP. The network still knows who you are.

Reply to
Caver1

So let us keep talking about the same thing, a VPN.

While a VPN is sort of like a proxy, it is also different. The only thing your ISP (which I assume is what you meant by IP just below) sees is your address and the port that you talk to the VPN on, and the address of the VPN server, and the port of the VPN server software on the server. Your ISP cannot see the address the encrypted packet is eventually going to go to, nor the port at that address that packet will eventually go to.

True if you mean your VPN server, false if you mean say google, or pinkworld.

Once the packet arrives at the vpn server, it unencrypts the packet, looks at the header, replaces the source IP/port in that header with its own IP and a high number port that it records as meaning anything coming to that port is to be forwarded over the vpn to your address.

The ONLY machine anywhere that knows that translation from the VPN server's address and high random port to your IP and your port is that VPN server. No one else can "unhide" it. There are no sites, except the VPN server, who can do it.

Your real IP is no longer part of the packet. Only the VPN server's IP is part of the packet. All deliveries go back to the server. It then translates the response port to your IP/port.

Nope. Only during the delivery of that encrypted packet (which hides the destination IP/port header inside the encrypted packet).

Nope. There is nothing in the packet sent to the final source (e.g. [link]) that contains your address/port. Nothing. There is just the VPN IP/port.

Nope.

ISP again? No it knows that you delivered a packet to the vpn server but that is all. It does NOT see the final destination where you want it to go.

Yes, it does see that you are sending a packet to the VPN server.

No idea what "a public IP" means. After the packet leaves the VPN server, there is nothing in the packet that traces it back to you, except a random source port number which can be translated only by that VPN server.

The server replaces your real IP.

Nope. It is not. That that packet content relates to you is known only by the VPN server. That you sent an encrypted packet to the VPN server IS known by the ISP, but neither the contents nor the ultimate address is known by them. And after it leaves the VPN server nothing in the packet points back to you.

No idea what you mean by anonymity.

The ISP knows you sent and received packets from the VPN server. No one else knows you sent and received packets, since their return (source) address is that of the VPN server.

Reply to
William Unruh

That's right and I never said that it did. It only applies to those programs themselves.

You know nothing about using a fake IP or refuse to accept what is correct. You can use a fake IP as your real IP is only hidden not replaced. The internet network can still see your real IP but most other sites or networks cannot. Your real IP is still used to route you but only your Fake IP is shown. How that is accomplished I do not know, I just know that it works. What do you think a proxy does?

No.

Reply to
Caver1

For that one VPN tunnel, yes. That does NOT mean that your employer's will work the same way. In fact you will be unable to determine the routing table there, since that box will be what is doing the routing and you will not have access to it, except to send network packets to it and receive them.

You could put a sniffer on the output to the box, then try to access various things, like [link], and see where the packets coming out of the box go to (what the destination IP/port of those outgoing packets is).

Reply to
William Unruh

William Unruh wrote, on Sat, 06 Sep 2014 22:36:33 +0000:

Here's the summary of what has been said about that routing table ... Here's a route -n after rebooting but before connecting to the VPN server:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
  This is your original default route. A destination of 0.0.0.0 with mask 0.0.0.0 matches all addresses, so it's the least specific, and what it says is that wlan0 is the default.
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
  This is a route to your LAN out of wlan0.

$ gksudo vpn1click &
$ inxi -i | grep eth0
WAN IP: 198.143.153.42
IF: eth0 ip: N/A
IF: tun0 ip: 10.43.0.210
IF: wlan0 ip: 192.168.1.3

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
.....
0.0.0.0         10.43.0.209     128.0.0.0       UG    0      0        0 tun0
  The route to half the internet goes through tun0 (which is the VPN). Any address with a 1 bit in the most significant bit of the address will be sent to tun0.
  This covers a destination of 0.0.0.0 to 127.255.255.254. This is the 1st half of the Internet split by the VPN provider.
  if 10.43.0.209 it is sent directly on tun0 (the tunnel)
  if 10.43.0.1 it is sent to 10.43.0.209 on tun0
  if 128.x.x.x it is sent to 10.43.0.209 on tun0
  if 1bbbbbb.x.x.x it is sent to 10.43.0.209 on tun0
128.0.0.0       10.43.0.209     128.0.0.0       UG    0      0        0 tun0
  This covers a destination of 128.0.0.1 to 255.255.255.254. This is the 2nd half of the Internet split by the VPN provider. And so does the other half go to tun0.
.....
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
  This is your original default route. A destination of 0.0.0.0 with mask 0.0.0.0 matches all addresses, so it's the least specific, and what it says is that wlan0 is the default. This was your route before starting the VPN.
10.43.0.1       10.43.0.209     255.255.255.255 UGH   0      0        0 tun0
10.43.0.209     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
  This means that 10.43.0.209 can be reached by a packet out of tun0.
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
  These two are static routes added by the VPN client software. The only traffic that doesn't traverse tun0 is traffic to these two IP addresses. This is probably the VPN server. These two are explicitly routed via the wlan0 connection.
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
  This is a route to your LAN out of wlan0.
  if 192.168.1.x it is sent directly to wlan0
  if 108.178.54.10 it is sent to 192.168.1.1 on wlan0
  if 198.143.153.42 it is sent to 192.168.1.1 on wlan0
  anything else is sent on wlan0.

Thus if you go to 56.23.44.8 it will go on wlan0 (not VPN). If you go to 142.103.234.23 it will go via tun0 (VPN).

Note: The fact that lo0 doesn't appear in the routing table accounts for 127.0.0.0 - 127.255.255.255. Note: tun0 is the VPN tunnel.

All the traffic on wlan0 is going to/from either 198.143.153.42 or on 108.178.54.10, or both.

I recognize 192.168.1.1 as my home broadband router. I recognize 198.143.153.42 as the VPN server.

'Iface' is the interface on which the gateway IP address can be reached.

Then, when I kill the vpn, here's the route:

$ ps -elfww|grep vpn
0 S usr   3170 1701 0 80 0 - 58576 hrtime 13:15 pts/0 00:00:01 gksudo vpn1click
4 S root  3175 3170 0 80 0 - 17214 poll_s 13:15 ?     00:00:00 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
4 S root  3176 3175 2 80 0 - 36051 poll_s 13:15 ?     00:00:16 vpn1click
5 S root  3331 1701 0 80 0 -  8266 poll_s 13:15 ?     00:00:05 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon

$ sudo kill -9 3170 3175 3176 3331   (or killall vpn1click)
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0

I notice that the VPN server of "198.143.153.42" is *still* in the route.

Reply to
Yaroslav Sadowski

Only to the VPN's network, nowhere else. Unless you are originating from within that network. Then that is also not the case. How is the tunnel created to a site that has no client software? It can't. That's one reason why the network blocks access to other places.

Reply to
Caver1

Jeff Liebermann wrote, on Sat, 06 Sep 2014 20:38:08 -0700:

Hi there Jeff,

I have wireshark running:
$ sudo apt-get install wireshark
$ wireshark &

Up pops a blue & white Wireshark version 1.10.2 (SVN Rev 51934) window which says on the left "Capture" side:

No interface can be used for capturing in this system with the current configuration.

So, I'm going to have to figure out how to put the wlan0 card into the right mode for the Wireshark program to sniff it, I think???

The Google inxi program reports the wlan0 card is: Network: Card-1: Intel Centrino Ultimate-N 6300 driver: iwlwifi

Reply to
Yaroslav Sadowski

Yes.

Reply to
William Unruh

Jeff Liebermann wrote, on Sat, 06 Sep 2014 20:38:08 -0700:

Key statements from that nice article are ... The data that goes across a VPN connection, while it is totally encrypted, has two things about it that are important and that are visible.
1) It is clear where the VPN data, that packet of data, is going. It has to go to the VPN's service.
2) Similarly, VPN services tend to use specific ports. So even if this ISP doesn't recognize the destination of the VPN packet of data, it can potentially detect the fact that it's a VPN by the port numbers that are being used.

What it cannot tell is what you're doing with the VPN. You may be using the VPN to connect to websites A, B, and C and send all sorts of interesting information to those websites; or send email; or whatever. Your ISP can see none of that. All they can see is encrypted data that they can't decrypt. So they know you're using a VPN, but they don't know what you're using it for.

Reply to
Yaroslav Sadowski

Nope. Any address with a 0 bit in the most significant bit.

Yes, those all have 0 in their MSbit.

128.0.0.0 to 255.255.255.255

I got this wrong. It was covered by the first of the tun0 rules.

Nope. 192.168.1.x traffic also goes directly to the relevant computer via wlan0. It is assumed that any such address is on the local network, and packets will be delivered via ARP/MAC, not via IP address. (ARP is the local table that translates IP addresses to MAC addresses for the local network.)

It does no harm. All this says is that if something sends a packet to this address it should go via the wlan0 gateway. But the default route would have sent it that way anyway.

Reply to
William Unruh
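An added example (mine, not code from anyone in the thread) that works through the route -n tables quoted in Yaroslav Sadowski's post above and the corrections in this reply: it parses the table as printed with tun0 up, resolves a destination the way the kernel does (longest matching prefix wins), and labels what the WISP can observe for that destination. The function names and the tunneled/direct/lan labels are my own; 198.143.153.42 is taken as the VPN server as identified in the thread.

```python
import ipaddress

# Routing table constructed from the `route -n` output quoted in the thread
# with tun0 up. Columns: Destination Gateway Genmask Flags Metric Ref Use Iface
ROUTE_N_OUTPUT = """\
0.0.0.0         10.43.0.209     128.0.0.0       UG  0 0 0 tun0
128.0.0.0       10.43.0.209     128.0.0.0       UG  0 0 0 tun0
0.0.0.0         192.168.1.1     0.0.0.0         UG  0 0 0 wlan0
10.43.0.1       10.43.0.209     255.255.255.255 UGH 0 0 0 tun0
10.43.0.209     0.0.0.0         255.255.255.255 UH  0 0 0 tun0
198.143.153.42  192.168.1.1     255.255.255.255 UGH 0 0 0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH 0 0 0 wlan0
192.168.1.0     0.0.0.0         255.255.255.0   U   9 0 0 wlan0
"""

LAN_IFACE = "wlan0"  # interface facing the home router and, behind it, the WISP


def parse_route_n(text):
    """Turn `route -n` lines into (network, gateway, flags, iface) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # skip the two header lines `route -n` prints
        dest, gateway, genmask, flags, iface = (fields[0], fields[1],
                                                fields[2], fields[3], fields[7])
        # Genmask 128.0.0.0 is a /1 and 0.0.0.0 a /0; ipaddress converts dotted masks.
        net = ipaddress.ip_network(f"{dest}/{genmask}", strict=False)
        routes.append((net, gateway, flags, iface))
    return routes


def lookup(routes, dst):
    """Kernel forwarding rule: the most specific (longest prefix) match wins,
    so the two /1 routes beat the old /0 default and the /32 host routes
    beat the /1s; the order of the lines does not matter."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gateway, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags, iface)
    if best is None:
        return None
    net, gateway, flags, iface = best
    # Flag 'G' means hand the packet to the gateway; otherwise dst is on-link.
    return {"prefix": str(net), "iface": iface,
            "next_hop": gateway if "G" in flags else dst}


def wisp_sees(routes, dst):
    """What the upstream WISP can observe about a packet addressed to dst:
    'tunneled' - only an encrypted packet to the VPN server (tun0 path),
    'direct'   - the real destination IP and port, in the clear,
    'lan'      - nothing, the packet never leaves the home LAN."""
    route = lookup(routes, dst)
    if route is None:
        return "unroutable"
    if route["iface"] != LAN_IFACE:
        return "tunneled"
    if route["next_hop"] == dst:
        return "lan"
    return "direct"
```

With this table, lookup() sends both 56.23.44.8 and 142.103.234.23 to tun0, because the two /1 routes are more specific than the 0.0.0.0/0 default; only the two /32 host routes (the VPN server addresses) and the 192.168.1.0/24 LAN stay on wlan0, which is exactly the set of destinations the WISP can see in the clear.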

William Unruh wrote, on Sun, 07 Sep 2014 20:43:00 +0000:

That's a good point.

I hook up the box tomorrow, so, we'll see what happens to my traffic at that point, and whether their net nanny blocks anything.

I asked the IT guys about the company NNTP news server and he said there wasn't one.

Reply to
Yaroslav Sadowski

Jeff Liebermann wrote, on Sat, 06 Sep 2014 20:38:08 -0700:

Yeah, It's in Santa Cruz, near where you hail. We'll see what their net nanny does to my nntp traffic! :)

It seems these main programs tell me something nice about the network traffic when using VPN:

route -n

sudo apt-get install iftop
sudo iftop -n -i wlan0

sudo apt-get install wireshark
wireshark &

Reply to
Yaroslav Sadowski

Groan. I should have guessed by the deluge and formatting. Yet another nym?

Current stable version is 1.12.0. Which Linux mutation are you using?

If my memory is still functional, I vaguely recall that you have a Ubiquiti M2 wireless client radio sitting on your roof with a dish pointed at your friendly local WISP. If that's correct, you don't want to sniff the radio. You want to sniff the ethernet card that's driving the radio. The only time you want to sniff the wireless card is when it's inside the computah or plugged in via USB. All that radio link does is gift wrap your ethernet packets inside 802.11 packets for transport (layer 2), and unwrap them at the destination end resulting in the original ethernet packets.

Ok, maybe you don't have a Ubiquiti M2, PoE cable, and rooftop radio. If you're using an inside router to connect to your rooftop Ubiquiti radio, make our lives easier by running some CAT5 between the ethernet port of your Linux box, and one of the LAN ports on your inside router. That takes a 2nd Wi-Fi link out of the picture.

If you must sniff the inside wi-fi link, try: Ignore any mention of Windoze and WinPcap. Pay attention to the difference between monitor and promiscuous mode. However, I would run the CAT5 and forget about sniffing your inside wi-fi traffic.

Reply to
Jeff Liebermann
