ISTM that Caver1 has, all this time, been talking about a simple https connection for logging into a company's network and calling the company's internal network a VPN. I think that explains the fixation with browsers and tabs and what other software at the local end cannot do under this circumstance.
Well, not really as far as I know. Your routing table needs root permissions to change. If setting up a vpn allowed some other system-- the remote vpn server-- root permission on your system, it would be a horribly insecure system. It is you, in setting up your vpn client, that sets up the routing table. Now that may be via software provided by that server, which will rewrite your routing table for you. But it would be far more secure for you to rewrite your own routing table. Otherwise you download software provided by these wonderful people who offer you full tunneling vpn service, and now they have root on your machine, and can install whatever tracker/hacker software they want. Shudder.
Note in the case of the routing table that Yaroslav posted there was a really weird thing. The default route was wlan0. The tun0 (vpn tunnel I assume) had a routing entry of 0.0.0.0 but with a genmask of 128.0.0.0 which suggests that only traffic with an IP address greater than 128 in the first octet would be directed down the tunnel. That is just weird.
Why does it matter when either type of tunnel is closed? The connection is broken, nothing else. The effects are the same. I never said that a full tunnel is the same as a split tunnel, anywhere.
William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:
This is the key detail that other people were confusing me on, and which I'm glad is clearly described by you.
So, we can lay to rest the question of whether the ISP can see the port out or into the destination, and the destination. They can't.
The VPN solution I'm testing over this weekend, to get a flavor for how it works, is this full-VPN freeware one, which only lasts a week, but which is long enough to test it out:
Sending traffic through a tunnel is the same thing as sending the traffic/data to the VPN. A VPN is nothing more than a safe way to send traffic/data to the network. Basically, once you connect you are part of that network with limited permissions which are set up by the company. They can be more or less depending on what the owner of that network will allow you. Nobody can see that traffic, but the end points can be seen if someone is looking for them. Which was also stated by someone else in this thread.
You do not know as much as you think you do. You would not get any correct information for the IP that is "shown". Hell, most places, including Whois, don't show my correct location from my real IP.
No, I said they could see the domains or the end point but they do not know who it is or where it came from unless they put some time into it, which I doubt. You also never asked if the ISP could tell (see) if it was you. I said yes, they can see those domains but don't know anything about the traffic going there. Unless it's the Gov't, and if it really desires that information they will find the end points and, depending on the encryption used, maybe even the data that is being sent. If the Gov't can do it, do you really think no one else can? How do you think hackers are getting into company networks? Sometimes it is by direct hammering against the network, whether or not the company is using a VPN for its internet connection. I also never said the ISP could see the port being used. Go back and look. I will save you the trouble:
"This is confusing so I will ask for clarification by way of example. Always assuming full-tunnel VPN, if someone went to three web sites, say, google.com, yahoo.com, and apple.com, are you saying that the ISP can see all three web sites when the user is using VPN?"
My answer was: Yes. Also: They can see all three web sites but not that it is you that is connected or what data you are carrying with you. The question asked if the ISP can see all web sites, not you/him/whatever.
Show me where those answers are wrong. Nothing was even mentioned about ports. Even if it is encapsulated by the network, it still has to show where it is going if you want to get there. That is also true using TOR. The only difference is that TOR's servers and bridges are the only ones that see your traffic until you leave the TOR web to get to your final destination. Even if the contents are encrypted, the starting and ending points are known, except if you are using the TOR browser; then only the end point is seen by anyone other than the TOR network, which has to know your IP and remember it, because you are not in the TOR network for the final "step" to your destination, so the TOR network can pass any kind of response back to you.
I'm not sure if I understand the question, but, the VPN I just tested has no "login" per se.
a) You boot your Linux laptop, and nothing is encrypted yet.
b) You run "gksudo vpn1click &" and now you send *everything* to the VPN.
c) You kill the vpn process, and then you're back to step (a) above.
I'm not sure what this is asking, but, the connection to the VPN is initiated with the following command, with the routes as shown below.
Here's the route -n after rebooting but before connecting to the VPN server:
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0   This is your original default route.
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0   This is a route to your LAN out of wlan0.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.43.0.209     128.0.0.0       UG    0      0        0 tun0    This covers a destination of 0.0.0.0 to 127.255.255.254. This is the 1st half of the Internet split by the VPN provider.
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 wlan0   This is your original default route.
10.43.0.1       10.43.0.209     255.255.255.255 UGH   0      0        0 tun0    Unsure what the significance of this is.
10.43.0.209     0.0.0.0         255.255.255.255 UH    0      0        0 tun0    This means that 10.43.0.209 can be reached by a packet out of tun0.
198.143.153.42  192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0
108.178.54.10   192.168.1.1     255.255.255.255 UGH   0      0        0 wlan0   These two are static routes added by the VPN client software. The only traffic that doesn't traverse tun0 is traffic to these two IP addresses.
128.0.0.0       10.43.0.209     128.0.0.0       UG    0      0        0 tun0    This covers a destination of 128.0.0.0.1 to 255.255.255.254. This is the 2nd half of the Internet split by the VPN provider.
192.168.1.0     0.0.0.0         255.255.255.0   U     9      0        0 wlan0   This is a route to your LAN out of wlan0.
Note: The fact that lo0 doesn't appear in the routing table accounts for 127.0.0.0 - 127.255.255.255.
I recognize 192.168.1.1 as my home broadband router. I recognize 198.143.153.42 as the VPN server.
'Iface' is the interface on which the gateway IP address can be reached.
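An added example, not from any poster in this thread: it replays the two route -n tables above through a longest-prefix lookup, showing why the two /1 routes capture everything the untouched default route used to carry, while the /32 host routes keep the VPN server and the LAN reachable over wlan0, and it lists what the VPN client added to the table without deleting anything.

```python
import ipaddress

# Routing tables transcribed from the route -n output quoted above
# (Destination, Genmask, Iface); the annotation text is dropped.
BEFORE_VPN = [
    ("0.0.0.0", "0.0.0.0", "wlan0"),
    ("192.168.1.0", "255.255.255.0", "wlan0"),
]
AFTER_VPN = [
    ("0.0.0.0", "128.0.0.0", "tun0"),
    ("0.0.0.0", "0.0.0.0", "wlan0"),
    ("10.43.0.1", "255.255.255.255", "tun0"),
    ("10.43.0.209", "255.255.255.255", "tun0"),
    ("198.143.153.42", "255.255.255.255", "wlan0"),
    ("108.178.54.10", "255.255.255.255", "wlan0"),
    ("128.0.0.0", "128.0.0.0", "tun0"),
    ("192.168.1.0", "255.255.255.0", "wlan0"),
]


def as_network(dest, genmask):
    """Turn a route -n Destination/Genmask pair into an ip_network."""
    return ipaddress.ip_network(f"{dest}/{genmask}", strict=False)


def lookup(routes, dst):
    """Return the Iface the kernel picks for dst: among matching routes the
    longest Genmask wins, so a /32 host route beats the /1 halves, which in
    turn beat the /0 default route that is still present in the table."""
    ip = ipaddress.ip_address(dst)
    best_len, best_iface = -1, None
    for dest, genmask, iface in routes:
        net = as_network(dest, genmask)
        if ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def route_changes(before, after):
    """What the VPN client wrote into the table: (added, removed) lists.
    The original default route survives; it simply loses to the /1 pair."""
    added = [r for r in after if r not in before]
    removed = [r for r in before if r not in after]
    return added, removed


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.2.3", "192.168.1.50", "198.143.153.42"):
        print(f"{dst:>16} -> before: {lookup(BEFORE_VPN, dst):5}  after: {lookup(AFTER_VPN, dst)}")
    added, removed = route_changes(BEFORE_VPN, AFTER_VPN)
    print(f"routes added by the VPN client: {len(added)}, removed: {len(removed)}")
```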
I am not trying to confuse anyone. There is no gibberish there. At least none that you have corrected.
I asked nothing. Your home ISP cannot "see" the destination unless that site also uses that ISP. But whatever does the final handoff does. Your ISP does know where you are going as you "tell" it. You tell it to every ISP, switch, Bridge, whatever you pass through.
Yes you initiated the connection not the VPN. My answers are for you connecting to and using your company's VPN not a public one. The scenarios are totally different.