What does the Wireless ISP (WISP) "see" when I'm using VPN fromhome?

I start a new job next Monday, and my new company requires me to use
their VPN server but my wireless ISP contract was for personal use only.

I realize that the WISP can see all my unencrypted traffic, but, what
does any future VPN /encrypted/ traffic look like to my WISP?

Specifically, can the WISP tell I'm using VPN?
Or does everything just look like https encrypted traffic to the WISP?

 

It might be, if you connect to the appropriate port (443, I think) on
hosts (IP addresses) which are conceivably HTTPS servers. Figuring that
last bit out includes some amount of discretionary decision-making on the
part of WISP (i.e. is this usage pattern consistent with someone who uses
a lot of video steaming from a single HTTPS server during work hours or
is there something fishy going on?).

 

You need your ISPs definition of personal.

Net traffic being sent to and from you personally strikes me a being
personal, in that it is to and from you personally. If someone is
paying you to participate is that any business of your ISP?

If they care to look it's a persistent encrypted stream to a single
endpoint. what it resembles most is traffic to a VPN node.

If they probe the VPN node or reason from it's IP address they could
be pretty sure. dunno what lawyers would make of that.

they can't read the content, but they can examine the frequency and
size of the transfers.

 

Connecting to one's employer's VPN via a residential "personal use only"
internet service is commonplace. Don't worry about it. Your ISP just
doesn't want you running a Web store or a paid subscription newsletter
service or somesuch.

 

Aleksandar Kuktin wrote, on Fri, 05 Sep 2014 00:32:45 +0000:

What does my VPN traffic look like that "tells" them I'm
using VPN?

 

Jasen Betts wrote, on Fri, 05 Sep 2014 12:18:19 +0000:

I've never "seen" encrypted traffic, but I assume it's just a
bunch of numbers to an IP address (presumably of the VPN server).

Does the WISP see that IP address of that VPN provider?

 

Yes

 

Caver1 wrote, on Fri, 05 Sep 2014 12:35:01 -0400:

I was afraid of that.

So, just so that I understand, what you're telling me is that
the WISP can "see" that I'm going to go to a certain IP address,
on various ports, which he can reverse DNS to figure out that
this IP address corresponds to a VPN provider.

The various ports would include everything, such as nntp, smtp,
http, ssh, telnet, https, pop, imap, etc.

Can the ISP also tell what PORT that traffic is on, or does all
traffic to a VPN go over a single encrypted port?

 

I don't think they see the port. When you first connect it is
unencrypted. More then likely it is encrypted once you login. They can
see your IP and the IP that you are connecting to. WISP probably doesn't
look at your traffic unless there is a problem, In which case they look
at the load of traffic not necessarily the IPs unless they narrow it
down to a certain user. Or if the Gov't comes after it.

 

Well, there is a lot of it, it is encrypted, and the remote end is on a
hostort pair that is "unusual".

When browsing through SSL, there is normally only little data coming from
your machine and a lot of data coming from the remote machine. Your VPN
connection will probably be more symmetrical.

Encryption of traffic gets all sorts of fascists worked up. It is also a
normal part of VPN operation.

Hostort pair is not necessarily specific to VPNs, but it will probably
be unusual enough that any sane admin in your WISP will suspect a VPN.
Provided he cares enough about it.

There may also be other things: maybe the VPN setup is dead giveaway,
maybe link teardown.

 

Aleksandar Kuktin wrote, on Fri, 05 Sep 2014 18:37:03 +0000:

I am unfamiliar with VPN, so, may I just ask if the VPN connection uses
a particular port (such as 23, or 443, or whatever), or, if they use
any port that they want?

 

There are standard ports [eg 4500 for IPsec NAT traversal], but really, any
port they want.

--
<http://ale.cx/> (AIM:troffasky) ()
21:19:03 up 5 days, 11:34, 7 users, load average: 0.28, 0.38, 0.40
"If being trapped in a tropical swamp with Anthony Worral-Thompson and
Christine Hamilton is reality then I say, pass the mind-altering drugs"
-- Humphrey Lyttleton

 

And if your ISP notices and starts to hassle you (which I also doubt
that they are going to do) , switch ISPs or
persuade you company to buy you the commercial use service.

 

Once the connection is made, it looks like random garbage. It is in the
making of the connection there there may be enough info for them to
decide it is a VPN connection attempt. (for example for ssh, you connect
to port 22-- although you can change that, to, for example, port 80 in
which case it will look like encrypted http data. For openvpn it is prot
1194.)

 

Of course. They have to deliver the packets to the right place.

 

No. He can figure out that that address is your company's address. He
has not idea what they provide.

Depends. There are "standard"ports for those, but you and they can agree
on any port you want.

It goes over a single port. Remember each packet has to be delivered by
your ISP and others along the route, to the right computer, and that
computer has to figure out what to do with that packet (port). It has to
differentiate between a packet which is supposed to go to the VPN and
which goes to ntpd say.

 

alexd wrote, on Fri, 05 Sep 2014 21:24:20 +0100:

Just to be clear, does that mean that, say, if I'm on port 119 on the
computer while connected to the VPN server, that the WISP has no idea
that I'm on port 119 because they only "see" the VPN server port?

Likewise, if I then switched to port 1000 or to port 2000 (or whatever),
is the switchover likewise invisible to the WISP because all they see is
the VPN port (whatever that may be)?

I think that answered the question above.
Is this summary correct?

1. The WISP can "see" the IP address of the VPN server.
2. The WISP can "see" the port of the VPN server.
3. All "traffic" is garbage to the WISP.

 

William Unruh wrote, on Fri, 05 Sep 2014 20:34:18 +0000:

That confuses me since, it seemed, people said that the way VPN works is
that all traffic (no matter which port it's on) is all on a *single* port
to and from the VPN server.

So, that would mean that nntp, smtp, http, ssh, telnet, https, pop, imap,
etc. traffic, on my side, would be on whatever single port the VPN
connection was on, from the standpoint of the WISP in the middle.

Is that not correct?

 

In this case, "the right place" is the next hop.

 

William Unruh wrote, on Fri, 05 Sep 2014 20:31:05 +0000:

Given all these answers, it seems the WISP sees this:
1. The IP address of the VPN server.
2. The (single) port used by the VPN server.
3. The sheer amount of bits to and from that VPN server.

It seems, I think, from the answers, that the WISP does not see:
a. The port (e.g., nntp, smtp, http, ssh, telnet, https, pop, imap, etc.).

Is that correct yet?