What does the Wireless ISP (WISP) "see" when I'm using VPN fromhome?

Why does it matter when either type of tunnel is closed. The connection
is broken nothing else. the effects are the same. I never said that a
full tunnel is the same as a split tunnel, anywhere.

 

Show one place where he explained anything.

 

William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:

This is the key detail that other people were confusing me on, and
which I'm glad is clearly described by you.

So, we can lay to rest the question of whether the ISP can see the
port out or into the destination, and the destination. They can't.

The VPN solution I'm testing over this weekend, to get a flavor for
how it works, is this full-VPN freeware one, which only lasts a week,
but which is long enough to test it out:
https://www.vpnoneclick.com/

 

William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:

They already shipped a blue hardware VPN box, so, I think *everything*
will be going through the VPN.

 

Sending traffic to a through a tunnel is the same thing as sending
your traffic/data is the same thing as sending the traffic/data to the
VPN. A VPN is nothing more than a safe way to send traffic/data to the
network. Basically once you connect you are part of that network with
limited permissions which are set up by the company. They can be more or
less depending on what the owner of that network will allow you. Nobody
can see that traffic but the end points can be seen if someone is
looking for them. Which was also stated by someone else in this thread.

 

/sbin/route

but then you have to understand what it saya.

 

You do not know as much as you think you do. You would not get any
correct information for the IP that is "shown". Hell most places
including Whois doesn't show my correct location from my real IP.

 

[I deleted some spaces to re-join the lines]

yeah it's full.

the route to half the internet goes through tun0: (which is the VPN)

and so does the other half:

the exceptions being those routes with more bits set in the genmask
(these will have higher numbers)

not this one , it was your route before starting the VPN.

these two are explicitly routed via the original internet connection

198.143.153.42 is kryptotel too,

 

No I said they could see the domains or the end point but they do not
know who it is or where it came from unless they put some time into it,
which I doubt. You also never asked if the ISP could tell (see) if it
was you. I said yes they can see those domains but don't know anything
about the traffic going there. Unless it's the Gov't and if it really
desires that information they will find the end points and depending on
the encryption used maybe even the data that is being sent. If the Gov't
can do it do you really think no one else can. How do you think hackers
are getting into company networks. Sometimes it is by direct hammering
against the network whether or not if the company is using a VPN for
internet connection or not. I also never said the ISP could see the port
being used. Go back and look.
I will save you the trouble>

"This is confusing so I will ask for clarification by way of example.
Always assuming full-tunnel VPN, if someone went to three web sites,
say, google.com, yahoo.com, and apple.com, are you saying that the ISP
can see all three web sites when the user is using VPN?"

My answer was> Yes.
also>
They can see all three web sites but not that it is you that is
connected or what data you are carrying with you.
The question asked if the ISP can see all web sites not you/him/whatever.

Show me where those answers are wrong. Nothing even mentioned about
Ports. Even if it is encapsulated by the network it still has to show
where it is going if you want to get there. That is also true using TOR.
The only difference is that TOR's servers and bridges are the only ones
that see your traffic until you leave the TOR web to get to your final
destination. Even if the contents are encrypted the starting and ending
points are known, except if you are using the TOR browser, then only the
end point is seen by anyone other than the TOR network. which has to
know your IP, and remember it because you are not in the TOR network for
the final "step" to your destination, so the TOR network can pass any
kind of response back to you.

 

Caver1 wrote, on Sat, 06 Sep 2014 13:48:48 -0400:

I'm not sure if I understand the question, but, the VPN I just tested
has no "login" per se.

a) You boot your Linux laptop, and nothing is encrypted yet.
b) You run "gksudo vpn1click &" and now you send *everything* to the VPN.
c) You kill the vpn process, and then you're back to step (a) above.

I'm not sure what this is asking, but, the connection to the VPN is
initiated with the following command, with the routes as shown below.

Here's the route -n after rebooting but before connecting to the VPN server:
https://www.vpnoneclick.com

$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
This is your original default route.
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
This is a route to your LAN out of wlan0.

$ gksudo vpn1click &
$ inxi -i | grep eth0
WAN IP: 198.143.153.42 IF: eth0 ip: N/A IF: tun0 ip: 10.43.0.210 IF: wlan0 ip: 192.168.1.3

$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
Iface
0.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
This covers a destination of 0.0.0.0 to 127.255.255.254.
This is the 1st half of the Internet split by the VPN provider.
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
This is your original default route.
10.43.0.1 10.43.0.209 255.255.255.255 UGH 0 0 0 tun0
Unsure what the significance of this is.
10.43.0.209 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
This means that 10.43.0.209 can be reached by a packet out of tun0.
198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
108.178.54.10 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
These two are static routes added by the VPN client software.
The only traffic that doesn't traverse tun0 is traffic to these
two IP addresses.
128.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
This covers a destination of 128.0.0.0.1 to 255.255.255.254.
This is the 2nd half of the Internet split by the VPN provider.
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
This is a route to your LAN out of wlan0.

Note: The fact that lo0 doesn't appear in the routing table,
accounts for 127.0.0.0 - 127.255.255.255.

I recognize 192.168.1.1 as my home broadband router.
I recognize 198.143.153.42 as the VPN server.

'Iface' is the interface on which the gateway IP address can be reached.

Then, when I kill the vpn, here's the route:

$ ps -elfww|grep vpn
0 S usr 3170 1701 0 80 0 - 58576 hrtime 13:15 pts/0 00:00:01 gksudo vpn1click
4 S root 3175 3170 0 80 0 - 17214 poll_s 13:15 ? 00:00:00 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
4 S root 3176 3175 2 80 0 - 36051 poll_s 13:15 ? 00:00:16 vpn1click
5 S root 3331 1701 0 80 0 - 8266 poll_s 13:15 ? 00:00:05 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon

$ sudo kill -9 3170 3175 3176 3331
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0

I notice that the VPN server of "198.143.153.42" is *still* in the route.
----------------------------------------------------------------------------

 

I am not trying to confuse anyone. There is no gibberish there. At least
none that you have corrected.

I asked nothing.
Your home ISP cannot "see" the destination unless that site also uses
that ISP. But whatever does the final handoff does. Your ISP does know
where you are going as you "tell" it. You tell it to every ISP, switch,
Bridge, whatever you pass through.

 

Yes you initiated the connection not the VPN. My answers are for you
connecting to and using your company's VPN not a public one. The
scenarios are totally different.

Ok.

 

You basically tell every switch or whatever that you connect with where
you are going. That can't be encrypted. The new destination that is
tacked on by the VPN is not encrypted and has to be the correct one if
you want to get to your destination.
Notice this does not include ports. The ISP doesn't need to know what
ports are used. Only the browser has to know. Because at that point you
are no longer going through the tunnel that you are connect to the VPN
with. You are in no tunnel at that point. There can't be a tunnel to any
web sites as they aren't connected to any VPN. The destination can't
read your encryption unless it has the key. If you want to go to say
Netflix to have a movie streamed to you encryption will not help you it
will only hinder you. What is Netflix going to do with whatever is
encrypted? So that traffic can't be encrypted regardless whether or not
it's a public or private VPN or if it is a full tunnel that you are
connected to the VPN in.
A Public VPN can only hid who you are, your IP, nothing else. If it did
encrypt your traffic how is Netflix going to handle it? There are no
tunnels created by a public VPN except maybe between you and it. The
other sites you go to do not connect to that VPN. That VPN can only hide
your real IP.
Remember you were asking about going through your companies VPN to
browse the web. You are doing the same thing with any VPN public or private.
Will your company even let you go to those sites through it's network?
Only you and your company knows that. Which is what you would have to do
to use a full tunnel.

 

By using that box you are part of their network and not just connected
to it. If you had to have hardware to just connect to a VPN you would
never connect to your company's VPN through the internet.
So you paid for their full service? They didn't send anything to me for
the week trial period. Why would they. Just for a week?
Good for you if they did.

 

No I am talking about VPN's. We connect to my wife's company's VPN
several times a week. Nobody here has explained how they work just that
they do or don't. We cannot connect to the internet through their network.

 

No simple https conection, we have to have the Citrix client installed
or we can't connect.
Not just not able to login can't connect at all. It is a VPN

 

Caver1 wrote, on Sat, 06 Sep 2014 20:51:28 -0400:

I think the way it works with the full VPN solution is that the VPN
is *always* where you are going, at least for the first hop.

From there, I agree, it's no longer encrypted, as it goes to the next
hop(s) to the final destination.

The part that is critical is only the first hop, because that's where
the ISP lies.

Well, the first hop to the VPN is encrypted, and that's all that matters
for this purpose. The next hop(s) are not encrypted, as they go *out* of
the VPN server, to Netflix, and back. Then, the last hop on the return
is encrypted again, which is from the VPN server back to my PC, where,
again, the WISP is blissfully unaware of my eclectic movie selection!

1. The first outgoing hop is encrypted from the PC to the VPN server
somewhere on the Internet (e.g., to vpnoneclick at 198.143.153.42).
2. The next hop(s) to Netflix are not encrypted, but they don't
matter for the purpose of the WISP knowing what is going on.
3. Netflix then sends unencrypted data back to the VPN server at
198.143.153.42 for the return communication path.
4. The final hop, from the VPN server at 198.143.153.42 back to my
PC at home, will be encrypted again.

So, only #1 and #4 need to be encrypted in order to keep the details of
the Netflix domain and port "secret" from the WISP.

At least, that's how I currently understand the process to be.

 

Caver1 wrote, on Sat, 06 Sep 2014 20:56:27 -0400:

I think two unrelated things are mixed up in that paragraph, so, it
may be my fault for not being clear. I apologize.

The company sent me the blue vpn hardware box. They said they
already configured it so that I can plug it into my network, and told
me to call the IT guy on Monday if I have a problem with it.

The free vpn solution from https://www.vpnoneclick.com/ was just a
Debian file which I installed with
$ sudo dpkg -i vpnoneclick_ubuntu64.deb

And then I ran it using:
$ gksudo vpn1click &

 

Char Jackson wrote, on Sat, 06 Sep 2014 13:34:11 -0500:

Hi Char Jackson,
Is this how it works for the tested vpnoneclick server application?

0. I install and run the vpnoneclick solution:
$ sudo dpkg -i vpnoneclick_ubuntu64.deb
$ gksudo vpn1click &
NOTE: This part works, I'm just explaining to be complete.

2. With VPN now running, my newsreader client tries to connect to the nntp
newsserver freenews.netfront.net at port 119.

3. That traffic is encrypted and routed to the VPN server on the Internet
at 198.143.153.42 (let's ignore the fact that the VPN server seems to
break up the Internet into two pieces).

4. From that VPN server 198.143.153.42, the traffic is unencrypted, and then
sent to nntp newsserver freenews.netfront.net at port 119.

5. The nntp newsserver freenews.netfront.net at port 119 sends the unencrypted
response back to the VPN server at 198.143.153.42.

6. That VPN server at 198.143.153.42 encrypts that response, and sends it
back to my laptop.

7. My laptop vpnoneclick software unencrypts the information and sends it to
the nntp newsreader client application.

I'm not sure if that's full tunnel VPN, or not, but, it appears to be full
tunnel for the critical hop between #2 and #3 since all applications and all
ports send data which is encrypted by the vpn1click software.

Likewise, it appears to be full tunnel for the return hop between #6 and #7.
Am I using the term "full tunnel" correctly though?

 

Caver1 wrote, on Sat, 06 Sep 2014 20:08:33 -0400:

I agree they are probably totally different (I don't really know).

All I'm trying to do, at first, is *understand* how the VPN works
that I have some control over, which is the public VPN server at
vpnoneclick (or cyberghost or vpnreactor, or whatever).