What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

Discussion in 'Wireless Internet' started by Yaroslav Sadowski, Sep 5, 2014.

  1. Yaroslav Sadowski

    Caver1 Guest

    Why does it matter when either type of tunnel is closed? The connection
    is broken, nothing else. The effects are the same. I never said that a
    full tunnel is the same as a split tunnel, anywhere.
     
    Caver1, Sep 6, 2014

  2. Yaroslav Sadowski

    Caver1 Guest

    Show one place where he explained anything.
     
    Caver1, Sep 6, 2014

  3. William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:
    This is the key detail that other people were confusing me on, and
    which I'm glad is clearly described by you.

    So, we can lay to rest the question of whether the ISP can see the
    port out or into the destination, and the destination. They can't.

    The VPN solution I'm testing over this weekend, to get a flavor for
    how it works, is this full-VPN freeware one, which only lasts a week,
    but which is long enough to test it out:
    https://www.vpnoneclick.com/
     
    Yaroslav Sadowski, Sep 6, 2014
  4. William Unruh wrote, on Sat, 06 Sep 2014 13:30:25 +0000:
    They already shipped a blue hardware VPN box, so, I think *everything*
    will be going through the VPN.
     
    Yaroslav Sadowski, Sep 6, 2014
  5. Yaroslav Sadowski

    Caver1 Guest

    Sending traffic through a tunnel is the same thing as sending the
    traffic/data to the VPN. A VPN is nothing more than a safe way to send
    traffic/data to the
    network. Basically once you connect you are part of that network with
    limited permissions which are set up by the company. They can be more or
    less depending on what the owner of that network will allow you. Nobody
    can see that traffic but the end points can be seen if someone is
    looking for them. Which was also stated by someone else in this thread.
     
    Caver1, Sep 7, 2014
  6. Yaroslav Sadowski

    Jasen Betts Guest

    /sbin/route

    but then you have to understand what it says.
     
    Jasen Betts, Sep 7, 2014
  7. Yaroslav Sadowski

    Caver1 Guest

    You do not know as much as you think you do. You would not get any
    correct information for the IP that is "shown". Hell, most places,
    including Whois, don't show my correct location from my real IP.
     
    Caver1, Sep 7, 2014
  8. Yaroslav Sadowski

    Jasen Betts Guest

    [I deleted some spaces to re-join the lines]
    yeah it's full.

    the route to half the internet goes through tun0: (which is the VPN)
    and so does the other half:
    the exceptions being those routes with more bits set in the genmask
    (these will have higher numbers)

    not this one, it was your route before starting the VPN.
    these two are explicitly routed via the original internet connection
    198.143.153.42 is kryptotel too,
     
    Jasen Betts, Sep 7, 2014
  9. Yaroslav Sadowski

    Caver1 Guest


    No I said they could see the domains or the end point but they do not
    know who it is or where it came from unless they put some time into it,
    which I doubt. You also never asked if the ISP could tell (see) if it
    was you. I said yes they can see those domains but don't know anything
    about the traffic going there. Unless it's the Gov't and if it really
    desires that information they will find the end points and depending on
    the encryption used maybe even the data that is being sent. If the Gov't
    can do it, do you really think no one else can? How do you think hackers
    are getting into company networks? Sometimes it is by direct hammering
    against the network, whether the company is using a VPN for its
    internet connection or not. I also never said the ISP could see the port
    being used. Go back and look.
    I will save you the trouble>

    "This is confusing so I will ask for clarification by way of example.
    Always assuming full-tunnel VPN, if someone went to three web sites,
    say, google.com, yahoo.com, and apple.com, are you saying that the ISP
    can see all three web sites when the user is using VPN?"

    My answer was> Yes.
    also>
    They can see all three web sites but not that it is you that is
    connected or what data you are carrying with you.
    The question asked if the ISP can see all web sites not you/him/whatever.

    Show me where those answers are wrong. Nothing even mentioned about
    Ports. Even if it is encapsulated by the network it still has to show
    where it is going if you want to get there. That is also true using TOR.
    The only difference is that TOR's servers and bridges are the only ones
    that see your traffic until you leave the TOR web to get to your final
    destination. Even if the contents are encrypted the starting and ending
    points are known, except if you are using the TOR browser, then only the
    end point is seen by anyone other than the TOR network, which has to
    know your IP, and remember it because you are not in the TOR network for
    the final "step" to your destination, so the TOR network can pass any
    kind of response back to you.
     
    Caver1, Sep 7, 2014
  10. Caver1 wrote, on Sat, 06 Sep 2014 13:48:48 -0400:
    I'm not sure if I understand the question, but, the VPN I just tested
    has no "login" per se.

    a) You boot your Linux laptop, and nothing is encrypted yet.
    b) You run "gksudo vpn1click &" and now you send *everything* to the VPN.
    c) You kill the vpn process, and then you're back to step (a) above.
    I'm not sure what this is asking, but, the connection to the VPN is
    initiated with the following command, with the routes as shown below.

    Here's the route -n after rebooting but before connecting to the VPN server:
    https://www.vpnoneclick.com

    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    This is your original default route.
    192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
    This is a route to your LAN out of wlan0.

    $ gksudo vpn1click &
    $ inxi -i | grep eth0
    WAN IP: 198.143.153.42 IF: eth0 ip: N/A IF: tun0 ip: 10.43.0.210 IF: wlan0 ip: 192.168.1.3

    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    This covers a destination of 0.0.0.0 to 127.255.255.254.
    This is the 1st half of the Internet split by the VPN provider.
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    This is your original default route.
    10.43.0.1 10.43.0.209 255.255.255.255 UGH 0 0 0 tun0
    Unsure what the significance of this is.
    10.43.0.209 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    This means that 10.43.0.209 can be reached by a packet out of tun0.
    198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
    108.178.54.10 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
    These two are static routes added by the VPN client software.
    The only traffic that doesn't traverse tun0 is traffic to these
    two IP addresses.
    128.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    This covers a destination of 128.0.0.0.1 to 255.255.255.254.
    This is the 2nd half of the Internet split by the VPN provider.
    192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
    This is a route to your LAN out of wlan0.

    Note: The fact that lo0 doesn't appear in the routing table,
    accounts for 127.0.0.0 - 127.255.255.255.

    I recognize 192.168.1.1 as my home broadband router.
    I recognize 198.143.153.42 as the VPN server.

    'Iface' is the interface on which the gateway IP address can be reached.

    Then, when I kill the vpn, here's the route:

    $ ps -elfww|grep vpn
    0 S usr 3170 1701 0 80 0 - 58576 hrtime 13:15 pts/0 00:00:01 gksudo vpn1click
    4 S root 3175 3170 0 80 0 - 17214 poll_s 13:15 ? 00:00:00 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
    4 S root 3176 3175 2 80 0 - 36051 poll_s 13:15 ? 00:00:16 vpn1click
    5 S root 3331 1701 0 80 0 - 8266 poll_s 13:15 ? 00:00:05 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon

    $ sudo kill -9 3170 3175 3176 3331
    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
    198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0

    I notice that the VPN server of "198.143.153.42" is *still* in the route.
     
    Yaroslav Sadowski, Sep 7, 2014
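    The routing tables quoted above can be checked mechanically. The following
    is an added example, not code from the thread or from the vpnoneclick
    software: it parses the two `route -n` listings (copied from the post with
    the commentary lines between entries removed) and resolves destinations
    the way the kernel does, longest genmask first, lowest metric on a tie.
    That shows why the two /1 routes via tun0 beat the original /0 default
    route without replacing it, and why only the two /32 host routes (the VPN
    server and one other host) still leave over wlan0. Function names such as
    `egress` and `tunnel_exceptions` are this example's own.

```python
import ipaddress

# Constructed from the two `route -n` listings quoted in the post above,
# with the author's comment lines between entries removed so the text
# parses as the command's raw output.
ROUTE_N_WITH_VPN = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
10.43.0.1 10.43.0.209 255.255.255.255 UGH 0 0 0 tun0
10.43.0.209 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
108.178.54.10 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
128.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
"""

ROUTE_N_NO_VPN = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of route dicts.

    Destination and Genmask are combined into an IPv4Network so that the
    prefix length (the number of set bits in the genmask) is explicit.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # skip the two header lines
        dest, gateway, genmask, flags, metric, _ref, _use, iface = parts
        routes.append({
            "net": ipaddress.IPv4Network((dest, genmask), strict=False),
            "gateway": gateway,
            "flags": flags,
            "metric": int(metric),
            "iface": iface,
        })
    return routes


def egress(routes, dst):
    """Longest-prefix match, as the kernel does it: the matching route with
    the most genmask bits wins; among equal prefixes the lowest metric wins.
    Returns (iface, gateway), or None if nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"], best["gateway"]


def tunnel_exceptions(routes, tun="tun0"):
    """Host (/32) routes that leave on something other than the tunnel
    interface: the only Internet destinations the first-hop ISP sees
    directly. In this table that is the VPN server plus one more host the
    client added."""
    return {
        str(r["net"].network_address)
        for r in routes
        if r["net"].prefixlen == 32 and r["iface"] != tun
    }


def route_diff(before_text, after_text, destinations):
    """For each destination, which (iface, gateway) carried it before and
    after the VPN came up."""
    before = parse_route_n(before_text)
    after = parse_route_n(after_text)
    return {d: (egress(before, d), egress(after, d)) for d in destinations}


if __name__ == "__main__":
    probes = ["8.8.8.8", "200.1.2.3", "198.143.153.42", "192.168.1.3", "10.43.0.1"]
    for dst, (b, a) in route_diff(ROUTE_N_NO_VPN, ROUTE_N_WITH_VPN, probes).items():
        print(f"{dst:>16}  before: {b}  after: {a}")
    print("bypass tunnel:", sorted(tunnel_exceptions(parse_route_n(ROUTE_N_WITH_VPN))))
```

    Running it prints that every public address now resolves to tun0 via
    10.43.0.209, the LAN stays on wlan0 because the /24 is more specific than
    either /1, and the only /32 exceptions are the two hosts the client pinned
    to the home router.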
  11. Yaroslav Sadowski

    Caver1 Guest


    I am not trying to confuse anyone. There is no gibberish there. At least
    none that you have corrected.

    I asked nothing.
    Your home ISP cannot "see" the destination unless that site also uses
    that ISP. But whatever does the final handoff does. Your ISP does know
    where you are going as you "tell" it. You tell it to every ISP, switch,
    Bridge, whatever you pass through.
     
    Caver1, Sep 7, 2014
  12. Yaroslav Sadowski

    Caver1 Guest

    Yes you initiated the connection not the VPN. My answers are for you
    connecting to and using your company's VPN not a public one. The
    scenarios are totally different.

    Ok.
     
    Caver1, Sep 7, 2014
  13. Yaroslav Sadowski

    Caver1 Guest

    You basically tell every switch or whatever that you connect with where
    you are going. That can't be encrypted. The new destination that is
    tacked on by the VPN is not encrypted and has to be the correct one if
    you want to get to your destination.
    Notice this does not include ports. The ISP doesn't need to know what
    ports are used. Only the browser has to know. Because at that point you
    are no longer going through the tunnel that you are connected to the VPN
    with. You are in no tunnel at that point. There can't be a tunnel to any
    web sites as they aren't connected to any VPN. The destination can't
    read your encryption unless it has the key. If you want to go to say
    Netflix to have a movie streamed to you encryption will not help you it
    will only hinder you. What is Netflix going to do with whatever is
    encrypted? So that traffic can't be encrypted regardless whether or not
    it's a public or private VPN or if it is a full tunnel that you are
    connected to the VPN in.
    A Public VPN can only hide who you are, your IP, nothing else. If it did
    encrypt your traffic how is Netflix going to handle it? There are no
    tunnels created by a public VPN except maybe between you and it. The
    other sites you go to do not connect to that VPN. That VPN can only hide
    your real IP.
    Remember you were asking about going through your company's VPN to
    browse the web. You are doing the same thing with any VPN public or private.
    Will your company even let you go to those sites through its network?
    Only you and your company know that. Which is what you would have to do
    to use a full tunnel.
     
    Caver1, Sep 7, 2014
  14. Yaroslav Sadowski

    Caver1 Guest

    By using that box you are part of their network and not just connected
    to it. If you had to have hardware to just connect to a VPN you would
    never connect to your company's VPN through the internet.
    So you paid for their full service? They didn't send anything to me for
    the week trial period. Why would they. Just for a week?
    Good for you if they did. :)
     
    Caver1, Sep 7, 2014
  15. Yaroslav Sadowski

    Caver1 Guest


    No I am talking about VPN's. We connect to my wife's company's VPN
    several times a week. Nobody here has explained how they work just that
    they do or don't. We cannot connect to the internet through their network.
     
    Caver1, Sep 7, 2014
  16. Yaroslav Sadowski

    Caver1 Guest


    No simple https connection, we have to have the Citrix client installed
    or we can't connect.
    Not just not able to log in, can't connect at all. It is a VPN.
     
    Caver1, Sep 7, 2014
  17. Caver1 wrote, on Sat, 06 Sep 2014 20:51:28 -0400:
    I think the way it works with the full VPN solution is that the VPN
    is *always* where you are going, at least for the first hop.

    From there, I agree, it's no longer encrypted, as it goes to the next
    hop(s) to the final destination.

    The part that is critical is only the first hop, because that's where
    the ISP lies.
    Well, the first hop to the VPN is encrypted, and that's all that matters
    for this purpose. The next hop(s) are not encrypted, as they go *out* of
    the VPN server, to Netflix, and back. Then, the last hop on the return
    is encrypted again, which is from the VPN server back to my PC, where,
    again, the WISP is blissfully unaware of my eclectic movie selection! :)
    1. The first outgoing hop is encrypted from the PC to the VPN server
    somewhere on the Internet (e.g., to vpnoneclick at 198.143.153.42).
    2. The next hop(s) to Netflix are not encrypted, but they don't
    matter for the purpose of the WISP knowing what is going on.
    3. Netflix then sends unencrypted data back to the VPN server at
    198.143.153.42 for the return communication path.
    4. The final hop, from the VPN server at 198.143.153.42 back to my
    PC at home, will be encrypted again.

    So, only #1 and #4 need to be encrypted in order to keep the details of
    the Netflix domain and port "secret" from the WISP.

    At least, that's how I currently understand the process to be. :)
     
    Yaroslav Sadowski, Sep 7, 2014
  18. Caver1 wrote, on Sat, 06 Sep 2014 20:56:27 -0400:
    I think two unrelated things are mixed up in that paragraph, so, it
    may be my fault for not being clear. I apologize.

    The company sent me the blue vpn hardware box. They said they
    already configured it so that I can plug it into my network, and told
    me to call the IT guy on Monday if I have a problem with it.

    The free vpn solution from https://www.vpnoneclick.com/ was just a
    Debian file which I installed with
    $ sudo dpkg -i vpnoneclick_ubuntu64.deb

    And then I ran it using:
    $ gksudo vpn1click &
     
    Yaroslav Sadowski, Sep 7, 2014
  19. Char Jackson wrote, on Sat, 06 Sep 2014 13:34:11 -0500:
    Hi Char Jackson,
    Is this how it works for the tested vpnoneclick server application?

    0. I install and run the vpnoneclick solution:
    $ sudo dpkg -i vpnoneclick_ubuntu64.deb
    $ gksudo vpn1click &
    NOTE: This part works, I'm just explaining to be complete.

    2. With VPN now running, my newsreader client tries to connect to the nntp
    newsserver freenews.netfront.net at port 119.

    3. That traffic is encrypted and routed to the VPN server on the Internet
    at 198.143.153.42 (let's ignore the fact that the VPN server seems to
    break up the Internet into two pieces).

    4. From that VPN server 198.143.153.42, the traffic is unencrypted, and then
    sent to nntp newsserver freenews.netfront.net at port 119.

    5. The nntp newsserver freenews.netfront.net at port 119 sends the unencrypted
    response back to the VPN server at 198.143.153.42.

    6. That VPN server at 198.143.153.42 encrypts that response, and sends it
    back to my laptop.

    7. My laptop vpnoneclick software unencrypts the information and sends it to
    the nntp newsreader client application.

    I'm not sure if that's full tunnel VPN, or not, but, it appears to be full
    tunnel for the critical hop between #2 and #3 since all applications and all
    ports send data which is encrypted by the vpn1click software.

    Likewise, it appears to be full tunnel for the return hop between #6 and #7.
    Am I using the term "full tunnel" correctly though?
     
    Yaroslav Sadowski, Sep 7, 2014
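    The seven-step exchange in this post, and the four numbered hops in post
    #17, can be modelled end to end. What follows is an added example, not
    code from the thread, from vpnoneclick or from OpenVPN: each side's
    packet is a small dict, the laptop wraps its inner packet for the news
    server in an outer packet addressed to 198.143.153.42, and `wisp_view`
    is what a first-hop observer can read. The cipher is a deliberately toy
    construction (SHA-256 keystream plus HMAC tag) standing in for whatever
    OpenVPN negotiates, so it shows the shape of the protection, not its
    strength. The home address 203.0.113.7 is a constructed TEST-NET value,
    UDP/1194 is assumed (OpenVPN's default; the client.ovpn on the page is
    not shown), and all function names are this example's own.

```python
import hashlib
import hmac
import json
import os

# Addresses from the thread: the VPN server, and the news server + port.
VPN_SERVER = "198.143.153.42"
NEWS_SERVER = ("freenews.netfront.net", 119)
# Constructed: a TEST-NET stand-in for the laptop's public address at home.
HOME_WAN_IP = "203.0.113.7"
# Assumption: OpenVPN's default transport, UDP/1194 (not taken from the page).
VPN_PORT = 1194


def _keystream(key, nonce, length):
    """Toy keystream: SHA-256 in counter mode. Stands in for the real cipher
    OpenVPN negotiates and is NOT a substitute for it."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(12)
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; anything modified in transit is rejected."""
    nonce, ciphertext, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: packet modified in transit or wrong key")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def client_encapsulate(key, inner):
    """Hop #1: the laptop wraps the inner (application) packet in an outer
    packet whose only clear fields point at the VPN server."""
    return {
        "src": HOME_WAN_IP, "dst": VPN_SERVER, "proto": "udp", "dport": VPN_PORT,
        "payload": seal(key, json.dumps(inner).encode()),
    }


def wisp_view(outer):
    """What a device on the first hop can read: the outer header and the size."""
    seen = {k: outer[k] for k in ("src", "dst", "proto", "dport")}
    seen["length"] = len(outer["payload"])
    return seen


def server_decapsulate(key, outer):
    """Hop #2: the VPN server strips the wrapper and learns the real destination."""
    return json.loads(unseal(key, outer["payload"]).decode())


def server_encapsulate(key, reply):
    """Hop #4: the reply from the news server is wrapped again for the trip home."""
    return {
        "src": VPN_SERVER, "dst": HOME_WAN_IP, "proto": "udp", "dport": VPN_PORT,
        "payload": seal(key, json.dumps(reply).encode()),
    }


def destination_leaks(outer):
    """True if the inner host name is readable anywhere in the wire bytes."""
    return NEWS_SERVER[0].encode() in outer["payload"]


def tamper_detected(key, outer):
    """Flip one bit of the wire payload and check that the receiver rejects it."""
    p = outer["payload"]
    damaged = p[:-1] + bytes([p[-1] ^ 1])
    try:
        unseal(key, damaged)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)
    inner = {"dst_host": NEWS_SERVER[0], "dst_port": NEWS_SERVER[1], "data": "MODE READER"}
    outer = client_encapsulate(key, inner)
    print("WISP sees:", wisp_view(outer))
    print("VPN server sees:", server_decapsulate(key, outer))
    print("host name in wire bytes:", destination_leaks(outer))
    print("bit flip rejected:", tamper_detected(key, outer))
```

    The outer packet in both directions carries the home address and
    198.143.153.42 and nothing else in clear; the news server's name and port
    only exist inside the sealed payload, which is why a bit flip anywhere in
    it fails the tag check rather than producing a plausible packet.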
  20. Caver1 wrote, on Sat, 06 Sep 2014 20:08:33 -0400:
    I agree they are probably totally different (I don't really know).

    All I'm trying to do, at first, is *understand* how the VPN works
    that I have some control over, which is the public VPN server at
    vpnoneclick (or cyberghost or vpnreactor, or whatever).
     
    Yaroslav Sadowski, Sep 7, 2014