What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

Discussion in 'Wireless Internet' started by Yaroslav Sadowski, Sep 5, 2014.

  1. Char Jackson wrote, on Sat, 06 Sep 2014 11:17:37 -0500:
    Good. That's exactly what I was *hoping* would happen.

    a) I point three different applications to three different domains using
    three different ports ...

    b) They all get "tunneled" into one encrypted data stream on a single
    port on the VPN server at 198.143.153.4.

    That way, the WISP can't "see" exactly what it is.

    The WISP just sees 3 bursts of "activity" on the one port that connects
    to the VPN server at 198.143.153.4 (I think).

    So, the WISP, I think, can 'see' only three things:
    a) Three bursts of activity,
    b) To VPN server 198.143.153.4,
    c) On some random port (chosen by the VPN software client on my machine).
     
    Yaroslav Sadowski, Sep 7, 2014

  2. Well, no, however many hops it takes to get to the vpn server. It is
    encrypted all that way. Once at the server, the encrypted contents of
    the package are decrypted, the destination address/port of the packet
    are used to route the packet, the source address/port are replaced by
    the VPN server source and a random port number, with a record kept of
    which address/port that random port is supposed to map to so that the
    return packet can be directed to the right place, and the packet sent on.
    Of course the vpn server knows exactly what your eclectic movie
    selection is. Are you more worried about your boss or about some ISP
    knowing about you?

    But again, while it hides it from your WISP it does not hide it from the
    vpn server. Which do you trust more?
     
    William Unruh, Sep 7, 2014

  3. Not necessarily at all. That box may well encrypt stuff to your
    employer's network and not to anywhere else. It may ship stuff only
    to your employer through the tunnel. Remember everything does go through
    your ISP. The difference is just some packets are packaged, some not.
     
    William Unruh, Sep 7, 2014
  4. That "box" is just a computer with an input and an output. That output
    connects through your ISP to the net and finally to your employer. It is
    perfectly possible that that box only ships stuff directed to the
    employer's address through the vpn. I.e., it has an internal, company
    designed routing table ( and spyware?) which you cannot change, but that
    routing table could have anything in it.
    The box is there just so they have control over the routing table, not
    you. (And so they can keep track of your net activity?)
     
    William Unruh, Sep 7, 2014
  5. I suspect that is to make sure that there is no "default route"
    contention. You already have a default route through wlan0. If they put
    in another default through tun0 there would be an ambiguity as to which
    would be used. By making two specific routes which cover all of the rest
    of the net, they are making sure that the effective default is always
    tun0.
    I misread the 128.0.0.0 line in my original analysis.

    Which means someone at 198.143.153.42 can read all your traffic. Why is
    it better that they can read it, rather than that your WISP can read it?



    You forgot the NAT. The return address from that packet is replaced with
    198.143.153.42 and a random port number. And the server keeps a table
    which tells it what the mapping is from that port number to the
    address/port of your machine, so it can replace them when it sends the
    return packet down the vpn.
    By reading the port number. Your computer keeps a table which maps
    return port numbers ( which were the source port number on the outgoing
    packet) and the program which sent the packet.
    Not quite. As I pointed out neither 127.x.x.x nor 198.143.153.42 traffic
    is encrypted and packaged. I.e., the vpn traffic itself does not go via
    the vpn, or you would have an infinite regress.
     
    William Unruh, Sep 7, 2014
  6. Congratulations on the new job. Let's see if I can read between your
    lines.

    200 messages in this thread and only one (by amdx) correctly suggests
    that you use Wireshark to sniff your own traffic. Wireshark might be
    a bit premature as you probably don't have a login on the new company
    server yet, but you can probably find another system with which to
    experiment. It would probably have taken less time to sniff than to
    manage this thread's multiple diversions.

    The problem will be what type of VPN? PPTP, IPsec, L2TP, or MPLS.
    <http://en.wikipedia.org/wiki/Virtual_private_network>
    In order for your packets to be routed to the terminating server, the
    destination IP address and port number has to be exposed and NOT
    encrypted. If you're using PPTP, there will be traffic on port 1723.
    For IPsec, port 500. For L2TP, port 1701. For MPLS, ports 646 and
    711. If your WISP sees substantial traffic or connect time on these
    ports, it will assume that their service is being used for commercial
    purposes. You'll soon receive an email or call from their sales
    department describing the merits of upgrading to a higher priced
    commercial service.

    Of course, it is possible to use non-standard ports to avoid this
    problem, but that will require the collusion of your new employer,
    which might be problematic. Even that doesn't always work. Depending
    on the mode of operation, specifically whether the IP header is
    encapsulated or not, the underlying protocols might also be exposed.
    For example, IPsec uses IP protocol numbers 50 and 51 on port 500
    which can be easily detected if exposed. Or, a sniffer could simply
    look for an authentication header, which is required in order to setup
    a tunnel.
    <http://en.wikipedia.org/wiki/IPsec#Modes_of_operation>

    They could also ping the terminating server. For example, PPTP is
    very helpful by responding to probes. Fire up NMAP, point it to your
    employer's PPTP server, and run this script:
    <http://nmap.org/nsedoc/scripts/pptp-version.html>
    <http://seclists.org/nmap-dev/2007/q4/279>
    If your WISP is curious why you spend so much time connected to a
    single IP address and port number, that should answer their question
    as to what you're doing.

    Lots of other tricks all of which will show that you're using a VPN
    for commercial purposes and should probably be upgraded to a higher cost
    WISP rate.

    More:
    <http://ask-leo.com/can_my_isp_know_if_i_am_using_a_vpn.html>
     
    Jeff Liebermann, Sep 7, 2014
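The port-and-protocol check Jeff describes, written out as an added example (this is not code from the thread, from any poster, or from vpnoneclick). It walks constructed NetFlow-style flow records, the kind of per-flow export an ISP keeps, and flags those whose outer header carries a well-known VPN signature: the transport ports the post lists, plus GRE/ESP/AH, which have no port at all, and OpenVPN's default UDP 1194 and IPsec NAT-T on UDP 4500, which are added here as well-known defaults. All addresses are from documentation ranges and the byte counts are made up.

```python
"""Flag flows that look like VPN traffic by well-known port and protocol.

Added example, not code from the thread. The flow records are constructed
to resemble NetFlow-style export; addresses are documentation ranges.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# IANA IP protocol numbers.
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51

# Ports named in the post, plus OpenVPN's default and IPsec NAT-T (both
# added here as well-known defaults, not taken from the post).
VPN_PORTS = {
    (PROTO_TCP, 1723): "PPTP control",
    (PROTO_UDP, 500): "IPsec IKE",
    (PROTO_UDP, 4500): "IPsec NAT-T",
    (PROTO_UDP, 1701): "L2TP",
    (PROTO_UDP, 1194): "OpenVPN default",
    (PROTO_TCP, 646): "LDP (MPLS signalling)",
    (PROTO_UDP, 646): "LDP (MPLS signalling)",
    (PROTO_TCP, 711): "TDP (MPLS signalling)",
}
# Carried directly in IP with no port: the protocol number itself is the tell.
VPN_PROTOS = {
    PROTO_GRE: "GRE (PPTP data channel)",
    PROTO_ESP: "IPsec ESP",
    PROTO_AH: "IPsec AH",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: int      # 0 when the protocol has no ports
    octets: int


def classify(flow: Flow) -> Optional[str]:
    """Return a label if the outer header matches a VPN signature, else None."""
    if flow.proto in VPN_PROTOS:
        return VPN_PROTOS[flow.proto]
    return VPN_PORTS.get((flow.proto, flow.dport))


def vpn_summary(flows: Iterable[Flow]) -> dict:
    """Bytes per (destination, label) for matching flows: what a curious ISP would tally."""
    totals: Counter = Counter()
    for f in flows:
        label = classify(f)
        if label:
            totals[(f.dst, label)] += f.octets
    return dict(totals)


# Constructed sample export: one subscriber (203.0.113.7) talking to several hosts.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "198.51.100.10", PROTO_TCP, 1723, 4_200),      # PPTP control
    Flow("203.0.113.7", "198.51.100.10", PROTO_GRE, 0, 512_000_000),   # PPTP data
    Flow("203.0.113.7", "198.51.100.20", PROTO_UDP, 500, 9_000),       # IKE
    Flow("203.0.113.7", "198.51.100.20", PROTO_ESP, 0, 130_000_000),   # ESP
    Flow("203.0.113.7", "198.51.100.30", PROTO_UDP, 1194, 80_000_000), # OpenVPN
    Flow("203.0.113.7", "198.51.100.40", PROTO_UDP, 443, 90_000_000),  # OpenVPN moved to 443: not flagged
    Flow("203.0.113.7", "198.51.100.50", PROTO_TCP, 443, 1_500_000),   # ordinary HTTPS
]

if __name__ == "__main__":
    for (dst, label), octets in sorted(vpn_summary(SAMPLE_FLOWS).items()):
        print(f"{dst:15} {label:28} {octets:>12,d} bytes")
```

The last two sample flows illustrate the caveat in the post: a tunnel moved to a non-standard port such as UDP 443 slips past a port list, but it is still one long-lived, high-volume flow to a single address, which is what draws attention in the first place.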
  7. Exactly. You've got it.
     
    Char Jackson, Sep 7, 2014
  8. Yes, that's correct.
     
    Char Jackson, Sep 7, 2014
  9. Caver1 wrote, on Sat, 06 Sep 2014 11:15:55 -0400:
    Nope. All you do is execute the software, where a "ps" shows
    four processes running simultaneously:
    PID1 gksudo vpn1click
    PID1 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
    PID3 vpn1click
    PID4 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon
    Why is vpnoneclick called "vpn" one click, if it's a proxy & not VPN?
    I'm almost never using a browser. I use nntp, ftp, smtp, etc., but I
    only use http for google news and google searches, so I don't really
    understand why you're always talking about a 'browser'.

    Almost all the time, I'm *not* using http.
    This confuses me, considering vpnoneclick is supposed to be a VPN solution.
    So, all my traffic, on all ports, should be encrypted between me and the
    VPN server on the net at 198.143.153.42.
    I use the tor browser bundle when I need to.
    It's not even close to the same thing as a VPN, which encrypts all ports.
    Are you sure about saying "anyone can see your real IP address" when
    you use Tor? I doubt that's true. The only one who can see your "real"
    IP address is the first hop on Tor.

    And, if I use the TBB on top of VpnOneClick, then even the first hop
    doesn't see my real IP address.

    So, I understand things totally differently than you seem to.
    I don't understand that statement.
     
    Yaroslav Sadowski, Sep 7, 2014
  10. alexd wrote, on Sat, 06 Sep 2014 21:58:05 +0100:
    Thanks for that tip.
    I was unaware of the existence of the "killall" command!

    $ man killall
    killall sends a signal to all processes running any of the specified commands.
     
    Yaroslav Sadowski, Sep 7, 2014
  11. The only difference between a full tunnel and a split tunnel is that
    with a full tunnel all traffic goes through the network you are
    connecting to. Private VPNs do control and limit their outside of
    network connections. Public VPNs don't. With a split tunnel only the
    traffic that is sent to the VPN goes through the tunnel the rest of your
    traffic does not. A public VPN provider has no need for a split tunnel.
    I hope that this is not anywhere as confusing as my previous attempts at
    explaining this. As far as a couple of technicalities I was wrong but I
    was correct about the ways a VPN tunnel works. With a split tunnel your
    other programs that use the internet, or even the browser's traffic does
    not use the tunnel that you are connected with unless that traffic is
    for the network that the VPN is protecting. Research it. With a full
    tunnel you can't get out except through the owners network and then only
    if the owner lets you.
    Case in point: We connect to my wife's company's network through their
    VPN. When we do we connect to any other sites that we want to at the
    same time. When she is at work, inside the company's network she can
    connect to very few of those sites because the company doesn't want to
    take the risk to its network.

    Maybe for a public VPN as you are using their software to connect to
    them. Is it even possible to have a temporary tunnel created before you
    even connect to the private VPN, or even a public VPN? That would be
    the only way to stop your ISP from knowing who you are connecting to.
    Then they would only know from the type of traffic you are sending. If
    they even look. The full tunnel only works after the tunnel is created.
    After your request to be connected to that network.

    The first hop is only encrypted by a VPN's tunnel after you request that
    connection not before.


    Why would the ISP even look at where you are going, let alone really
    care? Probably only if the Gov't is investigating you and wants that
    information. Even if you are using the ISP for commercial use that you
    didn't pay for they wouldn't care where you are going, just that you are
    using quite a lot of traffic for a noncommercial plan. Then the ISP has
    to find out. Only the big ISPs have that capability on staff all the
    time. The smaller ones can't afford the cost of the extra staff
    needed for an occasional task. But there are third party businesses that
    provide that service to ISPs. There is big money being made by them as
    the cost is passed back to the Gov't. The contents of any traffic is
    revealable, even a VPN's encrypted traffic.
    All of your traffic goes through your ISP even your VPN connections. The
    only difference is your ISP can't see what that traffic contains but
    they do see where your destination is. Which for the first hop is the
    VPN's IP.
    Your ISP couldn't care less where you go. It is mainly concerned with your
    traffic load and if it is correctly routed.
    Once you leave the VPN then anyone that really wants to will know where
    you are from by your IP. Unless you hide your real IP with a fake one.
    The only ones that would want to know where you are from are rogue
    hackers and the Gov't, so I doubt that hiding your real IP would work to
    stop them. By your traffic load they may want to know if you are running
    commercially then they may start looking. Even a VPN's traffic is
    hackable. Whether or not your ISP has that capability is questionable.
    Why would you want to hide from your ISP your normal usage of the
    internet? Why would they care? Maybe you want to use the internet for
    nefarious reasons? :)
     
    Caver1, Sep 7, 2014
  12. That's because you can't connect without their software, which is the
    reason. With a private VPN you can't connect without the client software but
    you still have to login. The private networks make you login because
    someone else that is not supposed to have access is using your computer.
    Public VPNs don't care as they have nothing to protect from the user.
    Even not using your browser all traffic that is not sent to the network
    that you are connected to whether you use nntp,ftp,smtp or whatever does
    not go through a tunnel if it is split and more than likely can't get
    out of the network if a full tunnel. You didn't say if you were using a
    browser or not. So I assumed that scenario. You never corrected it.
    there is no encryption from the VPN until after you connect. Also I
    believe that statement was pertaining to your traffic that is not sent
    to the VPN's network. Which would imply a split tunnel or that the
    tunnel is not connected to the ports that the particular program is
    configured to use. A VPN only uses a couple of ports and that depends on
    the type of VPN. The VPN may not use the port that a specific program needs.
    No it doesn't. It only encrypts the traffic sent to the VPN's network.
    Not the ports. It will encrypt the data as to which ports are being used
    but not the ports themselves, and only for the ports that are used by
    the VPN.
    They can all see it. Your IP is never hidden whether real or fake unless
    it is encrypted and TOR does not use encryption. Even then your real IP
    can only be hidden if you are using something to hide it. The Tor
    network always sees your real IP or they would not be able to get your
    traffic that you request back to you. The person that that is providing
    that particular relay point of the network can't see anything but the
    network has to. If the network can see it then it is recoverable by
    those that have the means and the desire. How do you think the NSA got
    in? TOR did fix that weakness but not until after it was exploited.
    What's the next next weakness? I guarantee you the NSA is looking for
    it. The FBI busted a person that used only TOR. It took them awhile but
    they figured out how. Who knows if that technique can be used again?
    1click has to see your real IP, first hop or not. If 1click can see it
    then others that have the desire can. The TOR network does, has to, and
    anyone who wants to after you leave the TOR network. The only real
    difference between TOR and a VPN is that with TOR you start as part of
    the network so you are not remotely connected. With a VPN you don't
    start out as part of the network if remotely connected. The NSA proved
    that they could. Maybe not now but when will they figure out another
    way? I agree that if you aren't using a VPN or TOR for illegal purposes
    then the risk is slim that the Gov't will even look. What needs to be
    protected when you are just surfing the web? That is what you stated for
    the reason for your use of the VPN. There are hacker groups in existence
    that have the same capabilities as the Gov't. Some capabilities they
    created themselves some were leaked from the Gov't or even given to some
    organizations then leaked. Even other Gov'ts have the same potential
    capabilities and some of them do want in for other purposes than the US
    gov't says it has.

    Your understanding is slightly wrong.
     
    Caver1, Sep 7, 2014
  13. ^^^^^^^
    in case?
    I think you need to know what the routing on his vpn is before you make
    statements like this.
    Right from the beginning he said he was using all kinds of programs.

    Anyway you need to know his routing table before making statements about
    what can and cannot get out the tunnel.

    You say that why?

    If the vpn is not running then no there is no encryption. Once it is,
    then everything that goes down that tunnel is encrypted. Since it relies
    on proprietary software it seems, you have no assurance that that
    encryption is not backdoored of course. Again you need to trust the
    vpn server more than others (your ISP)
    vpn as I understand them, do not tunnel ports, they tunnel addresses.
    (although with the new ip routing it may be possible to set up the
    routing table based on ports as well).

    The vpn tunnels all ports.
    Yes, it does encrypt the ports as well. It encrypts the full packet,
    including source address and ports and dest address and ports, as I
    understand it. The only port visible to the ISP is the address and port
    of the vpn server.

    ....
     
    William Unruh, Sep 7, 2014
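The two points William makes in this post and in his earlier one (the whole inner packet, addresses and ports included, is encrypted so the ISP sees only the VPN server's address and port; and the server then NATs the decrypted packet, keeping a port-to-client table for the return path) put into one runnable model. This is an added example, not code from the thread or from vpnoneclick. Everything in it is constructed: the inner packet layout, the client and mail-server addresses (documentation ranges), the pre-shared key and the tunnel port. 198.143.153.42 is the server address from the thread. The "cipher" is a SHA-256 counter keystream XORed over the packet, enough to make the inner fields opaque for the demonstration, and must not be mistaken for a real VPN cipher.

```python
"""Toy full-tunnel VPN: what the WISP, the VPN server and the destination each see.

Added example, not from the thread or vpnoneclick. Addresses, key, tunnel port
and packet format are assumed; the keystream cipher is for illustration only.
"""
import hashlib
import struct
from typing import Dict, Tuple

CLIENT_PUBLIC_IP = "203.0.113.7"      # address the WISP assigned (assumed)
CLIENT_TUN_IP = "10.43.0.210"         # client's address inside the tunnel (assumed)
VPN_PUBLIC_IP = "198.143.153.42"      # from the thread
VPN_UDP_PORT = 1194                   # assumed tunnel port
MAIL_SERVER = "192.0.2.25"            # stand-in mail host (documentation range)
TUNNEL_KEY = b"demo-only-shared-key"  # assumed pre-shared key


def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream): same call encrypts and decrypts."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">QQ", nonce, block)).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_packet(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    """Minimal 'inner' packet: the header fields the WISP must not learn, then payload."""
    return f"{src}:{sport}>{dst}:{dport}|".encode() + payload


def parse_packet(pkt: bytes) -> Tuple[str, int, str, int, bytes]:
    header, payload = pkt.split(b"|", 1)
    s, d = header.decode().split(">")
    src, sport = s.rsplit(":", 1)
    dst, dport = d.rsplit(":", 1)
    return src, int(sport), dst, int(dport), payload


def encapsulate(inner: bytes, seq: int) -> dict:
    """Client side: plaintext outer UDP header plus the encrypted inner packet."""
    return {"src": CLIENT_PUBLIC_IP, "sport": 60001, "dst": VPN_PUBLIC_IP,
            "dport": VPN_UDP_PORT, "seq": seq,
            "blob": keystream_xor(TUNNEL_KEY, seq, inner)}


def wisp_view(outer: dict) -> tuple:
    """All the ISP can read: the outer 5-tuple and the size. Nothing inside."""
    return (outer["src"], outer["sport"], outer["dst"], outer["dport"], len(outer["blob"]))


class VpnServer:
    """Decrypts, rewrites the source to its own address plus a fresh port, keeps the map."""

    def __init__(self) -> None:
        self.nat: Dict[int, Tuple[str, int]] = {}   # public port -> (inner src, inner sport)
        self._next_port = 40000

    def forward(self, outer: dict) -> bytes:
        inner = keystream_xor(TUNNEL_KEY, outer["seq"], outer["blob"])
        src, sport, dst, dport, payload = parse_packet(inner)
        public_port, self._next_port = self._next_port, self._next_port + 1
        self.nat[public_port] = (src, sport)
        return make_packet(VPN_PUBLIC_IP, public_port, dst, dport, payload)

    def return_path(self, reply: bytes, seq: int) -> bytes:
        """Un-NAT a reply by its destination port, re-encrypt, send it down the tunnel."""
        src, sport, _vpn_ip, public_port, payload = parse_packet(reply)
        client_ip, client_port = self.nat[public_port]
        return keystream_xor(TUNNEL_KEY, seq, make_packet(src, sport, client_ip, client_port, payload))


def demo() -> dict:
    """One IMAP-over-VPN round trip; returns each party's view for inspection."""
    server = VpnServer()
    inner = make_packet(CLIENT_TUN_IP, 51515, MAIL_SERVER, 993, b"a1 CAPABILITY")
    outer = encapsulate(inner, seq=1)
    egress = server.forward(outer)
    e_src, e_port, e_dst, e_dport, _ = parse_packet(egress)
    reply = make_packet(e_dst, e_dport, e_src, e_port, b"* CAPABILITY IMAP4rev1")
    back = keystream_xor(TUNNEL_KEY, 2, server.return_path(reply, seq=2))
    return {
        "wisp_sees": wisp_view(outer),
        "mail_server_sees": (e_src, e_port, e_dst, e_dport),
        "client_gets": parse_packet(back),
        "inner_leaked_to_wisp": MAIL_SERVER.encode() in outer["blob"],
        "nat_table": dict(server.nat),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the three vantage points side by side: the WISP gets 203.0.113.7:60001 to 198.143.153.42:1194 and a byte count; the mail server gets a connection from 198.143.153.42:40000 with no trace of the client; and the VPN server, holding both the key and the NAT table, is the one party that sees everything.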
  14. That last sentence above makes no sense. More below.
    I sense another round of misunderstanding there. The port used by the VPN
    itself has nothing to do with the ports used by the various applications
    that a person chooses to use.
    If you expect to be able to communicate on the Internet, then there's no
    such thing as a fake IP. That has been explained to you before.
    His understanding is head and shoulders above yours, it seems.
     
    Char Jackson, Sep 7, 2014
  15. I used the wrong words when I was trying to explain. I have that
    problem. I very rarely am able to explain what I am thinking properly.
    What I meant was that 1click gives you no more anonymity than a proxy
    does. Proxies can only hide your real IP. Not where you started from
    and where you are going as far as your IP or the internet network is
    concerned. Your ISP sees your real IP so does any of the places on the
    internet network that you pass through on your way to your destination.
    When you get to your destination they have no idea where you came from
    unless they have capability to "unhide" your real IP. There are sites
    that are capable of doing that. Your real IP cannot be encrypted or not
    used, only hidden, if you want to receive anything that you request. The
    internet network sees your real IP and so can anyone that really
    wants the information about you. The normal person on the internet has
    no way of seeing your real IP if it is hidden. Don't say it wont happen.
    There are many sites that have bits of code implanted in them that can
    read your IP and your browsers header, not necessarily
    by the site owner but by advertisement agencies, hackers... And these
    bits, I can't think of what they are all called right now, are not
    cookies. One of these is called ETags. There is also man in the middle
    attacks.
    Your ISP also knows where your traffic started and where you are going,
    if not your final destination then at least that your first stop is the
    VPN. Your ISP knows the beginning and end of the tunnel that the VPN
    creates. Since your ISP knows where the tunnel starts it also know it is
    you. After all your ISP is the one that gave you your IP. All your ISP
    would have to do is look up who is at the starting point. That tunnel is
    only a route to the VPN that nobody can "see" what is inside the tunnel.
    A public VPN has you protected until you arrive at their site. Once you
    leave you are not "protected" by the VPN. All the public VPN can do for
    you is hide your real IP not replace it. Your real IP is always
    available to whoever has to have it to service your route. So your
    location is always known by the internet network and can be determined,
    if the need arises, by those who controls those points. I don't think
    they or your ISP normally even look at any traffic. Only the traffic
    loads and to make sure everything is working properly.
    The public VPN gives you no more anonymity than a proxy does.
     
    Caver1, Sep 7, 2014
  16. Char Jackson wrote, on Sat, 06 Sep 2014 11:28:35 -0500:
    This is a wonderfully enlightening point!
     
    Yaroslav Sadowski, Sep 7, 2014
  17. William Unruh wrote, on Sat, 06 Sep 2014 13:17:08 +0000:
    OK. The "route -n" seems to be what tells me which IP address goes
    to the VPN that I ask a browser (or any smtp, pop, nntp, etc.) client
    to go to.

    But, didn't we already determine, from the "route -n" of the
    vpnoneclick test session, that *all* internet addresses were
    going to the tunnel, in two halves?

    1st half: 0.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    2nd half: 128.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
     
    Yaroslav Sadowski, Sep 7, 2014
  18. Caver1 wrote, on Sat, 06 Sep 2014 14:51:32 -0400:
    Most of the time, I'm not even using a (web) browser, so, I have trouble
    understanding the 'tab-in-a-browser' style VPN.

    I'm using nntp clients, mail user agents, ftp clients, telnet clients,
    bittorrent clients, etc., but rarely a browser.

    If I needed to hide my activities from the WISP and all I was using
    was a (web) browser, I'd use the TBB anyway.

    So, I have never seen this concept of a 'tab-in-a-browser' style VPN,
    nor does it appear to apply for this thread. (I'm sure it exists, it's
    just about as relevant to this thread as the vote for Scottish independence
    is.)
     
    Yaroslav Sadowski, Sep 7, 2014
  19. Caver1 wrote, on Sat, 06 Sep 2014 07:08:53 -0400:
    I have no idea what that means to 'aim' my email to the VPN.

    Before I start VPN, I can start Thunderbird, which is "aimed" at
    a google SMTP and IMAP port for sending & receiving email.

    Then, I start vpnoneclick, which appears to be a "full" VPN
    implementation, based on these routing table entries:
    0.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    This covers a destination of 0.0.0.0 to 127.255.255.254

    128.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    This covers a destination of 128.0.0.1 to 255.255.255.254

    Then, I can again start Thunderbird, which is *still* aimed at
    the same google SMTP & IMAP ports as before, but, now, we can
    presume, their traffic goes through the VPN "tunnel" tun0.
     
    Yaroslav Sadowski, Sep 7, 2014
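Why the two tun0 entries above take over from the existing default route, and why William's point that the VPN server's own address must stay off the tunnel matters: an added example of the kernel's longest-prefix-match lookup over a routing table built from the posts (this is not code from the thread or from vpnoneclick). The 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0 rows via 10.43.0.209 are copied from the posts; the wlan0 gateway, the LAN prefix, the tunnel subnet and the /32 host route to 198.143.153.42 are assumed, since the posts do not show those rows.

```python
"""Longest-prefix-match lookup over the routing table the thread shows.

Added example, not from the thread or vpnoneclick. The two /1 routes on tun0
are from the posts; the gateway, LAN, tunnel subnet and /32 rows are assumed.
"""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str, str]   # (network, gateway, interface)

# Same shape as `route -n`: destination, genmask, gateway, iface.
ROUTE_TABLE = [
    ("0.0.0.0",        "0.0.0.0",         "192.168.1.1", "wlan0"),  # pre-existing default (gateway assumed)
    ("0.0.0.0",        "128.0.0.0",       "10.43.0.209", "tun0"),   # 1st half, from the post
    ("128.0.0.0",      "128.0.0.0",       "10.43.0.209", "tun0"),   # 2nd half, from the post
    ("198.143.153.42", "255.255.255.255", "192.168.1.1", "wlan0"),  # host route keeping the tunnel's own packets off tun0 (assumed)
    ("192.168.1.0",    "255.255.255.0",   "0.0.0.0",     "wlan0"),  # local LAN (assumed)
    ("10.43.0.0",      "255.255.255.0",   "0.0.0.0",     "tun0"),   # tunnel subnet (assumed)
]


def parse_routes(table) -> List[Route]:
    return [(ipaddress.IPv4Network(f"{dst}/{mask}"), gw, iface) for dst, mask, gw, iface in table]


def lookup(dst_ip: str, routes: List[Route]) -> Tuple[str, str]:
    """Kernel rule: of the routes that match, the longest prefix wins. Returns (iface, gateway)."""
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst_ip}")
    return best[2], best[1]


def exits_via_tunnel(dst_ip: str) -> bool:
    """True when a packet to dst_ip would be sent into tun0 with the VPN up."""
    return lookup(dst_ip, parse_routes(ROUTE_TABLE))[0] == "tun0"


def routes_before_vpn() -> List[Route]:
    """The same table without the tun0 rows: what applies until openvpn adds them."""
    return parse_routes([r for r in ROUTE_TABLE if r[3] != "tun0"])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "200.0.0.1", "198.143.153.42", "192.168.1.20"):
        print(f"{ip:16} -> {lookup(ip, parse_routes(ROUTE_TABLE))}")
```

A /1 is more specific than a /0, so both halves beat the wlan0 default without the VPN client ever having to delete or replace it; and the /32 to the VPN server is more specific still, which is what stops the encrypted tunnel packets from being routed back into the tunnel.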
  20. No you don't need to know anything about the routing table.
    No matter if it is a "split" or a full tunnel,the only traffic that goes
    through the tunnel is that which is addressed/sent to the VPN's network.
    No other traffic is accepted. I never said that anything gets out of the
    tunnel. I said that not all of the users traffic goes through the
    tunnel. Doesn't matter whether it is split or full. Once some
    traffic/data is inside the tunnel the only way it gets out is at one end
    or the other.
    If I remember correctly it was in reference to your first connection to
    the VPN as no tunnel has been created so no encryption yet. The tunnel
    is not created until you login, no matter how long you stay at the login
    page. This only applies to private VPNs. Now that I think about it I
    would think that it would also apply to public VPNs as they have no idea
    when you want to connect until you arrive there asking to get in.

    Only those ports that are used between you and the VPN, so all ports
    between you and the VPN are controlled by the VPN. The VPN only stops
    traffic except that between it and you from using those ports, It cannot
    encrypt a port. VPNs only use a couple of ports not anywhere near all of
    them.
    Anyone that has the know how can see the beginning and end of the tunnel
    just not inside it.
    I never said the ports were tunneled. I said that the VPN controls the
    ports that the tunnel is connected to.
    No ports are tunneled just controlled. A tunnel does not control all ports.

    Your statement implied that you wanted to use a VPN, specifically your
    company's. Then your further statements were that you wanted to use that
    VPN so your ISP would not be able to tell that it was you.
    Being that you start out in the TOR network nobody but the TOR network
    and you know that it is you until after you leave the network. Being you
    are in the TOR network nobody can see your traffic except the TOR
    network itself. No encryption is needed nor does any port/s need to be
    controlled. But that is even questioned now.
    With the VPN your traffic is encrypted in the tunnel. Neither the tunnel
    or the encryption is started until after you connect to the VPN and
    request to be let in. So your ISP knows that you went to that network to
    begin with. After the tunnel is created the starting and end points can
    be seen. Since you are the end point the ISP knows that it is you using
    that tunnel. Your ISP knows that it is a tunnel by the type of traffic
    that goes through it. Your ISP just can't read that traffic.
    Once you get to the VPN's network(private) where outside of that network
    are you capable of going? No matter what you are using if it's not that
    networks program you go nowhere once accepted by that network using your
    system's programs. You only use the VPNs network programs to get to
    where you are allowed to go. I have yet to see a private protected
    network that would let you use its browser, if it has one that you can
    access, to get out of its network. So what good would the tiny bit of
    anonymity from your ISP that that would give you.
    The packets that go through the tunnel are not ports and only the
    packets are encrypted.

    The TOR network has to see your real IP so it can deliver all of your
    requests back to you. If you want to download something or view
    something how are those packets supposed to get back to you if it has no
    idea what your real IP is? The individual bridges or whatever do not
    know who passed you to them. That way the route cannot be followed. Has
    nothing to do with the network seeing your IP. The network still knows
    who you are.

    --
    Caver1

     
    Caver1, Sep 7, 2014
