What does the Wireless ISP (WISP) "see" when I'm using VPN from home?

Discussion in 'Wireless Internet' started by Yaroslav Sadowski, Sep 5, 2014.

  1. You were talking about your employer requiring you to use their VPN for
    work. They would not allow you to use anyone else's VPN since the
    traffic into the business would then be unencrypted. So what is in use
    depends on what the employer wants. They almost certainly do not want
    everything you do from home routed through their site -- imagine their
    liability when stuff from their network was involved in a crime.

    Not imaginary, encapsulated.

    And your employer would want that exposure for your posts etc?
     
    William Unruh, Sep 6, 2014

  2. Yaroslav Sadowski

    Char Jackson Guest

    Well please stop! :) Because that's not how VPNs work.
    If you have a VPN connection established and you open additional connections
    to various places, and now you close your VPN connection without all of the
    others stalling, then you've just proved to yourself that you were using a
    split tunnel VPN.

    The OP is asking about a full tunnel VPN, so your description and advice
    don't apply.
     
    Char Jackson, Sep 6, 2014

  3. Yaroslav Sadowski

    Char Jackson Guest

    Cute. :) A little obvious, though.
    Traffic to localhost doesn't "go" anywhere. By definition, it's local.
     
    Char Jackson, Sep 6, 2014
  4. Yaroslav Sadowski

    Char Jackson Guest

    I did. :)
     
    Char Jackson, Sep 6, 2014
  5. Yaroslav Sadowski

    Caver1 Guest


    It applies whether a full tunnel or a split tunnel, unless you are
    within the network, not just remotely connected to it. If within the VPN
    then the VPN has control over everything you do when you are connected
    to the outside. When you log out the tunnel is gone, so the other tabs'
    connections should disappear but they don't, as their route is gone.
     
    Caver1, Sep 6, 2014
  6. Yaroslav Sadowski

    Caver1 Guest


    Doesn't matter whether it is a full or split tunnel.
     
    Caver1, Sep 6, 2014
  7. Yaroslav Sadowski

    Char Jackson Guest

    None of that made sense, but I'm certain that it doesn't apply.
     
    Char Jackson, Sep 6, 2014
  8. Yaroslav Sadowski

    Char Jackson Guest

    That tells me that you don't know the difference. Not knowing the difference
    can be a problem.
     
    Char Jackson, Sep 6, 2014
  9. Yaroslav Sadowski

    Caver1 Guest

    It is true whether a full or split tunnel. Only the traffic that is
    using the connection made to the VPN is connected to the VPN. If the
    traffic is using anyplace/thing else other than that connection, it is
    not using the tunnel. Doesn't matter if a different tab or program.
    Example: your torrent program does not use the browser at all. It can be
    running at the same time as your connection to the VPN. Your torrent
    program is not going through the tunnel that is established between you
    and the VPN. If the torrents were going through the tunnel, when you
    log out of the VPN the tunnel is closed, so then the torrents should lose
    their connections; no matter how fast it picks them up again, the routes
    were broken. But the torrents never lose their connection when the
    tunnel is closed. The VPN does not have control over all your ports or
    connections, just the ones it is using.
     
    Caver1, Sep 6, 2014
  10. Yaroslav Sadowski

    Caver1 Guest

    It doesn't matter if a full or split tunnel is used. With a split tunnel
    then the other opened connections still use the tunnel from what you
    are saying. When the tunnel is closed the routes the connections that
    those other tabs/whatever would be gone. The complete tunnel is gone no
    matter if it is full or split.
    The only computers that have the complete benefit of a full tunnel are
    the computers within the network, not those outside that are just
    connecting for a period of time.
    I am too. As I said, it doesn't matter whether a full or split tunnel, a
    different browser or tab, or even a different program. The effects are
    the same when the tunnel is closed. Only those which were using the
    original connection lose their connection, the others don't.
     
    Caver1, Sep 6, 2014

  11. Agreed. They never care. They deliver a packet to the wireless software
    and say "send this to this address" with often an implicit port. They do
    not care how that delivery is accomplished. It could even be sent by
    carrier pigeon for all the software cares (mind you, the latency might be
    a bit severe).
    I.e., Firefox NEVER cares how the message is sent.
     
    William Unruh, Sep 6, 2014
  12. Yaroslav Sadowski

    Caver1 Guest

    Doesn't matter which type of tunnel is used. The tunnel is the VPN's; it is
    not controlled by the computer that is connected. The effects are the
    same no matter which type of tunnel is used as it is still one tunnel.
    When the tunnel is closed the whole tunnel is closed. The split that
    bypasses the VPN is not separate and is closed when the rest of the
    tunnel is closed. You will not lose your connections to other places
    when the tunnel is closed unless they are using the same connection. It
    is different for connections that originate from the VPN.

    Caver1
     
    Caver1, Sep 6, 2014
  13. Yaroslav Sadowski

    Caver1 Guest


    That is exactly the question that the OP asked. Why shouldn't the email
    program also be controlled by the VPN? He thinks that a VPN is useless
    if it doesn't. I told him that it doesn't and gave him two reasons why.
    One, it only completely controls the connection to itself and whatever
    uses that connection. The VPN does not control a connection that goes
    somewhere else than itself.
    I should have used a different program, not the mail program.
    Remember we are not talking about anything that originates from within
    the network only that which is from a temporary connection to the VPN.
    It is understandable if it doesn't make sense if you don't follow the
    complete thread. :)
     
    Caver1, Sep 6, 2014
  14. Yaroslav Sadowski

    Caver1 Guest

    Yes there is: one tab/browser is connected to the VPN, the other is not.
    How else is he going to connect to the VPN than his browser? Doesn't
    matter if it's a CLI or a GUI browser. So browser is a given.
    It can be either a full or split tunnel, only the data that is sent to
    the VPN is accepted by the VPN no matter what kind of tunnel. Just
    because you have a tunnel connecting you to the VPN doesn't mean that
    everything that connects to the internet from your computer is connected
    to the VPN. Can be but doesn't have to be.
    If a split tunnel, that tunnel is still connected to the VPN but only
    the traffic sent to it is accepted, the rest of your traffic goes
    elsewhere, it doesn't go through the VPN. If you used the connection
    that is connected to the VPN to go somewhere else it is sent down the
    other "split". If you connect to the internet from any other connection
    than the one established with the VPN, no matter split or full, the VPN
    has nothing to do with that connection.
    Remember this is connecting from a remote computer for a period of time.
     
    Caver1, Sep 6, 2014
  15. Yaroslav Sadowski

    Caver1 Guest

    It applies no matter what type of connection. Not all of your internet
    traffic has to go through the connection to the VPN. If you are remotely
    connected for a period of time.
     
    Caver1, Sep 6, 2014
  16. Yaroslav Sadowski

    Caver1 Guest

    He hasn't proved it. No matter if you are connected with a full or split
    tunnel does all of your connections have to go through that tunnel. Only
    the traffic that is sent to the VPN has to.
    How else is he going to connect to that VPN except through his browser?
    If one tab in that browser is connected to the VPN the other is not
    unless directed at the VPN. Since it is a different connection how are
    you going to connect the second tab to the tunnel?
     
    Caver1, Sep 6, 2014
  17. alexd wrote, on Sat, 06 Sep 2014 16:19:51 +0100:
    I installed iftop:
    $ sudo apt-get install iftop

    And then ran it with a video streaming in the background:
    $ iftop -n -i wlan0
    interface: wlan0
    IP address is: 192.168.1.3
    MAC address is: 00:24:b2:a0:4a:f3
    pcap_open_live(wlan0): wlan0: You don't have permission to capture on that device (socket: Operation not permitted)

    $ sudo iftop -n -i wlan0

    Wow. That gives an interactive chart, with Mbps on the top along
    the x axis, and IP addresses inside the interactive chart.

    I'll have to read up on iftop to better understand how to
    interpret what I'm seeing happen, while I'm downloading files.

    Thanks for all the great advice!
    You're a life saver!
     
    Yaroslav Sadowski, Sep 6, 2014
  18. alexd wrote, on Sat, 06 Sep 2014 16:19:51 +0100:
    Thank you very much for that detailed analysis!

    I never would have, on my own, been able to conclude that.
    It's interesting that vpnoneclick splits the Internet into two
    halves, for example, as that's not intuitive.

    Here is the free VPN solution that I was/am using:
    http://216.185.105.35/vpnoneclick/
    It is interesting that "B" even exists, but, a clue that it does
    may be that when I "kill -9" the VPN process, instantly I am back to
    my old ISP static IP address when I immediately issue an "inxi -i" command.

    This reversion back to the old routes is so fast, that I don't think
    the network manager is all that involved.

    After rebooting, here is the route before running the VPN command:

    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    This is your original default route.
    192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
    This is a route to your LAN out of wlan0.

    After running the vpn initialization command, here is the route:
    $ gksudo vpn1click &
    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    This covers a destination of 0.0.0.0 to 127.255.255.254.
    This is the 1st half of the Internet split by the VPN provider.
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    This is your original default route.
    10.43.0.1 10.43.0.209 255.255.255.255 UGH 0 0 0 tun0
    Unsure what the significance of this is.
    10.43.0.209 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    This means that 10.43.0.209 can be reached by a packet out of tun0.
    198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
    108.178.54.10 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0
    These two are static routes added by the VPN client software.
    The only traffic that doesn't traverse tun0 is traffic to these
    two IP addresses.
    128.0.0.0 10.43.0.209 128.0.0.0 UG 0 0 0 tun0
    This covers a destination of 128.0.0.0.1 to 255.255.255.254.
    This is the 2nd half of the Internet split by the VPN provider.
    192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
    This is a route to your LAN out of wlan0.

    Then, when I kill the vpn, here's the route:

    $ ps -elfww|grep vpn
    0 S usr 3170 1701 0 80 0 - 58576 hrtime 13:15 pts/0 00:00:01 gksudo vpn1click
    4 S root 3175 3170 0 80 0 - 17214 poll_s 13:15 ? 00:00:00 /usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- vpn1click
    4 S root 3176 3175 2 80 0 - 36051 poll_s 13:15 ? 00:00:16 vpn1click
    5 S root 3331 1701 0 80 0 - 8266 poll_s 13:15 ? 00:00:05 /usr/sbin/openvpn --config /etc/vpnoneclick/client.ovpn --daemon

    $ sudo kill -9 3170 3175 3176 3331
    $ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
    192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
    198.143.153.42 192.168.1.1 255.255.255.255 UGH 0 0 0 wlan0

    I notice that the VPN server of "198.143.153.42" is *still* in the route.
    Any insight into these results is appreciated!
     
    Yaroslav Sadowski, Sep 6, 2014
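
Added example, not part of any post in this thread: a longest-prefix-match check over the two "route -n" tables posted above, computing which destination ranges are reached outside tun0 and are therefore the only destinations the ISP-facing interface carries directly. The function names are hypothetical, and gateways and metrics are left out on the assumption (true for these tables) that no two routes tie on prefix length.

```python
import ipaddress

# Rows copied from the two "route -n" listings in the post above, reduced to
# (destination, genmask, interface).
VPN_UP = [
    ("0.0.0.0", "128.0.0.0", "tun0"),
    ("0.0.0.0", "0.0.0.0", "wlan0"),
    ("10.43.0.1", "255.255.255.255", "tun0"),
    ("10.43.0.209", "255.255.255.255", "tun0"),
    ("198.143.153.42", "255.255.255.255", "wlan0"),
    ("108.178.54.10", "255.255.255.255", "wlan0"),
    ("128.0.0.0", "128.0.0.0", "tun0"),
    ("192.168.1.0", "255.255.255.0", "wlan0"),
]
VPN_KILLED = [
    ("0.0.0.0", "0.0.0.0", "wlan0"),
    ("192.168.1.0", "255.255.255.0", "wlan0"),
    ("198.143.153.42", "255.255.255.255", "wlan0"),
]

def parse(table):
    return [(ipaddress.ip_network(f"{dst}/{mask}"), ifc) for dst, mask, ifc in table]

def egress(table, dest):
    """Interface chosen for dest: the most specific matching route wins."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in parse(table) if addr in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def outside_tunnel(table, tunnel="tun0"):
    """Address ranges whose winning route does not use the tunnel interface."""
    routes = parse(table)
    exposed = []
    for net, _ in [r for r in routes if r[1] != tunnel]:
        remaining = [net]
        # Carve out every strictly more specific route: it overrides this one.
        for other, _ in routes:
            if not (other.prefixlen > net.prefixlen and other.subnet_of(net)):
                continue
            nxt = []
            for piece in remaining:
                if other.subnet_of(piece):
                    nxt.extend(piece.address_exclude(other))
                elif not piece.subnet_of(other):
                    nxt.append(piece)
            remaining = nxt
        exposed.extend(remaining)
    return sorted(ipaddress.collapse_addresses(exposed))
```

With the VPN up, the original default route via wlan0 wins no addresses at all, because the two /1 routes on tun0 are more specific; after the `kill -9`, the result collapses back to 0.0.0.0/0.
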
  19. Yaroslav Sadowski

    Caver1 Guest



    I and many others use a fake IP when surfing the internet and have no
    problems getting a response. Don't know how it works just know that it
    does. Always get my downloads and other stuff that gives me a response.
    There are several browser addons that will give you a fake IP that the
    internet sees.
    I have tested that everyone only sees the fake IP by going to different
    sites that tell you what your IP is. All of them show the fake IP, not
    the real one. Don't bother testing anymore.
     
    Caver1, Sep 6, 2014
  20. Yaroslav Sadowski

    Char Jackson Guest


    You're missing a very basic premise of the concept of VPN.
    Right, so you're describing a split tunnel again. None of that applies to a
    full tunnel, which is what the OP asked about.
     
    Char Jackson, Sep 6, 2014