VPN path question

Discussion in 'Networking & Security' started by lOCHLI, Jan 4, 2019.

  1. lOCHLI

    lOCHLI n00b

    Messages:
    20
    Joined:
    Aug 7, 2017
    So, I have read a decent amount online about this but all the info seems to be all over the place, and I have a few general questions if a guru doesn't mind...

    With regards to a VPN and the connection path, which is correct:

    Computer -> VPN (encryption takes place prior to being sent) -> LAN/WAP -> Internet. In this scenario, which would be ideal, it appears that the data would be encrypted prior to reaching whatever AP and would be unable to be deciphered without the key by somebody packet snooping/IT teams/jesus...

    OR

    Computer -> (unencrypted traffic) LAN/WAP -> VPN (encryption takes place) -> Internet. This appears to be less than ideal because the "queries", for lack of a better word, would be completely visible for somebody to intercept from the computer at the AP level prior to reaching the VPN for encryption.

    This is where I'm confused and want to pin down where the encryption takes place. Sure, in option 2 you would be fine in the internet world, but completely open prior to that, from the original source to the AP. I.e., if I open Firefox and type funny pics.com, the AP would easily see/log that query, right?

    What am I missing here?
     
  2. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,151
    Joined:
    Nov 16, 2009
    You're comparing a client VPN connection to an endpoint/site-to-site vpn connection. It depends on your needs, but hiding traffic from your own internal firewall isn't typically a concern. If it is, then you would probably want to replace it with a trusted device. Option A is best if you just need to connect a single device to the vpn. Option B is better if you want multiple devices to be able to use the vpn tunnel. Any decent firewall should be able to create rules to limit which devices can use the tunnel, so it's not an all or nothing thing if you set it up right.
     
    lOCHLI likes this.
  3. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,351
    Joined:
    Oct 4, 2007
    So basically you are talking about two different VPN designs and where encryption takes place is going to be determined where the VPN tunnel is terminated. And your assumptions are correct at a high level.

    Assuming you are talking about using a paid VPN service like Nord or PIA
    • VPN client on your computer:
      • Packets are encrypted on the endpoint prior to egressing the workstation's physical NIC, but are encapsulated via a logical adapter that the client will install. The routing tables on your machine are usually updated to use the tunnel adapter for all destination traffic that is internet bound. This makes all of your internet traffic (webmail, http/s, FTP, etc.) invisible to your router and all other clients within your network and basically anything in the path between you and the "other side" which will decrypt the IPSEC.
    • VPN on your router:
      • Works the same as above, but basically all traffic 'downstream' from your router will still be unencrypted (your router and other clients can see normal unencrypted traffic, such as non-https), but as it egresses the router, it will be encapsulated in IPSEC and shipped off the same way as above.
     
    lOCHLI likes this.
  4. lOCHLI

    lOCHLI n00b

    Messages:
    20
    Joined:
    Aug 7, 2017
    Thanks a lot guys!!!

    Yea, I'm using a VPN client (PIA) on my laptop which I use every day for work and personal activities and connect to many open APs, so I wanted to make sure my data was "protected" prior to ever reaching the AP. This was my main concern as some information could be considered "confidential" and I don't want average snooping eyes able to intercept.
     
  5. ZeqOBpf6

    ZeqOBpf6 Gawd

    Messages:
    582
    Joined:
    Aug 24, 2014
    Yep. When I open my router's info table the pie chart shows 98% as "other" while it can show some really detailed stuff. The other 2% is just ICMP stuff and the occasional time I'm not connected.

    When I'm not connected it can show websites, IPs, with timelogs and data usage... everything really.
     
  6. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,151
    Joined:
    Nov 16, 2009

    If you need this vpn tunnel at multiple locations/networks, then a client VPN is the only option.

    The traffic between you and the AP is already encrypted using the wifi protocols, so outside people can't snoop. But this is starting to sound like you are trying to hide network traffic from an internal work network or something... If that's the case, my only recommendation is don't try and bypass company security.
     
  7. lOCHLI

    lOCHLI n00b

    Messages:
    20
    Joined:
    Aug 7, 2017
    Yes and no. I'm an independent contractor using my own laptop at various locations throughout the US where work is being performed. I must use the clients' APs for internet as I don't have a mobile hotspot or cell data sometimes. My communications with my employer are "privileged" and some clients are not happy that they are not included in the information distribution. So... wanted to verify there was no way they can snoop my exchange. Edit to add: Between my computer and the AP. I understand after the AP, regardless of the VPN, it will be encrypted by then.
     
  8. rtangwai

    rtangwai [H]ard|Gawd

    Messages:
    1,361
    Joined:
    Jul 26, 2007
    If you are using a software VPN client like OpenVPN to connect to a remote network and it is set to TUN (which means send *ALL* Internet traffic thru the VPN, not just traffic meant specifically for the remote network you are connecting to) then everything coming in and out of your laptop is encrypted before it hits the AP. The only traffic not encrypted is data meant for the local network you are connected to.

    If your software VPN client is set to TAP then only traffic specifically directed to the remote network gets sent thru the VPN tunnel, anything like Internet browsing is not encrypted.

    If you are using a software VPN client just to encrypt data going thru the Internet eg. Windscribe then all Internet traffic is encrypted automatically regardless of destination between your laptop and the VPN server. On the Windscribe client you can go a step further and block local network access altogether when the client is connected, but that would also block you from local network assets like network printers and shares.
     
    lOCHLI likes this.
  9. lOCHLI

    lOCHLI n00b

    Messages:
    20
    Joined:
    Aug 7, 2017
    Thank you for this detail! PIA doesn't seem to have this option although I know it uses a TAP driver. Might have to look into OpenVPN.
     
  10. Biznatch

    Biznatch 2[H]4U

    Messages:
    2,151
    Joined:
    Nov 16, 2009
    It could also be called split tunneling. Disabling that will do the same thing as the previous post mentioned and force all traffic through the tunnel, not just traffic destined for routes advertised by the vpn gateway.
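    The distinction discussed in the last few posts (the client rewriting the routing table so Internet-bound traffic uses the tunnel adapter, all traffic tunneled versus only the remote network, and split tunneling) can be verified on a Linux laptop by reading the routing table rather than trusting the client's UI. The following is an added example, not code from any poster here or from PIA, OpenVPN or Windscribe. It parses `ip route show` output, applies the kernel's longest-prefix-match rule to a few probe addresses, and reports whether the table is in full-tunnel, split-tunnel or no-tunnel state. The interface name prefixes, the three constructed route tables and the probe addresses are assumptions for illustration; it also goes a step beyond the thread by recognising the 0.0.0.0/1 + 128.0.0.0/1 pair that OpenVPN's `redirect-gateway def1` installs, not just a replaced default route.

```python
"""Classify a VPN client's routing state from a Linux `ip route show` dump.

Added example: device names, route tables and probe addresses below are
constructed for illustration, not captured from any real VPN product.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Interface-name prefixes a VPN client's virtual adapter typically uses
# (assumption; compare with `ip link` on the machine being checked).
TUNNEL_DEV_PREFIXES = ("tun", "tap", "wg", "ppp")

# Public-looking probes spread across both halves of the IPv4 space so that a
# 0.0.0.0/1 + 128.0.0.0/1 pair is exercised as well as a replaced default route.
INTERNET_PROBES = ("1.1.1.1", "8.8.8.8", "93.184.216.34", "198.51.100.20")
REMOTE_NET_PROBE = "172.16.5.5"   # stands in for a host on a remote office LAN
LOCAL_LAN_PROBE = "192.168.1.10"  # stands in for a printer on the current LAN


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    dev: str


def parse_ip_route(text: str) -> List[Route]:
    """Extract destination prefix and output device from each `ip route` line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or ":" in parts[0]:        # skip blanks and IPv6 lines
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        match = re.search(r"\bdev\s+(\S+)", line)
        if match is None:                       # blackhole/unreachable entries
            continue
        routes.append(Route(ipaddress.ip_network(dst, strict=False), match.group(1)))
    return routes


def egress_device(routes: List[Route], ip_str: str) -> Optional[str]:
    """Longest-prefix match, the rule the kernel applies (metric ties ignored)."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for route in routes:
        if ip in route.dst and (best is None or route.dst.prefixlen > best.dst.prefixlen):
            best = route
    return best.dev if best else None


def audit_route_table(text: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Return ("full" | "split" | "none", {probe: egress device}).

    full  - every Internet probe leaves via a tunnel adapter
    split - a tunnel adapter exists, but some Internet traffic bypasses it
    none  - no tunnel adapter appears in the table at all
    """
    routes = parse_ip_route(text)
    has_tunnel = any(r.dev.startswith(TUNNEL_DEV_PREFIXES) for r in routes)
    probes = list(INTERNET_PROBES) + [REMOTE_NET_PROBE, LOCAL_LAN_PROBE]
    paths = {p: egress_device(routes, p) for p in probes}
    internet_tunneled = [
        paths[p] is not None and paths[p].startswith(TUNNEL_DEV_PREFIXES)
        for p in INTERNET_PROBES
    ]
    if not has_tunnel:
        mode = "none"
    elif all(internet_tunneled):
        mode = "full"
    else:
        mode = "split"
    return mode, paths


# Constructed tables. 203.0.113.5 plays the VPN server, reached via the Wi-Fi
# gateway so the tunnel itself does not loop through the tunnel.
FULL_TUNNEL_TABLE = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
172.16.0.0/12 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

NO_VPN_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL_TABLE),
                        ("split", SPLIT_TUNNEL_TABLE),
                        ("none", NO_VPN_TABLE)):
        mode, paths = audit_route_table(table)
        print(f"{name:5s} -> {mode}: {paths}")
```

    On a live machine, feed it the real output (`ip route show` on Linux; on Windows `route print` has a different layout and would need its own parser). A "full" verdict still leaves the local LAN probe on wlan0, which is the behaviour rtangwai describes: only traffic for the network you are physically on stays outside the tunnel. Note that the check only reads the routing table; a DNS resolver configured on the physical adapter could still leak queries even when the verdict is "full".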
     
  11. rtangwai

    rtangwai [H]ard|Gawd

    Messages:
    1,361
    Joined:
    Jul 26, 2007
    Are you using PIA to connect to a remote network or just to encrypt your Internet traffic?

    If it is to a remote network then you need to investigate further, but if it is only for Internet traffic, i.e. connect to the PIA servers, then it should be fine and you don't have to do anything.

    Also, are you using a different VPN to connect to a remote network? I've had a few issues when trying to use both a VPN service (like PIA and Windscribe) and my own personal VPN server to connect to my network remotely.