From: Tim Frink on
Hi,

my university provides me with a vpn server that I would like to use in order
to encrypt my data while using an open WiFi.

In this context, I have a couple of questions:
1) What is the general idea behind a vpn? Can this be basically seen as the
following configuration?:

|ME| <--WLAN/unsafe--> |VPN SERVER| <--encrypted--> |Internet|

That is, I connect via an unsafe connection (like open WLAN) with a vpn
server. The data transferred here is not encrypted. The vpn server encrypts
all data such that everything that I send/receive to/from the Internet is
encrypted, hence there is no danger of sniffing data (since not useful for
attacker). This way, I basically protect all my transmitted data even
though an open, unsafe WLAN is used?

2) When I connect to the vpn server, an encrypted ssh connection is used.
However, to log in to the server I have to use the open WLAN. Is this
potentially not dangerous since someone can sniff my unencrypted vpn login
data?

3) I am using vpnc (under Linux). After connecting to the open WLAN (via
knetworkmanager), I use the vpnc-connect script that
reads my configuration file. After typing my username and password, vpnc
tells me "VPNC started in background (pid: 4162)...". When I use an
Internet browser/e-mail client ... after this, will all data
automatically be transmitted via the vpn server? Or is something else
required to redirect data to the vpn server?

4) If I understand it correctly, the vpn server will still receive all
my data in an unencrypted way. Does this mean that the provider of the
vpn server has access to my raw data? If so, is there a way to avoid this?

Thank you for your help.

Best,
Tim
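Question 3 above (does everything go through the vpn once vpnc reports it is running?) is answered by the kernel's routing table, not by vpnc's message. The following is an added example, not part of the thread and not vpnc's own code: it parses `ip route show` output and checks whether the default route points at the tunnel interface. It assumes the interface is called tun0 (vpnc's default) and that the vpnc-script left the usual shape behind, a default route on tun0 plus one host route to the VPN gateway over the WLAN; the two sample tables are constructed, not captured from a real machine.

```python
"""Check whether a Linux routing table sends all default traffic through
the VPN tunnel.  Added example for the thread's question 3; it is not part
of vpnc.  Assumptions: the tunnel interface is tun0 (vpnc's default) and
the table is in the format printed by `ip route show`."""
import subprocess
from typing import Dict, List

# `ip route` keywords that are followed by a value; anything else on the
# line (e.g. the flag 'linkdown') is skipped.
VALUED_KEYS = {"via", "dev", "proto", "scope", "metric", "src", "table", "mtu"}


def parse_routes(table: str) -> List[Dict[str, str]]:
    """Turn `ip route show` output into dicts like
    {'dst': '192.0.2.10', 'via': '192.168.1.1', 'dev': 'wlan0'}."""
    routes = []
    for line in table.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        route = {"dst": tokens[0]}
        i = 1
        while i < len(tokens):
            if tokens[i] in VALUED_KEYS and i + 1 < len(tokens):
                route[tokens[i]] = tokens[i + 1]
                i += 2
            else:
                i += 1
        routes.append(route)
    return routes


def default_route_device(table: str) -> str:
    """Interface carrying the default route, or '' if there is none."""
    for route in parse_routes(table):
        if route["dst"] == "default":
            return route.get("dev", "")
    return ""


def all_traffic_via_vpn(table: str, tun: str = "tun0") -> bool:
    """True when the default route goes out through the tunnel device."""
    return default_route_device(table) == tun


def routes_bypassing_tunnel(table: str, tun: str = "tun0") -> List[str]:
    """Destinations still reached outside the tunnel.  The local LAN prefix
    and the /32 host route to the VPN gateway itself are expected here;
    anything else is a split-tunnel route pushed by the concentrator, and
    traffic to it crosses the open WLAN unprotected by the VPN."""
    return [r["dst"] for r in parse_routes(table)
            if r["dst"] != "default" and r.get("dev") != tun]


# Constructed sample tables (not captured from a real machine).
BEFORE_VPNC = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600
"""

AFTER_VPNC = """\
default dev tun0 scope link
192.0.2.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.37 metric 600
"""


def live_check(tun: str = "tun0") -> bool:
    """Run the same check against this machine's real routing table."""
    table = subprocess.run(["ip", "route", "show"], capture_output=True,
                           text=True, check=True).stdout
    return all_traffic_via_vpn(table, tun)


if __name__ == "__main__":
    for name, table in (("before vpnc", BEFORE_VPNC), ("after vpnc", AFTER_VPNC)):
        print(f"{name}: default route via {default_route_device(table) or 'none'}, "
              f"tunnelled={all_traffic_via_vpn(table)}, "
              f"outside tunnel={routes_bypassing_tunnel(table)}")
```

In the "after" table the only routes outside tun0 are the LAN prefix and the host route to the VPN gateway (192.0.2.10, a documentation address standing in for the university's concentrator), which is exactly what is needed for the tunnel itself to reach the server; `live_check()` runs the check on the real table.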
From: David Schwartz on
On May 28, 5:34 am, Tim Frink <plfr...(a)yahoo.de> wrote:

> 1) What is the general idea behind a vpn? Can this be basically seen as the
> following configuration?:
>
> |ME| <--WLAN/unsafe--> |VPN SERVER| <--encrypted--> |Internet|
>
> That is, I connect via an unsafe connection (like open WLAN) with a vpn
> server. The data transferred here is not encrypted. The vpn server encrypts
> all data such that everything that I send/receive to/from the Internet is
> encrypted, hence there is no danger of sniffing data (since not useful for
> attacker). This way, I basically protect all my transmitted data even
> though an open, unsafe WLAN is used?

No, you have it 100% backwards. It's

You <-> WLAN/unsafe <-> VPN Server <-> unencrypted <-> Internet

So the traffic between you and the VPN server (which passes over the
WLAN) is encrypted.

> 2) When I connect to the vpn server, an encrypted ssh connection is used.
> However, to log in to the server I have to use the open WLAN. Is this
> potentially not dangerous since someone can sniff my unencrypted vpn login
> data?

The VPN login data is encrypted. All traffic between you and the VPN
server is encrypted.

> 4) When I understand it correctly, the vpn server will still receive all
> my data in an unencrypted way. Does this mean that the provider of the
> vpn server has access to my raw data? If so, is there a way to avoid this?

That is correct. The VPN operator must decrypt all the data it
receives from you and encrypt all your data to pass back to you over
the VPN. The point of the VPN is strictly to protect against a
stranger intercepting your WiFi traffic. It does not provide any
protection from other threats.

DS
From: Tim Frink on
> You <-> WLAN/unsafe <-> VPN Server <-> unencrypted <-> Internet
>
> So the traffic between you and the VPN server (which passes over the
> WLAN) is encrypted.

Thank you for your answer. Just to make sure that I understand the
concept of VPN: Everything that I transmit via an unsafe WLAN connection
can be theoretically sniffed by others, right? When I now connect to
a VPN server, all the communication between me and the VPN server goes
through the unsafe WLAN. So, all data that I send has to be already
encrypted otherwise the raw data could be sniffed before reaching the
VPN server. Thus, my understanding is that everything sent to the VPN
server is already encrypted, the VPN decrypts it and sends it to the
Internet to allow the Web browsers on the Internet to interpret my
data (since they don't understand the encrypted data). But this does
not conform to your "diagram". So, where is my mistake?

Tim
From: David Schwartz on
On May 28, 2:51 pm, Tim Frink <plfr...(a)yahoo.de> wrote:
> > You <-> WLAN/unsafe <-> VPN Server <-> unencrypted <-> Internet

> > So the traffic between you and the VPN server (which passes over the
> > WLAN) is encrypted.

> Thank you for your answer. Just to make sure that I understand the
> concept of VPN: Everything that I transmit via an unsafe WLAN connection
> can be theoretically sniffed by others, right?

Correct. That's why you want to encrypt it.

> When I now connect to
> a VPN server, all the communication between me and the VPN server goes
> through the unsafe WLAN. So, all data that I send has to be already
> encrypted otherwise the raw data could be sniffed before reaching the
> VPN server.

Exactly. And it is. All data that travels over the VPN itself (the
link between you and the VPN server) is encrypted by the end that is
sending it. So it doesn't matter if it passes over the wireless.

> Thus, my understanding is that everything sent to the VPN
> server is already encrypted, the VPN decrypts it and sends it to the
> Internet to allow the Web browsers on the Internet to interpret my
> data (since they don't understand the encrypted data). But this does
> not conform to your "diagram". So, where is my mistake?

I'm not sure why you think that doesn't conform. Maybe we're just
using terms differently.

Data sent from your computer over the VPN is encrypted by the VPN
software. So it doesn't matter that it's not encrypted by the WiFi
link or that someone can intercept it. Similarly, responses from the
Internet are encrypted by the VPN server, so it doesn't matter that
it's not encrypted by the WiFi link or that it can be intercepted.

DS
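The two replies above describe the encryption as being done by the VPN software on whichever end is sending, and point out that the VPN operator therefore sees the plaintext. The following is an added example, not from the thread and not vpnc or any real VPN protocol: it models the three vantage points (eavesdropper on the open WLAN, the VPN server, the Internet host) with a toy tunnel cipher, an HMAC-SHA256 keystream plus an HMAC tag, used only because Python's standard library has no AES. It also goes one step beyond the replies: a second run wraps the request in an application-layer cipher first, as a stand-in for HTTPS, which is what keeps the content away from the VPN operator as well. The keys, hostname and login request are constructed for the demo.

```python
"""Who sees what when a request crosses an open WLAN inside a VPN tunnel.
Added example, not vpnc or any real VPN protocol: the cipher here is a
demonstrative HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC).
Keys, hostname and request are constructed for the demo."""
import hashlib
import hmac
import os
import struct
from typing import Dict

# Assumed demo keys: one shared by the vpnc client and the VPN server,
# one shared by the browser and the web server (the HTTPS stand-in).
TUNNEL_KEY = hashlib.sha256(b"demo tunnel key (assumption)").digest()
APP_KEY = hashlib.sha256(b"demo application key (assumption)").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || block_index), concatenated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, frame: bytes) -> bytes:
    """Verify the tag before decrypting; a modified frame is rejected."""
    nonce, ct, tag = frame[:16], frame[16:-32], frame[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tunnel frame failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def run_session(app_data: bytes, end_to_end: bool = False) -> Dict[str, bytes]:
    """Client -> open WLAN -> VPN server -> Internet host.
    Returns the bytes each vantage point can observe."""
    inner = seal(APP_KEY, app_data) if end_to_end else app_data  # HTTPS stand-in
    wire = seal(TUNNEL_KEY, inner)           # vpnc encrypts before the WLAN card
    wlan_sniffer = wire                      # all an eavesdropper on the WLAN gets
    vpn_server = unseal(TUNNEL_KEY, wire)    # the operator removes the tunnel layer
    internet_host = unseal(APP_KEY, vpn_server) if end_to_end else vpn_server
    return {"wlan_sniffer": wlan_sniffer,
            "vpn_server": vpn_server,
            "internet_host": internet_host}


def can_read(observed: bytes, secret: bytes) -> bool:
    """Does this vantage point see the secret in the clear?"""
    return secret in observed


def tamper_detected(frame: bytes) -> bool:
    """Flip one ciphertext bit, as a WLAN attacker could, and check it is caught."""
    flipped = frame[:16] + bytes([frame[16] ^ 0x01]) + frame[17:]
    try:
        unseal(TUNNEL_KEY, flipped)
        return False
    except ValueError:
        return True


# Constructed login request (not real traffic).
REQUEST = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
           b"user=tim&password=hunter2")

if __name__ == "__main__":
    for e2e in (False, True):
        print("with" if e2e else "without", "end-to-end encryption inside the tunnel:")
        for who, data in run_session(REQUEST, end_to_end=e2e).items():
            print(f"  {who:14s} sees the password: {can_read(data, b'hunter2')}")
```

Without the inner layer the WLAN sniffer sees only ciphertext while the VPN server and the host both see the password, which is the situation the replies describe; with it, only the host does. The tag check is why the tunnel also protects against an attacker on the WLAN altering the traffic, not just reading it.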
From: unruh on
On 2010-05-28, Tim Frink <plfriko(a)yahoo.de> wrote:
> Hi,
>
> my university provides me with a vpn server that I would like to use in order
> to encrypt my data while using an open WiFi.
>
> In this context, I have a couple of questions:
> 1) What is the general idea behind a vpn? Can this be basically seen as the
> following configuration?:
>
>|ME| <--WLAN/unsafe--> |VPN SERVER| <--encrypted--> |Internet|

No
Me->VPN software on my own computer->encrypted->Wireless card -> remote
server->whatever.
Just as with ssh, it is encrypted on the link out of your computer.
That is why you have to install vpn software onto your machine.

>
> That is, I connect via an unsafe connection (like open WLAN) with a vpn
> server. The data transfered here is not encrypted. The vpn server encrypts
> all data such that everything that I send/receive to/from the Internet is
> encrypted, hence there is no danger of sniffing data (since not useful for
> attacker). This way, I basically protect all my transmitted data even
> though an open, unsafe WLAN is used?
>
> 2) When I connect to the vpn server, an encrypted ssh connection is used.
> However, to log in to the server I have to use the open WLAN. Is this
> potentially not dangerous since someone can sniff my unencrypted vpn login
> data?
>
> 3) I am using vpnc (under Linux). After connecting to the open WLAN (via
> knetworkmanager), I use the vpnc-connect script that
> reads my configuration file. After typing my username and password, vpnc
> tells me "VPNC started in background (pid: 4162)...". When I use an
> Internet browser/e-mail client ... after this, will all data
> automatically be transmitted via the vpn server? Or is something else
> required to redirect data to the vpn server?
>
> 4) If I understand it correctly, the vpn server will still receive all
> my data in an unencrypted way. Does this mean that the provider of the
> vpn server has access to my raw data? If so, is there a way to avoid this?
>
> Thank you for your help.
>
> Best,
> Tim