Re: [Openvpn-users] OpenVPN security question

  Subject: Re: [Openvpn-users] OpenVPN security question
  From: Michael Heydon
  Date: Tue, 15 Jan 2008 08:21:10 +0900

bart wrote:
> Hi David,
> 1) When I do IPCONFIG/ALL, I see three headings with information:
> Windows 2000 IP Configuration
> Ethernet adaptor openvpn
> Ethernet adaptor Local Area Connection
> If I have openvpn connected, then there is more information contained under the
> middle heading ("Ethernet adaptor openvpn"). This information is in the form of
> IP addresses.
Does the "Ethernet adaptor openvpn" list a value for "Default gateway"? 
You mentioned before that whatismyip reported the same value regardless 
of whether or not you are connected, so I suspect you aren't using the 
vpn as a default gateway.

> 2) When I do nslookup www.google.com without openvpn, I can see that my ISP for
> my home internet connection is listed after "Server:"
> If I connect to openvpn and do the same thing, I can then see that a server from
> work is listed after "Server:"
But based on this you are using your work's name server.
> So I take it that this means that my employer has a record of every web page
> that I have viewed using my browser on my home PC whenever openvpn was
> connected. They never informed me of this, but I will be careful in the future.
> One more question: will the logs clearly show that I accessed these pages from
> my home PC, and not while physically on company premises?
> Thanks
When you connect to a website there are two stages. Say I want to go to 
http://openvpn.net/download.html. First of all I connect to my name 
server and ask for the IP of openvpn.net ( I then make an 
outbound connection to that IP on port 80 and send "GET /download.html". 
If I look at other pages on openvpn.net I can skip the first step 
because I already know the IP address.

The procedure is similar for other types of connection.

So your employer can see that you are looking up openvpn.net but they 
can't see what you are doing with that information; you might be 
browsing the web, connecting to a Quake match, testing your connection 
with ping or just poking around with nslookup.

If they were your default gateway then they would be able to see (and 
possibly intercept) the second stage (the port 80 connection) and from 
that they could figure out what you were doing exactly.

Unless they are specifically trying to find out what you are doing at 
home, they are unlikely to go digging through DNS logs; logging at the 
gateway is much simpler.
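
Added example, not part of the original message: the two checks discussed above (does the VPN adapter list a default gateway, and does it supply the name server) applied to `ipconfig /all`-style output in Python. The sample text, its addresses and the function names `parse_adapters` and `assess` are constructed for illustration.

```python
import re
# Constructed sample in the layout of `ipconfig /all`; all addresses are placeholders.
SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter openvpn:

        IP Address. . . . . . . . . . . . : 10.8.0.6
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 10.8.0.1
                                            10.8.0.2

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

HEADER = re.compile(r"^\S.* adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 ]*?)(?: ?\.)+ :\s*(.*)$")

def parse_adapters(text):
    """Return {adapter name: {field name: [values]}}."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current, last = adapters.setdefault(header.group(1), {}), None
        elif current is not None and line.strip():
            field = FIELD.match(line)
            if field:
                last = field.group(1)
                value = field.group(2).strip()
                current[last] = [value] if value else []
            elif last:  # continuation line, e.g. a second DNS server
                current[last].append(line.strip())
    return adapters

def assess(adapters, vpn_name):
    vpn = adapters[vpn_name]
    gateway, dns = vpn.get("Default Gateway", []), vpn.get("DNS Servers", [])
    return {
        "vpn_is_default_gateway": bool(gateway),  # stage two (port 80) crosses the VPN
        "dns_via_vpn": bool(dns),                 # stage one (name lookup) may cross the VPN
        "vpn_dns_servers": dns,
    }

if __name__ == "__main__":
    print(assess(parse_adapters(SAMPLE), "openvpn"))
```

This only reads the per-adapter fields asked about in the message; the routing table shown by `route print` is the fuller view of where traffic actually goes.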

