Re: [Openvpn-users] OpenVPN security question

  • Subject: Re: [Openvpn-users] OpenVPN security question
  • From: "Chris Buechler" <openvpn@xxxxxxxxxxxxxxxxx>
  • Date: Tue, 15 Jan 2008 21:43:33 -0500

On 1/15/08, bart <batm947@xxxxxxxxx> wrote:
> Just to clarify: this means that when I requested web pages while connected with
> OpenVPN, the packet data containing the actual content of those web pages never
> went through the company's system, correct? All that happened was a hostname was
> sent and an IP address was sent back.


> I have been concerned about this because all this time that I have been using
> OpenVPN I was using Remote Desktop, and didn't realize my employer could see
> what sites I visit using my home PC's browser. There are sites that I access
> from home that would cause problems for me if I visited them from work (not
> necessarily adult sites, I mean job search sites, competitors that are courting
> me, etc).

If they know your personal email address, I'd be careful what you post
on things such as this that are forever archived in multiple
locations.  :)

> I have just two last questions:
> 1)  Previous posts indicate that my employer is less likely to notice my surf
> history if only the company DNS is used and not the company gateway. Can you
> please describe this a bit more to someone who doesn't have a sys admin
> background? Why is it easier for them or more likely for them to examine gateway
> traffic than DNS lookups?

This is probably true, but we're just guessing since we don't know any
detail of the network. Your employer very well could report on DNS
logs, but on most networks, the reporting capabilities of who goes
where utilize something other than DNS. Most commonly this comes from
proxy server logs, or content filtering software that ties into the
firewall, amongst other possibilities.  I've seen a ton of networks
over the years in consulting gigs and I can't recall a single one that
reported on Internet usage from DNS logs. I'm sure some do, but it's
not very common.

Note it may be possible for your browser to use your employer's proxy
server while connected to OpenVPN. One situation that comes to mind is
WPAD on Windows and Internet Explorer: if your IE is configured to
automatically obtain connection information and your employer uses
WPAD, it's possible your browser will auto-configure itself to use
their proxy. You can be guaranteed that won't happen if you use

> 2) If they were to examine DNS logs and find something they didn't like, would
> these logs definitively show that I accessed these sites from my home PC and not
> from work? Would they even definitely know it had been from my home PC, and not
> from someone else using OpenVPN?

Yes. They would show up as originating from the IP of your OpenVPN
connection, which can be tied to you on your home PC.

One thing you might want to consider is using VMware Player and a
virtual appliance with a browser for surfing while connected to the
VPN. That'll go out directly on your home network and you won't have
to worry about any of these possibilities.
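
The attribution described in the answer to question 2, as an added example that is not part of the original message: it joins a resolver query log against the OpenVPN server's status file to show how a lookup sourced from a VPN address maps back to one client certificate and home IP. It assumes a BIND-style query log and the `status-version 1` file layout; every name, address and log line below is constructed.

```python
import re

# Constructed sample: OpenVPN server status file (status-version 1 layout).
STATUS = """\
OpenVPN CLIENT LIST
Updated,Tue Jan 15 21:40:00 2008
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice-home,198.51.100.23:51820,48211,90133,Tue Jan 15 20:02:11 2008
bob-laptop,203.0.113.77:40112,1204,3310,Tue Jan 15 21:15:40 2008
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice-home,198.51.100.23:51820,Tue Jan 15 21:39:58 2008
10.8.0.10,bob-laptop,203.0.113.77:40112,Tue Jan 15 21:39:12 2008
GLOBAL STATS
END
"""
# Constructed sample: BIND-style query log lines from the company resolver.
DNS_LOG = """\
15-Jan-2008 21:31:02.114 client 10.8.0.6#1045: query: jobs.example.org IN A +
15-Jan-2008 21:31:09.870 client 192.168.10.44#2210: query: intranet.corp.example IN A +
15-Jan-2008 21:33:47.002 client 10.8.0.10#1190: query: mail.corp.example IN A +
15-Jan-2008 21:35:20.551 client 10.8.0.6#1051: query: www.example.net IN A +
"""
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def vpn_sessions(status_text):
    """Map each VPN virtual address to (certificate common name, real IP)."""
    sessions, in_routes = {}, False
    for line in status_text.splitlines():
        if line in ("ROUTING TABLE", "GLOBAL STATS"):
            in_routes = line == "ROUTING TABLE"
        elif in_routes and not line.startswith("Virtual Address"):
            virtual, cn, real, _last_ref = line.split(",", 3)
            sessions[virtual] = (cn, real.rsplit(":", 1)[0])  # drop the UDP/TCP port
    return sessions

def attribute_queries(dns_log, sessions):
    """Return (common name, real IP, queried name) for lookups sourced from VPN addresses."""
    hits = []
    for line in dns_log.splitlines():
        m = QUERY_RE.search(line)
        if m and m["ip"] in sessions:  # queries from office LAN hosts are skipped
            cn, real_ip = sessions[m["ip"]]
            hits.append((cn, real_ip, m["name"]))
    return hits

if __name__ == "__main__":
    for cn, real_ip, name in attribute_queries(DNS_LOG, vpn_sessions(STATUS)):
        print(f"{cn} (connecting from {real_ip}) looked up {name}")
```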
