Jump to content

OpenVPN Encryption

Infatuas

By Infatuas
in Everything Else

 Share

Recommended Posts

Infatuas Newbie

Infatuas

Posted
Posted (edited)

Why does adding vpn under https add more security? To my knowlege you cannot read ssl encrypted traffic, or the encapsulated packets of ssl headers. This is why firewalls offer deep ssl inspection where the firewall proxies traffics and uses its own ssl cert so it can then read the ssl headers.

Edited by Infatuas
Link to comment
Share on other sites
newbi3 Newbie

newbi3

Posted
Posted

Encrypting your packets doesn't encrypt your IP address. It encrypted the payload of the packet. So if you are browsing the net for example going to google.com people can still tell what site you are visiting but if they try to look at the content of the page they can not see that. You should preform a man in the middle attack while you're connected to your VPN, open wireshark and follow the packet flow you should see that you cannot read the contents of the packets if you can read the packets I suggest you get a different VPN service!

Hope this helps you!

Link to comment
Share on other sites
Infatuas Newbie

Infatuas

Posted
  • Author
Posted

I understand IP isn't encrypted but since my exit node is no longer my personal firewall my IP is "masked" because I'm NATing through a different firewall.

Why does adding vpn under https add more security? To my knowlege you cannot read ssl encrypted traffic, or the encapsulated packets of ssl headers. This is why firewalls offer deep ssl inspection where the firewall proxies traffics and uses its own ssl cert so it can then read the ssl headers.

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted

Why does adding vpn under https add more security? To my knowlege you cannot read ssl encrypted traffic, or the encapsulated packets of ssl headers. This is why firewalls offer deep ssl inspection where the firewall proxies traffics and uses its own ssl cert so it can then read the ssl headers.

Correct, you can't read SSL encrypted traffic. But with the right software and hardware, it's possible to read SSL encrypted traffic.

Now, the reason why adding a VPN under HTTP(s) add more security, is because you are adding an additional layer of encryption.

You now have two different layers of encryption. Even if an attacker manages to break through the first layer, he still have to break through the second layer, which therefore increases your overall security but reduces your throughput and system performance.

Link to comment
Share on other sites
Infatuas Newbie

Infatuas

Posted
  • Author
Posted

So it is useful and necessary, because I'm adding another layer to the onion.

The problem I have with that is if I just use my personal exit node I'm a small target, I can control my own internal security and even build ssl/tls tunnels to my own firewall internally. I am forced to trust a network and company I know nothing about, technically. They could all be honey pots for all we know. Not to mention when using OpenVPN or like products, once I leave their exit node my packets enter plain text internet anyhow.

so I may be adding another layer of security. 1 for https and 1 for vpn = 2; I have to trust my isp 1 and now trust another provider whos network I don't control 1 = 2. seems to cancel out 2 pros 2 cons.

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted (edited)

So it is useful and necessary, because I'm adding another layer to the onion.

The problem I have with that is if I just use my personal exit node I'm a small target, I can control my own internal security and even build ssl/tls tunnels to my own firewall internally. I am forced to trust a network and company I know nothing about, technically. They could all be honey pots for all we know. Not to mention when using OpenVPN or like products, once I leave their exit node my packets enter plain text internet anyhow.

There is just one more challenge. Your traffic will only remain encrypted from point A (yourself) to point B (VPN server). Once your traffic leaves point B, it will once again become clear-text. So all the effort, you went through to ensure your traffic was heavily encrypted, will once again be travelling in clear-text.

If you're going to be transmitting data, just make sure you encrypt it before hand. This will make sure, that your data remains safe. You could then use PGP to self-sign it and even if it gets tempered with, you will know something happened along the way.

Edited by Infiltrator
Link to comment
Share on other sites
Infatuas Newbie

Infatuas

Posted
  • Author
Posted

So now I have protected from taps off my ISP/mitm, one would have to track/connect the dots from vpn to my real ip and decrypt data. This raises two more questions:

I've been successful in creating a 2 headed proxy chain by using my main os to connect to a paid/no log vpn then using vbox to spin up a vm and run a separate paid vpn (diff provider) through that. I cannot think of a way to use a third other than taking over a remote host through the second proxy to establish a 3rd. Any other ideas?

Also, what kind of encryption software could I use that requires use of private key? I know truecrypt can do this and it's proven open source code. Anything better? What about just using 7zip with aes-256 to encrypt files? No key though..

This is all for study btw.

Link to comment
Share on other sites
newbi3 Newbie

newbi3

Posted
Posted

I have an openvpn running on a server at my house I use this when I am on unstrusted networks. No I do not trust my ISP and no I do not trust any other ISP anymore than mine. However my reason for doing this is because I trust that at my house no one is sniffing the wire. I don't trust that at a coffee shop no one is sniffing the wire. If someone where to be running ssl strip for example on the coffee shops network I wouldn't be effected by that because my traffic is encrypted with another layer. Between my home and my ISP, my isp can still see all of my traffic but there really is no way to get around that. I could move my end point to a remote server but I don't trust them anymore then I trust my ISP. It is all a matter of who to trust really. I say the less people looking at my traffic the better.

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted (edited)

I don't trust any service provider, not even my own ISP. Don't forget they could be working along side with any government la w agency.

So running your own SSH, or OpenVPN server from your own house, and then tunnelling your traffic through it, makes it very safe. Because you own it and have control over it.

Your ISP on the other hand, can only see the IP addresses you access, but not the traffic itself.

Edited by Infiltrator
Link to comment
Share on other sites
barry99705 Veteran

barry99705

Posted
Posted

I don't trust any service provider, not even my own ISP. Don't forget they could be working along side with any government la w agency.

So running your own SSH, or OpenVPN server from your own house, and then tunnelling your traffic through it, makes it very safe. Because you own it and have control over it.

Your ISP on the other hand, can only see the IP addresses you access, but not the traffic itself.

Which will encrypt anything between yourself and your house, once it leaves your house, then the isp can see it. I know you know that, just trying to highlight that for the OP. The only true way to use the internet anonymously is not to use it.

Link to comment
Share on other sites
newbi3 Newbie

newbi3

Posted
Posted

I don't trust any service provider, not even my own ISP. Don't forget they could be working along side with any government la w agency.

So running your own SSH, or OpenVPN server from your own house, and then tunnelling your traffic through it, makes it very safe. Because you own it and have control over it.

Your ISP on the other hand, can only see the IP addresses you access, but not the traffic itself.

Once the traffic leaves my server and goes out to the internet my ISP can see that. All I am being protected from is easedropping in the middle between where I am and my home. The encryption provided by your vpn only stretches to the end point of the vpn not all the way to the web server you are requesting information from. Now if the web server is on the same network as you are with your vpn you are fine. The encryption goes like this:

ME ----------------- COFFEE SHOPS ISP ------- HOME VPN ------ HOME ISP

gets encrypted ---------> encrypted ---------> gets decrypted --> plain-text

gets decrytped <-------- encrypted <--------- gets encrypted <---- plain-text

Link to comment
Share on other sites
Infatuas Newbie

Infatuas

Posted
  • Author
Posted

Yeah, I get all of that. Just trying to determine my own method is what is interesting. Security is way too dependent on trusting others. From software development, to ISP to VPN servers.

My two last questions still stand. :)

Link to comment
Share on other sites
Infiltrator Newbie

Infiltrator

Posted
Posted

Also, what kind of encryption software could I use that requires use of private key? I know truecrypt can do this and it's proven open source code. Anything better? What about just using 7zip with aes-256 to encrypt files? No key though..

This is all for study btw.

Look into this one, http://www.gnupg.org/ if you haven't heard of.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...