Am I monitored through VPN?
August 21, 2007 4:47 PM

This may be a dumb question, but when I am connected to my work's vpn from home (I use a vpn/remote desktop combo), is all of my traffic, even the stuff outside of the server, going through my work? In other words, can they see everything or only what I do through remote desktop?
posted by jules1651 to Computers & Internet (14 answers total) 7 users marked this as a favorite
 
This is one way VPNs can work, yes. Try checking your route list after you've connected successfully to the VPN.

For Windows, choose Start > Run, type cmd and press OK. Then, in the resulting window, type ROUTE PRINT and post the results here.
posted by odinsdream at 4:53 PM on August 21, 2007


Unless your office is using a "Split VPN" then all of your traffic is going through work.

In a VPN context, split tunneling is the term used to describe a multiple-branch networking path. A tunnel is split when some network traffic is sent to the VPN server and other traffic is sent directly to the remote location without passing through the VPN server. (http://www.cites.uiuc.edu/vpn/splittunneling.html)

Are you using a VPN client? (Cisco, etc) or just the built in Windows VPN?

Each has its own way of enabling split VPN. I think your office has to support it as well, but I could be wrong there.

Non-Split VPNs are more common among all the VPNs I've seen.
posted by mattdini at 4:56 PM on August 21, 2007


You need to enable SPLIT-VPN, as everyone else says. If you haven't, likely they see all the traffic.
posted by SirStan at 4:59 PM on August 21, 2007


You don't need to get so fancy. They most assuredly employ a proxy server. Just unclick the little box in your browser which tells it to go through the proxy server. I am pretty sure this will get you out of the vpn connection on that browser and into the net straight through your isp. It won't prevent more sophisticated logging software etc., but most of the logging is done at the proxy server/firewall.
posted by caddis at 5:32 PM on August 21, 2007


A VPN doesn't happen at the browser. Even if there is an autoconfiguring proxy server, there's also a network route to that server, and that route either takes all traffic there (not split VPN) or some (split VPN).

So yes, there's the possibility that thanks to an enforced proxy, all of your web traffic goes through work even though you have a split VPN, but that would be pretty weird. Really it comes down to the split/not-split thing that was explained above.
posted by mendel at 6:17 PM on August 21, 2007


Thanks guys. I am currently using Mac OS 10.4 and the Cisco Client software 4.9. Odinsdream, could you tell me how to do that from a Mac? Also, any advice on configuring the Cisco client for split vpn would be great. Thanks for everyone's help so far!
posted by jules1651 at 6:57 PM on August 21, 2007


"... Also, any advice on configuring the Cisco client for split vpn would be great. ..."

Check with your business IT people before trying this. Many businesses like to prevent split VPN operation because it's a potential security hole that would allow trojans or botware to use your machine as a proxy for attacking resources inside the corporate intranet. Attempting to connect to a VPN with enough security enforcement in place to detect and prevent that will be very frustrating for you. If you keep trying, they'll get annoyed, find you, log you, and have a chat with you that may have unpleasant moments.
posted by paulsc at 7:09 PM on August 21, 2007


jules, open a terminal. (Apps, Utils)

$ netstat -r

Look for the interfaces. One of them represents your upstream ISP and one represents your VPN to work. "en1" is a common upstream, and "tap0" is a common VPN interface.

If the line for which the destination is "default" is labeled "tap0" or like it, then all traffic is going to your VPN endpoint, and there may be exceptions for other traffic (but not likely). If it's "en1" or like it, then your network is mostly normal and as you expect, with some exceptions for networks that are at your company. Dig it?
posted by cmiller at 7:21 PM on August 21, 2007


This is incredible to me. Can someone please clarify? This is the scenario as I understand it:

I log on the internet from home, for home reasons, through my normal home browser, nothing to do with work. I'm happily browsing MeFi. Just an idle evening in the privacy of my home.

Suddenly I want to check my work email, so I open up another browser, go to my company's URL with the Cisco link, launch the Cisco tunneling application, and then choose the RDP link from my company's remote apps page.

Now I've got a virtual desktop going (can't copy/paste between them, etc.) and when I minimize that I'm back to my real desktop.

Suddenly ALL my websurfing traffic is going through work? My metafilter window is now going through my company's proxy? Every site I visit from my "home" browser is going through my company?

This sounds wrong, wrong, wrong. Although I obviously have no expertise.

Would it prove anything if I could get to a site through my "home" browser that I know is filtered by my company?
posted by luser at 11:17 AM on August 22, 2007


luser, my guess with using RDP to a specific address is that only that specific address is added to your routing table. Of course, insanity or ignorance means it's at least possible that your company's IT department has it all screwed up.

It doesn't prove anything that you can visit some sites that your company normally filters. You don't know where the filter is, topologically speaking, I presume. It might not be between your VPN address and the big bad Internet.
posted by cmiller at 1:28 PM on August 22, 2007


Could someone explain what Windows users should look for in the ROUTE PRINT list described above? I've had the same question about my own VPN setup.

I use Nortel Contivity VPN software and then run a batch file that says "net use w: \\xxx.xx.xx.xx\drivename /user:myname" which together let me access the work drive, Outlook, etc.
posted by Yogurt at 3:04 PM on August 22, 2007


I'm not sure if it's significant, but if I tracert to, say, CNN, no work servers are listed in the hops (and indeed, the route stays with my ISP's network right out of Canada and into the U.S.).
posted by Yogurt at 3:12 PM on August 22, 2007


Yogurt, here's an example (it comes from a virtual machine, so it's going to look a little strange):

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.211.55.1     10.211.55.3       1
      10.211.55.0    255.255.255.0      10.211.55.3     10.211.55.3       1
      10.211.55.3  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.211.55.3     10.211.55.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.211.55.3     10.211.55.3       1
  255.255.255.255  255.255.255.255      10.211.55.3     10.211.55.3       1
Default Gateway:       10.211.55.1

This list shows how the operating system will route network requests. You may want to read a bit more about how subnets and IP addresses are related to one another in order to better understand what the list is saying.

Traffic whose destination matches the first column will be routed via the interface whose address is listed in the Gateway column. The first line above is a special case, in that it is the fallback for anything not matching another line. This is your default gateway, as clarified in the last line.

So, when I try to browse to metafilter, which is at 74.53.68.13, the computer won't find a match in any of the lines, so it will default to the route through 10.211.55.1.

In practice, if the address in the Default Gateway line is an address on your company's network, then your web browsing traffic is going through that path. If the Default Gateway is your home router, as it normally will be, you're fine.
posted by odinsdream at 7:31 AM on August 26, 2007
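
The route lookup described in the post above, as an added example that is not part of the original thread: it parses ROUTE PRINT rows, picks the most specific matching route for a destination, and reports whether general internet traffic leaves through a gateway you identify as your employer's. The function names, the second table, and the addresses 192.168.1.1 (home router) and 10.8.0.1 (VPN gateway) are constructed assumptions.

```python
import ipaddress

# Rows copied from the ROUTE PRINT output posted in the thread.
THREAD_TABLE = """\
          0.0.0.0          0.0.0.0      10.211.55.1     10.211.55.3       1
      10.211.55.0    255.255.255.0      10.211.55.3     10.211.55.3       1
      10.211.55.3  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255      10.211.55.3     10.211.55.3       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0      10.211.55.3     10.211.55.3       1
  255.255.255.255  255.255.255.255      10.211.55.3     10.211.55.3       1
"""

# Constructed split-tunnel table (assumption, not from the thread): the default
# route stays on the home router; only 10.20.0.0/16 goes to the VPN gateway.
SPLIT_TABLE = """\
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      25
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      25
        10.20.0.0      255.255.0.0         10.8.0.1        10.8.0.6       1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each 5-column row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # headers, blank lines, the "Default Gateway:" line
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}", strict=False)
            routes.append((net, cols[2], cols[3], int(cols[4])))
        except ValueError:
            continue
    return routes

def lookup(routes, dest):
    """Most specific (longest-prefix) match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3]), default=None)

def tunnel_mode(routes, vpn_gateways, probe="74.53.68.13"):
    """Classify the table by where a public address (probe) would be sent."""
    hit = lookup(routes, probe)
    if hit and hit[1] in vpn_gateways:
        return "full tunnel"
    if any(r[1] in vpn_gateways for r in routes):
        return "split tunnel"
    return "no VPN routes"
```

Looking up a probe address rather than reading only the Default Gateway line also catches tables where more specific routes cover the whole address space.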


Thanks for following up my late piggyback on this question, Odinsdream. That explains it very clearly! (On my system, requests for my mapped drives go to the work server but all other requests go to my home router, which is how I would prefer things.)
posted by Yogurt at 8:36 AM on August 28, 2007

