Is RDC traffic running through VPN?


Big Ry

Regular Contributor
Forgive my ignorance, as I'm sure this is probably a stupid question. I am very much a novice to networking.

I'm currently working from home every other day. My employer configured the means to do so by instructing us to download and connect to Palo Alto Networks Global Protect, then setup a Remote Desktop connection to our office computers via Windows RDC. They alluded to a lack of encryption in saying that this was "not a secure connection" but that it will have to do for now.

So I already have VPN service through ExpressVPN at my house. It's configured in Merlin on my RT68U, and I only have select clients running through it. If I set my PC to run through my VPN, will it encrypt all traffic to and from my office? Or only encrypt to and from VPN server, such that traffic between VPN server and office is unencrypted? Or does Global Protect and/or RDC just render my VPN useless?

Sent from my Pixel 2 XL using Tapatalk
 
So I already have VPN service through ExpressVPN at my house. It's configured in Merlin on my RT68U, and I only have select clients running through it. If I set my PC to run through my VPN, will it encrypt all traffic to and from my office?

No. ExpressVPN only encrypts the traffic between you and their own servers. After that, it goes "in the clear" between their servers and your final destination (your employer's server).

The only way to secure things properly is to have a VPN server at your employer's location.

Do note that RDP _is_ encrypted. The security warning you received was probably that the encryption certificate was not recognized, which is normal unless you are running within a domain and you deploy your own signed certificates throughout the network.
 
Thanks for clarifying. So my employer just sees data coming to and from ExpressVPN servers? I wonder if that pisses them off lol. Obviously I'm logged in, so they know it's me regardless. But maybe they can't snoop on me with whatever I'm doing on my machine (not on RDC)? I ask because apparently global protect enables them to control my browsing. I tried to download some surveillance software for my home surveillance system, and a firewall prevented me from doing so. It was definitely my company's firewall, not my own.

Also, I didn't receive a computer error about the insecure connection. That came from an email or other internal communications from my employer. I just tried to find it again, but I was not able to.

 
Thanks for clarifying. So my employer just sees data coming to and from ExpressVPN servers? I wonder if that pisses them off lol.

Some corporations may choose to block IP addresses that come from some regions (for example, from outside of your country). That could cause issues connecting to them.

But maybe they can't snoop on me with whatever I'm doing on my machine (not on RDC)?

A VPN provider will have no effect on that. All it does is encrypt between you and ExpressVPN, and nothing more. So, the only ones you are "hiding" your traffic content from are your ISP, and whichever provider they use between themselves and ExpressVPN. The only change at the remote destination will be that the traffic will come from a different IP address than the one assigned to you by your ISP.
 
Ok now I'm confused. You seem to allude to the fact that the VPN server will in some way influence traffic between my home computer and my (remote) work computer. Is this not the case? In order for me to even use RDC, I need the service from my ISP to provide the means of communicating. So if traffic between me and the ISP is on VPN, doesn't that necessarily mean traffic between me and my work is on VPN at least part of the time? Doesn't it still have to funnel through the VPN server before getting to my remote computer?

 
I think you are missing some understanding on how the Internet works.

Basically, the Internet is a bunch of servers and routers talking to one another. You never talk directly to a server - you only talk to the next hop after you. So a hypothetical scenario:

Code:
home -> home router -> ISP router -> Level 3 router -> AT&T router -> work ISP router -> work router -> work server

(Level 3 and AT&T are just random backbone providers used as examples, which will transit traffic between different providers)

If you use a VPN provider, it will look something like this. Note that "==" is encrypted, and "->" is not:

Code:
home -> home router + VPN client == Home ISP router == Level 3 router == VPN provider's ISP == VPN provider's server -> VPN provider's ISP -> work ISP router -> work router -> work server

So, your traffic will only get encrypted through half of its route. And from your work's point of view, the only difference is the traffic will seem to come from "VPN provider's ISP" instead of coming from "home ISP".

The short story: using a VPN provider will add ZERO security. As I wrote, all it does is hide your traffic from your ISP, and show a different source IP address to the remote end (your work's server).
 
I don't see how that's any different from what I said. Once the unencrypted traffic leaves the VPN for my work, it's using the VPN IP as you said. Isn't that in and of itself providing some level of security? You couldn't use that VPN IP address to try to infiltrate my network, because it's not an IP address in my network, right? So how would anyone identify the source of the traffic at that stage of transmission between VPN and work? Are there markers inside the individual packets that would identify the true source of the data?

And if a VPN doesn't provide any security at all, why do people use them for security? Why does virtually every company requiring remote access to servers run through a VPN? Surely they're not doing it just to hide from their ISP. I require remote access to my router to remotely monitor my surveillance system, but I need to use VPN to avoid having my devices used for DDoS attacks. At least that's what I've been told. By the way, I love the fact that Merlin can simultaneously configure clients to multiple VPN servers and be used as a VPN server itself!

 
I don't see how that's any different from what I said. Once the unencrypted traffic leaves the VPN for my work, it's using the VPN IP as you said. Isn't that in and of itself providing some level of security? You couldn't use that VPN IP address to try to infiltrate my network, because it's not an IP address in my network, right? So how would anyone identify the source of the traffic at that stage of transmission between VPN and work? Are there markers inside the individual packets that would identify the true source of the data?

The PRIMARY goal of a VPN is not to hide your IP address - it's to encrypt the content so nobody can steal your data while in transit.

And if you need to hide your IP address from your work, then you probably need a new job - these guys already have your social security number and such...

And if a VPN doesn't provide any security at all, why do people use them for security?

Don't confuse a VPN service provided by ExpressVPN with a VPN service implemented on your own (or your employer's) server. The first one is mostly for obfuscating your data from your ISP and forging your origin IP, the latter is to ensure that you can transmit data between both ends without anyone being able to steal that data. Again, I will refer you to my two charts to see the huge difference between both. Only with an implementation where the VPN server is at the final destination will all of your data remain encrypted throughout the entire transit.

It's not about the VPN technology, it's about how it's implemented and how it's used.
 
Here is another illustration comparing a VPN server provided by ExpressVPN versus a VPN server running at your work's office. The bold part is encrypted.

With Express VPN:
Home -> ISP -> Internet -> ExpressVPN -> Internet -> Work ISP -> Work server

With a VPN server running at your work office:
Home -> ISP -> Internet -> Work ISP -> Work server

In the first case, your data can be stolen by anyone within the non-bold portion. That means that through half of the transit, your data is not secure, and is vulnerable to interception. In the second case, nobody can steal that data while in transit.


And to be topical, a VPN is like a face mask. Sure, it can protect you against sunburns or bad breath, but the primary goal is to protect against disease transmission. And if you go outside wearing one, after 15 mins you take it off, and spend another 15 mins outside without wearing it, then you aren't getting any real protection against diseases, since half of that time spent outside, you will be vulnerable to catching (or transmitting) a disease.
 

Don't confuse my attempts to understand the technology with me saying I'm trying to keep secrets from my employer or something along those lines. I'm well aware that they can probably see every single thing I do. I only asked about my employer in particular because they claimed the connection was insecure, and I thought I might actually be providing them a helpful service by running my data through a VPN. My company (though not my particular group) does classified work for the DoD, and those people in all likelihood have a completely different set of requirements for working remotely. But even our group sees regular and sometimes very sophisticated attacks from outside entities. They constantly harp on security and regularly give us phishing tests. So I thought, why not add some security if I can. Any other discussions about data between my employer and me were purely hypothetical so I can understand what's going on.

On that, I had no idea that services like ExpressVPN are functionally different than say a corporate VPN. I thought the basic premise was identical even if individual components and details may differ.

I get that VPN data between myself and my work computer would be encrypted the entire way. I also get that data between my remote devices and my home router will be encrypted while connected to openvpn.

But is there absolutely ZERO security benefits to running data through ExpressVPN servers (ISP anonymity aside)? If I'm connecting to ExpressVPN and visit say Amazon, that data is encrypted until it leaves ExpressVPN servers, right? At that point that it leaves their servers, anyone can see the website and what I bought or browsed for. But is there any direct link back to my public IP somewhere in that data? Short of form info, credit card data, etc. which might be contained within the data, is there any specific identifying information within that data that can tie said data to my name, IP address, or physical address? If the answer to that is no, then I say technically there is some level of security provided outside of the encrypted transit part of the transmission. Realistically, my name and other identifying info is probably plastered all over the packets, but again I'm talking about an idealized scenario here in which I do not have personally identifiable information embedded in the packets themselves.

This is probably most applicable to anyone trying to infiltrate my home network solely to use my devices for a DDoS attack. Assuming they have no desire to obtain my personal info for monetary gain or for attacking me directly, they would just want access to my devices. They would at a minimum need my public IP address to do so, correct? Wouldn't using ExpressVPN create an additional level of anonymity on top of my routers security making it more difficult for them to do this?

 
To the facemask analogy, how is this the same as removing the facemask? I'm not talking about turning off the VPN. Wouldn't a better analogy be me (in a facemask) handing off a donor heart for a transplant to someone not wearing a facemask? In that scenario, I theoretically protected the heart when it was in my hands, the second person did not. But neither the second person nor the end recipient know who I am or where I got the heart from. They just know it's a heart and it could have been contaminated.

 
To the facemask analogy, how is this the same as removing the facemask?

Your traffic stops being encrypted mid-way during transit. So while your data cannot be stolen during the first half, it will once again be possible to steal it during the second half of transit.
 
Don't confuse my attempts to understand the technology with me saying I'm trying to keep secrets from my employer or something along those lines.

Don't read too much into what I wrote about that, it was mostly tongue-in-cheek.

But is there absolutely ZERO security benefits to running data through ExpressVPN servers (ISP anonymity aside)?

In your scenario there isn't, unless you have particular reasons to not trust your ISP and their immediate upstream providers. But there is little point in securing your data only for half of their transit - it does not provide a tangible security improvement.

I'm connecting to ExpressVPN and visit say Amazon, that data is encrypted until it leaves ExpressVPN servers, right? At that point that it leaves their servers, anyone can see the website and what i bought or browsed for.

No, because in this case, you have a separate layer of encryption between your web browser and Amazon's web server, through HTTPS. So in this case, the only thing ExpressVPN would do is hide your IP address from Amazon's servers (and possibly hide your DNS query for www.amazon.com from your ISP).

This is probably most applicable to anyone trying to infiltrate my home network solely to use my devices for a DDoS attack. Assuming they have no desire to obtain my personal info for monetary gain or for attacking me directly, they would just want access to my devices. They would at a minimum need my public IP address to do so, correct?

A large portion of modern attack vectors aren't related to hackers targeting you directly. They are caused by the use of social engineering techniques (like phishing emails) or infection of a remote web server, and the end-user actively visiting those compromised websites, clicking on a malicious email attachment, etc... That leads to installation of malware software within your network, and that software then issues an outbound call to a remote server, giving the attacker complete control over your network, without the need of knowing your real IP address. A VPN provider cannot protect you against that.
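As an added illustration, not from any post in this thread: a small Python model of the two route charts drawn earlier and of the HTTPS case discussed just above. For each route it reports which public-Internet hops can read the payload and which address the destination attributes the traffic to. The hop names and tunnel endpoints are constructed assumptions, not anyone's real equipment.

```python
# Constructed hop-by-hop model of the routes drawn in this thread.
# Hop names are placeholders, not any real provider's equipment.
from dataclasses import dataclass

@dataclass(frozen=True)
class Layer:
    """One encryption layer on the path.
    kind:  "vpn" = network tunnel, which also changes the source address seen
           downstream; "app" = application TLS such as HTTPS, which protects
           the payload end to end and changes no address.
    start/end: indexes of the hops that apply and strip the encryption.
    Hops strictly between them see ciphertext; both endpoints handle plaintext.
    """
    kind: str
    start: int
    end: int

def plaintext_hops(path, layers):
    """Names of hops at which the payload is readable (inside no layer)."""
    return [h for i, h in enumerate(path)
            if not any(lay.start < i < lay.end for lay in layers)]

def apparent_source(path, layers):
    """Who the destination thinks is talking to it: the last VPN tunnel
    endpoint before it, otherwise the home router's ISP-assigned IP."""
    dest = len(path) - 1
    ends = [lay.end for lay in layers if lay.kind == "vpn" and lay.end < dest]
    return path[max(ends)] if ends else path[1]

def exposure(path, layers):
    """Plaintext hops on the public Internet (everything past the home router
    up to and including the destination's ISP), plus the source the
    destination sees. Hop names are unique, so name lookup is safe."""
    internet = path[2:len(path) - 2]
    readable = plaintext_hops(path, layers)
    return {"exposed_on_internet": [h for h in internet if h in readable],
            "apparent_source": apparent_source(path, layers)}

# Chart 1: VPN client on the home router, tunnel ends at the provider, then
# clear text on to the office (the payload's own TLS, if any, is ignored).
PROVIDER_PATH = ["home PC", "home router (VPN client, ISP-assigned public IP)",
                 "home ISP router", "backbone router", "VPN provider's ISP",
                 "VPN provider's server", "VPN provider's ISP (outbound)",
                 "work ISP router", "work router", "work server"]
PROVIDER_VPN = Layer("vpn", 1, 5)

# Chart 2: the VPN server sits at the office, so the tunnel reaches it.
OFFICE_PATH = ["home PC", "home router (VPN client, ISP-assigned public IP)",
               "home ISP router", "backbone router", "work ISP router",
               "work VPN server / router", "work server"]
OFFICE_VPN = Layer("vpn", 1, 5)

# The Amazon case: HTTPS inside the provider tunnel protects the payload end
# to end; the provider only changes the source address the web server sees.
HTTPS_INSIDE_PROVIDER = [PROVIDER_VPN, Layer("app", 0, 9)]

if __name__ == "__main__":
    for label, path, layers in [("provider VPN", PROVIDER_PATH, [PROVIDER_VPN]),
                                ("office VPN", OFFICE_PATH, [OFFICE_VPN]),
                                ("HTTPS via provider", PROVIDER_PATH,
                                 HTTPS_INSIDE_PROVIDER)]:
        print(label, exposure(path, layers))
```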
 
The problem is, a lot of VPN service providers are (deliberately or not) misleading when promoting their service. Since a lot of their potential customers do not understand what a VPN does exactly, they just associate VPN with Security, and assume that it will secure all of their Internet traffic. It does not.

Bottom line is, if you need to ensure that all of your Internet traffic is properly encrypted, secured and cannot be eavesdropped or stolen, you need a VPN server running directly at the final destination (i.e. the office network you want to connect to, or your home network if you want to access it while outside of home). Anything that uses a VPN server running anywhere between the two endpoints will NOT protect you against that.
 
If the vast majority of security issues result from phishing or inadvertently downloading infected files, then what's the point of even trying to secure the data at all? Even with end to end VPN? If you've already manually granted access to malicious persons, your VPN, https, and whatever other security you have implemented on the data transmission is pointless then, no? Is an encrypted drive even secure from ransomware in that case?

 
By the way, my original reason for using VPN was to enable me to watch NFL Game Pass in North America. I originally was using Smart DNS to trick it into streaming, but my ISP throttled the BS out of it. It was completely unwatchable; you couldn't see anything (and I have a 65" 4k TV!). I also noticed they were throttling Sling and Netflix pretty bad, though not nearly as bad as Game Pass. So I switched to Express VPN and didn't ever have any throttling again.

 
If the vast majority of security issues result from phishing or inadvertently downloading infected files, then what's the point of even trying to secure the data at all?

I didn't say all, I said the majority...
 
