How do I know if my VPN connection is encrypted (router config)

[theNEOone]

I recently signed up for an account through StrongVPN and successfully configured my router to connect to the service to have all of my devices connect through the VPN without having to configure each one individually. I wanted to test out the connection to see if it was actually encrypted, but I'm not sure how to do that.

I've followed instructions using Wireshark and these instructions, but I believe that only detects encryption when the VPN is configured on the computer I'm using. I don't think it detects encryption if it's configured at the router. Can someone help my figure out whether my network activity is encrypted?


=|

 

[mxnerd]

PC or router will not modify your PC's packets if there is no encryption software / firmware run on them, they will only forward the packets. If Wireshark detected the packets were encrypted, then it's encrypted.

 

[theNEOone]

Does this mean anything? It's in my router's VPN config settings:

=|

 

[theNEOone]

Update: the last image was because I was connected through PP2P. I've changed to connect via an L2TP connection type.


=|

 

[Gryz]

If Wireshark detected the packets were encrypted, then it's encrypted.

This of course, is not true.

If the VPN terminates on the router, than the flow of packets is like this:
1) your PC creates a packet.
2) It sends it to its default-gateway. Which is the router.
3) The router receives the packet and wants to forward it. It sees that the outgoing interface is its tunnel to the VPN-provider.
4) The router encapsulates the packet in a tunnel-header. It will ALSO encrypt the original packet, if the tunnel-configuration requires this.
5) The router will send the encrypted packet, encapsulated in a tunnel-header, to the VPN-provider.
6) The VPN-provider will de-crypt the original packet, replace the source-address (to one of its own addresses, so that return traffic will go via the VPN-provider, and not directly to you. This is a type of NAT).
7) The VPN-provider will send the decrypted packet to the ultimate destination.

Note that you will see only the unencrypted packet going over your ethernet. So whether Wireshark sees encrypted packets or not, doesn't mean a thing. It's the router that encrypts (if that is the endpoint of the VPN). And you will see encrypted packets only on your ADSL-link, or your cable-connection, or the fiber-connection to your ISP. Not on your local ethernet.

In general it's hard for us end-users to look at traffic between your router and your ISP. Because it requires special hardware to sniff the dsl/cable/fiber connection to your ISP.

OP. Check to see if your router has a "debug packet" option. You might be able to see raw hexadecimal dumps of outgoing packets. And by looking at those, you might be able to see if traffic is encrypted or not.

 

[mxnerd]

This of course, is not true.

If the VPN terminates on the router, than the flow of packets is like this:
1) your PC creates a packet.
2) It sends it to its default-gateway. Which is the router.
3) The router receives the packet and wants to forward it. It sees that the outgoing interface is its tunnel to the VPN-provider.
4) The router encapsulates the packet in a tunnel-header. It will ALSO encrypt the original packet, if the tunnel-configuration requires this.
5) The router will send the encrypted packet, encapsulated in a tunnel-header, to the VPN-provider.
6) The VPN-provider will de-crypt the original packet, replace the source-address (to one of its own addresses, so that return traffic will go via the VPN-provider, and not directly to you. This is a type of NAT).
7) The VPN-provider will send the decrypted packet to the ultimate destination.

Note that you will see only the unencrypted packet going over your ethernet. So whether Wireshark sees encrypted packets or not, doesn't mean a thing. It's the router that encrypts (if that is the endpoint of the VPN). And you will see encrypted packets only on your ADSL-link, or your cable-connection, or the fiber-connection to your ISP. Not on your local ethernet.

In general it's hard for us end-users to look at traffic between your router and your ISP. Because it requires special hardware to sniff the dsl/cable/fiber connection to your ISP.

OP. Check to see if your router has a "debug packet" option. You might be able to see raw hexadecimal dumps of outgoing packets. And by looking at those, you might be able to see if traffic is encrypted or not.

My bad, you were right. My brain malfunctioned.

 

[Sean Kyle]

I think changing to a more secure protocol can really help you out. I don't use the one you do, but I have found this article about protocols on my provider's site which can help you out!
Plus i would suggest you to talk to the customer support of strongvpn and ask them if the auto thing is encryption-on!

 

[dave_the_nerd]

I recently signed up for an account through StrongVPN and successfully configured my router to connect to the service to have all of my devices connect through the VPN without having to configure each one individually. I wanted to test out the connection to see if it was actually encrypted, but I'm not sure how to do that

Normally, all VPN protocols use encryption - not all protocols are equally secure. If you're not using OpenVPN, you're probably using a "weak" protocol that somebody might be able to intercept and crack.

In six months, I'm sure OpenVPN will be obsolete and something else will be the thing to use. There's a bit of a treadmill here.

I've followed instructions using Wireshark and these instructions, but I believe that only detects encryption when the VPN is configured on the computer I'm using. I don't think it detects encryption if it's configured at the router.

You're correct.

 

[AnonymouseUser]

Can someone help my figure out whether my network activity is encrypted?

In order to do what you are asking, you need to capture the packets between the router and the VPN provider, and the only real place you can tap is between the router and the modem with something like the Throwing Star LAN Tap Pro.

Normally, all VPN protocols use encryption - not all protocols are equally secure. If you're not using OpenVPN, you're probably using a "weak" protocol that somebody might be able to intercept and crack.

This is true. If all you are doing is bypassing Geo restrictions then the others are fine, but if you need actual privacy you need OpenVPN.

 

[Red Squirrel]

A crude way if you can find an ethernet hub - yes a hub, not a switch, connect it between your router and your modem and then plug a computer running wireshark into another port. You should be able to see all the traffic. Then use a protocol that you know is plain text, like go to a regular HTTP site. Then see what the traffic looks like. I the VPN is operating correctly you should only really see one data stream, going to the VPN server.

Of course you still have to trust that the encryption is good, as just because it's scrambled and you can't make any sense of it does not mean someone (like the NSA) cannot decode it. But chances are decent that it is indeed encrypted if you see it scrambled. Basically it will just be a bunch of gibberish and you won't be able to make sense of it. You should not even be able to see basic meta data like DNS lookups.

There are other ways of doing this without a hub too, you can splice an ethernet cable a certain way to make a "spy" cable, or you can use a managed switch and the mirror a port. Lot of different ways. But basically you need to be looking at the traffic after the router.