If I’m connected to my work’s VPN so I can check my work email, does all my internet traffic go through their servers (or do the requests even hit their servers)?
Effectively, if I’m looking at porn from my home computer while I’m connected to the VPN, can my job tell?
It might, but it might not. In a “split-tunnel” configuration, only the traffic destined for your work network will go through the VPN server. In a configuration where a split tunnel is not used, all traffic goes through the VPN server.
With the number of different configurations that might exist, the easiest way to say for sure is by tracing the route. In Windows, open a command window and type:
tracert www.somenaughtyserver.com
In Unix (Linux, Mac OS X, etc.) use:
traceroute www.somenaughtyserver.com
Unless you see your traffic going through work-like routers, you should be in the clear.
Note: This is a somewhat simplistic test, and is not guaranteed to completely answer your question.
Hmm. I do see one server in a different address block when I traceroute while connected to the VPN, but it doesn’t have a domain name associated with it, and I don’t know what IP blocks we have at work.
Well, I suppose I’ll assume that it does for now, and just be careful where I browse when I’m connected.
Last place I worked, I set up the Checkpoint box to define the encryption domain as our internal hosts only.
At my current job, where I’m no longer the VPN guy, everything appears to be routed via the corporate VPN. I only noticed because I got our web proxy login page the first time I tried to visit an external site.
You can use whois to find this information. In Unix:
> whois 66.39.3.7
This will tell you the owner of the netblock, which might or might not be your company. If it is your company, you know for sure. If not, it could be a company that provides IT services to your company. In the latter case, you could at least compare that to the owner of something you know to be your company.
> nslookup www.yourcompany.com
www.yourcompany.com has address 172.20.20.172
> whois 172.20.20.172
If you’re using Windows, and are without a whois program, use a web-based one.
One Day Fish Sale: In a VPN configuration, the only IP addresses he’ll see of his company servers are internal ones. So whois is useless. But that is a nice explanation of how to use whois.
Assuming Windows … With the VPN connected, do an >ipconfig /all & note the default gateway IP address assigned to your VPN tunnel. Compare that with the default gateway address assigned to your non-VPN connection.
Then do >tracert www.google.com . If the first stop is the default gateway of the non-VPN connection, you’re going out non-VPN. If the first stop is the default gateway of the VPN connection, you’re going out VPN.
The routing is not dependent on where you’re going once it’s off your local LAN, so www.google.com works as well as www.xxxhotbabes.com for testing & is less, shall we say, attention-attracting to IT snoops.
Actually, the situation described in that thread is the inverse of this one (the OP in that thread was inside his work LAN using a VPN to route out via his home internet connection).
Both posts illustrate the principle - identify the gateway address for the local and VPN adapters, then use tracert to see where traffic to google.com is going.
I’m at work now, so I’ll have to wait until tonight or tomorrow night to do more testing from home.
And I realize that I committed a cardinal sin of computer questions: Not specifying my system setup. I’m using a Macbook, so keep the Unixy suggestions coming.
Not having used OS X or BSD I can only guess, but ifconfig should display the network interfaces with default gateways, and traceroute will do the probing.
Not always so. While MOST companies use a private set of IP addresses internally, there are many companies out there that still have a large block of addresses which are publicly addressable.
List of assigned /8 IPv4 address blocks - Wikipedia gives a list of the Class A address assignments. You’ll see that these are all BIG companies. Smaller companies could have a class B, or class C to themselves. They don’t issue them like this any more, but it used to be common practice.
Ok, I connected back up and did the obvious test that I should have thought of in the first place. I did a traceroute to google.com, and then did a traceroute to an internal work server. The first hop to google is my local wireless router serving as gateway. The first hop to the internal server is “vpn-<company_name>-stuff”.
So it looks like my porn will not go through the company’s servers. I’m still going to be cautious, though.
In 1999 I supplied network services to a hospital in NZ that had a Class B network. They were being offered silly money (in 1999) by ISPs who wanted the address block. I have no doubt that some asset-stripping management consultant has sold it off for a healthy slice.
And they did have a web filtering/firewall solution that meant that they only needed a few external addresses. I bet most of those big companies with Class A addresses don’t allow full access to the internet from all their IP’s, and I am also willing to bet that they get big offers for the address block.
In windows, I would just watch the notification area to see which of the network icons lit up when I went to a web page. If just the local connection did, I knew it wasn’t going through the VPN, since if it was the VPN icon would light up too.
I found that in my case, the DNS lookup was being done through the work server, although the actual connect was through the local connection. I forgot how I fixed it, but I did and the icons proved it.
Anyway, if you have a way to show similar network activity icons on your mac, give it a shot.
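An added example, not posted by anyone in this thread: the "compare the gateway, then traceroute" method from the Windows posts and the "which icon lights up" trick both boil down to asking which interface the kernel will send a packet out of. The script below asks the routing table directly (`ip route get` on Linux, `route -n get` on macOS/BSD, both real commands), which works on the OP's MacBook and does not send any probe toward the destination. It also repeats the lookup for the first DNS resolver, because, as the last post notes, a split tunnel can leave browsing local while still sending name lookups to the work resolver. The assumption that VPN clients show up as utun*/tun*/tap*/ppp*/wg*/ipsec* interfaces and physical links as en0/eth0/wlan0-style names is mine, not something the thread states; the sample route and resolver text in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: ask the kernel's routing table where a
# packet to a destination will leave, instead of eyeballing traceroute output.
# Linux uses `ip route get`, macOS/BSD uses `route -n get`.
# Assumption (mine): VPN clients present a utun*/tun*/tap*/ppp*/wg*/ipsec*
# interface, while en0/eth0/wlan0-style names are physical (local LAN) links.

# Return 0 if an interface name looks like a VPN tunnel, 1 otherwise.
is_tunnel_iface() {
    case "$1" in
        utun*|tun*|tap*|ppp*|wg*|ipsec*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the egress interface name out of route-lookup output.
# Linux `ip route get 8.8.8.8` prints one line (constructed sample):
#   8.8.8.8 via 192.168.1.1 dev wlan0 src 192.168.1.20 uid 1000
# macOS `route -n get 8.8.8.8` prints several lines, one of them:
#   interface: en0
egress_iface_from_route_output() {
    printf '%s\n' "$1" | awk '
        $1 == "interface:" { print $2; exit }
        { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }
    '
}

# Classify route-lookup output as "vpn" or "local" ("unknown" if unparseable).
classify_route_output() {
    iface=$(egress_iface_from_route_output "$1")
    [ -n "$iface" ] || { echo unknown; return 1; }
    if is_tunnel_iface "$iface"; then echo vpn; else echo local; fi
}

# Run whichever route lookup this platform has and print its raw output.
route_lookup() {
    ip route get "$1" 2>/dev/null || route -n get "$1" 2>/dev/null
}

# First resolver from /etc/resolv.conf text ("nameserver 10.0.0.53") or from
# `scutil --dns` text on macOS ("  nameserver[0] : 10.0.0.53").
first_nameserver() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver"    { print $2; exit }
        $1 == "nameserver[0]" { print $3; exit }
    '
}

# Report where traffic to $1 leaves, then do the same for the DNS resolver:
# a split tunnel can keep browsing local while lookups still go to work.
check_dest() {
    dest=$1
    out=$(route_lookup "$dest") || { echo "no route lookup available for $dest"; return 1; }
    echo "$dest: $(classify_route_output "$out") via $(egress_iface_from_route_output "$out")"
    if [ -r /etc/resolv.conf ]; then
        ns=$(first_nameserver "$(cat /etc/resolv.conf)")
        if [ -n "$ns" ]; then
            nsout=$(route_lookup "$ns") || return 0
            echo "dns $ns: $(classify_route_output "$nsout") via $(egress_iface_from_route_output "$nsout")"
        fi
    fi
}

# Usage: sh vpncheck.sh 8.8.8.8  (any public IP; the route matters, not the name)
if [ -n "${1:-}" ]; then
    check_dest "$1"
fi
```

Run it once with the VPN down and once with it up, using the same public IP (google.com's address works as well as anything, per the earlier post). If the verdict for the destination stays "local" but the "dns" line flips to "vpn", you have the situation the last post describes: pages load over your own connection, but the work resolver still sees every hostname you look up. On macOS, `scutil --dns` shows the full resolver list, including per-domain resolvers a VPN client may push; the script only reads the first entry in /etc/resolv.conf.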