VPNs: in practice, how much info can the admins truly have access to?

A friend of mine asked me the other day about just how much info a network admin can gather from monitoring VPN access. Despite working on VPNs almost exclusively for many years now, I don’t know the answer so I pass it on to all you smart people.

I know when you connect to a VPN, all network traffic goes through it, so in theory, the answer is “everything.” In practice, I don’t see network admins digging through terabytes of network traffic searching for that time you referred to a coworker as an asshole. And I’ve certainly never been confronted with doing stuff I shouldn’t do while connected, even though I’m certain that more than once I’ve said stuff on IM or ended up on an NSFW webpage or whatever.

So what’s the real answer? If I piss off a VPN higher-up, can they start watching my IMs? Find that message board where I called the CEO a dick? Figure out that I’m spending half my day playing that farm game on Facebook?

I suspect the answer to all of these is “yes, but it would take forever to dig through all the network traffic, so they probably won’t” but hell if I know the real answer. So what is it, smarties?

(and, for the record, I’m not looking to do anything bad on the VPN that I haven’t already done a gazillion times over the past 4-5 years. I’m just curious since the friend asked me and I truly didn’t know)

In practice, everything. And while it would take a long time to manually dig through all your traffic, there are tools that make it easy to isolate and filter certain aspects of your traffic. It’s very simple with a few commandline scripts to say, “look at all of Athena’s port 80 traffic and grep out all the URLs with the words ‘hot’ and ‘sex’ in them.”

Even https traffic can be observed, because your VPN admin can get clever with proxying SSL certificates, if they want. This is unlikely, but possible.

When you say VPN, you mean “company network”, right? VPN implies secure remote access, but in this case it probably doesn’t matter much where you access the network from because the admins are already inside that same network and can monitor traffic regardless of how you connected, correct?

In that case, it’s trivial to monitor these connections if they have the money and equipment for it. Even free consumer-grade software can search for keywords in a sea of packets, find your name, isolate your IP address, and then see a live history of everything that you browse and/or submit unless it’s end-to-end encrypted like in HTTPS. And even then, you’d have to assume that the company doesn’t have monitoring software on the computers themselves.

So in theory, the answer is “everything”. In practice, just go ask your IT people what their policies and monitoring procedures are.

Can you explain how this works?

Thanks for the answers - that pretty much confirmed what I thought.

I’m not really asking about a specific VPN, I’m talking about VPNs in general. Obviously some places are going to be tighter than others.

Not necessarily. It is quite common to configure VPN clients so that only traffic destined for that network, or networks designated as being behind it, goes via that connection, and other traffic goes via your usual internet connection. While this might be less than ideal from a security perspective, some people need to connect to more than one independent VPN at the same time, and it can be difficult or even impossible to connect to one VPN via another. Also, some organisations do not want all their remote users’ traffic passing through their own network and using their bandwidth.

What I meant is this is more a matter of company policy rather than technical feasibility.

Normally, when you connect to an SSL host, you receive a certificate which is cryptographically signed by a recognized certificate authority and which contains instructions for your browser to encrypt traffic to that site with the organization’s public key.

A VPN administrator could intercept this certificate before it gets to you, substitute it with their own fake certificate, and send that fake certificate to you. Your traffic is then encrypted with that fake certificate, decrypted by your VPN, stored somewhere for later blackmail purposes, re-encrypted with the real certificate, and then sent on to the actual website. This is a form of man-in-the-middle attack.

What about validating the fake certificate with the certificate authority? Well, to do that you need to make a request over the network. And if you’re on a VPN, they control your network.

I have seen examples of this type of mechanism put in place for nefarious (criminal) purposes, as well as for draconian monitoring of employee VPN activity.

I wouldn’t bet that your average employer actually does this, though. But since we’re only discussing possibilities, it’s possible.

Tell me about it - there have been times in my career where I’m working for more than one client, each has their own VPN, and trying to get them to play together is next to impossible. I usually end up using Virtual PCs to get around VPNs-not-playing-nicely issues, or having to designate VPN #1 for morning work, VPN #2 for afternoon work or something (which is a pain because inevitably you need to go look at something on VPN #2 while you’re logged into VPN #1 because the client needs an answer RIGHT NOW!!!)

But that brings up a point - how do you tell which traffic goes through which network? Is there a good utility to monitor that? I’m wondering if I can solve some of my multiple VPN issues if I can see a conflict somewhere.

How would they generate a working certificate without a CA’s private key?

Pretty sure Wireshark can do this if your VPNs are set up as virtual network adapters… but it’s been a while, so don’t quote me. (And if they’re not, maybe you can do a few traceroutes?)

On second thought, in Windows, I think you can use the “route print” command in a command box to see where the connections are going.

It does need a little bit of network expertise, but with many VPN clients, you can do this: connect to the VPN, and do route print at a command line (Windows). The entries in the Gateway column of the routing table should indicate whether different gateways are used for different networks. If so, there’ll be the usual gateway on your home network, and another one for the VPN.
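As an added example (not posted by anyone in this thread), here is a Python script that reads the "Active Routes" table that `route print` shows on Windows and answers the question above: for a given destination address, which gateway and interface will carry the traffic. The routing table text is constructed for the example; the addresses, the 10/8 "corporate" network and the VPN adapter on 172.16.0.10 are assumptions, not from a real machine. It also shows the split-tunnel versus full-tunnel difference mentioned earlier in the thread: a second constructed table adds a default route over the VPN adapter with a lower metric, which is what makes all traffic go through the company network.

```python
"""Which gateway will a destination use, according to a Windows `route print` table?

Added example; the routing tables below are constructed, not captured.
"""
import ipaddress
import re

# Constructed "Active Routes" excerpt for a split-tunnel VPN: only 10.0.0.0/8
# goes over the VPN adapter (172.16.0.10); everything else uses the home
# router 192.168.1.1.
ROUTE_PRINT_OUTPUT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0      172.16.0.1     172.16.0.10     26
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link    192.168.1.50    281
===========================================================================
"""

# Constructed full-tunnel variant: the VPN client also installs a default
# route over the VPN adapter with a better (lower) metric.
FULL_TUNNEL_OUTPUT = ROUTE_PRINT_OUTPUT.replace(
    "Active Routes:\n",
    "Active Routes:\n"
    "          0.0.0.0          0.0.0.0      172.16.0.1     172.16.0.10      1\n",
)

# destination  netmask  gateway  interface  metric (whitespace separated)
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue  # separators, "Active Routes:", and the header have no metric column
        dest, mask, gateway, iface, metric = m.groups()
        try:
            network = ipaddress.IPv4Network((dest, mask), strict=False)
        except ValueError:
            continue
        routes.append((network, gateway, iface, int(metric)))
    return routes


def route_for(destination, routes):
    """Longest-prefix match; ties broken by the lower metric, as Windows does."""
    addr = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def gateway_for(destination, text=ROUTE_PRINT_OUTPUT):
    """(gateway, interface) that will carry traffic to `destination`, or None."""
    r = route_for(destination, parse_routes(text))
    return None if r is None else (r[1], r[2])


def is_full_tunnel(text, vpn_interface):
    """True if the best default route (0.0.0.0/0) leaves via the VPN adapter."""
    defaults = [r for r in parse_routes(text) if r[0].prefixlen == 0]
    if not defaults:
        return False
    best = min(defaults, key=lambda r: r[3])
    return best[2] == vpn_interface


if __name__ == "__main__":
    for host in ("10.20.30.40", "203.0.113.5", "192.168.1.7"):
        print(f"split tunnel : {host} -> {gateway_for(host)}")
        print(f"full tunnel  : {host} -> {gateway_for(host, FULL_TUNNEL_OUTPUT)}")
    print("full tunnel?", is_full_tunnel(FULL_TUNNEL_OUTPUT, "172.16.0.10"))
```

To use it on a real machine, paste your own `route print` output into `ROUTE_PRINT_OUTPUT` (only the IPv4 "Active Routes" section is parsed). If `gateway_for` for an ordinary internet address returns the VPN adapter, that client is full-tunnel and the company network sees all of your traffic; if it returns your home router, only the listed networks go over the VPN.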

They can be their own CA.

But then they’d need to modify the default CA lists, no? At that point, why not just install a full-fledged keylogger on the clients?

I don’t remember if it’s possible to do it without updating the CA lists; but that can be done surreptitiously via group policies if needed.

They could certainly use a keylogger. But a keylogger won’t capture traffic in real time; you have to use it to steal passwords and log in later. So you can get into their pr0n site password, but you won’t know precisely what they were doing on the site when they were using it.

Yeah, the company installs a CA Authority certificate on the client computer (for access to internal and/or external resources, say, like WebMail). They then create a wildcard certificate using this company CA Certificate, and install it on the proxy server. Firewall rules redirect all port 80/443 traffic to the proxy.

When the client requests an HTTPS connection, the proxy responds with the wildcard certificate (or a specific site certificate just generated with the company CA), this validates against the company CA Certificate, and the client establishes the connection. The request is decrypted by the proxy, then the proxy reconnects via HTTPS to the destination, accepting any certificates and establishing the connection.

One way of detecting these MITM attacks is to monitor the installed certificates to ensure they match with known CAs. So if your client Certificate store has a Google.com certificate signed by Thawde and not Thawte, you are probably a victim of a MITM. There are browser plugins that do this checking automatically.
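As an added example (not from anyone in this thread), here is a Python script that does the check described in the previous post: it records which issuer you normally see for a site and flags a certificate whose issuer is different, including the "Thawde instead of Thawte" lookalike case. The certificates are built inline in the same dictionary shape Python's `ssl` module returns from `getpeercert()`, and the site name, issuer names and the baseline table are all constructed placeholders. The live `fetch_peer_cert` helper is included for use on a real machine but is not called by the offline demo; note that it trusts the platform store, so a company CA installed there will validate, which is exactly why comparing the issuer against a baseline recorded on a network you trust is the useful part.

```python
"""Flag HTTPS certificates whose issuer differs from a recorded baseline.

Added example. Certificates and baseline below are constructed placeholders.
"""
import difflib
import socket
import ssl

# Constructed baseline: the issuer organisation previously seen for each host
# from a network you trust. Placeholder names, not a claim about any real CA.
EXPECTED_ISSUER_ORG = {
    "www.example.com": {"Example Public CA Ltd"},
}


def _cert(common_name, issuer_org):
    """Build a getpeercert()-style dict with just the fields this check uses."""
    return {
        "subject": ((("commonName", common_name),),),
        "issuer": (
            (("countryName", "US"),),
            (("organizationName", issuer_org),),
            (("commonName", issuer_org + " Issuing CA 1"),),
        ),
    }


# Constructed sample certificates for the demo.
LEGIT_CERT = _cert("www.example.com", "Example Public CA Ltd")
PROXY_CERT = _cert("www.example.com", "Acme Corp Web Proxy CA")      # company interception CA
LOOKALIKE_CERT = _cert("www.example.com", "Example Pub1ic CA Ltd")    # near-miss spelling


def issuer_org(cert):
    """organizationName from the issuer RDN sequence, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for name, value in rdn:
            if name == "organizationName":
                return value
    return None


def lookalike_of(org, expected, threshold=0.8):
    """Trusted issuer name that `org` closely resembles (e.g. Thawde vs Thawte), else None."""
    best, best_ratio = None, 0.0
    for candidate in expected:
        ratio = difflib.SequenceMatcher(None, org or "", candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


def check_interception(hostname, cert, baseline=EXPECTED_ISSUER_ORG):
    """Compare the presented issuer with the baseline; suspicious is True/False/None."""
    org = issuer_org(cert)
    expected = baseline.get(hostname)
    if expected is None:
        return {"suspicious": None, "issuer": org,
                "reason": "no baseline recorded for this host"}
    if org in expected:
        return {"suspicious": False, "issuer": org,
                "reason": "issuer matches baseline"}
    twin = lookalike_of(org, expected)
    if twin:
        return {"suspicious": True, "issuer": org,
                "reason": f"issuer resembles trusted {twin!r} but is not identical"}
    return {"suspicious": True, "issuer": org,
            "reason": "issuer not in baseline (possible interception proxy CA)"}


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Live check: getpeercert() for hostname via the trust store Python uses.

    A company CA installed in that store validates, so this returns whatever
    certificate the proxy presented. Not called by the offline demo.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("legit", LEGIT_CERT), ("proxy", PROXY_CERT),
                        ("lookalike", LOOKALIKE_CERT)):
        print(label, check_interception("www.example.com", cert))
```

To turn this into a monitor, populate `EXPECTED_ISSUER_ORG` with issuers observed from a connection you trust, then run `check_interception(host, fetch_peer_cert(host))` from the VPN. An issuer change is not proof of interception by itself (sites do change CAs), but an issuer that is a company-internal name, or a near-miss spelling of a public CA, is the signature the post above describes.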

Thanks. Learn something new every day.

Am I correct in believing that this would only affect users who join a domain, and only with IE? Meaning, not any random public hotspot operator?

And I just meant “keylogger” as a generic term for client-side monitoring suite, real-time or not. I was more worried that they would be able to change CA lists and other software without access to the client computer, and apparently group policy enables at least the former. Scary.

Are you sure you’re answering the question she was asking? I got the impression that she’s connecting through her home ISP, for example, to her company VPN, and she is concerned whether her ISP’s admin people can see her traffic that she sends to/from the company network.

The answer to that question is “nothing,” as long as your ISP hasn’t installed some wonky CAs on your computer.

Your VPN admin alone can’t do this – he would need some access to your machine, yes? Specifically he’d need to be able to pretend to be a CA, and he can’t do that without adding his Fake CA cert to your certificate store.

Or am I missing a trick?

I suppose he could ultimately luck out if the site you were using was an SSL 2.0 site, signed with md5. But as a general principle…?