VPN-lite idea to thwart ISP snooping

Here's a VPN idea I've been toying with, hoping to get some expert opinions.

 

ISPs seem to be getting more aggressive with snooping, up to and including injecting messages into http streams. (Thanks Cox!)  The best solution is obviously to just use a VPN, but things like Netflix and https are already encrypted; piping them through the VPN is a bit wasteful and slow.

 

So, I'm wondering if we could use a router with IPTables and OpenVPN to route port 80 and 53 over the VPN, and leave everything else as-is.

 

I'm by no means an expert with either of those, so does anyone know if this is feasible?


Eventually at one point it becomes decrypted and one isp gets to know the traffic.

Split vpn will split the traffic based on destination but I have not seen one that splits it based on protocol.


Install Chrome plugin HTTPS_Everywhere


54 minutes ago, Marujan said:

Install Chrome plugin HTTPS_Everywhere


Doesn't do diddly if the site doesn't have an ssl attached. 


2 hours ago, sc302 said:

Eventually at one point it becomes decrypted and one isp gets to know the traffic.

Split vpn will split the traffic based on destination but I have not seen one that splits it based on protocol.

The VPN company says they don't care about my http traffic, I'll believe them for now. My ISP does care, they're busy doing things they shouldn't be with it, like injecting messages.

 

I'm wondering if a proxy server is the best solution.  

2 hours ago, Marujan said:

Install Chrome plugin HTTPS_Everywhere

 

Not really the solution I need, but a good plugin none the less.


Clear your cache and keep it clear. Use a specific browser and use its stealth mode mixed with no script and ad block.  Are you still getting what you are considering isp injections?  

 

Is the isp injecting messages or are you being targeted by advertisers by your browsing habits/email/webmail/etc?  Are you certain it is your isp and not the ad bots?  Are you verifying by looking at the source or are you making assumptions due to the content that you are seeing?  

 

Don't believe what you see without fully understanding what is going on.

 

For what it is worth, I have never seen an isp inject anything, but those damn ad bots sure like to do some messed up stuff.


18 minutes ago, sc302 said:

Clear your cache and keep it clear. Use a specific browser and use its stealth mode mixed with no script and ad block.  Are you still getting what you are considering isp injections?  

 

Is the isp injecting messages or are you being targeted by advertisers by your browsing habits/email/webmail/etc?  Are you certain it is your isp and not the ad bots?  Are you verifying by looking at the source or are you making assumptions due to the content that you are seeing?  

 

Don't believe what you see without fully understanding what is going on.

 

For what it is worth, I have never seen an isp inject anything, but those damn ad bots sure like to do some messed up stuff.

Comcast does it.  

https://gist.github.com/ryankearney/4146814

 

They've been accused of using it for ads too.


I have comcast for business at work, comcast business cable for the guest network, and comcast at home. I have yet to see any messages targeted to me on any page that I have not signed into. Again, I haven't seen it...doesn't mean it doesn't exist, just means I haven't seen it....there is a lot out there to have seen or know about everything.

 

Then again I kill the ad bots on just about everything.

39 minutes ago, sc302 said:

Clear your cache and keep it clear. Use a specific browser and use its stealth mode mixed with no script and ad block.  Are you still getting what you are considering isp injections?  

 

Is the isp injecting messages or are you being targeted by advertisers by your browsing habits/email/webmail/etc?  Are you certain it is your isp and not the ad bots?  Are you verifying by looking at the source or are you making assumptions due to the content that you are seeing?  

 

Don't believe what you see without fully understanding what is going on.

 

For what it is worth, I have never seen an isp inject anything, but those damn ad bots sure like to do some messed up stuff.

Yes, it's them, I've gotten 2 messages and they confirmed it. Mostly housekeeping stuff. Your CC expired, call customer service on your billing statement. You're nearing your limit, call customer service. Buuut, since they can do that, they're obviously running a proxy. Combine that with the 'we love ads'  and you can see why I want to bypass them for http and DNS.

 

I already run my own DNS resolver, but that's most likely getting sniffed by them. At least I don't get ads in the DNS queries anymore.


I don't use them for dns at all. While you can squelch limit notifications, can't really do much on your actual limit. And yes they go through some sort of content filter...limiting your bandwidth or alerting them when you download something illegal.

 

I also don't have any service with them where I am limited. My bandwidth usage is off the charts being that I am a cable cutter. I have their blast plus and I am seeing my tests in the 250-260 range.


9 minutes ago, Joe User said:

Yes, it's them, I've gotten 2 messages and they confirmed it. Mostly housekeeping stuff. Your CC expired, call customer service on your billing statement. You're nearing your limit, call customer service. Buuut, since they can do that, they're obviously running a proxy. Combine that with the 'we love ads'  and you can see why I want to bypass them for http and DNS.

 

I already run my own DNS resolver, but that's most likely getting sniffed by them. At least I don't get ads in the DNS queries anymore.


They are likely injecting it into packet headers. In which case you could write a proxy server that strips those headers if you are handy with code.

 

That's what one of my coworkers did. Never saw a Comcast message again. 


7 minutes ago, adrynalyne said:

They are likely injecting it into packet headers. In which case you could write a proxy server that strips those headers if you are handy with code.

 

That's what one of my coworkers did. Never saw a Comcast message again. 

I'm more interested in not giving them the data in the first place.


15 minutes ago, Joe User said:

I'm more interested in not giving them the data in the first place.

Even if you use a VPN, it's still going over their network and they can capture it. Not sure if you can add headers to encrypted traffic?

Anyway, it has to be decrypted somewhere, so someone is seeing it one way or another. 

Edited by adrynalyne

18 minutes ago, adrynalyne said:

Even if you use a VPN, it's still going over their network and they can capture it. Not sure if you can add headers to encrypted traffic?

Anyway, it has to be decrypted somewhere, so someone is seeing it one way or another. 

No, if it's going over an encrypted VPN, they're not able to modify the headers, since they have no idea what's in the stream.

 

True, but it's going to be decrypted not by the cable company that has all my billing information to match to my browsing habits. It's going to be decrypted by my VPN provider, which has $35 of bitcoin and a hotmail address.


12 minutes ago, Joe User said:

No, if it's going over an encrypted VPN, they're not able to modify the headers, since they have no idea what's in the stream.

 

True, but it's going to be decrypted not by the cable company that has all my billing information to match to my browsing habits. It's going to be decrypted by my VPN provider, which has $35 of bitcoin and a hotmail address.

Also keep in mind, you WILL take a performance hit with a VPN. 


Let me add a bit of personal experience with VPN.  

Myself and a few other neowinians use PIA VPN - Private Internet Access

They have many nodes, all over the world.
Luckily, they have a Texas node, so I only take about a 5-8 % hit on bandwidth.  A slight hit on the initial DNS resolving on webpages, but it's no big deal.

I have not tested other nodes to see what kind of performance hit one would take if not near a node, so I cannot comment on that.

However, I will say that I am very happy with the service, and pricing is great.  ($40/yr) I believe the other neowinians feel the same way as there have been a few threads asking about which service to use.

Netflix:

Depending on the IP I am using, sometimes I will have to disconnect it for Netflix, other times I whitelist it (Cloudflare sometimes fusses over the IP).

But, when I do not have to disconnect it when watching Netflix, I do not see any performance hit - but, of course, that depends on your connection speeds with your ISP (I have 150/150)


As far as the "someone is seeing it, somewhere" goes: the encryption and decryption is done at the VPN.  So the only one able to see it is the VPN service.  Otherwise, what would be the point?


Vpn service and ultimately their isp.

 

Don't think you are completely anonymous using the vpn service if that is what you are going for...esp if you actually use any of your personal information to sign up for the service.

 

The isp sees the end points, even if they can't see the traffic in plain sight. Why do you think there are no bans on vpns? If it truly made you anonymous don't you think they would ban them for some reason or another? Downloading stuff isn't big enough for them to care, they come down on random (not everyone doing it) to scare the public....and you would have to do it a lot for them to care. I won't say it doesn't happen, but will say it is random.


16 hours ago, sc302 said:


Split vpn will split the traffic based on destination but I have not seen one that splits it based on protocol.

 

16 hours ago, Joe User said:

OpenVPN to route port 80 and 53 over the VPN, and leave everything else as-is.

So I quoted those out of order - but too lazy to fix it ;)  Anyway, to this exact question: this is quite easy to do with pfsense and policy routing.

 

You create your vpn connection in pfsense.  And then a simple firewall rule either based on protocol, source IP, dest IP or combo of them can either let your traffic go out your normal non vpn isp connection, or it can route the traffic down your vpn.

 

So sure, you could create a rule that says dns (udp/tcp 53) go down the vpn.  Http (80) go down the vpn - while https doesn't go down the vpn.  You could even route your dns queries to different places based upon the name with a conditional forwarder in your dns setup.  And then a rule on pfsense that says if you're going to dest ip abc use vpn, if you're going to dest ip xyz go out your isp connection.

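The port-based split that the opening post asks about (iptables + OpenVPN, port 80 and 53 only) is the same policy routing BudMan describes for pfsense. Below is an added example, not from anyone in this thread, of how it looks on a Linux router: packets are fwmarked in the mangle table and a second routing table sends marked traffic out the tunnel. It assumes the tunnel interface is tun0, that OpenVPN runs with route-nopull so it does not replace the default route, and that the LAN is 192.168.1.0/24; all of those are placeholders you would adjust.

```shell
#!/bin/sh
# Added example: Linux policy routing that diverts only plain HTTP (tcp/80)
# and DNS (tcp+udp/53) through an OpenVPN tunnel, leaving HTTPS, Netflix
# and everything else on the ISP uplink. Assumes OpenVPN is started with
# --route-nopull so the default route stays with the ISP.
VPN_IF="${VPN_IF:-tun0}"               # assumption: OpenVPN tunnel interface
VPN_TABLE="${VPN_TABLE:-100}"          # assumption: spare routing table id
MARK="${MARK:-0x1}"                    # fwmark that selects the VPN table
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: LAN behind the router
DRY_RUN="${DRY_RUN:-0}"                # 1 = print the commands, do not run

# Run a command, or print it when DRY_RUN=1 (lets you review before applying).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark the traffic we want to keep away from the ISP: HTTP and DNS from the LAN.
# HTTPS (443) is deliberately not listed, so it stays on the direct path.
mark_rules() {
    for spec in "tcp 80" "tcp 53" "udp 53"; do
        set -- $spec
        run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p "$1" --dport "$2" \
            -j MARK --set-mark "$MARK"
    done
}

# Send marked packets via the tunnel using a dedicated routing table, and
# masquerade them so replies come back through the tunnel to the router.
policy_route() {
    run ip route add default dev "$VPN_IF" table "$VPN_TABLE"
    run ip rule add fwmark "$MARK" lookup "$VPN_TABLE"
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Replies arrive on tun0 while the main table points the other way, so
    # strict reverse-path filtering would drop them; loose mode (2) avoids that.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"
}

apply_split_routing() {
    mark_rules
    policy_route
}

# Review first:  DRY_RUN=1 sh split-vpn.sh   (then run it for real as root)
# Verify after:  iptables -t mangle -L PREROUTING -v -n  should show byte
# counters rising only on the 80/53 rules while you browse an https site.
```

If the tunnel drops, marked packets have no route in table 100 and fall back to the main table (the ISP), so add a blackhole route or firewall drop rule for the mark if silent fallback is not acceptable.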

6 hours ago, sc302 said:

Vpn service and ultimately their isp.

 

Don't think you are completely anonymous using the vpn service if that is what you are going for...esp if you actually use any of your personal information to sign up for the service.

 

The isp sees the end points, even if they can't see the traffic in plain sight. Why do you think there are no bans on vpns? If it truly made you anonymous don't you think they would ban them for some reason or another? Downloading stuff isn't big enough for them to care, they come down on random (not everyone doing it) to scare the public....and you would have to do it a lot for them to care. I won't say it doesn't happen, but will say it is random.

There's nothing stopping you from establishing nested VPN tunnels to different destinations. The quote "Good luck, I'm behind 7 proxies" comes to mind. Example: I connect to VPN provider 1 using openvpn on my router, then I connect to VPN provider 2 using SSTP on my workstation, then I connect to a http proxy server in my browser. My ISP sees a connection to VPN 1, VPN 1 sees an SSL connection to VPN 2, VPN 2 sees a connection to the http proxy server, and the destination website sees a connection from the proxy server.

 

Now, you're not completely anonymous. If destination website wanted to know where you came from, they would have to ask the proxy server, which would have to ask the vpn2, which would have to ask vpn1, which would have to ask the ISP.

If my ISP wanted to know where I went, they would have to ask VPN1. VPN1 would have to ask VPN2, VPN2 would have to ask the proxy server.


2 hours ago, BudMan said:

 

So I quoted those out of order - but too lazy to fix it ;)  Anyway, to this exact question: this is quite easy to do with pfsense and policy routing.

 

You create your vpn connection in pfsense.  And then a simple firewall rule either based on protocol, source IP, dest IP or combo of them can either let your traffic go out your normal non vpn isp connection, or it can route the traffic down your vpn.

 

So sure, you could create a rule that says dns (udp/tcp 53) go down the vpn.  Http (80) go down the vpn - while https doesn't go down the vpn.  You could even route your dns queries to different places based upon the name with a conditional forwarder in your dns setup.  And then a rule on pfsense that says if you're going to dest ip abc use vpn, if you're going to dest ip xyz go out your isp connection.

Darn, I was hoping to do it on the router. I guess I finally have to take some time to learn pfsense. 

 

Thanks BudMan!


14 hours ago, Joe User said:

I'm more interested in not giving them the data in the first place.

Change provider if possible, vote with your feet mate ;o) That's the easiest solution, no? :)


I doubt such a thing is possible on your typical soho wifi router.  Maybe it's possible with some 3rd party firmware??  But I can tell you it's clickity clickity on something like pfsense.


54 minutes ago, Mando said:

Change provider if possible, vote with your feet mate ;o) That's the easiest solution, no? :)

I'm in the US. I have 1 choice for high speed.

Just now, BudMan said:

I doubt such a thing is possible on your typical soho wifi router.  Maybe it's possible with some 3rd party firmware??  But I can tell you it's clickity clickity on something like pfsense.

I don't know enough about iptables to know if port based routing is possible.

 

I'm just going to have to spend some time and learn pfsense, doesn't seem too hard, I'll spin up a VM and give it a whirl. If I'm not happy with it, I'll set up a squid proxy and go that route.
