A Bit About VPNs

There’s been a decent amount of talk about VPNs lately, and rightly so: VPNs are a great tool. However, people seem to be confused about what a VPN can be used for and how it all works. Let’s talk about that.

The Basics

Let’s start with the basics: what exactly is a VPN? VPN stands for Virtual Private Network. If you’ve read a few of my other posts, specifically the one on NAT, you know about the difference between public and private IP addresses, and this matters for VPNs. Breaking down the name, a VPN is a network with a private IP address space that is… virtual? That’s weird, how does that work? Well, voice of the reader who lives in my head, that is a great question! So at its most basic, a VPN is meant to take two machines that aren’t on the same private network and let them interact as if they were. VPNs do this by creating a “tunnel” between the two machines that need to interact. This tunnel in and of itself isn’t necessarily encrypted, but often is, for added security and privacy. Which is something worth noting… just because traffic is going through a VPN doesn’t mean it’s encrypted, just that it usually is.

Ok, I think I get it: VPNs create a private network for two devices to live on even though they are not connected to the same private network… that’s cool. BUT I’ve heard that VPNs are the magic bullet that will stop your ISP from snooping on you, allow you to watch Netflix in other countries, keep you safe on public WiFi, and even help keep you anonymous online. How does just connecting to another private network do all this?

Well to put it the best way I can, let’s start by going through the use cases one by one.

Stopping ISPs From Snooping

First let’s talk about how ISPs can snoop on you… and whether anyone else can! Your ISP by definition is your gateway to the wider internet, which means everything you do on the internet must pass through their equipment… which means they control your traffic, which means they can sniff it and gather data on you. What data can they grab, I hear you ask (I mean, I didn’t, but I’m assuming you are). They can grab anything that is not encrypted. Actually, a cool exercise would be to fire up Wireshark and sniff your own traffic as you surf the web, then look at it later and see what data is in the clear. (NOTE TO SELF, ADD SOME SCREENSHOTS OF THIS FROM YOUR OWN MACHINE!!) So as you can see they get things like URLs, DNS requests, any data sent to or from a site that uses HTTP instead of HTTPS, image files, etc. etc. This is all very valuable data: now they can tell where you like to go, what you like to do, and how you spend your time online. Digital marketers will pay quite a pretty penny to get that data!

Whoa, that’s pretty scary….. oh no, does that mean Starbucks’ ISP can also see all this about me!? Glad you’re starting to think about the ramifications of this, but we don’t need to panic (this time). Yes, Starbucks’ ISP will see all this data too, but they will only see that it’s coming from Starbucks; they can’t tie it directly to you so easily. Now, since Starbucks owns their own network equipment, they may be able to tie this data to a hostname or MAC address, but they likely do not: it takes a decent amount of infrastructure to do this, and for Starbucks the data would be minimally useful. However, it is important to know that they could if they wanted to; any public WiFi provider could if they wanted to, so that is something to keep in mind. Does that mean your VPN isn’t useful on public WiFi? Hell no… but for different reasons… which we will get into later. For now the important parts here are just the parts about how the ISP can spy on you, and how they do it.

Now let’s talk about how a VPN helps with this. As stated above, a VPN creates a “tunnel” which lets two devices act like they are on the same private network, and this tunnel can be encrypted. What that means is our traffic flowing to this other VPN machine, we’ll call it our VPN peer, will look a bit different to the ISP. They will see the traffic going to the VPN peer, but if it’s encrypted all they see is that some traffic is flowing in that direction: no URLs, no images, etc. etc. So if you recall, in the Routing post I mentioned default routes. If you do, then you remember default routes are for everything your computer doesn’t know where to send, because your computer isn’t connected to the destination’s network. Well, if the default route points at the VPN peer, then everything destined to leave the network is sent to the VPN peer. If that VPN is encrypted, it means all our internet traffic is encrypted, and therefore can’t be snooped by your ISP. Here is where a pitfall lives, and maybe some of you have already figured it out… if our traffic is flowing through our VPN provider’s equipment, doesn’t that mean the VPN provider has the same ability to sniff my packets as my ISP did before? Yes, yes it does. So it doesn’t actually help with snooping that much then? Well……. yes and no. It lets you choose who you think is going to be more trustworthy with your data, your ISP or your VPN provider…. this is where choosing your VPN provider becomes very important…. more on that later.

Access Region Locked Content (watching netflix in another country)

You can generally approximate a user’s location based on their IP address. This is how Netflix can region lock its content, and show different movies to people living in the USA than to people living in Europe, for example. So how does a VPN help with this? Glad you asked! Remember why ISPs could no longer snoop your traffic… because the VPN was sending all traffic destined for the internet through the tunnel. Well, it’s that same idea that works here! To the website it looks like your source IP is the VPN peer, not your own computer. So according to Netflix you are located wherever your VPN peer is located, and not where you actually are. The best part about this: it doesn’t need to be an encrypted VPN for this use case to work!
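
Here is an added example (mine, not from the original post) that models the last two sections in one toy script: a laptop whose default route points at a VPN peer, the ISP watching the wire, and the website at the far end. It does a real longest-prefix route lookup, so you can see that LAN traffic never enters the tunnel while everything else does, then shows what the ISP can read with and without encryption, and that the website sees the peer’s address either way. Every address, the key and the request are constructed for the demo, and the “cipher” is a throwaway keystream standing in for whatever a real tunnel uses:

```python
"""Added example, not from the original post: a toy model of a laptop, a VPN
peer and the two observers the post talks about (the ISP on the path and the
website at the far end). All addresses, keys and packets are constructed."""
import hashlib
import ipaddress

# Constructed addresses (documentation ranges) for the demo.
MY_IP = "192.168.1.23"          # the laptop on the LAN
PRINTER_IP = "192.168.1.50"     # something else on the same LAN
VPN_PEER_IP = "203.0.113.10"    # the VPN provider's server, or your own VPS
WEBSITE_IP = "198.51.100.7"     # e.g. a region-locked streaming site
TUNNEL_KEY = b"constructed-demo-key"

# Routing tables as (prefix, next hop). "0.0.0.0/0" is the default route.
ROUTES_NO_VPN = [("192.168.1.0/24", "lan"), ("0.0.0.0/0", "isp")]
ROUTES_WITH_VPN = [
    ("192.168.1.0/24", "lan"),        # the local network stays local
    (VPN_PEER_IP + "/32", "isp"),     # the tunnel itself still has to reach the peer
    ("0.0.0.0/0", "tun"),             # everything else goes into the tunnel
]


def choose_route(dst, routes):
    """Longest-prefix match, the way a host's routing table does it: the default
    route only wins when no more specific prefix contains the destination."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]


def toy_encrypt(key, data):
    """Toy keystream cipher (SHA-256 of key||counter, XORed in). Illustrative
    only; a real tunnel uses an AEAD such as AES-GCM or ChaCha20-Poly1305."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def send(dst, payload, use_vpn, encrypted):
    """Return (isp_view, site_view): the packet the ISP can read on the wire and
    the packet the website receives. isp_view is None when traffic never leaves
    the LAN."""
    hop = choose_route(dst, ROUTES_WITH_VPN if use_vpn else ROUTES_NO_VPN)
    inner = {"src": MY_IP, "dst": dst, "payload": payload}
    if hop == "lan":
        return None, inner            # switched locally, the ISP never sees it
    if hop == "isp":
        return inner, inner           # plain routing: the ISP sees everything
    # hop == "tun": encapsulate toward the VPN peer. The outer header (you -> peer)
    # is always visible; the inner packet is only hidden if the tunnel encrypts.
    wire = inner["src"].encode() + b">" + inner["dst"].encode() + b"|" + payload
    body = toy_encrypt(TUNNEL_KEY, wire) if encrypted else wire
    isp_view = {"src": MY_IP, "dst": VPN_PEER_IP, "payload": body}
    # The peer decapsulates and forwards with ITS address as the source, which is
    # why the website (and its geolocation) sees the peer, encrypted or not.
    site_view = {"src": VPN_PEER_IP, "dst": dst, "payload": payload}
    return isp_view, site_view


if __name__ == "__main__":
    req = b"GET /movies HTTP/1.1"   # constructed request
    for use_vpn, encrypted in [(False, False), (True, False), (True, True)]:
        isp, site = send(WEBSITE_IP, req, use_vpn, encrypted)
        print(f"vpn={use_vpn} encrypted={encrypted}")
        print("  ISP sees :", isp)
        print("  site sees:", site)
    print("printer   :", send(PRINTER_IP, req, True, True))
```

Run it and compare the three ISP views: without the VPN the request is right there; with an unencrypted tunnel the ISP still reads the request, just addressed to the peer; with encryption it reads only you-to-peer plus opaque bytes. In all three VPN cases the website gets the peer’s address, which is the whole region-lock trick.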

Keeping you safe on public WiFi

This is actually very similar to stopping your ISP from snooping, except instead of your ISP snooping on you it’s that shady guy with the dark hoodie sitting in the corner with stickers all over his laptop (totally not me). Hang on, this shady Pyro character doesn’t own the router I’m connecting to at my favorite coffee shop… does he? Well, he shouldn’t, but he very well might. You see, most places, especially small, locally owned shops, don’t really know what they are doing when they offer their customers WiFi. This leads to routers that don’t get patched, or worse, are left with default credentials. Have you audited the security of your favorite coffee shop’s WiFi yet? Now here’s the scary thing though… this shady Pyro guy doesn’t even have to own the router to sniff your traffic. How is this possible? Well, WiFi is basically just a way to make a wireless switch. Remember when we talked about ARP in the Addressing post? The same thing applies here! An attacker can trick your machine into sending them the traffic meant for the router, and trick the router into sending them the traffic meant for you, then forward between the two. This lets them sniff the traffic. This technique is called ARP spoofing. If you guys are interested I could do a talk about that and include a tutorial. This technique would allow the attacker to view all of your unencrypted packets, like HTTP requests, DNS traffic, FTP, telnet, etc. etc. Now, encrypted channels like HTTPS are safer here, as the attacker shouldn’t get the actual data, but there are ways to defeat HTTPS when you own the gateway the requests are being filtered through. So how does a VPN help with this? Well, if all of your traffic is being tunneled and that tunnel is encrypted, then all of your traffic is encrypted and unreadable from an attacker’s perspective.
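
Since the post promises a future ARP spoofing tutorial, here’s the defender’s side of it instead, as an added example of mine (not from the original post): a small detector that reads ARP reply lines and flags the two things ARP spoofing produces on the wire, the gateway’s IP suddenly answering from a different MAC, and one MAC claiming more than one IP address. The log lines are constructed in a tcpdump-like wording, not a real capture, and the gateway address is made up for the demo:

```python
"""Added example, not from the original post: spotting ARP spoofing from ARP
reply lines. Sample lines are constructed in tcpdump-like wording."""
import re
from collections import defaultdict

# Constructed ARP replies. The first two are normal; the last two are what a
# spoofing attacker produces: the gateway "moves" to a new MAC, and that same
# MAC also claims the victim's address so it can sit between the two.
SAMPLE_LINES = [
    "12:00:01 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28",
    "12:00:02 ARP, Reply 192.168.1.50 is-at 00:11:22:33:44:50, length 28",
    "12:00:30 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:31 ARP, Reply 192.168.1.23 is-at de:ad:be:ef:00:99, length 28",
]
GATEWAY_IP = "192.168.1.1"   # constructed: the coffee shop router

ARP_REPLY = re.compile(
    r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I
)


def detect_arp_spoofing(lines, gateway_ip):
    """Return a list of (timestamp, reason) alerts from ARP reply lines.

    Signal 1: the gateway IP's MAC changes during the session.
    Signal 2: a single MAC claims more than one IP address.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if not m:
            continue                       # not an ARP reply, skip
        ip, mac = m.group(1), m.group(2).lower()
        ts = line.split()[0]
        if ip == gateway_ip and ip in ip_to_mac and ip_to_mac[ip] != mac:
            alerts.append((ts, f"gateway {ip} changed from {ip_to_mac[ip]} to {mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, f"{mac} now claims {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for ts, reason in detect_arp_spoofing(SAMPLE_LINES, GATEWAY_IP):
        print(ts, reason)
```

Two caveats for anyone wiring this into something real: a gateway MAC does legitimately change when the router is replaced or a redundant pair fails over, so signal 1 is a prompt to look, not proof; and neither signal tells you anything once you are already on an encrypted VPN, which is the point of the post, the attacker in the corner then gets the same opaque bytes the ISP does.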

Keeping you anonymous online

VPNs can indeed help keep you anonymous online…. but to what extent, and how do they do this? Well, reader in my head, I’m glad you asked. This concept actually combines two of the things we’ve talked about before: stopping your ISP from snooping on your traffic, and tricking Netflix into thinking you’re somewhere that you’re not. So if we take those concepts and combine them, using a VPN will hide your traffic from your ISP and from anyone who associates your habits with an IP address (advertisers), and will show them a different IP. Now, if you use the same VPN endpoint every time then the advertisers will start to link that VPN exit IP to you as well. Also, some of the less scrupulous VPNs actually keep your traffic and sell it to the very advertisers you may be trying to avoid! If your VPN is free, think about why that might be. Ok wow, so that’s kinda scary… how do you know which VPNs to trust? Oh we’ll get to that…. we will get to that. For now let’s continue with how best to protect yourself online. I’m sure, being a reader on my site, you’ve heard of TOR, which is NOT a VPN. TOR works entirely differently: it sends all your traffic to a TOR node, which then bounces it to another TOR node, which then bounces it to an exit node, with each node only keeping the data needed to get a packet back to the node before it and nothing else. But if a company like Google owns the right node on the chain they can still trace it back to you, and realize who you are and how best to fill your screen with advertisements! So how do we protect against this? Well, we can combine a VPN with TOR so that even TOR only knows our VPN exit. I’m sure you can imagine how many layers deep this can go… basically it all depends on who you think is attempting to snoop your traffic and how paranoid you want to be about it.
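
To make the “each node only knows the node before it and the one after it” idea concrete, here is an added toy onion circuit of my own (not from the original post, and not how TOR is actually implemented). The client wraps its request in one layer per relay; each relay peels exactly one layer, learns only the next hop, and passes on an opaque blob. The script also records what the first relay sees as the client, so you can watch the VPN-then-TOR combination the post describes: when you enter the circuit from a VPN exit, the guard only ever sees that exit’s address. Relay names, keys, the destination and the request are all constructed, and the cipher is a throwaway keystream:

```python
"""Added example, not from the original post: a toy onion circuit showing why
each TOR-style relay learns only the hop before and after it, and what the
guard sees when the client enters from a VPN exit. Everything is constructed;
the cipher is a throwaway keystream, not anything TOR actually uses."""
import hashlib

# Constructed circuit: three relays, each sharing one key with the client only.
RELAY_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
PATH = ["guard", "middle", "exit"]


def toy_xor(key, data):
    """Toy keystream cipher (SHA-256 of key||counter, XORed in). Symmetric:
    applying it twice with the same key gives the original. Not a real cipher."""
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def build_onion(path, keys, dest, payload):
    """Wrap the payload in one layer per relay, innermost (exit) first. Each
    layer is 'next_hop|rest' under that relay's key, so peeling one layer
    reveals exactly one forwarding address plus another opaque blob."""
    cell, next_hop = payload, dest
    for relay in reversed(path):
        cell = toy_xor(keys[relay], next_hop.encode() + b"|" + cell)
        next_hop = relay
    return cell


def run_circuit(entry_seen_as, path, keys, dest, payload):
    """Walk the onion through the relays. Returns what each relay learned and
    the (destination, bytes) the exit relay finally delivers. entry_seen_as is
    the address the guard sees the circuit coming from."""
    cell = build_onion(path, keys, dest, payload)
    views, prev = [], entry_seen_as
    for relay in path:
        # Relay names contain no '|', so the first '|' always ends the hop name.
        next_hop, cell = toy_xor(keys[relay], cell).split(b"|", 1)
        views.append({
            "relay": relay,
            "prev_hop": prev,
            "next_hop": next_hop.decode(),
            "payload_in_clear": payload in cell,   # only the exit relay sees it
        })
        prev = relay
    return views, (next_hop.decode(), cell)


if __name__ == "__main__":
    req = b"GET /search?q=something-private HTTP/1.1"   # constructed request
    # Entering TOR from a VPN exit: the guard only ever sees the VPN's address.
    views, delivered = run_circuit("203.0.113.10 (VPN exit)", PATH, RELAY_KEYS,
                                   "example.site", req)
    for v in views:
        print(v)
    print("delivered:", delivered)
```

Notice the two things the output makes obvious: no single relay holds both the client address and the destination, and the exit relay does see the request in the clear unless the application layer (HTTPS) encrypts it too, which is exactly the “who owns the right node” worry in the paragraph above.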
On the subject of anonymity though, I want to mention that knowing where you are coming from is only one small part of what makes up your digital fingerprint. Everything from your screen size, how many screens you have, how many tabs you have open, what those tabs are open to, how you type, how you move the mouse, even how long you wait until giving up on a website loading is taken into account, so to be truly anonymous online you have to go to some pretty extreme measures… just food for thought.

Enough teasing which VPN should be used?

See, this is a tougher question than you probably realize. You can use your best judgement and read reviews online to find the one that has a no-log policy. Now, even if the reviews are good, that doesn’t mean the VPN company can’t change its policy or be bought out by a less privacy-focused company. You could go a whole other route and say the only person you can trust is yourself, and build your own VPN server on your home network, do the port forwarding, and boom, you can VPN from anywhere. But this obviously negates the stopping-your-ISP-from-snooping point of having a VPN, and unless the country you want Netflix to think you’re in is the one you live in, it won’t help there either. So is there a middle ground? Of course there is! You just have to purchase a VPS (Virtual Private Server), from Digital Ocean, Google Cloud, Amazon Web Services, Linode… the list goes on and on, there are a million of these things. I’m partial to Linode because they sponsor a ton of Linux content creators and I love Linux… boy do I love Linux. Anywho, back to the subject at hand: you can spin up a VPS (or more than one) and you’ll have your choice of datacenters to spin it up in. Then you can turn that VPS into a VPN server! Now your traffic will be hidden from your ISP, you can turn it on to protect you on public WiFi, Netflix will think you’re wherever your VPS is hosted, and you can chain them together, and with TOR, to stay anonymous online.

Bringing it Back to Hacking

There’s the obvious one of helping you stay anonymous while carrying out attacks, but let’s get more creative than that, after all we are hackers aren’t we? So let’s start with that whole private tunnel thing that sets up a local connection over the internet, that sounds interesting! Imagine you have a VPN server that you’re connected to, and you phish a user to execute a payload. You can craft the payload to connect their computer to that VPN, and now you and your target are on the same “local” network, suddenly seeing open ports on that machine and what services are running on those ports, making attacking it and finding vulnerabilities easier. We can get way more Mission Impossible than that though. Imagine you could social engineer your way into a building; how would you turn that into access to the computer network? Well, what if you pre-set up something like a Raspberry Pi, hooked it up to a battery that will last a while (or even plugged it into the wall) and connected it to either the WiFi network or an unused Ethernet jack (which more often than not are live even though they shouldn’t be). You can imagine that building tunnels to allow local access to a remote network can be very useful.


Whew, that was a long one! If you’ve made it this far… damn man, thank you for reading my ramblings. Hope that shed some light on the “magic bullet” some companies and individuals seem to think VPNs are. So next time you see an ad claiming that VPNs can solve all your life’s problems, maybe take a closer look and see if the offer really is too good to be true.

This has been yet another alcohol, caffeine, and sleep deprived post several weeks in the making (mostly because I was in the process of taking the eCPPT exam, so time was at a premium). Thank you for coming along on this journey, and hey, if you liked what you read feel free to leave a comment. Remember, always play with fire, no matter what your mother told you, it’s fun. Peace! -Pyro