This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

log question, openvpn related


Hello,

I'm using Wireshark to verify my OpenVPN connection is truly encrypted. I've found a guide on the web: http://www.online-tech-tips.com/computer-tips/check-vpn-connection-actually-encrypted/

Problem: I tried the test and ended up with similar logs with and without the VPN: http://i.imgur.com/tBHRlcM.png

In the capture, the packets titled 'standard query' or 'standard query response' are readable with or without the VPN connection enabled. Could a Wireshark developer tell me if that's normal or if I should be worried?

Thank you.

asked 13 May '16, 22:24

asiagoro


One Answer:


I'll dare to answer although I am not a Wireshark developer, as I don't think it needs a Wireshark developer to answer.

In both packets you've shown, the source IP address and the destination IP address are almost identical, which almost surely means that they are in the same subnet (can't be 100% sure as you have posted just screenshots and not a complete capture file).

Simplifying a lot, what the VPN software normally does is that it creates a virtual interface in your PC and replaces the default route for all the PC's IP traffic by its own one pointing to that interface, using the original default route's target as a route to the remote VPN server. This means that packets towards any IP address, except the VPN server's own one, go to the virtual interface, which encrypts and encapsulates them and sends them to the VPN server's address using the physical interface.

However, there is one more exception, and that is LAN traffic (i.e. traffic between devices sharing the same IP subnet). Packets towards equipment on the same LAN do not need any routing information and are sent directly to it rather than to a gateway element (router).

So the following are my assumptions about your home network:

  • you use a home router which has an IP address 192.168.1.1 and assigns client PCs their IP addresses using the DHCP protocol

  • it also acts as a DNS proxy, which means that it tells the client PCs to use it as DNS server.

So your other traffic to the internet is likely encrypted, but your DNS queries are effectively not, because you send them to your home router, which is not a member of the VPN, and whenever it cannot respond to your query from a previously cached answer, it sends that query "in its own name" (which is its IP address looking towards the internet, so enough to identify you) to the DNS server whose address it has got from your ISP.

To avoid this, you have to configure your PC to use a DNS server in the internet directly, instead of sending the queries to the home router. The VPN provider's or your ISP's web pages may suggest one to you. Or you may open the admin interface of your home router and find it there, as the ISP has configured it there, either statically before shipping it or using DHCP every time it comes up.

answered 14 May '16, 02:06

sindy

edited 14 May '16, 02:10
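
The routing behaviour described in the answer above, as an added example that is not part of the original answer or of Wireshark or OpenVPN: a longest-prefix-match lookup over a constructed routing table shows why a DNS server on the LAN is reached outside the tunnel while an internet DNS server is not. The interface names (`eth0`, `tun0`), the VPN server address and the internet resolver address are assumptions chosen from documentation ranges.

```python
import ipaddress

TUNNEL_IF = "tun0"  # assumed name of the VPN's virtual interface

# Constructed routing table for a client with the VPN connected.
ROUTES = [
    ("0.0.0.0/0", "tun0"),        # default route now points into the tunnel
    ("203.0.113.10/32", "eth0"),  # VPN server itself, via the physical interface
    ("192.168.1.0/24", "eth0"),   # on-link LAN subnet, no gateway involved
]


def egress_interface(dst, routes=ROUTES):
    """Return the interface selected by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit_resolvers(resolvers, routes=ROUTES, tunnel_if=TUNNEL_IF):
    """Map each DNS server to (egress interface, bypasses_tunnel)."""
    report = {}
    for server in resolvers:
        iface = egress_interface(server, routes)
        report[server] = (iface, iface != tunnel_if)
    return report


if __name__ == "__main__":
    # 192.168.1.1 is the home router from the answer; 198.51.100.53 is a
    # constructed stand-in for a DNS server in the internet.
    for server, (iface, bypass) in audit_resolvers(
        ["192.168.1.1", "198.51.100.53"]
    ).items():
        status = "cleartext on LAN, outside the VPN" if bypass else "inside the tunnel"
        print(f"{server:15} -> {iface:5} {status}")
```

On a real Linux client the same question can be asked of the kernel with `ip route get <address>`, and a capture on the physical interface should then show no `standard query` packets once the resolver is reached through the tunnel.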