Discussion:
Simple VPN question
(too old to reply)
root
2017-12-28 17:32:01 UTC
Permalink
I don't understand to what extent using a VPN masks your IP address.
My questions arise from two observations.

1. I normally use w3m as a browser with no user-agent setting. Frequently
if I issue several google requests using inurl:something
google will take me for a robot and shut me down. I have tried using
openvpn and a public vpn and repeating the request but google still
recognizes me and refuses my request.

2. Some of the BBC sites allow access only from within the UK. As
a test of a commercial VPN I make connection to a VPN server
in Manchester, UK from my actual site in Southern California.
The BBC recognized that my request was coming from outside the
UK and denied access.

I have tried the webrtc test from github with the Chrome browser and
with javascript enabled I see only a local IP address from the
VPN, and neither the VPN or my address. I see nothing from Chrome
when javascript is disabled.

In all cases What is my IP shows the VPN server address as I would
expect.

How does google or the BBC determine my real IP address?

Thanks.
Ars Ivci
2017-12-28 18:01:51 UTC
Permalink
On Thu, 28 Dec 2017 17:32:01 +0000 (UTC)
Post by root
In all cases What is my IP shows the VPN server address as I would
expect.
How does google or the BBC determine my real IP address?
Thanks.
They might have stored a cookie previously; clearing them should help.
--
Ars Ivci
Grant Taylor
2017-12-29 06:34:20 UTC
Permalink
Post by root
2. Some of the BBC sites allow access only from within the UK. As
a test of a commercial VPN I make connection to a VPN server
in Manchester, UK from my actual site in Southern California.
The BBC recognized that my request was coming from outside the
UK and denied access.
There are a number of different things that can be done. But one of the
most common techniques is to rely regional on DNS.

Many VPNs only pass connections and rely on local DNS. So, BBC can have
uk-only.bbc.example resolve to one address in the UK and resolve to a
different address everywhere else.

So when your computer looks up the address via it's local DNS server,
you end up with the address that is for non-UK visitors. Thus when you
connect to that site through the VPN, you are giving away the fact that
you resolved outside of the UK.

There are various ways around this, including forcing your DNS traffic
through the VPN to a DNS server in the area you are trying to access.

I typically like to tell SOCKS 5 clients to let the SOCKS server resolve
the host names.

There are various other things that leak information about your real
location that can be used to detect non-UK residents.
--
Grant. . . .
unix || die
Pascal Hambourg
2017-12-29 12:31:37 UTC
Permalink
Post by root
I don't understand to what extent using a VPN masks your IP address.
It doesn't.
A VPN is just like a network cable. A cable does not mask IP addresses.
root
2017-12-29 15:57:52 UTC
Permalink
Post by Pascal Hambourg
Post by root
I don't understand to what extent using a VPN masks your IP address.
It doesn't.
A VPN is just like a network cable. A cable does not mask IP addresses.
WhatIsMyIP shows the IP address of the VPN server. I connected to
a server in Moscow and sent a query to Google. Google responded
in Russian so in that case Google thought that my request was
coming from Moscow. It seems to me that my real IP address is
being hidden in this case, how is that wrong?
Pascal Hambourg
2017-12-29 19:09:30 UTC
Permalink
Post by root
Post by Pascal Hambourg
Post by root
I don't understand to what extent using a VPN masks your IP address.
It doesn't.
A VPN is just like a network cable. A cable does not mask IP addresses.
WhatIsMyIP shows the IP address of the VPN server. I connected to
a server in Moscow and sent a query to Google. Google responded
in Russian so in that case Google thought that my request was
coming from Moscow. It seems to me that my real IP address is
being hidden in this case, how is that wrong?
If a website shows the VPN server IP address, then it means that the VPN
server does masquerading (source NAT), just like any internet box or
carrier-grade NAT. Nothing specific with VPN, really.

My own VPN server does not do masquerading.

Lew Pitcher
2017-12-29 16:50:18 UTC
Permalink
Post by Pascal Hambourg
Post by root
I don't understand to what extent using a VPN masks your IP address.
It doesn't.
A VPN is just like a network cable. A cable does not mask IP addresses.
On the local host, a VPN presents as a network device. This VPN network
device may acquire an IP address from the VPN supplier, and subsequently
alter the local routing tables such that all traffic (other than the VPN
encapsulation) goes through the VPN device. Thus, it is possible for network
traffic routed to the internet through the VPN to have a /different/ IP
address than the host's actual internet-connected node. A smart VPN supplier
might not just supply an IP address, but may supply one assigned from a
regional internet registry in the customer's preferred location (i.e. assign
an IP address from the RIPE pool for a customer in the USA who want's to
look like they host in Great Britain).

Additionally, a VPN provider may run Network Address Translation within the
VPN, so that locale-appropriate local host IP addresses translate to target-
locale-appropriate IP addresses.
--
Lew Pitcher
"In Skills, We Trust"
PGP public key available upon request
Eli the Bearded
2017-12-29 18:44:32 UTC
Permalink
Post by Lew Pitcher
On the local host, a VPN presents as a network device. This VPN network
device may acquire an IP address from the VPN supplier, and subsequently
alter the local routing tables such that all traffic (other than the VPN
encapsulation) goes through the VPN device. Thus, it is possible for network
...

Good summary of a VPN on a individual computer. Ideally a VPN like that also
changes your DNS configuration to use servers local to the endpoint.

VPNs can also be implemented on routing equipment. Companies with
offices in multiple locations might prefer inter-office communication to
go over a VPN and will route, say a RFC 1918 network space over that
link. In a case like that, you'd want internal nameservers, possibly
with separate "horizons", which know about the hosts in different
places. (The "horizons" are places from which DNS looks different; each
office may have say, "printer.office.tld", but the printer it goes to
would be different from each location.)

I'd sort of like to have the option to set up a VPN from my home's
network terminator, to route all traffic from inside my network to a VPN
endpoint somewhere. But that kind of configuration requires equipment
with a bigger footprint / more blinky lights than I currently have. (Or
could likely persuade my wife to put up with. Quiet and dark at night
are things she values.)

Elijah
------
used to regularly run into "VPN works, DNS doesn't" issues
Loading...