Wilders Security Forums  

  #1  
Old August 26th, 2006, 06:10 PM
loper06 loper06 is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 3
Default Need some help related to VPN/SSH?

In relation to the "VPN or SSH tunneling?" thread. If I set up my own (local LAN) SSH or VPN box, will this shield me from ISP sniffing? Basically, my primary desktop is the client which is connected to my router, and I have an SSH or VPN box connected to the LAN via the router. Traffic is then encrypted and sent to my ISP's servers then to the WWW.

Will traffic be encrypted by the SSH or VPN box so that my ISP only sees the encrypted info like so:

Code:
Primary desktop -> Router/LAN -> SSH/VPN box -> ISP encrypted -> 3rd party WWW server.

Instead of this:

Code:
Primary desktop -> Router/LAN -> ISP unencrypted -> 3rd party WWW server.

If this method will not work to prevent my ISP from sniffing packets, can someone please recommend a 3rd party SSH or VPN provider that prevents this?

ANY help would be appreciated. Thanks for the time!
  #2  
Old August 26th, 2006, 08:22 PM
Devinco Devinco is offline
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,524
Default Re: Need some help related to VPN/SSH?

Are the Primary Desktop and SSH/VPN box all inside the same LAN?

Your ISP will always be able to see your traffic (traffic patterns: where, when, and how long you connect to another server). If the traffic is encrypted by SSL or SSH, then the ISP won't see the contents of your traffic (what is in the traffic).

Whether the traffic is encrypted between the SSH/VPN box and the 3rd party WWW server depends on the type of connection between them. Is it SSL? SSH? If so then it is encrypted. But you could do this directly without the SSH/VPN box.
  #3  
Old August 26th, 2006, 08:41 PM
loper06 loper06 is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 3
Default Re: Need some help related to VPN/SSH?

Quote:
Originally Posted by Devinco
Are the Primary Desktop and SSH/VPN box all inside the same LAN?

Yes. All the computers will be in my home network. All computers connected will be able to connect to the VPN box.

Quote:
Originally Posted by Devinco
Your ISP will always be able to see your traffic (traffic patterns: where, when, and how long you connect to another server). If the traffic is encrypted by SSL or SSH, then the ISP won't see the contents of your traffic (what is in the traffic).

So my ISP can "see" the stuff I download and upload like xy.rar, xy.jpg, etc. without encryption? However, with encryption the ISP knows I'm using bandwidth and what server/IP I'm connected to but they can't see if I'm downloading xy.rar, xy.jpg, etc. Is that right?

Quote:
Originally Posted by Devinco
Whether the traffic is encrypted between the SSH/VPN box and the 3rd party WWW server depends on the type of connection between them. Is it SSL? SSH? If so then it is encrypted. But you could do this directly without the SSH/VPN box.

Well, for example: NNTP (newsgroup) traffic. Can I encrypt traffic so my ISP doesn't see my traffic (downloads/uploads)? Another would be mIRC. How can I do this without the SSH/VPN box?

Thanks!
  #4  
Old August 26th, 2006, 09:25 PM
Devinco Devinco is offline
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,524
Default Re: Need some help related to VPN/SSH?

Quote:
Originally Posted by loper06
Yes. All the computers will be in my home network. All computers connected will be able to connect to the VPN box.

Then there is no need for the VPN/SSH box because when your primary desktop connects to the VPN/SSH box the connection is still WITHIN your LAN. The ISP cannot sniff within your LAN, only once the traffic leaves your LAN.
This type of a setup would only hide the contents of the traffic from other computers within your LAN.

Quote:
Originally Posted by loper06
So my ISP can "see" the stuff I download and upload like xy.rar, xy.jpg, etc. without encryption? However, with encryption the ISP knows I'm using bandwidth and what server/IP I'm connected to but they can't see if I'm downloading xy.rar, xy.jpg, etc. Is that right?

Correct. It is not just the files you download or upload, also the contents of every email you send or receive including passwords, all your IM chats, newsgroup traffic, FTP including passwords, and the contents of every non-SSL webpage you visit.

Quote:
Originally Posted by loper06
Well, for example: NNTP (newsgroup) traffic. Can I encrypt traffic so my ISP doesn't see my traffic (downloads/uploads)? Another would be mIRC. How can I do this without the SSH/VPN box?

What you want to do is move that SSH/VPN box OUTSIDE of your LAN to a different location and then SSH/VPN connect to it remotely.

Like this:
Primary desktop -> SSH/VPN connection over ISP -> remote SSH/VPN box -> 3rd party WWW server.

The first connection is encrypted. The connection between the SSH/VPN box and third party depends on whether it is SSL. If it is, the connection is secure.
If the DNS requests are forwarded to the remote SSH/VPN box, then only the SSH/VPN box's ISP servers and DNS servers will have the traffic connection details.
Your local ISP would only see that there is a single connection to the remote SSH/VPN box and that the connection is encrypted. They will also see the volume of the traffic.

This is sometimes called an external or remote proxy.
The simplest way to do this is to use a privacy service like anonymizer, COTSE, FindNot, etc.

The only time you would want to set up the SSH/VPN box WITHIN your LAN is if you, say, travel a lot and don't want to use (pay for) the privacy services. Then you could connect with your laptop from an internet cafe to your SSH box at home and then from home it would go to your WWW server. The Internet Cafe (their LAN) and the ISP there would only see the encrypted connection to your home, not the contents. Then your Home ISP would be able to see the contents if it is not SSL.

Welcome to Wilders.
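
An added illustration, not part of the original thread: a small Python model of the three setups described in the post above (box inside the LAN, remote box, internet cafe to a home box), computing what each observer along the path can see. The `Hop` and `visibility` names, the three visibility levels, and the hop lists are assumptions constructed for this sketch.

```python
from dataclasses import dataclass

# Visibility levels, least to most revealing (names are assumptions):
#   tunnel-only: one encrypted connection to the tunnel endpoint, plus volume
#   metadata:    the real destination server, timing and volume, no contents
#   contents:    everything, including passwords and file names
LEVELS = ["tunnel-only", "metadata", "contents"]

@dataclass(frozen=True)
class Hop:
    observer: str    # who is in a position to sniff this hop
    in_tunnel: bool  # True if the hop is carried inside the SSH/VPN tunnel

def visibility(hops, app_encrypted):
    """Map each observer to the most revealing level it gets on the path.

    app_encrypted: True if the application protocol itself is SSL/SSH,
    False for plain protocols such as NNTP, FTP or non-SSL web pages.
    """
    seen = {}
    for hop in hops:
        if hop.in_tunnel:
            level = "tunnel-only"
        elif app_encrypted:
            level = "metadata"
        else:
            level = "contents"
        # An observer sitting on several hops learns from the weakest one.
        prev = seen.get(hop.observer, "tunnel-only")
        seen[hop.observer] = max(prev, level, key=LEVELS.index)
    return seen

# Constructed paths for the three setups in the thread.
LAN_BOX = [Hop("home LAN", True), Hop("home ISP", False)]
REMOTE_BOX = [Hop("home LAN", True), Hop("home ISP", True),
              Hop("remote box ISP", False)]
CAFE_TO_HOME = [Hop("cafe LAN", True), Hop("cafe ISP", True),
                Hop("home ISP", True),    # inbound tunnel leg
                Hop("home ISP", False)]   # outbound leg to the WWW server

if __name__ == "__main__":
    for name, path in [("LAN box", LAN_BOX), ("remote box", REMOTE_BOX),
                       ("cafe -> home box", CAFE_TO_HOME)]:
        for ssl in (False, True):
            print(f"{name:17} app SSL={ssl!s:5} {visibility(path, ssl)}")
```
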
  #5  
Old August 27th, 2006, 12:30 AM
loper06 loper06 is offline
Infrequent Poster
 
Join Date: Aug 2006
Posts: 3
Default Re: Need some help related to VPN/SSH?

Thanks for all the help Devinco.

I just have a few more questions if you don't mind. How secure are these services? I've looked at SecurStar's SecurSurf before but it was too pricey. Do you recommend COTSE, FindNot, or some other provider? Also, how does port forwarding work on these services?
  #6  
Old August 27th, 2006, 06:54 PM
Devinco Devinco is offline
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,524
Default Re: Need some help related to VPN/SSH?

Quote:
Originally Posted by loper06
Thanks for all the help Devinco.

I just have a few more questions if you don't mind. How secure are these services? I've looked at SecurStar's SecurSurf before but it was too pricey. Do you recommend COTSE, FindNot, or some other provider? Also, how does port forwarding work on these services?

If they are properly configured on both ends, the connection can be pretty secure from your average criminals and hackers. Just don't get any illusions that you can hide from Big Brother. There is no such thing as internet anonymity, just partial obscurity. If you want to use the internet, you have to connect. That connection can ultimately be traced back to the one making the connection. That doesn't mean you should give up on protecting the little privacy we still have left.
If you don't do things that are illegal and just want a little privacy, these services work well.

SecurSurf is $8.49 a month.
Anonymizer Total Net Shield is $8.33 a month.
FindNot is $8.33 a month.
COTSE Internet Shield is $5.95 a month.

They all offer similar services with each having their own unique selling points.

I have tried the Anonymizer Anonymous Surfing (not Total Net Shield). It was easy to set up and easy to use. It was the first "Anonymous" type of service I used. It is good to start with when you are just learning.
Later as I learned more about privacy and security (thanks to Wilders), I wanted something with more privacy and security features. I would have gone with the Anonymizer Total Net Shield, but I learned about COTSE and have been using them since.

COTSE is a very good service. I don't know how the other SSH services are, but setting up SSH takes some configuration.
The speed is good. The uptime is pretty good too. Maybe a service outage every 4 months or so. Outages are usually for a few hours, occasionally a day or so. The customer service is very good and they deal with problems at once. If there is a problem that they can fix themselves, they do so quickly.

Can't comment on the others as I haven't used them.
There is also Privacy.li, but I get conflicting reports about them.

There is also JAP and TOR. These are free and they work a little differently. Search the Privacy Forums here and you will find a lot of info.

Good, Fast, Cheap - Pick two.

Last edited by Devinco : August 27th, 2006 at 07:38 PM.
 
