Say an attacker finds out that Johnny uses a specific VPN and even knows the VPN server IP that he connects to. Is it then possible that the attacker, if connected to this same VPN and server, could sniff unencrypted traffic just as if Johnny didn't use a VPN and the attacker connected to his ISP... or even worse, since it's the same IP?
No, each connected client has a private tunnel network. If you were setting up a VPN server, you could configure it to allow clients to see each other. But no sane VPN service provider would do that.
Mirimir, except there are valid uses for setting up such a configuration. Using a toy all here could play with: Octopus tunneling as configured by the free VPN SecurityKISS. There are legit reasons for wanting someone to remotely be able to achieve LAN in this fashion. Each SKiss client approves the connection of the other in this way, e.g. Server X port Y will be shared between the participating clients (can be more than two clients if desired). SKiss has dozens of servers, but when these two need to be "LAN like" connected it is only possible on the exact designated server and specific port of the server. It makes it secure and allows for amazing inter-connectivity. In theory this is an amazing concept. You could see where at the admin level a similar connection could be made in secret that you would never know about. That is true of ANY VPN though. I have used something like this Octopus tunneling for specific uses. I am only posting about this service since it's on a free VPN that users could look at. Most users of this unique type of service leave a company server connected to the exact server and port, allowing ONLY designated users (by client mutual approval) to access the network, LAN or regular. All others on the server and port would be left completely out of the connection. It has its place for some!! Not trying to do anything other than shoot one over the top on this thread! The reality is that for 99.9% of VPN users the thought of anything other than an exclusive private tunnel would be a nightmare. LOL!!
Thanks for the answers! And if for some (dirty spying) reasons a VPN provider allowed clients to see each other, how can we check for it?
@Palancar I had no idea that SecurityKISS provided that option. Global LAN on the cheap. And yes, any VPN provider could be doing this. However, given that all VPN providers can see all traffic anyway, I don't see this as a major issue. @Iapibaru You could run nmap on the machine that's running the VPN client. As I recall, you should see at most two other machines on the VPN tunnel, the server and perhaps a DNS server. If you see more than that, be suspicious. Some VPN providers might not like clients running nmap, however.
If it's done properly an "average user" wouldn't see it at all. Remember the provider has an advantaged position in the system (like a Tor exit node). My general response is that I believe in and strictly use a "partition of trust" where no one VPN provider can access anything of value. You should select only VPN services with the highest reputation and then chain several of them together in a way that if one "falls" they get nothing useful. By spreading around your "trust" you devise a system where only a compromise of the entire chain would result in open text to read. That is very unlikely given the reputation of the top 5 or so providers that are in use here by our members. I won't list my choices, but we all have a basic idea of our individual top 5 or so. I almost didn't jump in this thread. I only wanted to point out that it is possible, and for a GOOD reason. Just be careful and be smart!