Basically what the title says - Can my ISP see the exit node of my VPN ? I hope not, because that would be weird, and would defeat the whole purpose of a VPN.
A bit of backstory about why I had this question ( it is slightly long, so is totally okay for the reader to skip this part )
My partner subscribed to a McAfee security suite, that we share (because they had some promotions available or something for multiple devices). It’s not the worst thing around - the antivirus part, but it also came with their “McAfee Safe Connect VPN” service, which is infamous for having a super-invasive data logging policy. So I said fuck’em and set out for a better option.
I am more or less tech-literate, but I researched somewhat deeply this time, basically to choose between “Privacy” (like Bruce Wayne - everybody knows who he is and lives in the Wayne Manor, but nobody knows what he does there, or that he has a BatCave underground), and “Anonymity” (Like Batman - everybody knows what he does - kicks ass of bad guys - but nobody really knows who he is, ok except for may be a couple of people) - basically trying to figure out if I needed a VPN at all or not.
I already have DNS-over-HTTPS enabled in all my devices - so that kinda took care of my “privacy” concerns (i.e. a nosy ISP) - although I believe my ISP can see which IP/Domain I am finally connecting to, which kinda sucks.
Apart from my ISP, the other concern was Public Wi-fi. I do work with my device(s) on-the-go a lot, which is why I have reason to ensure safety while connected to Public Wi-fi at Cafes/Restaurants/Airports. The fact that Internet is not just HTTPS - there’s telnet/FTP/SMTP/IMAP/POP3/Gopher and other protocols which have their own encryption methods (or not) also led me to the realization that DOH is not a total replacement for VPN. And the ISP can know my destination Domain even if DOH stops them from sniffing or blocking the DNS lookup itself.
In the end, I decided to go with VPN. Not any free ones (because as we all know they suck), and neither any over-promoted ones as well, like Nord or IPVanish (because they suck as well, in a different way). I chose Mullvad, but white labeled as Mozilla VPN. This is because I do use email-forwarding services to a large extent, and Mozilla is providing this combined deal of their email masking service Firefox Relay along with phone masking and VPN for 5 devices, all for a reasonable subscription (I won’t say how much because this post is not a promotion for them) - and being a long-time Firefox user (and also being anti-Google for a while), I decided to go with that (and so far all I heard about Mullvad are good things).
So far I am alright with it. Let’s see how it goes.
And that concludes my VPN journey story. While I was researching about how much my ISP can see when I connect to a VPN - I found that they can see encrypted traffic to and from my real IP, and that I connected to a “VPN server”, and nothing else.
I assume this “VPN Server” that they can see is the “entry node”, and not the “exit node” (i.e. my IP as seen by the world) - but never got a clear answer to that - which led me to my original question above.
And thanks for reading this far ! Feel free to share insights.
Your ISP can tell which machine you’re connecting to, so unless you configure multi hop, yes. It still helps, in two ways: first, other people may be using your exit node, and even if your ISP can monitor the outbound exit node traffic, they can’t know which is yours. Second, and more importantly, the packet-level tracking data that your ISP puts on your traffic is rendered useless, because it’s lost at the exit node. That alone gives you more privacy than any other action. You can DNS over HTTPS all you want, but that packet tracking tells the ISP exactly where you went.
Many VPNs will support multi-hop, where the concentrator you connect to is not the same as the exit/egress point.
Many? Tor and Safing SPN, but who else?
Mozilla VPN supports it
@ahal I feel like if I wanted that, I’d use TOR.
If you want anonymity, you’d use TOR, yes. If you don’t need quite that level of privacy but still more than a single hop of VPN proxy, a multi-hop can have some limited benefits such as making use of multiple domicile’s privacy laws.
deleted by creator
Mullvad
Mullvad has it was well.
IVPN has multi-hop
deleted by creator
Looks really cool. Looking at the founders, and their history, it seems like they have the right background. I just question why the whole thing is closed source
deleted by creator
Safing SPN is very similar, open source, and it splits every one of your streams, not just all of your traffic multi-hop.
So that might be something to look at.
Using Mullvad is probably good enough.
One other thing your ISP can see, even with HTTPS traffic, is the domain name you’re connecting to. That’s part of the handshake of HTTPS, which is mitigated by encrypted hello but that’s just barely starting to get rolled out.
The only issue with a single point VPN, which most of them are, is if somebody is monitoring all the traffic of that VPN provider, they could do data stream analysis to determine which client has which stream. So if you’re watching a YouTube video through the VPN, and observer of the VPN could go I see a YouTube video going to the VPN provider at this bit rate, I see this new bitrate immediately correlated with this encrypted VPN user, therefore this encrypted VPN user is watching this video. Basically an observation and timing attack.
Even if you use multi-hop, somebody who can observe the entire network, like state actors, could perform the same attack and determine which data stream is going to which VPN user.
The good news is, other than state actors, no individual organization has the The entire Network observed that thoroughly. Your local ISP is not going to have that data.
This observation deanimonization attack can also be mitigated by not moving large data streams through the VPN, and using VPNs that are popular with many different users, hiding your traffic in the overall hustle and bustle of the VPN
Even state actor won’t really bother pursuing pirates if you make it harder like using a VPN
I assume this “VPN Server” that they can see is the “entry node”, and not the “exit node” (i.e. my IP as seen by the world) - but never got a clear answer to that
Traditionally, the entry node and the exit node have been the same VPN server/ip. In that sense, your ISP does know the IP of your exit server, since they are the ones connecting you to it.
For example, your X ISP’s logs could show “At 15:00, user #123 connects to IP 1.2.3.4, which lookup shows is assigned to “CheapVPNs Ltd”. At 15:01 our email server received 1,000,000 emails from IP 1.2.3.4 all angrily complaining about how “X ISP sucks”. Correlation implies user #123 is responsible for the mail bomb attack against our servers.”
At the moment, Mullvad specifically does use different entry and exit IPs, but they are all still located in the same datacenter and subnet. That is, you could be connecting to a Mullvad VPN server 1.2.3.4, 1.2.3.5, or 1.2.3.6 in London, and they all exit out through 1.2.3.1 in London. This is just something Mullvad does. Other VPN services may not do it and Mullvad hasn’t done it in the past. Someone analyzing ISP logs could correlate these IPs if they really wanted to.
Mullvad also offers “multihop”, but the way they have it implemented currently (changing the destination port number), an ISP could still deduce your exit IP if they bother looking up records of Mullvad network structure (which are publicly available), since they know the IP number and the port number of your entrance node.
The only way to hide your VPN exit IP from your ISP currently is to use multiple VPN services and nest them inside each other (or use one service and nest it inside itself using the “multiple devices” perk). Then only a state-level actor could hope to correlate your traffic by monitoring the ingress/outflow of multiple IPs simultaneously.
You’re mostly right, if not completely right. VPN is encrypted with SSL so the ISPs only see that you exchanged information with a VPN, but not what is being exchanged.
You may consider that maybe the ISPs can also figure out who else connects to the VPN and maybe deduce some information that way, but they can’t know everyone who uses the VPN, only those on their ISP that use it. So you can exchange information with somebody in Antarctica and the ISP has no way of knowing if it’s somebody outside or inside their ISP.
Also, on the point of services that are not HTTPS, don’t confuse encrypted protocols with the SSL of the VPN. Your ISP will not see your unencrypted packets either if you tunnel it through your VPN. They can’t see your DNS or ping requests (assuming you are using an IP based proxy, not using a SOCKS proxy). But your VPN provider can see those unencrypted requests. So you’re choosing to trust the VPN provider with those opaque requests over your ISP.
And last, about DNS-over-HTTP, a reverse DNS is enough for your ISP to know what domain you’re connecting to in a lot of the cases, regardless if you hide the domain name resolution. Of course, sites using shared CDNs mitigate this, but not all do.
Thanks! Appreciate the response.
I guess I should have mentioned in my original post that when I say “exit node”, I specifically mean multi-hop. My bad.
But even for Single hop as well, the world sees that VPN IP as my IP (although they probably don’t know it’s “me”), but
(a) Can my ISP map me with that VPN IP (“my” IP to the world’s eyes) and
(b) Can my ISP see the traffic that’s going out of that VPN IP ? My guess is no, unless that VPN server also uses the same ISP as me (but I’m dumb so feel free to correct me)
The transport between you and the endpoint will see an encrypted tunnel, nothing of what is passed through it. Unless your ISP also happens to control the VPN gateway and where the ISP carrier for the VPN they wouldn’t be able make a correlation.
The VPN provider knows all of the above, so if you’re really concerned with privacy make sure to pay the provider with untraceable means like a cash purchased debit card or crypto and use an email not used anywhere else for authentication.
deleted by creator
