Quick OpenVPN question for those with an ASUS router

TheE

My OpenVPN Connect is up and running, but I had the following question on one of the configuration settings...

In advanced settings, "Direct clients to redirect Internet traffic" Yes or No?

If I select no, will my internet traffic and access to my IP cameras still be safe and secure (encrypted) on public wifi like at a coffee shop? The setting does give an explanation ("Enable this option allows VPN clients use the Internet from your router instead of the one at their location."), but I still do not understand what it truly means and does... I've also searched online to find no real answers either.

Thanks in advance.
 

SouthernYankee

I use the ASUS general setting, not the advanced setting, on my ASUS router.

This has little to do with your cameras. It has to do with how the client (phone, laptop) directs internet traffic. Does it go from the phone to the router and out again, or does it go to the internet?
If you access Google from your phone, do you want it to go to your router or to the internet directly?

VPN question
 

TheE

Thank you, SouthernYankee.... Your explanation and the link you provided sorta cleared some things up for me...
 

smoothie

That option forces all traffic from your phone while the VPN is active and connected to traverse the VPN connection when it is set to "yes".

Think of it this way:

Let us say your home network private IP range is 192.168.1.x and your cameras are on 192.168.1.10. This doesn't need to be correct; it is just an example.

Let us say you are at a Starbucks using their WiFi.

You connect the VPN successfully and are able to access your cameras at home.

You also open up a web browser on your phone with 2 tabs open. The first tab is to American Honda Motor Co., Inc. - Official Site and the second tab is to
Here is the effect that turning that option between "yes" and "no" has on the above scenario:


When set to "yes":

Your connection to your cameras at 192.168.1.10 is encrypted by virtue of traversing the VPN to your home.

Your connection to American Honda Motor Co., Inc. - Official Site is encrypted by virtue of it being httpS and not http. Additionally the traffic is encrypted an additional time since this traffic traverses from your phone, across the VPN to your house, then to American Honda Motor Co., Inc. - Official Site

Your connection to is partially encrypted. It is encrypted from your phone to your house by virtue of traversing the VPN but it is then unencrypted from your house to .


When set to "no":

Your connection to your cameras at 192.168.1.10 is encrypted by virtue of traversing the VPN to your home.

Your connection to American Honda Motor Co., Inc. - Official Site is encrypted by virtue of it being httpS and not http. The traffic goes from your phone directly to American Honda Motor Co., Inc. - Official Site

Your connection to is not encrypted in any way.


What does all this mean ?

Frankly, not very much. The internet as a whole is moving towards all websites being encrypted (e.g. they have the httpS), which means that any communication between your device (e.g. computer, smart phone, etc.) and the website is encrypted. Google search results rank encrypted websites higher than unencrypted websites, for example. The time to worry about unencrypted data is if there are passwords involved. If you visit a website that requires a password but it is http only, then that password is passed in clear text; this means if someone were to intercept your traffic they could read your password. The only websites that don't have encryption while requiring passwords are without a doubt terribly run sites, and I wouldn't trust that site with any of my personal info.

Another way that unencrypted data can catch people off guard is with their email. If your email provider is a modern web provider such as gmail.com or outlook.com you are encrypted when checking your email, even if you use an email client to check your mail such as Outlook or Apple Mail app on an iPhone. If your email provider is an outdated system that uses POP3 or IMAP then you have to manually configure the encryption and it may or may not even be possible to do with a modern device like an iPhone.

There are deeper aspects to the VPN usage and encryption in general but they can get very complicated. If you like I can go into greater depth on the topic.
 

Mike A.

I set it to run my traffic back through my VPN mostly so that I can use the same central ad blocking and other filters that I have set up for everything on my network. That way I have the same filtering when I'm outside that I do while inside my network and I don't have to individually set up and maintain as much stuff on each device. If you have a slower home Internet connection that might not work out as well.
 

smoothie

> I set it to run my traffic back through my VPN mostly so that I can use the same central ad blocking and other filters that I have set up for everything on my network. That way I have the same filtering when I'm outside that I do while inside my network and I don't have to individually set up and maintain as much stuff on each device. If you have a slower home Internet connection that might not work out as well.

Yeah, if you set up a firewall such as pfSense and load something like pfBlockerNG or Suricata, you can use the VPN while outside the network to filter and block adware domains, malicious domains, etc.; that is a good setup. Additionally, you can use Pi-hole or similar to add an additional layer of filtering/blocking, and you need only configure the VPN clients to use that DNS server.

The only catch people may have to watch for is that not everyone has unlimited mobile data plans, and while the VPN itself adds virtually no traffic, it can add up for some.
 

J Sigmo

Correct me if I'm wrong, but wouldn't another potential benefit of setting this to "yes", assuming you have sufficient and unrestricted internet connectivity from home to the internet, be that the ISP, or the administrators of whatever WiFi system you might be using while out and about cannot tell what websites you're visiting?

So you can slack off at work and watch Hulu without the boss identifying this traffic, or you can use the WiFi at Sam's club and not have them block access to Amazon (so you can price compare), etc. ;)
 

catcamstar

> Correct me if I'm wrong, but wouldn't another potential benefit of setting this to "yes", assuming you have sufficient and unrestricted internet connectivity from home to the internet, be that the ISP, or the administrators of whatever WiFi system you might be using while out and about cannot tell what websites you're visiting?
>
> So you can slack off at work and watch Hulu without the boss identifying this traffic, or you can use the WiFi at Sam's club and not have them block access to Amazon (so you can price compare), etc. ;)

Indeed, that's why I have the "redirect gateway" set to "on" on all my devices. Especially with unlimited data (both on 4G and at home), having data travel the line twice is not a sad thing anymore.

For me, the advantages are:
- all my communication is encrypted (security first)
- all my communication is compressed (little less than twice the data overhead, however battery drainage on the phone is a minus)
- all my "internal LAN" devices are available at fingertips
- no messing around on public WiFi or even the WiFi at work - I hate people eavesdropping on me when I'm playing my stupid online games :p

But don't think that having the OpenVPN app open is enough: there are (little) caveats like DNS bleeding (in which your device passes on DNS requests to the "default" and not through the VPN tunnel), so surfing to "I-want-greener-grass-than-my-neighbor.com" can be logged. So do have a look at the advanced options in your OpenVPN client app to twiddle around with these options (e.g. deadman's switch).

Cheerios,
CC
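
The routing behaviour discussed in this thread (smoothie's "yes"/"no" walkthrough and catcamstar's DNS caveat), as an added example that is not part of any post: a Python model of the client's routing table with and without the redirect option. The cafe subnet, the website and server addresses, and the assumption that the home LAN route is always pushed are constructed for illustration; the two /1 routes are what OpenVPN's `redirect-gateway def1` installs.

```python
import ipaddress

# Constructed addresses: the home LAN 192.168.1.0/24 is the thread's example;
# the cafe LAN, website and VPN server addresses are assumptions.
CAFE_LAN = "172.16.0.0/24"      # on-link network handed out by the public WiFi
CAFE_GW = "cafe-wifi"           # path over the untrusted local network
TUNNEL = "vpn-tunnel"           # path through the encrypted OpenVPN tunnel
VPN_SERVER = "203.0.113.5/32"   # home router's public address (documentation range)

def build_routes(redirect):
    """Client routing table after connecting; redirect mirrors the yes/no option."""
    routes = [
        ("0.0.0.0/0", CAFE_GW),        # original default route
        (CAFE_LAN, CAFE_GW),           # on-link route for the cafe subnet
        ("192.168.1.0/24", TUNNEL),    # assumed: home LAN route is always pushed
    ]
    if redirect:
        # redirect-gateway def1: two /1 routes override the default route, and
        # a host route keeps the tunnel's own packets on the local network.
        routes += [("0.0.0.0/1", TUNNEL), ("128.0.0.0/1", TUNNEL),
                   (VPN_SERVER, CAFE_GW)]
    return [(ipaddress.ip_network(net), via) for net, via in routes]

def path_for(dest, redirect):
    """Longest-prefix match, the rule the OS uses to pick a route."""
    ip = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, via)
               for net, via in build_routes(redirect) if ip in net]
    return max(matches, key=lambda m: m[0])[1]

def report(redirect):
    """Path taken by the three kinds of traffic the thread talks about."""
    dests = {"camera": "192.168.1.10",           # home camera
             "website": "198.51.100.20",         # any internet site
             "cafe DNS resolver": "172.16.0.1"}  # resolver assigned by cafe DHCP
    return {name: path_for(ip, redirect) for name, ip in dests.items()}

if __name__ == "__main__":
    for setting in (False, True):
        print("redirect =", setting, report(setting))
```

With the option on, the cafe's DHCP-assigned resolver still matches the more specific on-link route, which is the leak catcamstar describes; configuring the VPN clients to use a DNS server on the home LAN, as smoothie suggests for Pi-hole, keeps lookups inside the tunnel.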
 