Can an untrusted VPN client monitor my network activity?

18

4

My scenario is:

  • This is my own Windows 10 machine.
  • The client has installed a VPN that connects me to their servers. The VPN is auto-connected when my Windows 10 machine is booted up.
  • If I am not on the VPN, I am unable to connect to their servers.
  • My IP address is different when I am connected to their VPN.

My question is, when I am connected via their VPN, can the client monitor what I am doing on my machine (like viewing YouTube, or screen sharing, or working on another client's project)?

Can I prevent the client from monitoring my other tasks? (I use this particular machine for multiple client projects.)

Neal

Posted 2019-09-23T13:20:54.780

Reputation: 197

3

Any way that I can prevent the client from being able to monitor, since I use this machine for projects for multiple different clients? – Neal – 2019-09-23T13:25:44.307

@Neal that's a separate question, but one way to ensure that tools of (and for) one client don't trample on another is to use separate virtual machines; e.g. in various security use cases it would not be uncommon to do all the sensitive stuff (including VPN setup) from an isolated VM that's used for one client only. – Peteris – 2019-09-24T08:23:31.040

7

Different idea: if you do separate projects on the same computer, use a virtual environment for this specific client and install the VPN inside that virtual environment. – Vishwa – 2019-09-24T09:23:00.873

Good question, good topic. I would suggest to move to Security SE. Welcome to SU – usr-local-ΕΨΗΕΛΩΝ – 2019-09-24T11:26:17.443

8

The client has installed a VPN -> read The client has touched my machine -> ergo the client potentially has control over your machine. And could be reading my comment here. – usr-local-ΕΨΗΕΛΩΝ – 2019-09-24T11:28:58.697

@CaldeiraG Way oversimplified. I have an OpenVPN connection to work and my routing tables in Windows are set up in such a way that the OpenVPN connection is only used for very specific IP ranges. It just depends on how the whole thing is set up. – Voo – 2019-09-24T13:39:24.123

@Voo all the answers here explain my comment. It depends how the VPN is configured. – CaldeiraG – 2019-09-24T13:44:13.593

1

@CaldeiraG Hence why a simple "yes" is wrong. – Voo – 2019-09-24T13:46:14.507

@Voo I made that comment on the first revision of the question (first question). I replied on the comment as yes; soon after, grawity posted a really good answer on that. While you can configure your VPN to only specify "very specific IP ranges", most of them are by default routing all the traffic. – CaldeiraG – 2019-09-24T13:52:50.597

Comments are not specified to answer anything complex; there are 3 answers already doing the job. – CaldeiraG – 2019-09-24T13:53:50.623

@Vishwa excellent suggestion - one VM per client as required. – Criggie – 2019-09-24T19:33:24.210

6

@Voo: The OP says that the VPN was installed by the client. This at least hints at the fact that the client had administrative access to the machine for at least a short while. If that is true, this means the machine should be considered compromised and nuked from orbit. Rule #0 of InfoSec: if someone had, even if for a very brief moment, physical or administrative access to your machine, it is no longer your machine. – Jörg W Mittag – 2019-09-24T20:26:17.273

2

@Jörg Sure that's the paranoid answer which works for everything. But then: By that argument everybody whose computer is not air gapped must be considered compromised as well (I'll take the bet that there's been a zero day exploit discovered since after you plugged your PC in). You always have to consider your threat vectors and "intentionally malicious client" wouldn't worry me personally in most circumstances (unintentionally stupid configuration on the other hand? Very likely). – Voo – 2019-09-25T08:06:47.100

Answers

41

when I am connected via VPN, can the client monitor what I am doing on my machine

It depends on what they actually installed, and on how the VPN client is configured.

A normal VPN client doesn't transfer information about what you're doing in general – the server doesn't know that you're editing a file, and it doesn't know which file you're editing.

But it does handle your network traffic (obviously) and a lot of information can be determined from that traffic. For example, the VPN server's administrator can know if you're using TeamViewer (but not the actual data – that's encrypted), or if you're watching YouTube (but not the actual video URL – that's encrypted), or if you're sending an email (but not the actual email contents). In other words they'll see everything that your ISP would see, but usually nothing more.

So first, a VPN client can be configured to either route all traffic through the tunnel, or just specific traffic. (It is very common to use VPNs which connect only to school/company networks while leaving everything else untouched, aka "split tunnel" VPNs.)

If the client is honest (and not lazy), they can configure the VPN to only catch traffic to that client's servers, and nothing else. However, they can also configure the VPN client to capture all your traffic (or just traffic to their competitor's website, etc). Of course, enabling the VPN for all traffic is not malicious in itself at all, but it does allow your client to monitor you.

And in your case, "My IP address is different when I am connected to their VPN" is a strong indication that everything goes through the VPN.

But second, you're not 100% sure whether they installed just a VPN. They could have installed other software, e.g. something that specifically logs all your browser visits or tracks which program is currently active.

Can I prevent the client from monitoring my other tasks?

You allowed the client to install software on your computer – you've already lost.

It is possible to use a VPN for connecting to the client's network while still remaining safe; however, exactly how to do this depends on what VPN client you're required to use.

For a start, you would need to download and configure the VPN client yourself from provided information (instead of letting the client do it), and you would need to make sure the VPN client doesn't have any "remote provisioning" features which would allow it to locally install more components.

If in doubt, only install any client-provided software to a separate machine (maybe a VM) – never to your main computer.

user1686

Posted 2019-09-23T13:20:54.780

Reputation: 283 655

I've had a similar situation - a VPN software that automatically routes everything - but it was possible to later change my own local routing tables to only pass relevant traffic through the VPN. Usually VPN presents itself to the system as simply another network adapter. In that case I think you don't even need the command line to change their priorities. – Vilx- – 2019-09-24T07:14:16.757

5

I want to add there is a big difference between a client seemingly accidentally routing all traffic through their servers and seeing some connection metadata (this is very likely) - and the client installing spy software on your machine without informing you, which is most likely illegal, a breach of trust/contract and can possibly open the door for you suing them for a lot of cash. - So I think with a halfway respectable client it is very unlikely they did something which leaves proof and is clearly illegal. – Falco – 2019-09-24T10:47:07.797

2

... Everyone is going on about client potentially installing additional software beyond the VPN; however, I would be more concerned about the client potentially installing their own Certificate Authority along with the VPN. I have personally seen a private entity require all individuals who want to use their Network to install a specific VPN and a private certificate authority. While this is handy for accessing internal resources, if they install a CA, then they can issue certificates for "www.google.com" just as easily as "hostmachine.your-client.internal" (barring HSTS and cert pinning). – Spencer D – 2019-09-24T21:37:12.530

1

I agree with Spencer D, it's possible that a CA was installed and now all encrypted traffic is no longer trustworthy at all. The Lenovo Superfish issue shows just how trustworthy a CA can be. It's probably best to remove or use strikethrough on the part about encryption as it's potentially not safe.

– Blerg – 2019-09-25T01:49:20.397

1

But an installed CA is easy to find in your central store and easy to replace - just remove it and trust to individual certificates for the pages from the client individually. – Falco – 2019-09-25T08:00:50.457
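The root-store check raised in the comments above, as an added example that is not part of any answer or comment on this page. It lists the trusted roots in the machine and user stores and reports the ones missing from a baseline; the function names and the baseline file path are hypothetical, and the baseline is assumed to come from a clean install of the same Windows version.

```powershell
# Added example; nothing here modifies the certificate stores.

function Get-TrustedRoots {
    # Enumerate both trusted-root stores: machine-wide and per-user.
    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Export-RootBaseline {
    # Run on the clean reference install to record what "normal" looks like.
    param([Parameter(Mandatory)][string]$Path)
    Get-TrustedRoots | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-RootBaseline {
    # Run on the machine being checked: roots whose thumbprint is not in the baseline.
    param([Parameter(Mandatory)][string]$Path)
    $known = @((Import-Csv -Path $Path).Thumbprint)
    Get-TrustedRoots |
        Where-Object { $known -notcontains $_.Thumbprint } |
        Sort-Object -Property Thumbprint -Unique
}

# Hypothetical file name, for illustration:
#   Export-RootBaseline  -Path .\roots-baseline.csv                 (clean install)
#   Compare-RootBaseline -Path .\roots-baseline.csv | Format-List   (machine under review)
```

Windows can add roots from Microsoft's root program on demand, so an entry missing from the baseline is a lead to review by subject and thumbprint rather than proof of interception.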

12

client has installed a VPN,

Yes, they can conceptually do anything they want to you, including spying. If you do not absolutely trust them, it is already too late for preventative measures. Since they are probably not actually malicious, just wiping the machine (i.e. reinstalling the OS/software) is probably sufficient.

My question is, when I am connected via VPN, can the client monitor what I am doing on my machine (like viewing YouTube, or screen sharing, or working on another clients project)

Besides that they already rooted your machine, looking at this from just a networking perspective there are several ways to configure a VPN. One of them is to route all traffic through the tunnel such that the VPN endpoint connects you to the internet. In this case they could see metadata about what sites you are visiting and when, but the encrypted payloads of HTTPS connections or SSH connections should be secure. Well, besides the fact that they might sabotage encryption such that they can snoop deeper... some enterprise style networking tools do this by default when installing client endpoint software.

Preventative measures for next time

Do not allow clients to install software on your machine. Ever. Particularly if you feel uneasy about it. If having control over your development machine is deeply important to them, ask for one to be provided. Otherwise, buy a copy of good virtualization software (basically VMware Workstation) and configure the VPN within a development VM by yourself.

trognanders

Posted 2019-09-23T13:20:54.780

Reputation: 358

1

Note: Instead of buying anything, it is often sufficient to activate virtualization software already present in the operating system (example).

– miroxlav – 2019-09-24T19:21:10.920

@miroxlav There are many free virtualization products, but they tend to offer a much inferior experience when using a VM as a desktop environment. Another option might even be a cloud desktop service like AWS WorkSpaces which would virtually eliminate the possibility of a client spying. – trognanders – 2019-09-24T23:16:49.760

The parts concerning encryption in your answer are a bit off. Enterprise level tools are not required to sabotage the encryption on the machine, only a root certificate. Any home user with some basic knowledge can create and install one of these. Now all encryption used can be compromised. Also of note is that VirtualBox is a good, free hypervisor (virtual machine software).

– Blerg – 2019-09-25T02:14:15.980

1

@Blerg I was trying to communicate that enterprise firewalls normalize the concept such that the owners of draconian enterprise firewall products do not see it as an attack or exploit. It is just part of their edge computer setup process... the root certificate is to help the computers get on the internet, for their security. – trognanders – 2019-09-25T20:16:51.667

"but the encrypted payloads of HTTPS connections or SSH connections should be secure" That implies that OP's traffic is safe; however, this is not true with a root certificate. By installing a root certificate, you can then perform a MITM attack and not be detected by any of your OS's encryption securities. Meaning that they can decrypt most of your traffic, including HTTPS. – Blerg – 2019-09-26T03:10:35.817

9

My IP address is different when I am connected to their VPN.

Assuming you're referring to your public IP address on the internet, as shown by a service like WIMI (What Is My IP) https://wimi.com/

This means the VPN client is redirecting all of your traffic through the VPN. OpenVPN calls this "default gateway redirect" and all your internet traffic is passing out your inet link, into theirs, through their network and back out to the internet.

Any proxy server/firewall device in their network could monitor your traffic.

The short-term fix would be to modify the system's routing table on your local machine, and restore your default gateway once the VPN has connected.

Start an administrator command prompt and run

 route print

Here's the top of the Windows IPv4 route table.

IPv4 Route Table
=================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    456.789.104.1  456.789.105.201     25  <-- my default gateway
        888.1.0.0    255.255.240.0      198.18.18.1      198.18.18.5     35  <-- a VPN
....

I suggest you compare the differences between the default gateway line when the customer VPN is connected vs when it's not connected.

I think the command you want to run (as administrator) immediately after connecting the client VPN will be something like:

REM General form:
route CHANGE 0.0.0.0 MASK 0.0.0.0 (your-default-GWIP-when-VPN-off)
REM For me:
route CHANGE 0.0.0.0 MASK 0.0.0.0 456.789.105.1

This glosses over any IPv6 changes the VPN might make. Also, you will need to check your DNS resolvers in case the VPN sends all your DNS requests to the client's DNS servers.


If the client VPN is OpenVPN based, you can edit the local config file and add a line like

 pull-filter ignore redirect-gateway

If you want to overwrite what DNS servers come with the VPN then a line like this will ignore those settings:

 pull-filter ignore "dhcp-option DNS "

Documented at https://community.openvpn.net/openvpn/wiki/IgnoreRedirectGateway

Criggie

Posted 2019-09-23T13:20:54.780

Reputation: 985
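The before/after comparison this answer suggests, written for PowerShell as an added example (not part of the original answer). Besides the default routes it lists the half-range routes (`0.0.0.0/1`, `128.0.0.0/1`) that OpenVPN's `redirect-gateway def1` adds, the per-adapter DNS resolvers, and the route Windows would pick for an internet destination; `Get-EgressSnapshot` is a hypothetical helper name and `203.0.113.1` is a documentation address used only for the lookup.

```powershell
# Added example. Read-only: it changes no routes and sends no traffic.

function Get-EgressSnapshot {
    # Routes covering all (or half) of the address space: 0.0.0.0/0 and ::/0,
    # plus the /1 pairs a VPN can add to override the default route
    # without replacing it.
    $routes = Get-NetRoute | Where-Object {
        [int](($_.DestinationPrefix -split '/')[1]) -le 1
    } | ForEach-Object {
        'route {0} via {1} on "{2}" metric {3}' -f $_.DestinationPrefix, $_.NextHop,
            $_.InterfaceAlias, ($_.RouteMetric + $_.InterfaceMetric)
    }

    # Resolvers per adapter; a VPN can redirect DNS even when routes are split.
    $dns = Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses } | ForEach-Object {
        'dns {0} on "{1}"' -f ($_.ServerAddresses -join ','), $_.InterfaceAlias
    }

    # The route Windows would actually select for an internet destination.
    # Find-NetRoute returns an address object and a route object; keep the route.
    $picked = Find-NetRoute -RemoteIPAddress '203.0.113.1' |
        Where-Object { $_.DestinationPrefix } |
        ForEach-Object { 'internet egress: "{0}" via {1}' -f $_.InterfaceAlias, $_.NextHop }

    @($routes) + @($dns) + @($picked) | Sort-Object -Unique
}

Read-Host 'Disconnect the VPN, then press Enter' | Out-Null
$off = Get-EgressSnapshot
Read-Host 'Connect the VPN, then press Enter' | Out-Null
$on = Get-EgressSnapshot

# '<=' lines exist only with the VPN off, '=>' lines only with it on.
Compare-Object -ReferenceObject $off -DifferenceObject $on |
    Sort-Object -Property SideIndicator |
    Format-Table -Property SideIndicator, InputObject -AutoSize -Wrap
```

If the `internet egress` line moves to the VPN adapter once connected, all traffic is tunnelled; if only `dns` lines change, the routes are split but name lookups still go to the client's resolvers.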