Does my ISP see the public IP assigned by my VPN?

For example, using my network (Public IP: 12.34.56.78) I’m connecting to a VPN server (1.2.3.4) and I get assigned an IP address (5.6.7.8).

 

Am I in the right to make an assumption that my ISP only sees the encrypted data between my network (12.34.56.78) and the actual VPN server (1.2.3.4), therefore not knowing what Public IP address was assigned to me whilst using the VPN (5.6.7.8)?

Correct. Your ISP sees you connected to 1.2.3.4 but has no visibility into what happens inside this connection, nor where you connect further from 1.2.3.4. In theory, depending on the encryption level used for the VPN, they could read it, but I believe it would take both weak encryption and really interesting traffic for them to start decrypting it.

Your data is encrypted but the destination is not.

I’m connecting to a VPN server (1.2.3.4) and I get assigned an IP address (5.6.7.8).

I haven’t tested this, but I think:

  • you usually don’t get an individually-assigned IP address on the outbound (toward-web-site) side of the VPN server. You share one address with all users of that VPN server. Which is a good thing.

  • that outbound IP address of the VPN server may be the same as the inbound (from your system) IP address of the VPN server. If the VPN server did everything through one network interface and there was no trickiness in the router to the internet, inbound and outbound would be same IP address.

Someone please correct me if I’m wrong.

Marks answer as solution.

Thanks, bud.

Isn’t the VPN server the destination?

Me -> ISP -> VPN -> Website

How can the ISP possibly see Website’s IP?

I understand a VPN isn’t Tor, but using DoH (DNS over HTTPS) plus a VPN should hide Me from the Website, and at the same time hide the Website from the ISP, because all I’m getting back from the VPN is encrypted packets.

Correct?

That would mean that VPNs provide a false sense of security, only hiding me from the Website I’m connecting to, but not actually hiding me from all parties involved in transferring the actual data.

 

E.g., if what you are saying is true and the VPN inbound-outbound IP is the same, then the Police could just ask Website,

Hey what IP does User X have?

Then ask different ISPs,

Which Clients connected to a VPN with Given IP we got from User X?

Effectively exposing me as a client of specific ISP.

 

PS: Yes, I realize this is a far-fetched scenario, but it’s more than possible if the right amount of resources are put in.

Yes, security varies depending upon which configuration is used.

Even if the VPN is using a single IP address for both sides of the VPN server, this is not a “false sense of security”. It is “less security (more work for police) than two separate addresses”.

I understand. Thank you.

Although, if we exclude timing attacks and data decryption,

Isn’t it sort of bulletproof if the VPN saves no logs and has different IP addresses for both sides?

Nothing is bulletproof. The VPN has to use a data center and/or ISP. Correlation attacks are possible at many points. Insiders could be malicious. Sure, if you exclude major classes of attacks, eventually you get to “bulletproof”.

This war ain’t easy…
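
The visibility split discussed in this thread, as an added example that is not part of any post: it models what the ISP and the website can each record, and shows that a lookup on the VPN's inbound address returns everyone connected at that moment, not one person. All subscriber names, times and flow records are constructed; the addresses are the placeholders from the question.

```python
# Added illustration; subscriber names, times and records are constructed.
from datetime import datetime, timedelta

VPN_ENTRY = "1.2.3.4"   # inbound side: the destination the ISP sees
VPN_EXIT = "5.6.7.8"    # outbound side: the source the website sees

def t(hhmm):
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# What an ISP can record: subscriber, outer destination, tunnel start/end.
# The inner destination (the website) is inside the encrypted tunnel.
ISP_FLOWS = [
    ("alice", "1.2.3.4", t("09:00"), t("11:00")),
    ("bob",   "1.2.3.4", t("09:30"), t("10:15")),
    ("carol", "1.2.3.4", t("10:40"), t("12:00")),
    ("dave",  "9.9.9.9", t("09:00"), t("12:00")),  # not using the VPN
]

# What the website can record: source address (VPN exit) and request time.
WEBSITE_HIT = (VPN_EXIT, t("10:05"))

def isp_sees_address(flows, ip):
    """True if `ip` appears as a destination anywhere in the ISP's records."""
    return any(dst == ip for _, dst, _, _ in flows)

def anonymity_set(flows, entry_ip, when, skew=timedelta(minutes=1)):
    """Subscribers whose tunnel to entry_ip was up at `when` (+/- clock skew)."""
    return sorted({sub for sub, dst, start, end in flows
                   if dst == entry_ip and start - skew <= when <= end + skew})

if __name__ == "__main__":
    exit_ip, when = WEBSITE_HIT
    # The assigned/exit address never shows up on the ISP side.
    print("ISP records contain exit IP:", isp_sees_address(ISP_FLOWS, exit_ip))
    # Separate entry and exit addresses: searching ISP records for the
    # address the website logged finds nobody; the entry/exit mapping is needed.
    print("lookup by exit IP:", anonymity_set(ISP_FLOWS, exit_ip, when))
    # Same address on both sides (or mapping known): every subscriber with a
    # live tunnel at that time is a candidate, which is why sharing helps.
    print("lookup by entry IP:", anonymity_set(ISP_FLOWS, VPN_ENTRY, when))
```

The more subscribers share one server at the same time, the larger the set the last lookup returns; timing and volume correlation, which the thread sets aside, are what shrink it further.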