Need help getting my head around VPNs

MrM

Please bear with me, whilst not completely incompetent, VPNs have me somewhat confused. Apologies if these questions are stupid.

I have a Synology NAS and use the VPN client on it, so when I am away from home, in the country or abroad, I can connect to my home network.

When I connect to this VPN via a mobile device, for example, what does my home ISP see by way of internet traffic? Is there any advantage of connecting to my home network via this VPN beyond security when connected to a 3rd party public wifi provider?

Which leads on to my next question. What is the benefit of using a 3rd party paid for VPN provider when I have my VPN client running on my Synology?

Many thanks
 
You have a VPN server running on your Synology, not a client. The client is your phone or whatever you're using to connect. The advantage is that you can access your home network without opening ports.

The paid services allow you to connect to a VPN server hosted by the VPN provider. The advantage here is that you can browse the internet without your ISP seeing what sites you visit.
 
You're using the VPN server on your Synology, not the client, I suspect.

To answer your questions:

Imagine it's like a real tunnel you're burrowing from your client out and about to your home. Your home ISP sees the outer tunnel coming from your mobile or whatever you're connecting from. So can the ISP your client is on, so perhaps your mobile provider. But neither of them can see the traffic in the tunnel.

Thing is though, if you connect to VPN back home and then have traffic out from your home router on the regular internet, then when out and about, say you make a request for a web page, your home ISP won't see the request coming in the tunnel but will see it then going out to the internet, will see the response back home but then not the response sent back down the tunnel to your mobile.

So the only advantage you are gaining is that all traffic appears to be coming from your house to your ISP and the services on the internet. This is good for, say, using iPlayer abroad as it looks to the BBC that you're at home.

It's not good for masking from the internet where (and so who) you are. That is what the paid for VPN services are for hosted on the internet. They make you look like you're coming from somewhere random on the internet to the services you request, not your home. And all your ISP sees is the outer "tunnel" walls.

It's not quite that simple, but I hope describes it conceptually for you.
 
Thanks guys, that's exactly what I needed to know. Sorry I got client and server mixed up.
 
If I may ask a follow on question. I am trying to understand how to practically use the service for my needs.

My router (Netgear D7800) has an OpenVPN config page, but I don't think it will allow me to specify specific devices to use the VPN and others not (which would be my preference). I do not want all devices connecting via the VPN. I would like my Amazon Fire TV box to connect to it, and then my iPhone and Macbook for geo masking would be useful on holiday.

Could someone kindly explain if this is possible, such that the VPN config is taken care of on the local device, as opposed to the router?

Many thanks
 
Generally it is, yes. I use PIA, I could set it up in my router but I generally don't bother. PIA comes with a Windows installer which gives me an on/off toggle in the System Tray. When I want to use the VPN I toggle it on, easy as that really.

Connecting to the VPN from the Firestick is something I've never done but a quick Google shows many guides.
 
So you have two devices with some sort of VPN settings. I think we've established that your Synology has a VPN server that you make use of.

I'm not familiar with your router but it could have both an OpenVPN server and client.

> ....my iPhone and Macbook for geo masking would be useful on holiday.

So in an earlier post you said you could connect to your home network using your Synology NAS VPN server. If that's the case then do the same with your iPhone and Macbook and as you surf you'll appear to be coming to your home.

> I would like my Amazon Fire TV box to connect to it

I'm going to assume that your Amazon TV is in your home and when you say you want to connect to "it" you mean a commercial VPN server somewhere outside on the internet that will mask your location/traffic? This would necessitate you either:

1. Finding an app on the Amazon store that will let you connect out into a VPN or
2. Using the VPN client on your router to connect out to a commercial VPN provider so all traffic is routed this way, including the Amazon Fire

Now if you choose option 2 and you want to fulfill this requirement:

> I do not want all devices connecting via the VPN

Then you're probably in a bit of a bind as, while I don't know the router, I suspect the OpenVPN client is all or nothing. What you want is policy based routing which is effectively saying 'if this device go via the VPN, otherwise go via regular internet'. Cheapest way to do that is probably a home made pfSense router. There is a possibility that your router can be flashed with a custom open source firmware that allows policy based routing but I don't know and would need someone else to advise. Also if you're having VPNs all over the shop and selective routing then your average consumer router is going to start to struggle for horsepower to do all that encryption and keep internet speeds up.
 
Thanks for your replies. BigT, you pretty much hit the nail on the head. Whilst the Synology server worked abroad for ITV and BBC, it failed to beguile Sky Go, and I understand certain paid for services are successful, somehow.

Regarding the router, I believe there is an OpenWrt firmware for it, but I've also read of people having issues with it. In yesteryear I would have been willing to give it a go, but nowadays time comes at a premium, so unless I'm confident it would work, I will exhaust options to run a VPN on each device as required first.

I believe with a bit of work, OpenVPN software can be loaded on a Fire TV, so hopefully I would then be good.

Thanks again for your help.
 
Router VPN policy is likely on custom firmware. You need to use DNS to assign static IPs off the MAC to separate the with/without VPNs (only need to do this for one group) and ideally 2 separate VLANs so you only need 2 policies defined. My 68u didn't have VLAN options without editing iptables, so I created my own by using CIDR and setting 2 subnets like /23 /21 or whatever it was, I forget. It was a lot of messing around but this info should help. Just google CIDR calculator if you need it.
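
The per-device split discussed in the posts above (policy-based routing, and carving the LAN into two CIDR ranges with fixed addresses for one group), as an added example that is not part of any poster's reply. The LAN range, MAC addresses, device names, the `tun0` interface and routing table number 100 are constructed assumptions.

```python
import ipaddress

# Constructed sample values: the LAN range, MAC addresses and device names
# are made up for illustration; tun0 and table 100 are assumed names.
LAN = ipaddress.ip_network("192.168.0.0/23")
DIRECT_NET, VPN_NET = LAN.subnets(prefixlen_diff=1)  # two /24 halves

# Only the VPN group needs fixed addresses; everything else takes an
# ordinary DHCP lease from DIRECT_NET and follows the normal default route.
VPN_DEVICES = {
    "aa:bb:cc:00:00:01": "fire-tv",
    "aa:bb:cc:00:00:02": "spare-laptop",
}

def static_leases(vpn_devices, vpn_net, first_host=10):
    """Map each listed MAC to a fixed address inside the VPN subnet."""
    leases = {}
    for offset, mac in enumerate(sorted(vpn_devices), start=first_host):
        addr = vpn_net.network_address + offset
        if addr not in vpn_net or addr == vpn_net.broadcast_address:
            raise ValueError(f"{vpn_net} has no room for {mac}")
        leases[mac] = addr
    return leases

def egress_for(src_ip, vpn_net, tunnel_up=True):
    """Policy decision for one packet, keyed only on its source address."""
    if ipaddress.ip_address(src_ip) not in vpn_net:
        return "wan"
    # Fail closed: with the tunnel down, VPN-group traffic must not fall
    # back to the ISP link, or the device's real location is exposed.
    return "vpn" if tunnel_up else "blocked"

def iproute2_commands(vpn_net, table=100, tun_dev="tun0"):
    """The same policy written as Linux iproute2 commands."""
    return [
        f"ip rule add from {vpn_net} lookup {table}",
        f"ip route add default dev {tun_dev} table {table}",
        # Higher-metric catch-all: used only when the tun0 route vanishes.
        f"ip route add prohibit default metric 1000 table {table}",
    ]

if __name__ == "__main__":
    for mac, ip in static_leases(VPN_DEVICES, VPN_NET).items():
        print(f"{VPN_DEVICES[mac]:13} {mac} -> {ip} via {egress_for(ip, VPN_NET)}")
    print("\n".join(iproute2_commands(VPN_NET)))
```

Without the `prohibit` route, a dropped tunnel leaves table 100 empty and the lookup falls through to the main table, so VPN-group devices would silently go out over the ISP link.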
 