Thomas,

I hope all is well. Great questions !! let's see what we can do to shed some light on answers that make sense for you.

I'll go in the order that you asked the questions in:

"If I want to connect to a website and I have a VPN client installed on my computer, when I enter the website's name in my browser, what's exactly the route that my connection is going to take?"

Short answer is: The route will depend on where you are in relation to where you want to go & You ALWAYS have to use DNS to resolve and find a path to get to a website, the only question will be whose DNS and where is it located?

Longer answer involves us having to distinguish here between two possible scenarios to answer your question as noted below:

First Scenario: You DO NOT HAVE the VPN engaged and are using your machine to get to the Internet OUTSIDE OF THE VPN TUNNEL.

Second Scenario: You DO HAVE the VPN engaged and are using your machine to get to the Internet INSIDE OF THE VPN TUNNEL.

The reason to distinguish between these two scenarios is twofold: First, it is a question of your location PRIOR to making the request to resolve the website & Second, it is a question of what DNS infrastructure comes into play when, and as a result, whether you can get to the internet or not, and if so, how?

In the FIRST SCENARIO, you are connecting WITHOUT the VPN being engaged, so if you are at home, using your machine via your Internet Service Provider's (ISPs) network, you simply open a browser, type in a URL or IP address for the website you want to reach, and using the IP configuration provided by your ISP you use their DNS infrastructure to resolve the website, and then are routed to it via whatever path is most expedient over the public network(s) beyond your home access device provided by the ISP (cable modem, DSL device, etc...)

This would be the same by the way if you were at work, and connecting over the corporate network to an external website such as ITPRO.TV and did not use a VPN. The only difference would be that your company would most likely be providing the IP configuration and DNS information for you to use on the corporate network PRIOR to you connecting to the Default Gateway (the router for your subnet) that would allow you to gain access to the outside world. From there, the process would be the same.

In the SECOND SCENARIO, since you are using the VPN to establish a tunnel PRIOR to attempting to access the internet, things change a bit.

First, the VPN creates a dedicated pathway via an encrypted tunnel to allow you to securely connect to and use resources at the other end of that tunnel, wherever that is. As a result, when you establish the VPN, and successfully authenticate and connect, your machine will now NO LONGER be operating from the original connection point PRIOR to establishing the VPN, but rater is now operating from WITHIN the VPN tunnel and more specifically, from the other network that you have connected the VPN to. As a result, your machines IP configuration is changed and now matches whatever the IP configuration is for the endpoint network you are connected to via the VPN.

This is the critical difference between the two scenarios, as it means that your pathway to connect to the internet is now specified by the network that you are connected to, the VPN endpoint network. Whatever that path is, however it is designed, and whatever DNS and IP configuration it requires will be what is used if you attempt to access the internet while the VPN is active.

The above assumes of course that there is a pathway defined to get to the internet from the VPN endpoint network. If there is no path defined, then you WOULD NOT be able to connect to the internet while the VPN is active on you system.

"if you want to connect anywhere on the internet, you first have to use your ISP's infrastructure to do it, right? Is the first step out to the routers of the ISP's and then to whatever DNS server that will give me the IP of my VPN server? Or is my computer smart enough to directly send its packet to the VPN server?"

Lets break these down one question at a time:

"if you want to connect anywhere on the internet, you first have to use your ISP's infrastructure to do it, right?"

Based on the two scenarios we discussed above, the short answer is that you would use the ISP's infrastructure of the network that you are connecting through,

"Is the first step out to the routers of the ISP's and then to whatever DNS server that will give me the IP of my VPN server? Or is my computer smart enough to directly send its packet to the VPN server?"

Short answer is actually a combination of the two, assuming that you have a static IP configured as part of the configuration parameters for the VPN client's target.

Longer Answer: So, because we are using an IP ADDRESS to create the connection to the VPN endpoint, the target of the VPN client, that is provided EITHER ahead of time as part of the static configuration of the VPN client, or is prompted for or entered when you initialize the VPN client. DNS does not come into play for the resolution, UNLESS you are providing a Fully Qualified Domain Name (FQDN) as the endpoint for the VPN, in which case then DNS would be used to resolve and find the IP address to actually use for the connection.

As a result, your VPN client initializes its connection and goes straight to the router / default gateway that is local to where you are, and then from there the VPN tunnel is connected over the pathway that the ISP provides based on a variety of factors such as routing protocols being used, QoS on the connection, etc...

"if the first step has to be one of my ISP's routers, can the ISP see your unencrypted data before it reaches out to the VPN server? Or does my computer encrypt automatically its packets even before reaching the ISP? I guess that the ISP would still see the destination IP address in order to be able to forward my packets, am I correct?"

Short answer is that if there is no encryption being used / provided on a connection, then the data is available to anyone who is able to connect and see it.

Longer answer: It comes down to when the encryption protection(s) are applied to the data stream. If you are not using an application that provides encryption, then the data is being sent in the clear and can be seen. This why you use secure transmission protocols to send data over public networks such as the Internet/ World Wide Web.

Computers DO NOT automatically encrypt anything unless told to do so. For that matter, they do not do anything automatically unless told to do so.

It is not really that the ISP is able to see the destination IP address in the header of the request to set up the VPN, but rather that whatever mechanism(s) are used to transmit that request between routers until it gets to where it needs to go is able to understand the destination IP address.

I hope that this helps to clarify all your questions. Please let me know if we need to discuss anything further.

Good Luck !!!

Cheers,

Adam

Justin,

Man, my apologies on not seeing your post, usually, I spot them right away. If you're having a hard time understanding the basic theory of VPNs then I would suggest taking a look into the Network+ show where we cover the VPN technologies. Also there are plenty of links if you just do a browser search for Understanding VPN technologies. If you're talking about implementation of the VPN connections, then this can become granular. Even thought the concepts are the same, the implementation and configuration of VPN tunnels can vary from technology to technology and even type to type (i.e. site-to-site or client remote access). You'll find this also in our Cisco Security Show as well as the Microsoft Client and Server shows that focus on the technologies.

Cordially,
Ronnie Wong
Host, ITProTV