Is it true that routers, like the Sophos XGS 87 decrypt the data stream on VPN connections?

Question

I have a NordVPN account and the router at our office is Sophos XGS 87. According Sophos literature they do deep packet inspection on TLS 1.0 to 3.0 (HTTPS) connections. 
 It seems the router acts as a "man in the middle" so that it acquires the encryption key and then uses it to inspect all encrypted traffic. 
 I asked NordVPN if this would impact the session with their VPN service. Their only reply, on repeated requests, is that they use AES 256bit encryption for the connection but they don't say what encryption is used to make the connection or if Sophos router can pose as client? 
 My concern is that if the router can pose as the VPN client it will decrypt-inspect-encrypt all traffic passing through it. I am working outside office hours, which the company allows me to do on their network, but I value my privacy and security. 
 If my concern is valid, then is this true of all VPN services?

Wayne Folta · Answer

ADDED: Just read your sentence about the company's computer. I assume they admin it. They have very strong reasons for not allowing you to VPN through their network, ranging from security to liability for your actions. So they probably force your machine to trust their CA certificate and do the MitM, and then block any VPNs that they can detect. If you want privacy don't do things on your employer's network. You have no right to privacy there. 
 ORIGINAL: The key thing is that a client and server can detect a man in the middle. Your browser, for example, uses TLS and will give you a warning if your XSG is doing DPI by doing a MitM. That's why you have to copy the XGS's certificate down to your computer and mark it as a trusted Certificate Authority certificate. 
 So if you control your laptop as the admin, you will know if someone turned on TLS decryption on your XGS. If it's not your laptop, it doesn't really matter what happens on the XGS, the admin of your laptop can get access to your data before any encryption if they want. 
 Even if you mark the XGS' CA certificate as trusted, the server at the far end can still detect that the certificate is not the one that is "pinned" in the client. If it wants: some servers like banks will do this check. 
 This is using the HTTP-TLS-style certificate and authority mechanism, which allows creation of certificates by Certificate Authorities and can check for authorizations. 
 You could also just generate a key on the server end and somehow get it to the client end and then encrypt your data with this key. No certificates, no certificate infrastructure, no authorities, just a key that you either know or don't know. In that case, there's no MitM possible unless your key has been compromised. There's no way for anyone to insinuate themselves into the middle. Similarly, public key encryption allows the client to use a public key and unless the encryption is cracked because of inherent weaknesses, etc, there's also no possibility of a MitM. 
 So depending on how NordVPN encrypts its VPN, it's either impossible to MitM, or you can detect at either end that a MitM is happening and you either accept it or not. The question is: what mechanism is the VPN provider using and if it is a certificate-infrastructure mechanism like TLS do they detect MitM and stop the connection or not.

LuCar Toni · Answer

It is quite simple. 
 There are two different approaches, DPI works. It can show you, which algorithm you use. Its like looking at you, while you lock the door. I can tell by simply looking at your hand, if you use a key, a fingerscanner or your face to lock the door. I cannot enter at this stage. 
 The other approach is to replace the keys and do a MITM "attack" to be able to copy the key to look into the content. 
 But to do this, you (as a client) needs to give your permission. Sophos (or any other vendor) cannot do this technically. If this would be possible, we could stop doing https / vpn etc. because everybody could read the traffic. 
 Be aware: If this device is managed, the conses to give permission could be done by a management platform.

Is it true that routers, like the Sophos XGS 87 decrypt the data stream on VPN connections?

Top Replies