Author Topic: Configuring to Block All Non-VPN Traffic  (Read 21351 times)

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #15 on: February 07, 2013, 05:21:59 PM »
OK...here goes...

Protect Your IP From Being Disclosed if Your VPN Connection Fails

The following steps will help ensure that you do not accidentally expose your real IP address if your VPN connection drops. Normally if this were to happen, your real IP address would be exposed since your normal networking connection is still in place if the VPN connection is lost. There is no firewall or P2P monitor application needed. You only need to make relatively simple changes to your Windows routing table using simple commands. Although this looks like a lot of information, it’s really quite simple. I’m just being very thorough and very detailed. After doing it a few times, it will become second-nature!

Steps

Because I disabled my Wi-Fi adapter, I plugged in a network cable from my laptop to my router. Since I have my laptop set to use DHCP, a local IP and DNS addresses got assigned to the Ethernet adapter in my laptop. In my case, that was 192.168.1.107 because I chose to start my IP addresses at 100, which is just a personal preference. I have my Linksys router’s IP set to 192.168.1.1 which is pretty common. Just substitute your router’s IP address for mine (192.168.1.1) and your computer’s assigned IP address for mine (192.168.1.107) in the examples below.

I then opened a Windows command shell (Start, Run, cmd) and from within it typed route print to view the routing table. The first entry is what is called a “default route” to which all traffic that does not otherwise have a specific destination routes to. You can see my laptop’s IP address (Interface) and my router’s IP address (Gateway) in the entry which looks like this:

    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.107      20

You don’t need to understand what the Netmask is or how to use network masks in general or what the Metric is, although you can certainly research these if you like.

Now start up your VPN client application. If it works like mine (http://PrivateInternetAccess.com located in Michigan, USA) it will create another entry in the routing table based on the IP address it is using for the server you happen to connect to. Now type route print again to view the new routing table. The first two lines should look something like this:

    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0        128.0.0.0      10.140.1.17      10.140.1.18       1
              0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.107      20

You will notice there are now two default routes—the original one for your network adapter and router as well as the new VPN route, which has its own Gateway and Interface IP addresses based on the server you connect to. Of course, your VPN service will have different IP addresses for these and may use a different Netmask as well. Since VPN is a protocol that rides on top of the normal networking protocol these table entries make sense. Once the VPN connection is established though and the correct routing table entry is made, the normal default route is not needed (second line). As a matter of fact, therein lies the problem. If the VPN connection drops (first line gets automatically deleted) the default route to your router (second line) remains and any connections in place via your P2P client or other connections will continue uninterrupted, which is what you don’t want when using a P2P client because that would expose your real IP address and DNS servers (more on DNS at the end of this tutorial).

To remedy this, you simply need to delete the default route to your router while the VPN connection is active. To do this, within the command shell window, simply type route delete 0.0.0.0 192.168.1.1 and then type route print again to verify that the “normal” default route has been deleted and only the VPN route remains (along with several other routes below the VPN route that should not affect what we are doing).

The final “feel good” test would be to now open up your P2P client and start downloading something legal and large enough to take a few minutes to test just in case you did something wrong and your real IP gets exposed briefly. I would not recommend downloading the latest Blu-Ray release of a big box office movie!

Once you start seeing the file downloading and possibly uploading, go to your VPN client application (usually in the system tray area) and disconnect from the VPN server. You should notice that all your downloads and uploads stop. If you use http://uTorrent.com, don’t be confused if the timers in the Peers column are still counting down or if the DHT and PEX entries still say “working”. I presume this is either a bug or just the way they designed uTorrent, since even if you physically unplug your network cable or turn off your Wi-Fi adapter, you will notice the counters still count down and the DHT and PEX entries still say “working”!

To get your VPN connection working again, you can’t just simply reconnect to your VPN because remember you deleted the default route to your router that the VPN needs initially to connect to its server. You will need to add the default route back to the routing table BUT FIRST SHUT DOWN YOUR P2P APPLICATION COMPLETELY! There are several easy ways to add the default route back:

  • Disconnect and reconnect your network cable if you are connected that way or disable, then re-enable your Wi-Fi adapter if you are connected that way. Either should automatically recreate the default route to your router.
  • Within a command window, type ipconfig /release then ipconfig /renew. This sometimes works and sometimes doesn’t in my experience.
  • Within a command window, manually recreate the entry by typing route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 [metric 1 if 2]. The parts in brackets are optional and shouldn’t be needed unless you want to change the metric (number of hops) for some reason or want to use a specific device (the number after the “if”) other than your normal network adapter. Windows will pick the best metric (usually 1) and the best network adapter automatically. If you want to see how your network adapters are numbered (in hex) then just look at the first few lines in the route print output which will look something like this:

    Interface List
    0x1 . . . . . . . . . . . . . . . . . . . . . . MS TCP Loopback interface
    0x2 . . . 00 C3 D5 35 7B 24 . . . . .  Sis 900-Based PCI Fast Ethernet Adapter – Packet Scheduler Miniport
    0x3 . . . 00 78 FC A9 FE 38 . . . . . .TAP-Win32 Adapter V9 – Packet Scheduler Miniport

    In the above, my normal network device is device #2 (0x2). My VPN client application “device” is #3 (0x3).

Once you add the default route back, try reconnecting to your VPN server. If it doesn’t reconnect you may need to terminate then restart the VPN client application. Once you confirm it’s reconnected, go back and repeat the above steps starting with the step to delete the default route to your router.

Again, once you have a stable VPN connection working, you don’t want the default route still in the routing table. After you verify there is just the VPN route in the table (route print), it’s safe to restart your P2P application.

Final Notes

Creating Simple Batch Scripts

If you like, you can easily create tiny batch files so you don’t have to type these commands over and over. I created three batch scripts named rprint.bat, rdelete.bat, and radd.bat. To create each one, use the built-in shell editor (edit rprint.bat for example). The first script contains the line “route print”. The second script contains the lines “route delete 0.0.0.0 192.168.1.1” and “route print”. The third contains the lines “route add 0.0.0.0 mask 0.0.0.0 192.168.1.1” and “route print”. To run these batch script files from a command prompt window, type either rprint, rdelete, or radd. Note that if you are using a different command prompt window (like the PowerShell below for example) you may have to add a “.\” in front of each command when you want to run them (.\rprint for example).

Windows Command Shell

The built-in Windows XP (which is what I’m using) command shell window is very basic and sometimes difficult to read because of word wrapping. A much nicer Windows shell can be downloaded for free from Microsoft. I don’t know if this applies to Windows 7 and 8 or not. This search on the Microsoft Download Center page will produce versions you can look through http://www.microsoft.com/enus/download search.aspx?q=windows+powershell

DNS Leaks

In addition to the possibility of exposing one’s real IP address (i.e. the IP address your ISP assigns to you on a frequent basis) you need to be concerned with a phenomenon of VPN usage called DNS Leaking. There are some VPN services that claim they take steps to assure this doesn’t happen. Depending on how safe you want to feel, there are things you can do manually to make sure that even if your DNS servers get leaked, they won’t point back to you or even the area you are in.

The two steps I took were to first find the DNS server addresses that my VPN provider uses or prefers. Once I knew this, I manually typed them into the DNS fields of the TCP/IP VPN connection created in my Network Connections area by the VPN client application. I won’t go into the details of how to do that here but it’s very easy. In my case, http://PrivateInternetAccess.com uses 4.2.2.1 and 4.2.2.2 as their DNS servers. Next, to be absolutely sure my DNS wouldn’t get leaked by accident, I changed my preferred ISP DNS servers to generic ones within my router (which then of course, gets used by all computers on my network that have DHCP turned on), since I don’t want anyone to know what ISP I’m using. There are lots of choices for other DNS servers and two very popular ones are Google (8.8.8.8, 8.8.4.4) and OpenDNS (208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222).

IMPORTANT: If your router has more than two entries for DNS servers make sure to fill them all up even if you have to duplicate the server numbers. If you leave any blank, your router may pick up your ISP DNS numbers for those blank entries and assign them as DNS3, DNS4, etc.

Final Caution

Obviously, this technique involves multiple steps every time you want to use your VPN service and as such is prone to “pilot error”. The most important thing you can do is always double check to make sure the normal route to your router has been deleted before you start up your P2P client and always make sure you shut down your P2P client after a VPN disconnection before starting everything back up again. Furthermore, keep in mind that Windows will recreate the default route automatically if you reboot the machine, unplug then re-plug your network connection, or disable then re-enable your Wi-Fi or other networking connection.

Disclaimer

Of course, I’m not encouraging illegal activity and I can’t guarantee that any of this information will work 100% of the time to keep you from being exposed.

Contact Info

Feel free to contact me if you need further info or if you find problems in these steps.
chewy3479[at]tormail.org

Happy secure downloading!
« Last Edit: February 08, 2013, 03:46:46 PM by stevefoobar »
Steve | Chicago | Illinois | USA | Planet Earth | Milky Way Galaxy | Virgo Supercluster
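The route-selection behaviour the post relies on (two "default routes" coexisting, the VPN's 128.0.0.0 half-routes winning while the VPN is up, and the router's 0.0.0.0/0 route taking over the moment the VPN rows vanish) can be replayed offline. The following is an added example, not code from the post or from any VPN client: it parses `route print` style text constructed from the listings above and applies the general Windows rule for IPv4 (longest matching prefix, then lowest metric). The 128.0.0.0/128.0.0.0 row is an assumption, since the post shows only the first two rows of the VPN-up table and a redirect-gateway VPN installs both halves; the destination 203.0.113.10 is an arbitrary test address.

```python
"""Windows route selection, replayed for the tables quoted in the post.

Added example (not from the original post). The `route print` text below is
constructed from the listings in the post; the 128.0.0.0/128.0.0.0 row is an
assumption. Selection follows the general rule Windows uses for IPv4:
longest matching prefix first, then lowest metric.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts the dotted netmask form route print uses.
        return ipaddress.IPv4Network(f"{self.destination}/{self.netmask}", strict=False)


# One data row of `route print`: destination, mask, gateway, interface, metric.
_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text: str) -> list[Route]:
    """Keep only IPv4 data rows; headers, separators and the interface list are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            dst, mask, gw, iface, metric = m.groups()
            routes.append(Route(dst, mask, gw, iface, int(metric)))
    return routes


# Constructed from the post's second listing (VPN up); addresses are the post's.
ROUTE_PRINT_VPN_UP = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0      10.140.1.17     10.140.1.18       1
        128.0.0.0        128.0.0.0      10.140.1.17     10.140.1.18       1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.107      20
      192.168.1.0    255.255.255.0    192.168.1.107   192.168.1.107      20
"""

VPN_INTERFACE = "10.140.1.18"
LAN_GATEWAY = "192.168.1.1"


def select_route(table: list[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefix lengths the lowest metric wins."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def next_hop(table: list[Route], dst: str) -> Optional[str]:
    """Gateway a packet to `dst` would use, or None when nothing matches (unreachable)."""
    r = select_route(table, dst)
    return None if r is None else r.gateway


def lan_fallback_routes(table: list[Route], vpn_interface: str) -> list[Route]:
    """Default routes (/0) that do not leave via the VPN interface: the row the post deletes."""
    return [r for r in table if r.network.prefixlen == 0 and r.interface != vpn_interface]


def drop_vpn(table: list[Route], vpn_interface: str) -> list[Route]:
    """The table after the VPN client removes its own routes (connection dropped)."""
    return [r for r in table if r.interface != vpn_interface]


def delete_lan_default(table: list[Route], gateway: str) -> list[Route]:
    """Equivalent of `route delete 0.0.0.0 <gateway>`."""
    return [r for r in table if not (r.network.prefixlen == 0 and r.gateway == gateway)]


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_VPN_UP)
    dst = "203.0.113.10"  # arbitrary Internet host (TEST-NET-3)
    print("VPN up             ->", next_hop(table, dst))
    print("VPN dropped        ->", next_hop(drop_vpn(table, VPN_INTERFACE), dst))
    hardened = delete_lan_default(table, LAN_GATEWAY)
    print("hardened, dropped  ->", next_hop(drop_vpn(hardened, VPN_INTERFACE), dst))
    print("fallback rows left ->", [r.gateway for r in lan_fallback_routes(hardened, VPN_INTERFACE)])
```

With the VPN up the /1 half-routes beat the /0 router route on prefix length alone, so the metric never comes into play; the metric only breaks ties between routes of equal prefix length, which is why a client that installs a plain 0.0.0.0/0 route through the tunnel depends on its metric being lower than the router's. On a real machine, `route print > routes.txt` and `parse_route_print(open("routes.txt").read())` gives `lan_fallback_routes` the live table; an empty result is the condition the post asks you to verify by eye before starting the P2P client.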

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #16 on: February 07, 2013, 06:33:31 PM »
An excellent guide, thanks for taking the time to create this. One thing you might like to add, you can add persistent routes to your routing table, which should negate the need to add the VPN routes each time. Just use:

route -p add...

It writes a registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\PersistentRoutes

And should survive reboots.

With regard to Powershell, it's standard issue on Windows 7 and Windows 8. In fact, with Windows 8, tools like netsh have been deprecated, so it's now the preferred way of performing command line administration.

We could really do with a place for 'stickies' and this should be one...

 
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #17 on: February 07, 2013, 07:14:33 PM »
Thanks Radaghast!  Yes, I didn't want to get into persistent routes because I thought they would be a little more dangerous for people that aren't really familiar with this level of operating system manipulation.  My VPN Client app inserts the correct routing table entry every time so I don't have to do that manually.  I only have to delete and add my default route manually--no biggie with a small script.

I took the time to type all this up because I also posted it to other forums where people were having the same concerns and questions about how to do this over and over again with mostly incorrect information being posted by others.

Yes, I know what you mean about stickies in this forum.  In general I've noticed this forum application isn't so great compared to many others I've used.

P.S. I neglected to mention one last security measure, although I admit to not knowing WHY it's a security risk, especially in Windows XP.  I went into each network device's settings (Wi-Fi, Ethernet, VPN) and uninstalled the IPv6 protocol as I've read it's highly recommended to do so.
« Last Edit: February 07, 2013, 07:18:05 PM by stevefoobar »
Steve | Chicago | Illinois | USA | Planet Earth | Milky Way Galaxy | Virgo Supercluster

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #18 on: February 07, 2013, 07:49:51 PM »

Snip...P.S. I neglected to mention one last security measure, although I admit to not knowing WHY it's a security risk, especially in Windows XP.  I went into each network device's settings (Wi-Fi, Ethernet, VPN) and uninstalled the IPv6 protocol as I've read it's highly recommended to do so.

It really depends on the VPN provider. OpenVPN 2.3 and above fully supports IPv6 but not all VPN providers have updated their environments. Basically, check with the provider.

As far as why, it will also depend on your environment. If you get both IPv4 and IPv6 from your ISP (dual stack) unless you can also route the IPv6 packets via the VPN, they're prone to leaking. This may also be a problem with IPv6 tunnelling (teredo, 6to4, 6in4 etc.) If you don't have dual stack and you've disabled tunnelling, it shouldn't be an issue.
« Last Edit: February 07, 2013, 08:37:03 PM by Radaghast »
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #19 on: February 07, 2013, 08:28:54 PM »
I see...very interesting.  I'll have to inquire on the VPN site but I doubt they support IPv6.  Thanks.

P.S. Just checked...they don't support it yet.
« Last Edit: February 07, 2013, 08:34:39 PM by stevefoobar »
Steve | Chicago | Illinois | USA | Planet Earth | Milky Way Galaxy | Virgo Supercluster

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Configuring to Block All Non-VPN Traffic
« Reply #20 on: February 08, 2013, 10:22:47 AM »
Thanks also for the guide and your time  :)
I'm learning all the time thanks to you guys  :-TU
I am gonna try and implement this on my system sometime over this wkend
I'll update as to how I get on....
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #21 on: February 08, 2013, 03:47:54 PM »
Thanks also for the guide and your time  :)
I'm learning all the time thanks to you guys  :-TU
I am gonna try and implement this on my system sometime over this wkend
I'll update as to how I get on....

You are quite welcome.  I'm quite certain it will work if not exactly as outlined then very close.   :)
Steve | Chicago | Illinois | USA | Planet Earth | Milky Way Galaxy | Virgo Supercluster

Offline Katelee

  • Newbie
  • *
  • Posts: 11
Re: Configuring to Block All Non-VPN Traffic
« Reply #22 on: February 08, 2013, 05:09:58 PM »
I tested the method pretty extensively after I read this excellent article(http://www.securitykiss.com/resources/articles/exclusive_tunneling/) at SecurityKiss's website
All I found after the tests is that CPF actually works better for that.

On XP, the deleted default route came back very often after VPNs dropped.
The things seemed to have improved with Windows 7 and 8 (I didn't test it so often on them!), but I still saw it come back sometimes, like when I connected a VPN without switching my IP from DHCP to Static.

Plus, the method didn't work for a DNS leak anyway!

OTOH, CPF never failed to prevent those leaks when VPNs dropped.

AirVPN's website has an excellent guide for it(https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142).

I'm not sure you need all of them, as I only use rule 8 & 10 and they work perfect!
(I use a VPN for just anonymous surfing, which might be reason, though....)

BTW, speaking of an IP leak...,

I made this post(http://forums.comodo.com/comodo-trustconnect-ctc/true-ip-detected-by-https-t81597.0.html) just a year ago.

I found my true IP was detected at those HTTPS based ip check websites because I had OpenVPN and Hotspot Shield installed on my PC...
« Last Edit: February 09, 2013, 09:25:33 AM by Katelee »

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #23 on: February 08, 2013, 07:22:15 PM »
I tested the method pretty extensively after I read this excellent article(http://www.securitykiss.com/resources/articles/exclusive_tunneling/) at SecurityKiss's website
All I found after the tests is that CPF actually works better for that.

On XP, the deleted default route came back very often after VPNs dropped.
The things seemed to have improved with Windows 7 and 8 (I didn't test it so often on them!), but I still saw it come back sometimes, like when I connected a VPN without switching my IP from DHCP to Static.

A possible problem that may have been prevented by the addition of a low metric for the VPN route and also disabling Automatic metric in the OS.

Quote
Plus, the method didn't work for a DNS leak anyway!

Did you disable the DNS client service and manually specify the preferred DNS servers?

Quote
OTOH, CPF never failed to prevent those leaks when VPNs dropped.

AirVPN's website has an excellent guide for it(https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142).

CIS does very well with the right configuration and AirVPN are very good providers.

Quote
I'm not sure you need all of them, as I only use rule 8 & 13 and they work perfect!
(I use a VPN for just anonymous surfing, which might be reason, though....)

You don't need all, just those for your environment. There are also quite a few variations on those rules.

Quote
BTW, speaking of an IP leak...,

I made this post(http://forums.comodo.com/comodo-trustconnect-ctc/true-ip-detected-by-https-t81597.0.html) just a year ago.

I found my true IP was detected at those HTTPS based ip check websites because I had OpenVPN and Hotspot Shield installed on my PC...

I've not seen any issues with OpenVPN installed, however, I've never use Hotspot shield...
« Last Edit: February 08, 2013, 07:24:46 PM by Radaghast »
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #24 on: February 08, 2013, 07:30:21 PM »
Thanks for the links Katelee...there is some good info here.
Steve | Chicago | Illinois | USA | Planet Earth | Milky Way Galaxy | Virgo Supercluster

Offline Katelee

  • Newbie
  • *
  • Posts: 11
Re: Configuring to Block All Non-VPN Traffic
« Reply #25 on: February 09, 2013, 08:53:30 AM »
A possible problem that may have been prevented by the addition of a low metric for the VPN route and also disabling Automatic metric in the OS.
Radaghast,
Thanks for the reply.

I'm no techie and so not sure what you mean, but if you are talking about SecurityKiss's method to delete a default route, I think it uses the interface ID, instead of the metric, to specify an intended adapter.

I'm not sure about it, too, but would you please tell me how to "disable Automatic metric in the OS"?

Did you disable the DNS client service and manually specify the preferred DNS servers?

I don't think it's a good idea.

This will cause an IP leak if the deleted route has been already restored when a VPN drops, which actually happened during my test.

I think you might as well use #5 in solution B here(http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php), instead.
(For XP, use "1.1.1.1" or "none", instead of "0.0.0.0".)

Anyway, I think, we still need CPF to prevent a deleted default route from being restored.

I read somewhere that, if you unplug your LAN cable,  wait for 10-20 secs, and then plug it in, your ip table will be renewed and the deleted route will be restored.

In fact, SecurityKiss's OpenVPN client will delete it whenever a deleted route is restored.

Unfortunately, when I saw it happen last summer, 6 months ago, I was easily able to cause an IP leak for a couple of secs, between when I plugged my LAN cable in and when the client finished deleting the route.

..., however, I've never use Hotspot shield...

I know, I know... I had better not use it!

But, I'm really cheap and I don't want to pay anything for my Internet security solutions, including VPN services, and love free stuff(, which is why I love Comodo! ;)).

The free version of CTC is kind of slow, while HS is pretty fast lately and I don't see any drop in speed while using it.

So, HS had been my default VPN solution for 5-6 yrs and I had used CTC for online shopping only, until I found it out...

BTW, HS is an OpenVPN-based VPN and, I heard, it also installs some kind of a proxy to inject ads into web pages, which seems to confuse network traffic from other OpenVPN services.

I played around with disabling/uninstalling Hotspot Shield's Tap adapter and driver.
And then, I sometimes connected to Hotspot Shield's VPN while using CTC and vice versa....

Thanks for the links Katelee...there is some good info here.

Steve,
Thanks for the reply.

I'm sorry if you felt I tried to hijack your thread.

I just wanted you to read my old thread, as I visited the forum of your VPN service and saw a member saying s/he installed Hotspot Shield, Spotflux and Cyberghost on the PC and so was wondering if you could ask this person to go to https://www.whatismyip.com and see what happens...

Offline treefrogs

  • Comodo's Hero
  • *****
  • Posts: 550
  • Money.... it's a crime
Re: Configuring to Block All Non-VPN Traffic
« Reply #26 on: February 09, 2013, 08:54:31 AM »
Thanks again for this guide
I have successfully modified my routing table for only VPN.

I found the SecurityKISS link http://www.securitykiss.com/resources/articles/exclusive_tunneling/ was pretty useful also.
Although Yours is the first guide of this type that I have seen, despite looking! I suspect it may have "legs"
 :-TU :-TU
Windows 7 x64
CIS 6 - fully virtual/HIPS enabled
Virtual Dragon
Cyberfox

Offline stevefoobar

  • Newbie
  • *
  • Posts: 12
Re: Configuring to Block All Non-VPN Traffic
« Reply #27 on: February 09, 2013, 11:38:55 AM »
Thanks again for this guide
I have successfully modified my routing table for only VPN.

I found the SecurityKISS link http://www.securitykiss.com/resources/articles/exclusive_tunneling/ was pretty useful also.
Although Yours is the first guide of this type that I have seen, despite looking! I suspect it may have "legs"
 :-TU :-TU
AWESOME!  Glad it worked.  Make sure you cover the DNS leakage issue also.  It's almost as bad a problem as IP exposure.  I'm always amazed that these "small" VPN companies being so technical suck so much at providing proper documentation.  It's completely pointless to pay for a VPN service if you don't have solutions for these two problems and they don't seem to care.  Worse, they are providing a false sense of security for people who use their services in some cases.

One other command that's sometimes useful is route -f which does a complete flush of the routing table back to defaults after which you would typically have to do the route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 command to get your default route back.  Normally the OS does a pretty good job of managing the table all on its own though since the routing table is an automatic reflection of what's physically happening in the computer (VPN clients starting and stopping, Ethernet cables being plugged and unplugged, Wi-Fi being enabled and disabled, etc.).

I hope my detailed explanation and instructions goes viral!   ;D
Steve | Chicago | Illinois | USA | Planet Earth | Milky Way Galaxy | Virgo Supercluster

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Configuring to Block All Non-VPN Traffic
« Reply #28 on: February 09, 2013, 04:51:32 PM »
Radaghast,
Thanks for the reply.

I'm no techie and so not sure what you mean, but if you are talking about SecurityKiss's method to delete a default route, I think it uses the interface ID, instead of the metric, to specify an intended adapter.

I'm not sure about it, too, but would you please tell me how to "disable Automatic metric in the OS"?

The metric is simply a value assigned to a link based on such things as speed of the link, latency, hop count etc. Typically, the lower the metric the more likely the interface will be used.

As far as where to find it:

1. Open the properties of the network adapter
2. Select IPv4
3. Select Properties
4. On the General page select Advanced
5. Under Default Gateways select Add
6. Disable the check box

Quote
I don't think it's a good idea.

This will cause an IP leak if the deleted route has been already restored when a VPN drops, which actually happened during my test.

I think you might as well use #5 in solution B here(http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php), instead.
(For XP, use "1.1.1.1" or "none", instead of "0.0.0.0".)

It's the same thing. It's simply ensuring the only DNS servers available are those of the VPN provider.

Quote
Anyway, I think, we still need CPF to prevent a deleted default route from being restored.

Nothing wrong with having some extra protection.

Quote
I read somewhere that, if you unplug your LAN cable,  wait for 10-20 secs, and then plug it in, your ip table will be renewed and the deleted route will be restored.

In fact, SecurityKiss's OpenVPN client will delete it whenever a deleted route is restored.

Unfortunately, when I saw it happen last summer, 6 months ago, I was easily able to cause an IP leak for a couple of secs, b/w I plugged my LAN cable in and the client finished deleting the route.

I know, I know... I had better not use it!

I guess you could always configure the default network card with a static IP address and leave the gateway empty...

Quote
But, I'm really cheap and I don't want to pay anything for my Internet security solutions, including VPN services, and love free stuff(, which is why I love Comodo! ;)).

The free version of CTC is kind of slow, while HS is pretty fast lately and I don't see any drop in speed while using it.

So, HS had been my default VPN solution for 5-6 yrs and I had used CTC for online shopping only., until I found it out...

BTW, HS is an OpenVPN-based VPN and, I heard, it also installs some kind of a proxy to inject ads into web pages, which seems to confuse network traffic from other OpenVPN services.

I played around with disabling/uninstalling Hotspot Shield's Tap adapter and driver.
And then, I sometimes connected to Hotspot Shield's VPN while using CTC and vice versa....

Free is always good :)



“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline Katelee

  • Newbie
  • *
  • Posts: 11
Re: Configuring to Block All Non-VPN Traffic
« Reply #29 on: February 11, 2013, 03:58:40 PM »
1. Open the properties of th network adapter
2. Select IPv4
3. Select Properties
4. On the General page select Advanced
5. Under Default Gateways select Add
6. Disable the check box

Radaghast,
Thanks for the tip.

I entered the IP address of my default gateway in "Gateway" and '1' in "Metric" but it didn't work on XP(, I mean, the deleted route still came back).

Am I doing something wrong here?

It's the same thing. It's simply ensuring the only DNS servers available are those of the VPN provider.

IMO, they are Not the same

Dnsleaktest's solutions not only force your VPN's DNS servers to be used, without your providing the DNS server addresses, but also "partly" prevent an IP leak.

I said "partly" because, while using the fix, I got the ping to respond with "connect" after my VPN drops, but yet, I couldn't load any pages and download anything.

So, I am assuming that it would save us from an IP leak in case a deleted route comes back, to some extent...

OTOH, if you assign an IP of a "real" DNS(, instead of one of a "fantasy" DNS), as Steve's method tells you to do, it will cause an IP leak when a VPN drops and a deleted route has been already restored....

I guess you could always configure the default network card with a static IP address and leave the gateway empty...

Yes, in order for the "DNS leak fix' (and Steve's "IP leak fix") to work properly, you do absolutely need to switch to a static IP address before connecting to a VPN.

As for the gateway IP addresses, I'm not sure if "1.1.1.1" is some fantasy address or not, as "0.0.0.0" of "Network destination" in a route table refers to "any IP", but it is the address that VPNCheck's website suggests.

Anyway, the empty address("none") works just fine and it is actually the address "Solution A" on dnsleaktest.com uses for #5 in "Solution B".

Nothing wrong with having some extra protection.

As I mentioned in the previous post, as far as I observed in my tests, using CPF(CFP? I mean, Comodo Firewall) is much more effective in terms of blocking those leaks and, I think, it is sufficient.

I know that the guide on AirVPN's website looks fairly intimidating to many of you.
However, it actually took me only 20 mins to finish the configurations.

Plus, I use only three of AirVPN's rules: 6) block all traffic(I forgot this in my previous post); 8 ) allow traffic to/from my TAP adapter; and 3) allow traffic to/from my VPN.

I don't know why they need the other rules(, as I don't know what the meanings of them are ;)...)
I guess the rules for those who live in a country like China or UAE or those who do P2P.
(Actually, I don't view a stream video via VPN, which, I assume, many VPN users enjoy, but I doubt those who do need the rules...)

Anyway, those three rules alone work really great for my VPN use(browsing the net, checking my emails, and downloading files).
Also, in this rule set, the fewer rules, the more protection, right?

Having said that, I use both the firewall method and Steve's method to secure my VPN connections.

While the firewall method is more effective, I feel Steve's method is more appropriate.
I mean, when a VPN drops, the ping response to Steve's method is "Destination Host Unreachable", while that to the firewall method is "Request timed Out".

Plus, I don't see any negative impact on the performance of my VPN, such as speed, by using both.
(As a matter of fact, I'm too lazy to use the protections these days and so I can't confirm that now, though ;D.)

So, I use Steve's method as the primary protection against IP and DNS leaks, while I regard the firewall method as a means to keep a deleted default route from being restored...

Free is always good :)

Well, I think I got hacked while connecting to a free VPN at g***sv**.com :-[(, which was actually when I was writing my last post...).
 
### edited - censored the site name and added '*' just in case... ###
« Last Edit: February 12, 2013, 12:26:52 PM by Katelee »
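The three-rule kill switch described in the post above (block all traffic, allow traffic on the TAP adapter, allow traffic to/from the VPN server) is a first-match-wins policy, so its rule order is the whole design. The following is an added example, not AirVPN's guide, Comodo's rule set, or anything from the thread: it evaluates constructed sample packets against that policy and, going beyond the post, also shows what happens when the block-all rule is placed first. The adapter name "TAP-Win32 Adapter V9" is taken from the interface list quoted earlier in the thread; the physical adapter name "Ethernet", the VPN server address 198.51.100.7 and port 1194, and the sample packets are assumptions.

```python
"""First-match firewall evaluation for a VPN kill switch.

Added example, not the post's, AirVPN's or Comodo's rule set. It models the
three rules the post keeps: allow the TAP adapter, allow the VPN server,
block everything else. Adapter names, server address and packets are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TAP = "TAP-Win32 Adapter V9"    # adapter name quoted in the thread's interface list
LAN = "Ethernet"                # assumed name for the physical adapter
VPN_SERVER = "198.51.100.7/32"  # assumed VPN server address (TEST-NET-2)
VPN_PORT = 1194                 # assumed OpenVPN port


@dataclass(frozen=True)
class Packet:
    interface: str   # adapter the packet crosses
    direction: str   # "out" or "in"
    remote: str      # remote IPv4 address
    port: int        # remote port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    interface: Optional[str] = None   # None matches any adapter
    remote_net: Optional[str] = None  # CIDR; None matches any address
    port: Optional[int] = None        # None matches any port
    direction: Optional[str] = None   # None matches both directions

    def matches(self, p: Packet) -> bool:
        if self.interface is not None and p.interface != self.interface:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.port is not None and p.port != self.port:
            return False
        if self.remote_net is not None and \
                ipaddress.IPv4Address(p.remote) not in ipaddress.IPv4Network(self.remote_net):
            return False
        return True


# Order matters: evaluation stops at the first matching rule, so "block all" must be last.
KILL_SWITCH = [
    Rule("allow TAP adapter", "allow", interface=TAP),
    Rule("allow VPN server", "allow", remote_net=VPN_SERVER, port=VPN_PORT),
    Rule("block all", "block"),
]

# The same rules with "block all" on top: every packet, tunnel included, hits it first.
MISORDERED = [KILL_SWITCH[2], KILL_SWITCH[0], KILL_SWITCH[1]]


def evaluate(rules: list[Rule], packet: Packet) -> tuple[str, str]:
    """(action, rule name) of the first matching rule; no match is treated as block."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.name
    return "block", "no matching rule"


# Constructed sample traffic.
SAMPLES = {
    "web via tunnel":         Packet(TAP, "out", "203.0.113.10", 443),
    "openvpn handshake":      Packet(LAN, "out", "198.51.100.7", VPN_PORT),
    "web after VPN drop":     Packet(LAN, "out", "203.0.113.10", 443),   # default route came back
    "dns to public resolver": Packet(LAN, "out", "8.8.8.8", 53),         # would be a DNS leak
    "inbound from router":    Packet(LAN, "in", "192.168.1.1", 135),
}


def decisions(rules: list[Rule]) -> dict[str, str]:
    """Action taken for each sample packet under the given rule order."""
    return {label: evaluate(rules, p)[0] for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, action in decisions(KILL_SWITCH).items():
        print(f"{label:24s} {action}")
```

Two things the evaluation makes visible: the physical adapter is never allowed to carry anything except the VPN handshake, so a default route that Windows silently restores after a cable re-plug has nothing to carry (the IP leak and the DNS leak are blocked by the same rule), and the cost of that is that ordinary LAN traffic such as a printer or file share on 192.168.1.0/24 is blocked too and needs an explicit allow rule above "block all" if you want it.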

 
