How to keep from blowing your anonymity when you lose the VPN or Tor connection?
gumbyy
February 7th, 2010, 11:08 AM
I use various privacy services like TOR, JonDoFox, Hotspot Shield and UltraVPN. But it is very common that I lose the connection to a privacy service during a browsing session. When this happens, my browsing continues, but with no anonymity.
I assume that, when I lose these connections, suddenly my ISP knows where I've been browsing and that's what I want to avoid.
Is there a way to set up a firewall or something so that, if I lose the connection to the privacy service, all of my browsing info is not delivered to the ISP on a silver platter? I mean, if I lose that connection, I would like my whole internet connection to go dead, until I can reconnect to the privacy service.
I don't know anything about firewalls, so if there is a way to configure them to prevent this problem, can someone advise me as to which (freeware) firewall to install, and how to configure it? Thanks for any advice.
SteveTX
February 7th, 2010, 12:38 PM
How to Harden OpenVPN/DNS for Linux (https://xerobank.com/support/articles/how-to-harden-openvpn-in-12-easy-steps/)
How to Harden OpenVPN/DNS for Windows (https://xerobank.com/support/articles/how-to-prevent-vpn-dns-leaks/)
gumbyy
February 8th, 2010, 02:13 PM
Thanks Steve. My, that seems like a lot of work to do every time I use a VPN... I wish there was a way to automate the process.
So a firewall can't be set up to do this?
rango
February 9th, 2010, 10:16 PM
Thanks for the info. :thumb:
ex_ployt_ed
February 10th, 2010, 08:25 AM
For Tor, I would think that using the Tor Browser Bundle (http://www.torproject.org/torbrowser/) would solve your problem. (Windows-only)
caspian
February 10th, 2010, 08:39 AM
For Tor I guess JanusVM or JanusPA
Lyx
February 10th, 2010, 05:12 PM
For VPN, there is a simple but effective method.
First, before using your vpn, look at your routing table with netstat -R.
You will see for example:
Destination  Netmask  Gateway      Interface    Metric
0.0.0.0      0.0.0.0  192.168.1.1  192.168.1.5  20
When your VPN is running, the same command netstat -R shows you a second line, such as:
Destination  Netmask  Gateway        Interface       Metric
0.0.0.0      0.0.0.0  <some VPN IP>  <Other VPN IP>  10
As 10 < 20, the routing table says that your traffic is routed via the vpn (your computer uses the costless route, i.e. the route with the lowest metric)... But if your vpn connection drops, the only remaining route is your "ISP route" (with gateway 192.168.1.1), and your computer sends your data through it.
So, what you have to do is, after your vpn is connected, to delete the first route, with (in my example):
route delete 0.0.0.0 192.168.1.1
So, if your vpn connection drops, your computer will no longer have any access to the internet, and nothing will leak.
gumbyy
February 11th, 2010, 02:31 PM
Lyx, that's great info, thanks. I didn't know what netstat was so I googled it and came across this interesting tidbit of info on Wikipedia:
"In addition to the command-line netstat.exe tool that ships with Windows, there are GUI-based netstat programs available."
I'll have to research this more as I don't like to use the command line, prefer GUI. Will your solution still work with a GUI netstat?
caspian
February 11th, 2010, 04:58 PM
Is this easier than the other approach? Because I do not understand either of them. I will have to tinker with it a little I guess. However, when my xerobank connection is interrupted, the icon turns yellow and I do not have any connection at all.
box750
February 11th, 2010, 07:17 PM
You could also get an SSH tunnel provider such as Cotse or Guardster, when the SSH tunnel goes down your internet browsing will be cut off as well.
But SSH tunnels have downsides too, they need some application by application configuration.
hierophant
February 11th, 2010, 09:37 PM
-{ Quote: "Is this easier than the other approach? Because I do not understand either of them. I will have to tinker with it a little I guess. However, when my xerobank connection is interrupted, the icon turns yellow and I do not have any connection at all." }-
In my experience, when XeroBank connections are interrupted, the icon turns yellow, and there is no internet connection. OpenVPN tries to reconnect, but never seems to succeed, and that process seems to prevent the TAP adapter from giving up routing priority. It doesn't do that until you fully disconnect, and the icon turns red.
If you want extra assurance that there will be no leaks, and also want to readily switch between using XeroBank or not, you can tweak Steve's approach a little. Before changing anything, save your interface settings as instructed ...
netsh interface ip dump > c:\net.cfg
After making the changes, save again with a different name ...
netsh interface ip dump > c:\net_xb.cfg
You can then switch between them ...
netsh exec c:\net.cfg
netsh exec c:\net_xb.cfg
You could put those in shell scripts.
caspian
February 11th, 2010, 10:36 PM
-{ Quote: "In my experience, when XeroBank connections are interrupted, the icon turns yellow, and there is no internet connection. OpenVPN tries to reconnect, but never seems to succeed, and that process seems to prevent the TAP adapter from giving up routing priority. It doesn't do that until you fully disconnect, and the icon turns red.
If you want extra assurance that there will be no leaks, and also want to readily switch between using XeroBank or not, you can tweak Steve's approach a little. Before changing anything, save your interface settings as instructed ...
netsh interface ip dump > c:\net.cfg
After making the changes, save again with a different name ...
netsh interface ip dump > c:\net_xb.cfg
You can then switch between them ...
netsh exec c:\net.cfg
netsh exec c:\net_xb.cfg
You could put those in shell scripts." }-
Thanks for that buddy. But just to show you how clueless I am, I have no idea what to do with those instructions. I assume that I am supposed to type these commands in somewhere. But this is something that I have never done. I am completely unfamiliar with these types of things. I wish there was a "Special Ed" version... Or "lock down instructions for dummies"....LOL If I ever manage to figure this out I will create step by step instructions that anyone can follow.
hierophant
February 12th, 2010, 01:31 AM
Both Steve's instructions, How to Harden OpenVPN/DNS for Windows (https://xerobank.com/support/articles/how-to-prevent-vpn-dns-leaks/), and Lyx's employ Windows command line programs. You can open a command prompt window by selecting Start|Run and entering "cmd" at the Open prompt.
Steve's approach assigns a static IP address, subnet mask and default gateway to the local area connection corresponding to your computer's physical NIC -- but doesn't assign any DNS server(s). As a result, you cannot access the internet using that connection, but you can access other resources on your local network. You could achieve the same result navigating through Control Panel | Network Connections | Local Area Connection N (the one with a hardware Device Name) | Properties | Internet Protocol (TCP/IP) | Properties and entering the values manually, with just 1 in the first DNS server box, but that's slower.
Lyx's approach deletes the route for the physical NIC connection. I believe that you can add it back with the command ...
route add 0.0.0.0 192.168.1.1
... but I haven't tested that. I'm learning here too.
gumbyy
February 12th, 2010, 01:24 PM
Lyx, I am trying your solution but it's not working. First of all, netstat is not presenting me with the simple choices you posted. Instead it is showing me a confusing array of network destinations, gateways and interfaces, not 1 or 2, but about 18, most of them are repeats of the same 3 or 4 addresses. I am able to identify which one is the VPN. I think I identified which one is the one I want to delete, but when I try to give the route delete command I keep getting the message "the route specified was not found."
I notice that the C prompt Netstat gives me is C:\Documents and Settings\Administrator>
Is that the correct prompt from which I should issue these commands?
I also tried using the Netstat GUI called TCPView but I can't figure out how to do your solution in that program. It doesn't even show me IP addresses.
I'm on a hotel wifi connection and I think it uses a range of different consecutive IP addresses, if that's relevant.
Lyx
February 13th, 2010, 08:49 AM
-{ Quote: "Lyx, I am trying your solution but it's not working. First of all, netstat is not presenting me with the simple choices you posted. Instead it is showing me a confusing array of network destinations, gateways and interfaces, not 1 or 2, but about 18, most of them are repeats of the same 3 or 4 addresses. I am able to identify which one is the VPN. I think I identified which one is the one I want to delete, but when I try to give the route delete command I keep getting the message "the route specified was not found."
" }-
Yes, netstat -R gives many lines. First stage: run netstat -R without your VPN, in order to identify your ISP's route. Focus on the line beginning with destination 0.0.0.0: these four 0s mean "any IP", so this line means "any communication to any IP has to go through this route".
Then, second stage: run your VPN and perform another netstat -R. If you see the route you identified in the first stage, delete it.
It is possible that your (Open)VPN is well coded enough to automatically delete your ISP route: it seems to be the case for example with Xerobank (cf. Caspian's remark). To verify this point, you can open your VPN logs and search for the keyword "delete". If that is the case, your ISP route no longer appears when performing the second netstat -R; you then do not have to delete it, and when the VPN connection drops, the VPN icon becomes yellow and your computer is isolated from the internet.
To re-add your ISP route to your routing table, you have to type the route add command as Hierophant said, but specifying the interface (the one you saw at stage 1).
-{ Quote: "
I notice that the C prompt Netstat gives me is C:\Documents and Settings\Administrator>
Is that the correct prompt from which I should issue these commands?
" }-
It seems correct.
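A worked model of what Lyx describes in these two posts (the lowest metric wins, the 0.0.0.0 row is the ISP route, deleting it leaves the machine isolated when the tunnel dies) and of hierophant's question about adding the route back. This is an added example written for this thread, not code posted by anyone in it or shipped by any VPN product. The two snapshots, every address in them and the VPN interface 10.8.0.6 are constructed; the parser assumes the five-column layout Windows prints for netstat -r / route print (Destination, Netmask, Gateway, Interface, Metric), and the route selection rule (most specific prefix, then lowest metric) is standard behaviour.

```python
"""Routing-table model for the kill-switch discussion in this thread.
Constructed example: parses `route print`-style rows, picks the route the stack would
use (longest prefix, then lowest metric) and shows what a dead VPN tunnel does to
egress with and without the ISP default route deleted. All addresses are made up."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int

    @property
    def network(self):
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)


def parse_routes(text):
    """Keep only the 5-column route rows; headers and 'Default Gateway:' lines are skipped.
    Vista/7 print 'On-link' in the gateway column; that is treated as the interface."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        dest, mask, gateway, iface, metric = parts
        if gateway == "On-link":
            gateway = iface
        try:
            for field in (dest, mask, gateway, iface):
                ipaddress.ip_address(field)
        except ValueError:
            continue
        routes.append(Route(dest, mask, gateway, iface, int(metric)))
    return routes


def select_route(routes, dest_ip):
    """Route the stack would use: most specific prefix wins, then the lowest metric
    (Lyx's "costless route"). None means the destination is unreachable."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def default_routes(routes):
    """Stage 1 of Lyx's procedure: the 0.0.0.0 rows are the candidate ISP routes."""
    return [r for r in routes if r.destination == "0.0.0.0"]


def leaking_default_routes(stage1, stage2):
    """Stage 2: default routes seen without the VPN that are still there with it.
    An empty list means the VPN client already removed them (the XeroBank case)."""
    return [r for r in default_routes(stage1) if r in stage2]


def delete_route(routes, destination, gateway):
    """Effect of `route delete <destination> <gateway>`: only matching rows go away."""
    return [r for r in routes if not (r.destination == destination and r.gateway == gateway)]


def drop_vpn(routes, vpn_interface):
    """Effect of the tunnel dying: every route bound to the TAP adapter vanishes."""
    return [r for r in routes if r.interface != vpn_interface]


# Constructed snapshots in `route print` layout: 192.168.1.x is the hotel LAN,
# 10.8.0.x the VPN's private network, 203.0.113.7 the VPN server (documentation range).
STAGE1_NO_VPN = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.5     20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.5    192.168.1.5     20
Default Gateway:       192.168.1.1
"""
STAGE2_VPN_UP = STAGE1_NO_VPN + """
          0.0.0.0          0.0.0.0         10.8.0.1       10.8.0.6     10
         10.8.0.0    255.255.255.0         10.8.0.6       10.8.0.6     10
      203.0.113.7  255.255.255.255      192.168.1.1    192.168.1.5     20
"""


def demo(remote="198.51.100.10"):
    stage1, stage2 = parse_routes(STAGE1_NO_VPN), parse_routes(STAGE2_VPN_UP)
    print("VPN up, traffic leaves via", select_route(stage2, remote).interface)
    for r in leaking_default_routes(stage1, stage2):
        print(f"ISP route still present, so: route delete {r.destination} {r.gateway}")
    print("VPN drops, table untouched:", select_route(drop_vpn(stage2, "10.8.0.6"), remote).interface)
    hardened = delete_route(stage2, "0.0.0.0", "192.168.1.1")
    print("VPN drops, ISP route deleted:", select_route(drop_vpn(hardened, "10.8.0.6"), remote))


if __name__ == "__main__":
    demo()
```

Note what survives the delete: the host route to the VPN server (203.0.113.7 via 192.168.1.1) is untouched, because the tunnel itself still has to reach the server through the ISP. That is why the ISP gateway keeps appearing further down the list after the 0.0.0.0 row is gone, and why the LAN (192.168.1.0/24) stays reachable while the rest of the internet does not.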
gumbyy
February 13th, 2010, 02:17 PM
Lyx,
Thanks for the followup. I think I made a mistake the first time. When I gave the route delete command, I forgot to use the 0.0.0.0
Now I tried it again and Netstat deleted the route. Then ran Netstat -R again. The ISP IP was deleted from the position where it was on the second line, but the same gateway ISP IP that I deleted still appears further down in the list. It appears as the gateway for the network destination that is the VPN IP address.
To make this doubly confusing, my UltraVPN is now doing weird things. When it connects, the program tells me that it has IP address 10.8.25.86 but when I go to the "what is my IP?" websites they all tell me that my IP address is 76.73.18.50.
BOTH IP addresses show up in Netstat. The 10.8.25.86 address shows up frequently but the 76.73.18.50 address shows up only once. I have posted to the UltraVPN forum to ask why the program tells me that I have a European IP but the "What is my IP?" websites tell me I have a different IP from the US. And Netstat sees both of them.
Unfortunately, the VPNs that I am using now, Hotspot and UltraVPN do not delete my ISP's route when they accidentally disconnect, so I need to find a solution. Still haven't tried Steve's approach but will.
After I post this I will disconnect Ultra and see if I still have an internet connection.
hierophant
February 13th, 2010, 02:56 PM
-{ Quote: "To make this doubly confusing, my UltraVPN is now doing weird things. When it connects, the program tells me that it has IP address 10.8.25.86 but when I go to the "what is my IP?" websites they all tell me that my IP address is 76.73.18.50.
BOTH IP addresses show up in Netstat. The 10.8.25.86 address shows up frequently but the 76.73.18.50 address shows up only once. I have posted to the UltraVPN forum to ask why the program tells me that I have a European IP but the "What is my IP?" websites tell me I have a different IP from the US. And Netstat sees both of them." }-
Albeit confusing, what you report is evidence that UltraVPN is at least somewhat anonymous, and doing more than just giving you a new IP and forwarding ports. The IP address 10.8.25.86 is your computer's address in the UltraVPN virtual private network. Both 10.*.*.* and 192.*.*.* are reserved for private networks. The IP address 76.73.18.50 is the public address of the UltraVPN exit node that you're using.
gumbyy
February 14th, 2010, 01:38 AM
Thanks for explaining, hierophant. The thing that puzzles me is, until a week ago, Ultra wasn't behaving like this. The IP address that Ultra said I had was the same (French, I think) address that the "what is my ip?" websites indicated.
Also, after I disconnected ultra last night, I still had an internet connection, so I guess I need to keep working on this.
hierophant
February 14th, 2010, 02:47 AM
-{ Quote: "thanks for explaining, hierophant. The thing that puzzles me is, until a week ago, Ultra wasn't behaving like this. The IP address that Ultra said I had was the same (French, I think) address that the "what is my ip?" websites indicated." }-
Perhaps they've upgraded. Or ???
-{ Quote: "Also, after I disconnected ultra last night, I still had an internet connection, so I guess I need to keep working on this." }-
I'm most familiar with XeroBank. When it spontaneously disconnects, perhaps because of an internal glitch, or something that my ISP or the NSA did, or whatever, the tray icon turns yellow, and I lose internet connectivity. I don't regain internet connectivity until I terminate the dead connection.
However, when I terminate the dead connection, the tray icon turns red, and I do regain internet connectivity, but with my true IP address instead of the XeroBank exit node's IP address. The same happens when I terminate a working connection. In that case, there's no perceptible interruption in connectivity, just a change in IP address.
If I'm using some P2P app with XeroBank, it loses internet connectivity when XeroBank spontaneously disconnects, so there's no IP leak. However, in order to avoid an IP leak, I need to stop the P2P app before renewing the XeroBank connection.
I've never used UltraVPN, and don't know how this might apply to it.
Lyx
February 14th, 2010, 10:23 AM
-{ Quote: "Lyx,
Thanks for the followup. i think i made a mistake the first time. When I gave the route delete command, I forgot to use the 0.0.0.0
Now i tried it again and Netstat deleted the route. Then ran Netstat -R again. The ISP IP was deleted from the position where it was on the second line, but the same gateway ISP IP that I deleted still appears further down in the list. It appears as the gateway for the network destination that is the VPN IP address.
" }-
If I understand correctly what you are saying, it's perfectly normal: your VPN connection has to use your ISP connection at some point in order for you to receive or send data with the internet. What's important is to delete the link between 0.0.0.0 and your ISP gateway.
In order to verify this deletion does what it is supposed to do, you can then force disconnection of your VPN, or even terminate your openvpn.exe process, and try to access the internet. This attempt should fail.
TheMozart
February 14th, 2010, 05:02 PM
NEWSFLASH: You blow your anonymity as soon as you login to the internet.
If someone is doing something illegal on the internet, Tor and VPN etc will not protect you. The right people will find you and come a knocking.
hierophant
February 14th, 2010, 11:10 PM
Over any given day, I'm likely doing things that are illegal in at least ten nations. Fortunately, most of the time the nation I'm living in isn't one of them. In particular, the DSD and mutawwa are SOL, which is a very good thing. YMMV.
caspian
February 15th, 2010, 02:42 PM
-{ Quote: "Both Steve's instructions, How to Harden OpenVPN/DNS for Windows (https://xerobank.com/support/articles/how-to-prevent-vpn-dns-leaks/), and Lyx's employ Windows command line programs. You can open a command prompt window by selecting Start|Run and entering "cmd" at the Open prompt.
Steve's approach assigns a static IP address, subnet mask and default gateway to the local area connection corresponding to your computer's physical NIC -- but doesn't assign any DNS server(s). As a result, you cannot access the internet using that connection, but you can access other resources on your local network. You could achieve the same result navigating through Control Panel | Network Connections | Local Area Connection N (the one with a hardware Device Name) | Properties | Internet Protocol (TCP/IP) | Properties and entering the values manually, with just 1 in the first DNS server box, but that's slower.
Lyx's approach deletes the route for the physical NIC connection. I believe that you can add it back with the command ...
route add 0.0.0.0 192.168.1.1
... but I haven't tested that. I'm learning here too." }-
Do both of these techniques work with Vista 64 bit and Windows 7?
I went to the Control Panel and it does not say Network connections. But it does say Network Sharing. From there I chose "Manage Network Connections" and I get this:
http://i46.tinypic.com/2agp8oi.jpg
If I right click and choose "Properties" I get this:
http://i50.tinypic.com/2ekrt4x.jpg
Am I on the right track?
hierophant
February 15th, 2010, 04:57 PM
Yes, you are. It looks like you have both wired and wireless connections. If both are active, you'll need to assign static IPs for both -- and "fake" DNS servers (1.0.0.0).
Assuming that your machine is currently using a DHCP server, the IP addresses and DNS servers in connection properties will be assigned automatically. Before doing anything, write them down. Then click the "Use the following ..." buttons and enter the values that you just wrote down. Do that for all active physical adapters (apparently, wired and wireless) and you should be OK.
When you want direct access, you can just click the "Obtain an IP address automatically" button. Or you can leave the static IP addresses, and enter your preferred DNS servers (e.g., 208.67.222.222 and 208.67.220.220).
zero2008
February 15th, 2010, 07:14 PM
A much simpler way to do this is just use VPNetMon. This program will forcefully close any program that you set it to when it detects the VPN connection is lost.
hierophant
February 16th, 2010, 12:01 AM
-{ Quote: "A much simpler way to do this is just use VPNetMon. This program will forcefully close any program that you set it to when it detects the VPN connection is lost." }-
Cool. Thanks!
gumbyy
February 17th, 2010, 01:24 AM
Thanks for that info, Zero2008. I was going to suggest that it would be great if someone made a small app that could do all this automatically. But I have one question:
VPNetMon shuts down your browser when it detects that the VPN has disconnected. But isn't it already too late? As soon as the VPN disconnects, aren't the URLs you were browsing instantly logged by your ISP? Before VPNetMon can shut your programs down?
arran
February 17th, 2010, 02:28 AM
It's simple. Just use a software firewall to control outbound connections.
gumbyy
February 17th, 2010, 11:15 AM
-{ Quote: "It's simple. Just use a software firewall to control outbound connections." }-
How do you do that, arran? Which (freeware) firewall can you use to do this and how do you configure it?
hierophant
February 17th, 2010, 01:28 PM
-{ Quote: "VPNetMon shuts down your browser when it detects that the VPN has disconnected. But isn't it already too late? As soon as the VPN disconnects, aren't the URLs you were browsing instantly logged by your ISP? Before VPNetMon can shut your programs down?" }-
That doesn't seem to be problematic for XeroBank when the VPN connection (rarely) drops, because the TAP adapter seems to retain routing priority. VPNetMon would have killed the program(s) of concern before you reset the connection. YMMV with other VPNs and anonymity services.
However, VPNetMon might well be too slow if you unthinkingly terminated the VPN connection. In that case, the TAP adapter would immediately lose routing priority (having been disconnected). Having nonfunctional TCP/IP on the physical NIC -- either by specifying a bogus DNS server, or by deleting the route -- would protect you while VPNetMon did its thing.
There is another issue that I haven't mentioned (as I recall, anyway). At any given time, there may be many processes automatically accessing the internet -- OS and app updaters, time synchronization, email clients, IM clients, IP checkers, etc. Depending on your level of paranoia, you may want to do some or all of that manually. Indeed, you may want to restrict some access to your true IP, and some to your VPN IP.
Asus125
February 17th, 2010, 08:18 PM
I have deleted the route and also succeeded, but if I check netstat -r after some time, the route has come back. Is it because of DHCP?
Does this happen to you too, guys?
Even though the route has come back, the IP isn't leaked. I have checked it with a generated torrent file which runs in your torrent application, and you can go and check the reported IP on this website: http://www.checkmytorrentip.com/#
That site also introduces this tip and one more, which, I think, is what Steve's technique does.
Copied directly from there:
A couple more points.
You may need to set a static local IP address if you have flaky wireless. Otherwise if you briefly lose your wireless connection (and therefore local IP address) while on VPN and your VPN doesn't drop, when your PC reconnects back to your wireless, your original route will automatically be added, and so even though you deleted it, it'll pop back up. So in the Control Panel under networking, turn off DHCP and assign the 192.168.0.8 address manually. That way that route will never be added back unless you add it yourself.
After you manually add your routes back, it may take some time before DNS works again. I've never figured out why the delay, so sometimes it's faster to reboot your computer after you lose the connection (this is why VMWARE is so much easier).
Tip 1: Create .bat files with the route add/del commands in it, that way you can just click a short cut.
Tip 2: Also create a shortcut to cmd with this Target: %SystemRoot%\system32\cmd.exe /k "netstat -R" . That way you never have to go to Start->Run->cmd->netstat -R each time you want to check your routes.
Tip 3: Use a virtual machine (like vmware) to connect to a VPN, that way your normal day to day traffic won't be affected.
Are you using a virtual machine, hierophant?
hierophant
February 17th, 2010, 10:02 PM
-{ Quote: "Are you using a virtual machine, hierophant?" }-
Right now, I'm not. I'm just using XeroBank on a Win XP box. When I want to be especially anonymous, I use a Win XP VM -- residing on a TrueCrypt volume and running in VMware Player -- and tunnel other anonymity services through XeroBank. I've also used Linux VMs in that way. And lately, I've been playing with a Win 7 VM in Win Server 2008 Hyper-V, accessed via Remote Desktop. I do think that VMs are the way to go, because you can sandbox activities (work/play/finances) and identities.
gumbyy
February 18th, 2010, 02:18 AM
-{ Quote: "That doesn't seem to be problematic for XeroBank when the VPN connection (rarely) drops, because the TAP adapter seems to retain routing priority. VPNetMon would have killed the program(s) of concern before you reset the connection. YMMV with other VPNs and anonymity services." }-
This is going way over my head. I don't even know what a TAP adapter is...also does Xerobank have this fine functionality when used with TOR or only when used with Xerobank's premium VPN?
-{ Quote: "However, VPNetMon might well be too slow if you unthinkingly terminated the VPN connection. In that case, the TAP adapter would immediately lose routing priority (having been disconnected). Having nonfunctional TCP/IP on the physical NIC -- either by specifying a bogus DNS server, or by deleting the route -- would protect you while VPNetMon did its thing." }-
Hierophant, can you explain exactly how to specify a bogus DNS server? Is that in itself a simple solution to this problem? Deleting the route is a function of netstat -R, I suppose. But I have deleted the route with Netstat -R and still had internet connectivity when the VPN quit. But I'm not sure I did it correctly.
Regarding VPNetMon, this page (http://vpnetmon.webs.com/) says "For running VPNetMon you need a VPN connection created already in the Network preferences."
But Hotspot Shield and UltraVPN aren't set up in Network Preferences. You start them with an icon in the system tray. I wonder if there's a way to set them up in Network Prefs.
This is all so complicated. Is it possible to just run VMWare with your VPN and does this protect you from the disconnection perils as well as the Flash and Java perils? I will admit I don't know anything about VMWare and have never run a virtual machine, so unless it's easy for a non-techie it won't work for me.
Or if you can do it with a simple firewall setting, that would be great.
Asus125
February 18th, 2010, 08:16 AM
gumbyy, if you are using a wireless connection, the route can come back even though you deleted it, as said in the text which I copied from http://www.checkmytorrentip.com/#. However, I also got the route back when I checked it again about thirty minutes after I deleted it, although I have a wired connection. Maybe it's because of my router and DHCP. Since the IP didn't leak to the tracker, both the Xerobank and cryptocloud clients stopped it, I guess.
If you used VMWare, you would still have to do the same process on your virtual machine because it runs an operating system in virtual mode. In addition, that machine could leak DNS if you haven't done the settings properly, so I recommend skipping that and using sandboxie if you want to have a more secure web browser.
You may choose to try Steve's method but I cannot say how it's done because I am learning it myself. Firewall settings might be an option too, but I don't know whether they are easier to configure than setting a static local IP address or whether they are as effective; it could be the case that the data would still leak if you use a firewall method.
Edit:
-{ Quote: "This is going way over my head. I don't even know what a TAP adapter is...
" }-
1. Open the Start menu and select Control Panel
2. network connections
There you should see for example "a TAP-Win32 Adapter V9"
-{ Quote: "Yes, you are. It looks like you have both wired and wireless connections. If both are active, you'll need to assign static IPs for both -- and "fake" DNS servers (1.0.0.0).
Assuming that your machine is currently using a DHCP server, the IP addresses and DNS servers in connection properties will be assigned automatically. Before doing anything, write them down. Then click the "Use the following ..." buttons and enter the values that you just wrote down. Do that for all active physical adapters (apparently, wired and wireless) and you should be OK.
When you want direct access, you can just click the "Obtain an IP address automatically" button. Or you can leave the static IP addresses, and enter your preferred DNS servers (e.g., 208.67.222.222 and 208.67.220.220)." }-
But according to Hierophant, you should seek your physical adapter not the virtual adapter.
hierophant
February 18th, 2010, 10:18 AM
This is really simple, if you don't get distracted by the unfamiliar business of mucking with your computer's networking setup.
When you use OpenVPN, it creates a virtual TAP-Win32 network adapter on your computer, and connects to a remote network. Via that virtual adapter, your computer is now part of that remote network, with an IP address (e.g., 10.4.*.*) that's dynamically assigned by that remote network's DHCP server.
In setting up the connection, the OpenVPN script assigns a routing priority to the virtual TAP-Win32 network adapter that's higher than the routing priority of the physical network adapter(s). That ensures that network traffic will use the virtual adapter. BTW, "adapter" and "connection" are sometimes used more-or-less synonymously.
When the VPN connection is broken, traffic shifts to the functioning adapter with the highest routing priority. That's probably a physical network adapter, with a non-anonymous public IP address.
If you want to prevent that, you need to disable that connection in some way. We've been discussing two approaches -- (1) assigning a fake DNS server (e.g., 1.0.0.0) to the adapter, or (2) deleting the route that adapter uses to connect to the internet. Either works, and you could do both at the same time.
However, neither works for very long unless you manually configure TCP/IP on the physical adapter, specifying the IP address, Subnet mask, Default gateway, and DNS servers. Otherwise, the adapter will get all of that from your network's DHCP server, which is typically the broadband modem/router (or a hardware firewall, or perhaps a dedicated server).
Also, from a security perspective, it's best to (1) manually configure TCP/IP for all computers on your network, (2) assign IP by MAC in your DHCP server, and (3) restrict the IP range appropriately in your DHCP server. Although that's perhaps unworkable for large networks, it's not so bad for homes and small offices.
Asus125
February 18th, 2010, 11:31 AM
WOW, a very good summary :thumb:
-{ Quote: "
Also, from a security perspective, it's best to (1) manually configure TCP/IP for all computers on your network, (2) assign IP by MAC in your DHCP server, and (3) restrict the IP range appropriately in your DHCP server. Although that's perhaps unworkable for large networks, it's not so bad for homes and small offices." }-
Could you summarise this also? (how it's done) ;D
hierophant
February 18th, 2010, 02:08 PM
OK, let's say that you have the following devices on your network ...
00-90-7F-XX-XX-XX 192.168.111.1 Firebox X5 Edge
00-24-E8-XX-XX-XX 192.168.111.2 Dell R710
00-24-E8-XX-XX-XX 192.168.111.3 Dell T7500
00-1F-33-XX-XX-XX 192.168.111.4 ReadyNAS Pro
The IP address of the Firebox is fixed. You start by listing the MAC address for each device, and deciding what IP address each will have. Then, you enter the MAC-IP pairs in the address reservation table in your DHCP server. In my case, that's the Firebox.
Once you've done that, and rebooted the DHCP server, you reboot each of the other devices, and verify that they have the right IP addresses. If all is cool, you set 192.168.111.2-192.168.111.4 as the IP address pool in the DHCP server, and reboot it. Now, only the three specified devices can connect to your network. If you wanted to connect another device, you'd assign it 192.168.111.5, add the new MAC-IP pair to the DHCP address reservation table, and set 192.168.111.2-192.168.111.5 as the IP address pool.
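A small model of the reservation plan hierophant lays out in this post: a MAC-to-IP table, a pool shrunk to exactly the reserved addresses, and the add-a-device step that extends both by one. It is an added example written for this thread, not Firebox configuration or anything posted by hierophant; the full MAC addresses are his masked prefixes with made-up low bytes, and offer() is an assumption about how a DHCP server with such a table decides what to hand out (reserved address for a known MAC, a spare pool address for an unknown one, nothing when the pool is full). It models assignment only: a device configured with its own static address is outside what the DHCP server controls, so the plan is inventory hygiene rather than access control.

```python
"""Model of a DHCP address-reservation plan with a pool restricted to the reserved
addresses. Constructed example; it decides leases the way the thread describes, it is
not a DHCP server and not any vendor's configuration format."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-F]{2}-){5}[0-9A-F]{2}$")


class ReservationPlan:
    def __init__(self, gateway):
        self.gateway = ipaddress.ip_address(gateway)  # fixed address, never in the pool
        self.reservations = {}  # MAC -> (IPv4Address, device name)
        self.pool = None        # (first, last), inclusive

    def reserve(self, mac, ip, name):
        """Step 1: pair each device's MAC with the address it will always receive."""
        mac = mac.upper()
        if not MAC_RE.match(mac):
            raise ValueError(f"bad MAC format: {mac}")
        addr = ipaddress.ip_address(ip)
        if addr == self.gateway or addr in self.reserved_addresses():
            raise ValueError(f"{addr} already in use")
        self.reservations[mac] = (addr, name)

    def reserved_addresses(self):
        return {addr for addr, _ in self.reservations.values()}

    def set_pool(self, first, last):
        """Step 2: shrink the pool to the reserved addresses so no spare lease exists."""
        first, last = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if first > last or self.gateway in self.pool_addresses((first, last)):
            raise ValueError("pool must be an ascending range that excludes the gateway")
        self.pool = (first, last)

    def pool_addresses(self, pool=None):
        first, last = pool or self.pool
        return {ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)}

    def free_addresses(self):
        return sorted(self.pool_addresses() - self.reserved_addresses())

    def offer(self, mac):
        """Lease decision (assumed behaviour): reserved address for a known MAC, a spare
        pool address for an unknown one, None when nothing is left to hand out."""
        entry = self.reservations.get(mac.upper())
        if entry and entry[0] in self.pool_addresses():
            return str(entry[0])
        free = self.free_addresses()
        return str(free[0]) if free else None

    def add_device(self, mac, name):
        """Step 3 for a new device: next address, new reservation, pool extended by one."""
        addr = max(self.reserved_addresses()) + 1
        self.reserve(mac, str(addr), name)
        self.set_pool(self.pool[0], max(self.pool[1], addr))
        return str(addr)


def build_plan():
    """hierophant's devices, with the Firebox as gateway and DHCP server (sample MACs)."""
    plan = ReservationPlan("192.168.111.1")
    plan.reserve("00-24-E8-01-02-03", "192.168.111.2", "Dell R710")
    plan.reserve("00-24-E8-04-05-06", "192.168.111.3", "Dell T7500")
    plan.reserve("00-1F-33-07-08-09", "192.168.111.4", "ReadyNAS Pro")
    plan.set_pool("192.168.111.2", "192.168.111.4")
    return plan


if __name__ == "__main__":
    plan = build_plan()
    print("R710 gets", plan.offer("00-24-e8-01-02-03"))
    print("unknown MAC gets", plan.offer("00-11-22-33-44-55"))
    print("new laptop gets", plan.add_device("00-AA-BB-CC-DD-EE", "laptop"))
    print("unknown MAC still gets", plan.offer("00-11-22-33-44-55"))
```

The point the model makes explicit is that the pool range and the reservation table must be changed together: extending the pool without adding a reservation would leave a spare lease for any unknown device, which is the situation step 2 removes.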
gumbyy
February 19th, 2010, 11:36 AM
-{ Quote: "gumbyy, if you are using a wireless connection, the route can come back even though you deleted it, as said in the text which I copied from http://www.checkmytorrentip.com/#. However, I also got the route back when I checked it again about thirty minutes after I deleted it, although I have a wired connection. Maybe it's because of my router and DHCP. Since the IP didn't leak to the tracker, both the Xerobank and cryptocloud clients stopped it, I guess.
If you used VMWare, you would still have to do the same process on your virtual machine because it runs an operating system in virtual mode. In addition, that machine could leak DNS if you haven't done the settings properly, so I recommend skipping that and using sandboxie if you want to have a more secure web browser." }-
Asus,
99% of the time I am using Wifi. I only rarely have a wired connection. And to help explain why I am interested in this topic, the Wifi at the hotel where I am living now is VERY flaky and is constantly cutting out, then returning a few minutes later. Only seldom do I experience a long, extended, uninterrupted session here.
I think it was a JonDo webpage that also once mentioned using a Sandbox. But I am only dimly aware of the sandbox concept and don't know how to use them to solve this problem.
-{ Quote: "You may choose to try Steve's method but I cannot say how it's done because I am learning it myself. Firewall settings might be an option too, but I don't know whether they are easier to configure than setting a static local IP address, or whether they are as effective; it could be that the data would still leak if you use a firewall method.
Edit:
1. Open the Start menu and select Control Panel
2. network connections
There you should see for example "a TAP-Win32 Adapter V9"
But according to Hierophant, you should seek your physical adapter not the virtual adapter." }-
Well, I don't see any TAP-Win32 adapter in my network connections window. And I am using UltraVPN right now, which uses OpenVPN. All I see is "Internet Connection," "Local Area Connection 3" (which I use on those rare occasions when I have plug-in internet) and "Wireless Network Connection."
Then, below that, under the heading "Virtual Private Network," I have an icon for "ItsHidden," which is a VPN that I set up but have only used once.
I don't see entries for UltraVPN and Hotspot Shield VPN, which I use a lot. These programs only seem to make their connections known by their icons in the system tray, which change color depending on connection status.
We really need someone to write a program that will solve this problem automatically! I would volunteer but I don't know computer code from a ham sandwich.
gumbyy
February 19th, 2010, 12:02 PM
-{ Quote: "...
When you use OpenVPN, it creates a virtual TAP-Win32 network adapter on your computer, and connects to a remote network. Via that virtual adapter, your computer is now part of that remote network, with an IP address (e.g., 10.4.*.*) that's dynamically assigned by that remote network's DHCP server." }-
Okay, but as I mentioned above, I do not see that TAP adapter in my network connections window (I am using XP SP2) although I am using UltraVPN right now.
-{ Quote: "In setting up the connection, the OpenVPN script assigns a routing priority to the virtual TAP-Win32 network adapter that's higher than the routing priority of the physical network adapter(s). That insures that network traffic will use the virtual adapter. BTW, "adapter" and "connection" are sometimes used more-or-less synonymously.
When the VPN connection is broken, traffic shifts to the functioning adapter with the highest routing priority. That's probably a physical network adapter, with a non-anonymous public IP address.
If you want to prevent that, you need to disable that connection in some way. We've been discussing two approaches -- (1) assigning a fake DNS server (e.g., 1.0.0.0) to the adapter, or (2) deleting the route that adapter uses to connect to the internet. Either works, and you could do both at the same time.
However, neither works for very long unless you manually configure TCP/IP on the physical adapter, specifying the IP address, Subnet mask, Default gateway, and DNS servers. Otherwise, the adapter will get all of that from your network's DHCP server, which is typically the broadband modem/router (or a hardware firewall, or perhaps a dedicated server)..." }-
Okay, my hotel's normal connection is the Wireless Network Connection in my network connections window, which is a Broadcom 802.11g network adapter. I right click it, choose Properties, Internet Protocol (TCP/IP), Properties...and it is set to Obtain IP and DNS addresses automatically. If I am going to change this I need to know the correct IP address...is that the address I get from the "What is my IP?" websites? I mean when I'm not using the VPN.
If I enter that IP in TCP/IP properties, then enter a fake (1.0.0.0 as you suggest) DNS server address, is that all I need to do? Will the hotel Wifi connection still be able to access the internet so that I can access my VPN, even with this fake DNS address? And yet NOT be able to access the internet when I unexpectedly lose the VPN connection? Simply by giving it a fake DNS address? Without having to delete the route?
Perhaps I am not understanding you correctly.
Thanks, everyone, for your help. It's amazing how many approaches there are to this.
yurtus
February 20th, 2010, 07:06 PM
this thread gave me some great insight on a few things. :thumb:
hierophant
February 20th, 2010, 07:08 PM
-{ Quote: "Okay, but as I mentioned above, I do not see that TAP adapter in my network connections window (I am using XP SP2) although i am using UltraVPN right now." }-
This is very strange. I just tested UltraVPN on a Win XP SP2 VM. Initially, connected with XeroBank via OpenVPN, I saw the TAP-Win32 Adapter V9 in Network Connections (as I have since installing XeroBank on that VM). After downloading the UltraVPN installer and creating an account, I disconnected from XeroBank and closed OpenVPN. After installing UltraVPN, and connecting, I could see no TAP-Win32 adapter in Network Connections. Even so, running "ipconfig /all" at the command prompt showed both the AMD PCNET Local Area Connection and a TAP-Win32 Adapter V9. Finally, after exiting from UltraVPN, and connecting to XeroBank, I STILL couldn't see a TAP-Win32 Adapter V9 in Network Connections!
WTF! It appears that UltraVPN has somehow altered the properties of TAP-Win32 Adapter V9 such that it doesn't appear in Network Connections.
Any ideas?
-{ Quote: "Okay, my hotel's normal connection is the Wireless Network Connection in my network connections window, which is a Broadcom 802.11g network adapter. I right click it, choose Properties, Internet Protocol (TCP/IP), Properties...and it is set to Obtain IP and DNS addresses automatically. If I am going to change this I need to know the correct IP address...is that the address I get from the "What is my IP?" websites? I mean when I'm not using the VPN." }-
No, you don't use the IP address that you get from whatismyip.com -- that is the external internet IP address. What you're setting in TCP/IP properties is the computer's IP address etc. on the local network. You can very likely just use the values that you see initially by running "ipconfig /all" at the command prompt, which were obtained automatically. However, I can't say for sure without knowing how your hotel's network is set up.
-{ Quote: "If I enter that IP in TCP/IP properties, then enter a fake (1.0.0.0 as you suggest) DNS server address, is that all I need to do? Will the hotel Wifi connection still be able to access the internet so that I can access my VPN, even with this fake DNS address? And yet NOT be able to access the internet when I unexpectedly lose the VPN connection? Simply by giving it a fake DNS address? Without having to delete the route?" }-
The "fake DNS server" approach prevents your computer from resolving domain names to IP addresses. Given that websites typically use domain names, rather than numerical IP addresses, this should protect your anonymity. However, if you're using software that connects via numerical IP addresses, blocking DNS lookups wouldn't be enough. In that case, deleting the route would be the best approach, I believe.
With that in mind, and this is crucial, you need to establish the OpenVPN connection before assigning a fake DNS server to your physical Local Area Connection. If your physical Local Area Connection doesn't have a working DNS server, it probably can't establish the OpenVPN connection, because it can't resolve domain names to IP addresses. That's definitely the case with XeroBank. I suppose that one could hack the login script using just IP addresses, but that would probably not be reliable. In the case of XeroBank, each entry domain name resolves to several IP addresses. If you hard coded one of them, you couldn't connect if it were busy or down.
-{ Quote: "Perhaps I am not understanding you correctly." }-
Perhaps I'm not being clear. It wouldn't be the first time ;)
-{ Quote: "Thanks, everyone, for your help. It's amazing how many approaches there are to this." }-
Yes, this is a great forum :)
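The two lockdowns described in the post above, a fake DNS server on the physical adapter and a deleted internet route, fail in different ways when the tunnel drops, and the order in which you apply them matters. The following is an added example, not code from anyone in this thread: a small Python model of a host with a physical adapter and an OpenVPN TAP adapter. The adapter names, the hotel LAN 192.168.1.0/24, the resolver at 192.168.1.1, the hostname vpn-entry.example and all addresses (documentation ranges) are constructed assumptions. Running the scenarios shows that the fake DNS server stops name lookups but not connections to a literal IP, that the deleted route stops connections but still lets the lookup reach the hotel's resolver on the LAN (so the hotel, and its upstream, can see the name), that doing both stops everything, and that applying a lockdown before the tunnel is up prevents the entry hostname from resolving at all.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed data: a name table standing in for the hotel's resolver and the
# documentation-range addresses used below. None of these are real hosts.
NAMES = {"vpn-entry.example": "203.0.113.10", "www.example.com": "198.51.100.7"}
LAN = ipaddress.ip_network("192.168.1.0/24")
HOTEL_DNS = "192.168.1.1"   # router that DHCP normally hands out as the DNS server
FAKE_DNS = "1.0.0.0"        # the unreachable "fake DNS server" from the thread


@dataclass
class Adapter:
    name: str
    dns_server: str
    default_route: bool = True   # False once the route to the internet is deleted


@dataclass
class Host:
    physical: Adapter
    vpn_entry_ip: str = NAMES["vpn-entry.example"]
    tap: Optional[Adapter] = None   # OpenVPN TAP adapter; present only while the tunnel is up

    def egress(self, dst: str) -> Optional[Adapter]:
        """Adapter a packet to `dst` leaves on. Directly connected LAN addresses
        need no gateway; the TAP route outranks the physical default route while
        the tunnel is up; the tunnel's own encrypted packets to the entry IP use
        the host route OpenVPN added via the physical NIC."""
        if ipaddress.ip_address(dst) in LAN:
            return self.physical
        if self.tap is not None:
            return self.physical if dst == self.vpn_entry_ip else self.tap
        return self.physical if self.physical.default_route else None

    def resolve(self, name: str) -> Tuple[Optional[str], bool]:
        """(ip, seen_by_hotel). seen_by_hotel is True when the query left the
        host in the clear on the physical adapter, i.e. the hotel could log it."""
        if self.tap is not None:
            return NAMES.get(name), False   # provider's resolver inside the tunnel (assumed to answer)
        server = self.physical.dns_server
        if server != HOTEL_DNS or self.egress(server) is None:
            return None, False              # fake server: nothing answers
        return NAMES.get(name), True

    def connect(self, target: str) -> Tuple[str, bool]:
        """Outcome of an application connecting to a hostname or an IP literal:
        'via_vpn', 'LEAK' (left on the physical adapter in the clear) or
        'blocked'. Second value: whether a DNS query was exposed to the hotel."""
        seen = False
        try:
            ipaddress.ip_address(target)
            dst: Optional[str] = target
        except ValueError:
            dst, seen = self.resolve(target)
            if dst is None:
                return "blocked", seen
        out = self.egress(dst)
        if out is None:
            return "blocked", seen
        return ("via_vpn" if out is self.tap else "LEAK"), seen

    def bring_up_vpn(self) -> bool:
        """The client resolves the entry hostname and reaches the entry IP over
        the physical adapter, so both must still work when this is called."""
        ip, _ = self.resolve("vpn-entry.example")
        if ip is None or self.egress(ip) is None:
            return False
        self.tap = Adapter("TAP-Win32 Adapter V9", dns_server="10.4.0.1")
        return True

    def drop_vpn(self) -> None:
        self.tap = None


def scenarios() -> dict:
    """Run the four situations discussed in the thread and collect outcomes."""
    results = {}
    # 1. Fake DNS applied after the tunnel is up, then the tunnel drops.
    h = Host(Adapter("Wireless Network Connection", HOTEL_DNS))
    if not h.bring_up_vpn():
        raise RuntimeError("tunnel should come up before any lockdown")
    h.physical.dns_server = FAKE_DNS
    results["up,name"] = h.connect("www.example.com")        # via the tunnel
    h.drop_vpn()
    results["fakedns,name"] = h.connect("www.example.com")   # lookup fails: blocked
    results["fakedns,ip"] = h.connect("198.51.100.7")        # literal IP: LEAK
    # 2. Route deleted instead: literal IPs are stopped, but the lookup still
    #    reaches the LAN resolver, so the hotel sees the name.
    h = Host(Adapter("Wireless Network Connection", HOTEL_DNS))
    h.bring_up_vpn()
    h.physical.default_route = False
    h.drop_vpn()
    results["noroute,name"] = h.connect("www.example.com")
    results["noroute,ip"] = h.connect("198.51.100.7")
    # 3. Both lockdowns: nothing leaves in the clear.
    h = Host(Adapter("Wireless Network Connection", HOTEL_DNS))
    h.bring_up_vpn()
    h.physical.dns_server = FAKE_DNS
    h.physical.default_route = False
    h.drop_vpn()
    results["both,name"] = h.connect("www.example.com")
    results["both,ip"] = h.connect("198.51.100.7")
    # 4. Lockdown applied first: the entry hostname can't be resolved.
    h = Host(Adapter("Wireless Network Connection", FAKE_DNS))
    results["lockdown_first"] = h.bring_up_vpn()
    return results


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:16} {outcome}")
```

The model treats the tunnel's own resolver as always answering and ignores DHCP renewals, which is exactly the thing the post warns will undo both lockdowns unless the physical adapter is configured statically.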
gumbyy
February 21st, 2010, 01:03 AM
-{ Quote: "
WTF! It appears that UltraVPN has somehow altered the properties of TAP-Win32 Adapter V9 such that it doesn't appear in Network Connections.
Any ideas?" }-
I believe that Hotspot Shield does the same thing. It also doesn't appear in Network Connections.
-{ Quote: "
No, you don't use the IP address that you get from whatismyip.com -- that is the external internet IP address. What you're setting in TCP/IP properties is the computer's IP address etc. on the local network. You can very likely just use the values that you see initially by running "ipconfig /all" at the command prompt, which were obtained automatically. However, I can't say for sure without knowing how your hotel's network is set up." }-
Thanks. I will try this.
-{ Quote: "
The "fake DNS server" approach prevents your computer from resolving domain names to IP addresses. Given that websites typically use domain names, rather than numerical IP addresses, this should protect your anonymity. However, if you're using software that connects via numerical IP addresses, blocking DNS lookups wouldn't be enough. In that case, deleting the route would be the best approach, I believe." }-
But does this protect me from my ISP knowing where I surf? I mean, won't the ISP still log the domain name, even if they don't log the IP? (I mean if you lose your VPN connection) Domain names can be pretty descriptive, don't you think? They usually indicate the subject matter of the website, and that's something that we want to keep private from the ISP. That's the whole point of this exercise. Also if the ISP has the domain name they can visit the site and see what you are surfing.
I'm just using the typical everyday programs that everyone uses. Firefox, etc.
JB007
February 21st, 2010, 10:06 AM
Bloody hell, this is like reading a Japanese forum; I have no idea what you guys are on about. I thought by connecting to XeroBank's VPN I was as safe as houses and anonymous!! After reading this thread I'm bloody confused...
hierophant
February 21st, 2010, 12:27 PM
@JB007
I can imagine that this may be confusing. What we've been discussing are ways to ensure that there are no communications of any kind between your computer and the internet, except for those routed through the encrypted VPN connection. In particular, we've been discussing what happens if the VPN connection goes down, or if you accidentally disconnect.
Based on my experience with XeroBank, for P2P clients as well as for simple browsing, there is no problem when the VPN connection drops. When that happens, which is rare, your computer simply loses internet connectivity. The OpenVPN tray icon changes from green to yellow, and hovering over it shows a message that it's connecting. However, without intervention, it will never reconnect. I believe that's intentional. Your computer won't regain internet connectivity until you manually disconnect (and perhaps then reconnect to XeroBank).
When you manually disconnect from XeroBank, starting either with a working connection (green icon) or non-working connection (yellow icon), the icon turns red, and you regain regular non-XeroBank internet connectivity.
In order to maintain your anonymity, you need to close all applications that are accessing the internet before manually disconnecting from XeroBank. You're protected as long as the icon is yellow, but not when it's red.
Let's say that you're running a P2P client. You check your computer in the morning, perhaps, and you see that XeroBank has disconnected (yellow icon). When that happened the first time, BTW, I freaked. However, after some testing, I confirmed that my true IP hadn't leaked. Anyway, all you do is shut down the P2P client, disconnect from XeroBank, reconnect to XeroBank, verify that you're anonymized, and then fire up the P2P client.
So, what we've been discussing is how to block internet connectivity and maintain anonymity even when the VPN is totally disconnected (red icon). That's nontrivial because the VPN connection is in fact using the physical connection, so you need to disable the physical connection in ways that don't prevent the VPN connection from maintaining itself.
@gumbyy
Yes, I see that the OpenVPN Tap-Win32 adapter can be hidden in Network Connections. What I don't understand yet is how to unhide it. I gather that one must edit the Registry.
I'll have more to say re your other questions after some testing.
arran
February 21st, 2010, 03:42 PM
-{ Quote: "Bloody hell, this is like reading a Japanese forum; I have no idea what you guys are on about. I thought by connecting to XeroBank's VPN I was as safe as houses and anonymous!! After reading this thread I'm bloody confused..." }-
Instead of reading the endless dribble of long-winded posts in here, I can narrow a solution down for you to just one simple word: "Firewall"
gumbyy
February 22nd, 2010, 01:43 AM
-{ Quote: "Instead of reading the endless dribble of long-winded posts in here, I can narrow a solution down for you to just one simple word: "Firewall"" }-
Arran,
The question of whether you can solve this problem with a simple firewall configuration is one that I am very interested in. Can you tell us exactly how you do this? Or give us a link that explains it? I have previously heard some people assert that a firewall will do the trick, but others say it won't.
gumbyy
February 22nd, 2010, 02:32 AM
-{ Quote: "@JB007
Based on my experience with XeroBank, for P2P clients as well as for simple browsing, there is no problem when the VPN connection drops. When that happens, which is rare, your computer simply loses internet connectivity. The OpenVPN tray icon changes from green to yellow, and hovering over it shows a message that it's connecting. However, without intervention, it will never reconnect. I believe that's intentional. Your computer won't regain internet connectivity until you manually disconnect (and perhaps then reconnect to XeroBank).
" }-
Hiero,
I did not realize that you could use Xerobank with OpenVPN. Googling it, I see that there are two ways:
XB Portable OpenVPN:
http://www.wilderssecurity.com/archive/index.php/t-178149.html
Or XeroBank for OpenVPN:
http://support.xerobank.com/wiki/doku.php?id=using_openvpn_instead_of_xb_vpn
Which of these two ways do you recommend? I don't have OpenVPN installed now, unless perhaps UltraVPN installed OpenVPN as part of its installation.
I would love to try Xerobank with OpenVPN. Also I get confused sometimes--when we refer to Xerobank do we mean Xerobank's VPN or the XB Browser? When you referred previously to Xerobank not having this problem with losing your anonymity when the VPN disconnects, were you referring to Xerobank used with OpenVPN, with TOR, or with Xerobank's premium VPN?
You seem to be saying that using Xerobank browser with OpenVPN solves this disconnection-anonymity problem without having to enter baffling ip codes and issue complex command line gobbledygook. If that's the case I will just use Xerobank exclusively.
I've had some troubling experiences with Ultra. A few days ago, the Ultra icon was green, indicating I was connected, but the "what is my ip?" websites were all showing my local IP!
And Hotspot is a royal pain. It tries to prevent you from connecting to Google and often hijacks whatever page you're on and takes you to some Anchorfree page.
hierophant
February 22nd, 2010, 10:55 PM
@gumbyy
I apologize for the confusion. By "XeroBank", I mean the paid XeroBank service, using its own network, not Tor. The XeroBank installer includes both XB VPN and XB Browser. The XB VPN client uses OpenVPN. Although one can connect to XeroBank using straight OpenVPN, I haven't done that. Also, although the XB Browser is a secured version of Firefox, one can use any browser.
Although UltraVPN also uses OpenVPN, it configures it differently than the XeroBank installer does. In particular, it sets a flag somewhere that hides the TAP adapter. I don't know how to undo that. Uninstalling UltraVPN might do it. If not, it might require editing the Registry. I plan to play with it when I have time. Perhaps someone who knows OpenVPN could comment.
Regarding Xerobank and the disconnection-anonymity problem, I know that there is no apparent internet connectivity after the XeroBank OpenVPN icon turns yellow and reports that it's connecting (but never connects). I also know that, after several hours in that state with a stalled torrent, the tracker didn't list my true IP. However, I routinely hard code TCP/IP setup, so my experience may not apply if you're using DHCP. And in any case, I don't have Wireshark or firewall logs for such disconnection events, so I don't know what did or didn't leak.
gumbyy
February 23rd, 2010, 01:36 AM
Hiero,
I don't know what Wireshark is, but is there a method or program or website that lets you see exactly the info that your ISP sees and logs?
I installed OpenVPN and its GUI yesterday. When I tried to run it for the first time, I got a message that "OpenVPN GUI is already running" (or words to that effect). I finally figured out that I was getting that message because the UltraVPN icon was in the system tray, although I was not connected to Ultra. When I got rid of the UltraVPN icon, I was able to start OpenVPN, and its icon was identical to UltraVPN's. Moreover, I was able to log in to OpenVPN with the same username and PW that I use on UltraVPN.
It's hard to avoid the conclusion that UltraVPN and OpenVPN GUI are the same program.
Re Xerobank, I guess you mean that if I use XB VPN, I have the option to connect to OpenVPN and don't have to use the paid service.
I have a suspicion that the XB VPN system tray icon will also be identical to the UltraVPN icon, since your description of its color-changing behavior matches that of Ultra and Open. And I guess I will be able to use my same Ultra username and PW when I use XB to access Open.
I wonder whether there is any difference at all among these programs that use OpenVPN?
BTW, OpenVPN, like Ultra and Hotspot, did not put a TAP adapter icon in my Network Connections.
arran
February 23rd, 2010, 03:50 PM
-{ Quote: "Arran,
The question of whether you can solve this problem with a simple firewall configuration is one that I am very interested in. Can you tell us exactly how you do this? Or give us a link that explains it? I have previously heard some people assert that a firewall will do the trick, but others say it won't." }-
Any software firewall with outbound protection will do if you configure it to only allow apps to connect to the internet through your VPN program. You just need to learn how to configure it; go and read the firewall forums.
hierophant
February 23rd, 2010, 04:05 PM
-{ Quote: "I don't know what Wireshark is, but is there a method or program or website that lets you see exactly the info that your ISP sees and logs?" }-
Wireshark is a "network protocol analyzer" aka packet sniffer. With it, you can record network traffic on any adapter that your computer can see. For most of us, that means the computer's physical network adapter(s) and any virtual network adapter(s) that we've created (e.g., using OpenVPN, VMware Player or VirtualBox). It's also possible to monitor traffic across network switches.
Wireshark shows you what's leaving your computer on whatever adapter you're monitoring. Your firewall logs (from the software firewall on your computer, and also from the perimeter hardware firewall that you may have on your network) show you what's leaving for your ISP. However, many firewalls don't filter or log all types of packets, so it can be confusing.
-{ Quote: "I installed OpenVPN and its GUI yesterday. When I tried to run it for the first time, I got a message that "OpenVPN GUI is already running". (or words to that effect). I finally figured out that I was getting that message because the UltraVPN icon was in the system tray, although I was not connected to Ultra. When I got rid of the UltraVPN icon, I was able to start OpenVPN, and it's icon was identical to UltraVPN. Moreover, I was able to login to OpenVPN with the same username and PW that I use on UltraVPN.
It's hard to avoid the conclusion that UltraVPN and OpenVPN GUI are the same program." }-
You're almost right. UltraVPN is a service that (like XeroBank) uses OpenVPN to establish the connection. You can use OpenVPN to establish a connection to any network that you have credentials for. All that you did was login to UltraVPN.
-{ Quote: "Re Xerobank, I guess you mean that if I use XB VPN, I have the option to connect to OpenVPN and don't have to use the paid service." }-
No. OpenVPN is just open-source software for establishing a VPN connection. XeroBank is an anonymity service. There is no OpenVPN service. XB VPN is just a "wrapper" for OpenVPN, set up to connect to XeroBank.
-{ Quote: "I have a suspicion that the XB VPN system tray icon will also be identical to the UltraVPN icon, since your description of its color-changing behavior matches that of Ultra and Open." }-
UltraVPN just uses the default OpenVPN tray icon, whereas XeroBank substitutes its own custom tray icon. The color behavior is the same, however.
-{ Quote: "And I guess I will be able to use my same Ultra username and PW when I use XB to access Open." }-
No. To reiterate, both UltraVPN and XeroBank use OpenVPN. You could use OpenVPN to connect to any network, as long as you have proper credentials. Each remote network -- UltraVPN, XeroBank, other anonymity networks, your employer or whatever -- will have its own IP address, certificates, username and password.
-{ Quote: "I wonder whether there is any difference at all among these programs that use OpenVPN?" }-
Yes, there is. However, that's a contentious issue. It's very hard for users to assess anonymity networks. AFAIK, the best evidence is reputation.
-{ Quote: "BTW, OpenVPN, like Ultra and Hotspot, did not put a TAP adapter icon in my Network Connections." }-
Right. Once you install UltraVPN, it appears that the TAP adapter is hidden. I don't know how to get it back (yet).
JustJohnny
February 24th, 2010, 12:03 AM
Ok, this is a very interesting topic. Currently I am using an OpenVPN provider and am pretty happy with the service. However I would very much like to stay anonymous when I think I am, so this is a big deal.
What I want to know: is there any way to "spoof" a failed VPN connection? How could you test if you are really secure? My problem is that my provider very rarely has dropped connections (it happened only once and I quickly reconnected without testing anything). So how could I know the behavior on the event it loses the VPN connection?
gumbyy
February 24th, 2010, 01:39 AM
-{ Quote: "Any software firewall with outbound protection will do if you configure it to only allow apps to connect to the internet thru your vpn program. You just need to learn how to configure it, go and read the firewall forums." }-
Arran,
I googled it quickly and came up with only this:
StrongVPN Forum / Firewalling your PC to only use the VPN connection
http://www.strongvpn.com/forum/viewtopic.php?id=294
but some people in that thread are having problems with the instructions. What do you think?
hierophant
February 24th, 2010, 02:30 AM
-{ Quote: "What I want to know: is there any way to "spoof" a failed VPN connection?" }-
I'd be gobsmacked if OpenVPN were vulnerable in that way.
-{ Quote: "How could you test if you are really secure? My problem is that my provider very rarely has dropped connections (it happened only once and I quickly reconnected without testing anything). So how could I know the behavior on the event it loses the VPN connection?" }-
You could tell from Wireshark (on physical NIC) and firewall logs (local and perimeter). However, given that spontaneously-dropped connections are so rare, you'd need to maintain months of logs, which is nontrivial. Instead, I've been using two tests: (1) dropping the connection by disconnecting the network cable for several seconds; and (2) disconnecting via the OpenVPN menu. I'm testing the three approaches discussed in this thread. We could all do that, and compare results.
arran
February 26th, 2010, 01:01 AM
-{ Quote: "Arran,
I googled it quickly and came up with only this:
StrongVPN Forum / Firewalling your PC to only use the VPN connection
http://www.strongvpn.com/forum/viewtopic.php?id=294
but some people in that thread are having problems with the instructions. What do you think?" }-
The instructions look straightforward to me. I guess the ones complaining there must be noobs.
JustJohnny
February 27th, 2010, 12:35 AM
Ok, finally my OpenVPN connection dropped tonight so I was able to see what happens! The OpenVPN icon on the taskbar turned yellow and it says "Reconnecting to *ServerName*". However my internet did NOT revert back to the unsecured connection. So the behavior is fine. If the connection drops I get no internet, which is what I want. So all is well.
I believe the reason this works is due to the batch scripts that run to plug the DNS leaks. These batch files were provided by my privacy host and they cause DNS requests to go only through the VPN. The scripts run automatically when OpenVPN initiates a connection and also when it closes. However, they did not run when the connection dropped unexpectedly. So this cripples communication that relies on DNS (although I guess an IP-based connection might still go through). Still better than nothing though.
These batch files should work with an OpenVPN host that provides you with *.ovpn config files. If the config file was named 'SomeServer.ovpn' then the files to plug the DNS leak are called 'SomeServer_pre.bat', 'SomeServer_up.bat', and 'SomeServer_down.bat' and are located in the "Program Files/OpenVPN/config" folder. Here are the scripts:
*_pre.bat:
@echo off
setlocal
echo Checking for active internet connection...
set ActiveNet=
rem Token 2 is the State column and the * token is the rest of the line,
rem i.e. the interface name with its spaces. Every "Connected" line
rem overwrites ActiveNet, so the last connected interface wins.
FOR /F "tokens=2,3* " %%j in ('netsh interface show interface ^| find "Connected"') do set ActiveNet=%%l
echo Active internet connection is "%ActiveNet%"
rem Redirection goes first: written as "echo %ActiveNet%>ActiveNet.txt", a name
rem ending in a digit (e.g. "Local Area Connection 3") makes cmd treat "3>" as a
rem handle redirect and the file ends up empty.
>ActiveNet.txt echo %ActiveNet%
rem ping to localhost is the batch equivalent of a short sleep
@ping 127.0.0.1 -n 4 -w 1000 > nul
*_up.bat:
@echo off
set /p ActiveNet=<ActiveNet.txt
echo Locking down DNS leaks for "%ActiveNet%"
ipconfig /flushdns
rem 0.0.0.0 becomes the only DNS server on the physical adapter, so lookups
rem that bypass the tunnel fail; validate=no skips netsh's reachability check
netsh interface IPv4 set dnsservers "%ActiveNet%" static 0.0.0.0 both validate=no
@ping 127.0.0.1 -n 4 -w 1000 > nul
*_down.bat:
@echo off
echo Resetting network to normal
set /p ActiveNet=<ActiveNet.txt
rem hand DNS configuration back to DHCP on the same adapter
netsh interface IPv4 set dnsservers "%ActiveNet%" dhcp
ipconfig /flushdns
del ActiveNet.txt
@ping 127.0.0.1 -n 4 -w 1000 > nul
And if something goes wrong use this script to return to normal settings (can be on the desktop):
NetworkReset.bat:
@echo off
set /p ActiveNet=<"%PROGRAMFILES%\OpenVPN\config\ActiveNet.txt"
echo OK to reset - %ActiveNet% - to normal?
pause
netsh interface IPv4 set dnsservers "%ActiveNet%" dhcp
ipconfig /flushdns
del "%PROGRAMFILES%\OpenVPN\config\ActiveNet.txt"
@ping 127.0.0.1 -n 2 -w 1000 > nul
Keep in mind I did not write these scripts, nor do I know whether they will work with all OpenVPN configurations. Please note that I believe these may only work on Windows Vista/Seven 32-bit. Maybe they will help somebody.
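Everything the scripts above do hinges on the one line in *_pre.bat that picks the "active" interface, and the FOR loop keeps the last "Connected" line it sees. As an added example (not the scripts' author's code), here is that selection logic rewritten in Python against a constructed `netsh interface show interface` listing, so it can be run anywhere: a laptop with Wi-Fi up, the wired port unplugged, and a TAP adapter that another OpenVPN-based client has already brought up. The listing, the adapter names and the `TAP-` prefix used to recognise virtual adapters are assumptions. It shows that the script would write the TAP adapter's name to ActiveNet.txt, so *_up.bat would lock DNS on the tunnel adapter and leave the Wi-Fi adapter untouched; `physical_choice` is a safer selection that skips virtual adapters and refuses to guess.

```python
from typing import List

# Constructed `netsh interface show interface` output (Vista/7 layout); not
# captured from a real host.
NETSH_OUTPUT = """\
Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        Wireless Network Connection
Enabled        Disconnected   Dedicated        Local Area Connection 3
Enabled        Connected      Dedicated        TAP-Win32 Adapter V9
"""

# Assumption: names OpenVPN's TAP driver gives its virtual adapters.
VIRTUAL_PREFIXES = ("TAP-",)


def connected_interfaces(output: str) -> List[str]:
    """Mirror `FOR /F "tokens=2,3*" ... ^| find "Connected"`: find is
    case-sensitive, so "Disconnected" does not match; token 2 is the State
    column and the * token is the rest of the line, i.e. the interface name
    including any spaces it contains."""
    names = []
    for line in output.splitlines():
        if "Connected" not in line:
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] != "Connected":
            continue
        names.append(" ".join(tokens[3:]))
    return names


def script_choice(output: str) -> str:
    """What *_pre.bat ends up writing to ActiveNet.txt: the loop overwrites
    ActiveNet on every matching line, so the LAST connected interface wins."""
    names = connected_interfaces(output)
    return names[-1] if names else ""


def physical_choice(output: str) -> str:
    """Skip virtual adapters and refuse to guess when zero or several physical
    interfaces are connected, rather than locking down the wrong one."""
    physical = [n for n in connected_interfaces(output)
                if not n.startswith(VIRTUAL_PREFIXES)]
    if len(physical) != 1:
        raise ValueError(f"expected exactly one connected physical interface, got {physical}")
    return physical[0]


if __name__ == "__main__":
    print("connected:", connected_interfaces(NETSH_OUTPUT))
    print("script would lock:", script_choice(NETSH_OUTPUT))
    print("should lock:", physical_choice(NETSH_OUTPUT))
```

The same ambiguity arises with a wired and a wireless adapter both connected; in that case the script silently picks whichever netsh lists last, and the other adapter still hands DNS queries to the hotel.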
hierophant
February 27th, 2010, 04:31 AM
OK, I've confirmed that the firewall approach works for me. After connecting to XeroBank, I created three rules: (1) block all traffic; (2) permit LAN traffic; and (3) permit traffic to/from the XeroBank entry IP. After disconnecting from XeroBank, I had no internet connectivity. With Wireshark on the physical NIC, I could see packets addressed to various external IPs, and I could see in the firewall log that all non-LAN traffic had been blocked.
Perhaps that's not surprising. OTOH, if it really is that simple, I'm left wondering about rationales for the other approaches. Is it that some don't trust firewalls?
Edit: Or is it that providers prefer approaches that don't involve users configuring firewalls?
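The three rules in the post above (block all, permit LAN, permit the VPN entry IP) are easy to reason about once written down. The following is an added example, not hierophant's Symantec configuration: a first-match model of the rule set in Python, evaluated against constructed packets that a physical NIC might carry in the seconds after the tunnel drops. The entry IP 203.0.113.10 is a documentation-range placeholder for your provider's entry address, and the LAN is the 192.168.111.0/24 subnet from the DHCP post earlier in the thread. It also shows why precedence matters: if the catch-all block is consulted first, the OpenVPN reconnect attempt is dropped too and the tunnel can never come back.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress

VPN_ENTRY = "203.0.113.10"     # placeholder; substitute your provider's entry IP
LAN = "192.168.111.0/24"       # the subnet from the DHCP post above


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    dst: str        # remote IP address
    dport: int
    what: str       # constructed description, used as the report key


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "block"
    remote: Optional[str] = None  # CIDR the remote address must fall in; None = any
    proto: Optional[str] = None   # restrict to one protocol; None = any

    def matches(self, pkt: Packet) -> bool:
        if self.remote is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.remote):
            return False
        return self.proto is None or self.proto == pkt.proto


# Allow rules ahead of the catch-all block, for a first-match firewall.
KILL_SWITCH: List[Rule] = [
    Rule("permit LAN", "allow", remote=LAN),
    Rule("permit VPN entry", "allow", remote=VPN_ENTRY + "/32"),
    Rule("block all", "block"),
]
# Same rules with the catch-all consulted first: everything dies, tunnel included.
WRONG_ORDER: List[Rule] = [KILL_SWITCH[2], KILL_SWITCH[0], KILL_SWITCH[1]]
# What the physical adapter does with no kill switch at all.
NO_FIREWALL: List[Rule] = [Rule("default allow", "allow")]


def decide(rules: List[Rule], pkt: Packet) -> Rule:
    """First rule that matches decides; a catch-all guarantees a match."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise ValueError("rule set has no catch-all rule")


def audit(rules: List[Rule], packets: List[Packet]) -> Dict[str, str]:
    """Action per packet, i.e. what the firewall log shows for the traffic
    Wireshark sees on the physical NIC."""
    return {p.what: decide(rules, p).action for p in packets}


def leaks(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Packets allowed out to something other than the LAN or the VPN entry,
    which is exactly the traffic the ISP would see in the clear."""
    return [p.what for p in packets
            if decide(rules, p).action == "allow"
            and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(LAN)
            and p.dst != VPN_ENTRY]


# Constructed traffic on the physical NIC a few seconds after the tunnel dropped.
AFTER_DROP: List[Packet] = [
    Packet("udp", "8.8.8.8", 53, "browser DNS lookup"),
    Packet("tcp", "198.51.100.7", 80, "HTTP to a literal IP"),
    Packet("tcp", "203.0.113.77", 6881, "torrent peer by IP"),   # same /24 as the entry, still blocked
    Packet("tcp", "192.168.111.4", 445, "file share on the NAS"),
    Packet("udp", VPN_ENTRY, 1194, "OpenVPN reconnect attempt"),
]


if __name__ == "__main__":
    for name, rules in (("kill switch", KILL_SWITCH), ("wrong order", WRONG_ORDER),
                        ("no firewall", NO_FIREWALL)):
        print(name, audit(rules, AFTER_DROP), "leaks:", leaks(rules, AFTER_DROP))
```

Check how your own product orders rules before copying this layout: first-match products need the allows above the block, while the built-in Windows Firewall gives block rules precedence over allow rules, so there the equivalent is to set the profile's default outbound action to block and add only the two allow rules.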
gumbyy
February 27th, 2010, 11:07 AM
-{ Quote: "
You're almost right. UltraVPN is a service that (like XeroBank) uses OpenVPN to establish the connection. You can use OpenVPN to establish a connection to any network that you have credentials for. All that you did was login to UltraVPN...
No. OpenVPN is just open-source software for establishing a VPN connection. XeroBank is an anonymity service. There is no OpenVPN service. XB VPN is just a "wrapper" for OpenVPN, set up to connect to XeroBank." }-
Thanks Hiero. I had thought that OpenVPN was a free VPN network, not just software. So I guess UltraVPN is the free network, not OpenVPN.
So if you use XB VPN with OpenVPN, what network can you connect through? Only XB's premium service and TOR? I had mistakenly thought that OpenVPN was another connection option that would be faster than TOR.
-{ Quote: "
Right. Once you install UltraVPN, it appears that the TAP adapter is hidden. I don't know how to get it back (yet)." }-
That's an important issue. Without the TAP adapter icon I don't know if you can use VPNetMon. Did you try uninstalling Ultra?
gumbyy
February 27th, 2010, 11:18 AM
-{ Quote: "OK, I've confirmed that the firewall approach works for me. After connecting to XeroBank, I created three rules: (1) block all traffic; (2) permit LAN traffic; and (3) permit traffic to/from the XeroBank entry IP. After disconnecting from XeroBank, I had no internet connectivity. With Wireshark on the physical NIC, I could see packets addressed to various external IPs, and I could see in the firewall log that all non-LAN traffic had been blocked.
Perhaps that's not surprising. OTOH, if it really is that simple, I'm left wondering about rationales for the other approaches. Is it that some don't trust firewalls?" }-
Hiero,
Wonderful that you were able to confirm this. Did you also confirm that the firewall blocked Flash and Java from bypassing the VPN and revealing your real IP address?
Which firewall approach did you use? The one whose link I posted (StrongVPN)? Or a different approach? It would be immensely helpful to the non-techies amongst us (such as moi) if you could tell us exactly what you did -- like, step by step instructions, and also what firewall you used.
I am still in the early stages of my privacy and security education and don't know anything at all about firewalls. When you say you "created three rules", perhaps everyone else here understands what you mean, but I don't know how to create rules in a firewall, and don't know if this is easy or difficult.
I would like to try some of these approaches and see if I can duplicate JustJohnny's success but right now my computer is in the repair shop.
hierophant
February 27th, 2010, 07:43 PM
-{ Quote: "Wonderful that you were able to confirm this. Did you also confirm that the firewall blocked Flash and Java from bypassing the VPN and revealing your real IP address?" }-
XeroBank doesn't leak true IP in any of the Metasploit decloak.net tests, so there's nothing to confirm. However, I have played with some VPNs that do fail the Flash test, and could check that with them. I'm not sure when I'll have a chance, however.
-{ Quote: "Which firewall approach did you use? The one whose link I posted (StrongVPN)? Or a different approach? It would be immensely helpful to the non-techies amongst us (such as moi) if you could tell us exactly what you did -- like, step by step instructions, and also what firewall you used." }-
I use Symantec Endpoint Security. However, the steps were basically the same as in the link that you posted. In whatever firewall you're using, there should be a screen for configuring firewall rules. If you don't have a firewall yet, other than Windows firewall, you might as well use the one in the link that you posted.
-{ Quote: "I am still in the early stages of my privacy and security education and don't know anything at all about firewalls. When you say you "created three rules", perhaps everyone else here understands what you mean, but I don't know how to create rules in a firewall, and don't know if this is easy or difficult." }-
It's easy. Really.
-{ Quote: "I would like to try some of these approaches and see if I can duplicate JustJohnny's success but right now my computer is in the repair shop." }-
Best wishes :)
hierophant
February 27th, 2010, 07:55 PM
-{ Quote: "Thanks Hiero. I had thought that OpenVPN was a free VPN network, not just software. So I guess UltraVPN is the free network, not OpenVPN." }-
Yes.
-{ Quote: "So if you use XB VPN with OpenVPN, what network can you connect through? Only XB's premium service and TOR? I had mistakenly thought that OpenVPN was another connection option that would be faster than TOR." }-
XB VPN is basically "repackaged" OpenVPN. With XB VPN (essentially OpenVPN) you can connect to the XeroBank premium service. I've never used XB Browser with Tor, and don't know how that works.
-{ Quote: "That's an important issue. Without the TAP adapter icon I don't know if you can use VPNetMon. Did you try uninstalling Ultra?" }-
No, I haven't worked on that further. It might work to uninstall both UltraVPN and XB VPN, and to then reinstall XB VPN.
MrBrian
March 25th, 2010, 01:03 AM
Perhaps ForceBindIP (http://www.r1ch.net/stuff/forcebindip/) would be useful for scenarios in which a separate network connection is used for the privacy service.
-{ Quote: "ForceBindIP is a freeware Windows application that will inject itself into another application and alter how certain Windows Sockets calls are made, allowing you to force the other application to use a specific network interface / IP address. This is useful if you are in an environment with multiple interfaces and your application has no such option for binding to a specific interface.
ForceBindIP works in two stages - the loader, ForceBindIP.exe will load the target application in a suspended state. It will then inject a DLL (BindIP.dll) which loads WS2_32.DLL into memory and intercepts the bind(), connect(), sendto(), WSAConnect() and WSASendTo() functions, redirecting them to code in the DLL which verifies which interface they will be bound to and if not the one specified, (re)binds the socket. Once the function intercepts are complete, the target application is resumed. Note that some applications with anti-debugger / injection techniques may not work correctly when an injected DLL is present; for the vast majority of applications though this technique should work fine.
As of version 1.2, all known functions in WS2_32.DLL that either explicitly or implicitly bind to an interface are intercepted. Please note however that certain programs may still end up using the default interface if they implement connections that do not use the standard winsock functions.
Some programs that have been tested to work with ForceBindIP include DC++, uTorrent, Quake II, Quake III, Diablo II, StarCraft, Internet Explorer, Mozilla Firefox, Google Earth, Infantry, Real Player, Unreal Tournament 2004 (requires -i), Outlook 2000 (requires -i). Programs that do not work include GetRight (anti-debugger / forking techniques), WinCVS (forks cvs.exe)" }-
dumpydonk
April 1st, 2010, 01:10 PM
-{ Quote: "I use various privacy services like TOR, JonDoFox, Hotspot Shield and UltraVPN. But it is very common that I lose the connection to a privacy service during a browsing session. When this happens, my browsing continues, but with no anonymity.
I assume that, when I lose these connections, suddenly my ISP knows where I've been browsing and that's what I want to avoid." }-
I don't understand this at all, I am afraid.
If you are using Tor and Privoxy / Polipo then your browser is set up to route all traffic through default Privoxy / Polipo port 8118 whose file is set up to route traffic through Tor port 9050.
If Tor fails then no traffic is sent. You can try this by cancelling Tor using the Vidalia GUI and all browsing traffic will stop and web pages will no longer be found.
Right?
gumbyy
June 7th, 2010, 01:07 PM
-{ Quote: "I don't understand this at all, I am afraid.
If you are using Tor and Privoxy / Polipo then your browser is set up to route all traffic through default Privoxy / Polipo port 8118 whose file is set up to route traffic through Tor port 9050.
If Tor fails then no traffic is sent. You can try this by cancelling Tor using the Vidalia GUI and all browsing traffic will stop and web pages will no longer be found.
Right?" }-
Thanks dumpydonk. It's good to know that Tor has no problem. Perhaps I shouldn't have mentioned Tor in my original post, since I haven't used it in a long time and am now really just interested in securing VPN connections.
gumbyy
June 7th, 2010, 01:46 PM
-{ Quote: "OK, I've confirmed that the firewall approach works for me. After connecting to XeroBank, I created three rules: (1) block all traffic; (2) permit LAN traffic; and (3) permit traffic to/from the XeroBank entry IP. After disconnecting from XeroBank, I had no internet connectivity. With Wireshark on the physical NIC, I could see packets addressed to various external IPs, and I could see in the firewall log that all non-LAN traffic had been blocked.
Perhaps that's not surprising. OTOH, if it really is that simple, I'm left wondering about rationales for the other approaches. Is it that some don't trust firewalls?
Edit: Or is it that providers prefer approaches that don't involve users configuring firewalls?" }-
Hi Hierophant and others. Sorry to bring back this old thread from the dead.
I've been busy and have just gotten around to trying to set up the firewall to make sure that I have no connectivity when my VPN goes dead. I'm running into problems because the instructions at http://www.strongvpn.com/forum/viewtopic.php?id=294 are based on an older version of PC Tools Firewall Plus and in the new version the interface is different.
Moreover, I can't follow StrongVPN's instructions (I don't use Strong VPN, I am just trying to adapt their instructions to the free VPNs I do use) because step 6 says "6. Now click on the "Settings" button in the PC Tools Firewall window.
Select the "Adapters" tab.
StrongVPN Regular - Highlight your "Wan Miniport (IP) - PCTools Driver"
StrongVPN OpenVPN - Highlight your "Tap-Win32 Adapter V9 - PCTools Driver"
Under "Zone" set to Allow All Traffic
Select the "Filtering" tab and uncheck "Application Filtering Enabled"
...because the adapter tab doesn't exist in the new PC Tools Firewall; it seems to have been replaced by a "Networks" tab. But under the Networks tab, there is no TAP adapter listed, just as there is none listed in Network Connections for any of my VPNs except "ItsHidden", which I never use. Not even ItsHidden appears in PC Tools Firewall's Networks tab.
Incidentally, earlier Hierophant and I were puzzled by the fact that installation of UltraVPN seems to make the TAP adapter disappear from Network Connections. I think I have found it, but it's not called TAP adapter, it's called Local Area Connection 6 and it's listed under "LAN or High speed internet" category in XP Network Connections, not the Virtual Private Network category where it ought to be. When I hover my mouse over Local Area Connection 6 a box appears with the words "TAP-Win32 adapter V9". I only have this one TAP adapter even though I have about 4 free VPNs installed on my system.
Anyway, the VPNs I have that are based on OpenVPN -- e.g., UltraVPN and ProXPN -- I am not worried about since by default they seem to display the behavior that Hierophant noted before -- when you lose the VPN connection there is no connectivity until you manually select Disconnect.
The problem is Hotspot Shield. I don't think it is an OpenVPN app -- I don't know what kind of protocol it uses. But I do know that when it accidentally disconnects, the computer still has connectivity, which is what I want to prevent. So I would love to set up a firewall just for Hotspot to make sure there is no connectivity when it disconnects. I use Hotspot a lot because it seems faster than the other free VPNs.
But as you can see, I've run into problems with the instructions I found online. So I'd like to use Hierophant's simple approach of creating 3 rules, but I need more info.
Hierophant wrote:
(1) block all traffic; (2) permit LAN traffic; and (3) permit traffic to/from the XeroBank entry IP.
But PC Tools firewall Plus needs more info than that. To create a rule, I have to go through a series of multiple choice questions such as:
Check: "where the ethernet type is"
click below on "Undefined" and select "IP"
click on "where the remote ip is"
click below on "Undefined" and in the "Match Remote IP address" window enter the IP from step 1 and click "OK".
Click "Next" and on select "Allow"
There are even more choices to make: 'where ethernet type is' can be IP, IP V6, IP V4, 802.1x, ARP, Customize or Other. So how can I follow Hierophant's 3 step process with the PC Tools firewall?
Would be very grateful if Hierophant or someone else would elaborate and give something like step by step instructions for creating these simple rules.
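To make the three rules Hierophant describes concrete, here is an added example (my own code, not anything from this thread, PC Tools or XeroBank) that models a first-match firewall rule set the way most personal firewalls evaluate it, with the remote address being whatever the physical adapter sees. The LAN range 192.168.1.0/24 and the VPN entry address 203.0.113.5 are constructed placeholders; substitute your own. It shows the one thing the GUI wizard will not tell you: the two permits have to sit above the catch-all block, or the block matches first and even the VPN itself can no longer connect.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Added example: a minimal first-match rule evaluator, not any vendor's engine.


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "block"
    remote: Optional[str] = None  # host or CIDR the remote address must be in; None = any
    direction: str = "both"       # "in", "out" or "both"


def matches(rule: Rule, remote_ip: str, direction: str) -> bool:
    """True when the packet's direction and remote address fall inside the rule."""
    if rule.direction not in ("both", direction):
        return False
    if rule.remote is None:
        return True
    # ip_network("203.0.113.5") is a /32, so a single host works the same as a CIDR.
    return ip_address(remote_ip) in ip_network(rule.remote, strict=False)


def decide(rules: List[Rule], remote_ip: str, direction: str) -> Tuple[str, str]:
    """First matching rule wins. With no catch-all the evaluator denies by default."""
    for rule in rules:
        if matches(rule, remote_ip, direction):
            return rule.action, rule.name
    return "block", "implicit-deny"


def kill_switch_rules(lan_cidr: str, vpn_entry_ip: str) -> List[Rule]:
    """Hierophant's three rules in the order a first-match engine needs them."""
    return [
        Rule("permit LAN", "allow", lan_cidr),
        Rule("permit VPN entry", "allow", vpn_entry_ip),
        Rule("block all", "block"),          # must be last: it matches everything
    ]


def misordered_rules(lan_cidr: str, vpn_entry_ip: str) -> List[Rule]:
    """The same three rules with 'block all' first: nothing, including the VPN, gets out."""
    return list(reversed(kill_switch_rules(lan_cidr, vpn_entry_ip)))


if __name__ == "__main__":
    # Constructed addresses: a LAN, a VPN entry node and an arbitrary web server.
    good = kill_switch_rules("192.168.1.0/24", "203.0.113.5")
    bad = misordered_rules("192.168.1.0/24", "203.0.113.5")
    for ip in ("192.168.1.1", "203.0.113.5", "93.184.216.34"):
        print(ip, "ordered:", decide(good, ip, "out"), "misordered:", decide(bad, ip, "out"))
```

Because the rules match on the remote address rather than on names, they also stop traffic that never consults DNS, which is the case Lyx raises later in the thread about BitTorrent peers addressed by numeric IP.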
nightrace
June 7th, 2010, 08:28 PM
Besides VPNetMon there is also VPNCheck http://www.jothodesign.com/vpncheck/
For French speakers there is VPN Lifeguard http://sourceforge.net/projects/vpnlifeguard/
Some VPN providers such as Mullvad have custom clients that address this issue. I believe MetroPipe does as well.
herr
October 13th, 2010, 05:47 PM
Just get a good piece of vpn software that works. The one I like is VPN4all.com it starts on reboot and shuts down all your internet if the connection breaks. Not complicated and cheap.
The problem with free services is that you have to be a techie to deal with stuff like this. Rather pay a few bucks and get it right.
Frank648
October 14th, 2010, 05:18 PM
I hope, this fits in here.
Checking the IP during TOR-connections, it will change.
I assume to see the ExitNode IP?
Do the EntryNode and the 'man in the middle' also change?
Question is:
Do I blow my anonymity when TOR changes its IPs?
I have noticed two things:
- logged into a Forum, I move around without noticing the IP change.
- logged into a Forum, I am still connected to that Forum but have to login again after an IP change.
Is my original IP revealed at any time?
JustJohnny
October 24th, 2010, 06:22 PM
I just tested out Lyx's method of deleting the entry in the routing table, and it does indeed work. It also seems like a fairly solid method without much room for error. The way I tested this was by setting up a Torrent to download (a legal Linux iso ;)) after I was connected to my VPN. I am using a PPTP-based VPN, but I assume this should be the same thing for OpenVPN. Then I unplugged the cable from my router that links to the cable modem. After about 45 seconds the VPN connection was dropped. At that point I reconnected the cable. After a short while I could see the Torrent had started downloading again, but this time over my ISP's connection and hence with my real IP. This is not what we want.
So I disconnected from the VPN, stopped the Torrent and set everything back to normal. Now I reconnected again. This time after I was connected to the VPN I executed the command to delete my default route to my router. This had no effect on the VPN connection, and I was able to restart the Torrent, no problem. Now I unplugged the internet connection from my router once again. As before the VPN connection was dropped after about 45 seconds. I plugged it back in. However, this time, the connection did not revert back through my ISP. BitTorrent stalled and I was not able to browse the web or ping any addresses (named or by IP). I then added the default route back in and after that I could connect to the internet again through my ISPs connection. I repeated this whole process again, but instead of unplugging the cable I merely disconnected from the VPN by right-clicking on the icon. Again, the connection was totally dead until I manually restored it. So as far as I can tell, this method is rock solid. Very nice.
I have written some simple batch scripts to do this automatically, which will probably be helpful for people that aren't comfortable with the command-line. It's also easier in general, so there is no reason not to use them. However, make sure you edit them to reflect your default gateway (aka your router) as it might have a different IP. In the script below I used "192.168.1.1" as that is common, but yours might be "192.168.2.1" depending on your brand of router. You can see how this should look by typing in a command window:
route print
Near the top you should see something like:
Destination: 0.0.0.0
Netmask: 0.0.0.0
Gateway: 192.168.1.1
Interface: 192.168.1.10
It is important that both destination and netmask are "0.0.0.0". Gateway is what you are looking for (this is your router that then links to the internet). Interface will be your LAN IP. So what it says for Gateway is the IP that should be in the script below. Open Notepad and copy-paste the following code and then save with the appropriate name (*.bat). To run it you *must* right-click and do "Run as Administrator" (Vista and 7). On XP you can probably just double-click.
RouteKill.bat
@echo off
REM Remove the default route through the physical router. Edit the gateway IP to match "route print".
echo Killing Default Route
route delete 0.0.0.0 192.168.1.1
RouteRestore.bat
@echo off
REM Put the default route back so the machine can reach the internet without the VPN.
echo Restoring Default Route
route add 0.0.0.0 MASK 0.0.0.0 192.168.1.1
So just to be clear: you connect to the VPN as normal. Then you run "RouteKill.bat". Now you are protected. If the VPN drops you should be safe. Once you want your internet back, run "RouteRestore.bat". Seems to work well for me. Like I said before, I am using PPTP but I think it should work for OpenVPN as well. If anyone else wants to test this, please do so and let me know.
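The batch scripts above hard-code the gateway, and the post asks the reader to find it by eye in "route print". As an added example (my own, not JustJohnny's scripts), the following Python reads that output and generates the two commands for the physical router's default route. The route table text is a constructed sample of the Vista/7 layout with a PPTP tunnel up, so there are two 0.0.0.0 rows: the router's and the VPN's own On-link one, which is exactly the case where picking the wrong line would cut the tunnel instead of the leak path. When more than one candidate remains, the caller's LAN interface address (the "Interface" column the post points at) disambiguates.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (an assumption about the layout, not captured from a real host):
# the IPv4 table of "route print" on Windows 7 while a PPTP VPN is connected.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10     25
          0.0.0.0          0.0.0.0         On-link        10.8.0.6     21
         10.8.0.6  255.255.255.255         On-link        10.8.0.6    276
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link    192.168.1.10    281
      192.168.1.1  255.255.255.255         On-link    192.168.1.10    281
===========================================================================
"""


@dataclass
class DefaultRoute:
    gateway: str    # next hop, or "On-link" when the route is directly connected
    interface: str  # local address of the adapter the route leaves through
    metric: int


# A default route is a row whose destination and netmask are both 0.0.0.0.
DEFAULT_ROW = re.compile(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def find_default_routes(route_print_text: str) -> List[DefaultRoute]:
    """Return every default route row in the IPv4 section of 'route print'."""
    routes = []
    for line in route_print_text.splitlines():
        m = DEFAULT_ROW.match(line)
        if m:
            routes.append(DefaultRoute(m.group(1), m.group(2), int(m.group(3))))
    return routes


def physical_default_route(routes: List[DefaultRoute],
                           lan_interface_ip: Optional[str] = None) -> Optional[DefaultRoute]:
    """Pick the default route that goes via the router on the physical NIC.

    On-link rows have no gateway, so they cannot be the router. If several
    gateway rows remain (two NICs, or a VPN that adds a gateway of its own),
    the LAN interface address chooses; ambiguity yields None rather than a guess.
    """
    candidates = [r for r in routes if r.gateway.lower() != "on-link"]
    if lan_interface_ip is not None:
        candidates = [r for r in candidates if r.interface == lan_interface_ip]
    return candidates[0] if len(candidates) == 1 else None


def route_commands(route_print_text: str,
                   lan_interface_ip: Optional[str] = None) -> Tuple[str, str]:
    """Return the (kill, restore) command pair for the physical default route."""
    route = physical_default_route(find_default_routes(route_print_text), lan_interface_ip)
    if route is None:
        raise ValueError("could not identify a single physical default route; pass your LAN interface IP")
    kill = f"route delete 0.0.0.0 {route.gateway}"
    # Restoring with the original METRIC keeps the route ordering Windows had before.
    restore = f"route add 0.0.0.0 MASK 0.0.0.0 {route.gateway} METRIC {route.metric}"
    return kill, restore


if __name__ == "__main__":
    # On a real machine replace SAMPLE_ROUTE_PRINT with the output of: route print
    for cmd in route_commands(SAMPLE_ROUTE_PRINT):
        print(cmd)
```

The generated commands are the same two the batch files run; the difference is that the gateway and metric come from the table instead of from an edit the reader may forget to make.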
DasFox
November 11th, 2010, 01:43 AM
-{ Quote: "Bloody hell this is like reading a Japanese forum, I have no idea what you guys are about. I thought by connecting to XeroBank's VPN I was as safe as houses and anonymous!! After reading this thread I'm bloody confused.." }-
The way I'm seeing this it's not that complicated, you're just trying to prevent your DNS from leaking and getting connected to your ISP if the VPN connection dies.
-{ Quote: "Instead of reading endless dribble of longwinded posts in here I can narrow a solution down for you to just one simple word. "Firewall"" }-
Yep...
Also I'm not a networking guru, networking has been a bit of a weakness, but I see it one way here.
1. We want to stop DNS from leaking.
2. We want to keep ourselves protected from a dropped VPN connection.
Ok the way I see this, it's real simple, but maybe I'm wrong so if I am I'd like to have someone point this out.
1. Get a primary and secondary DNS from your VPN and use those, now no more DNS leak.
2. In the TCP/IP assign it to a fake IP.
Bingo, from what I now see, I've stopped a DNS leak and if my VPN dies, I'm not getting online because of the fake IP...
hierophant
November 11th, 2010, 04:38 AM
@DasFox
OK, here's an experiment. Secure your VPN interface as you prefer. Then terminate the VPN connection, and kill the OpenVPN daemon. Test by browsing http://www.google.com. That, of course, should time out. Google IPs such as 66.102.7.99 should also time out. If they don't, your VPN isn't secure.
DasFox
November 11th, 2010, 07:06 PM
-{ Quote: "@DasFox
OK, here's an experiment. Secure your VPN interface as you prefer. Then terminate the VPN connection, and kill the OpenVPN daemon. Test by browsing http://www.google.com. That, of course, should time out. Google IPs such as 66.102.7.99 should also time out. If they don't, your VPN isn't secure." }-
So what I said works right? I don't see why it wouldn't?
Also forgot to mention use a software firewall and have it only allow outbound on the VPN...
In regards to DNS leaks is just using the DNS provided by the VPN going to help stop this? You're assigning the DNS you want, but is there a way for the real DNS to appear or no? As long as you assign a primary and secondary DNS from the VPN then you are good or is the ISP DNS still going to appear?
THANKS
hierophant
November 11th, 2010, 07:22 PM
-{ Quote: "So what I said works right? I don't see why it wouldn't?
Also forgot to mention use a software firewall and have it only allow outbound on the VPN..." }-
OK. Unless you block outbound with a firewall, you can connect to numeric IPs, even with no accessible DNS server, or local DNS cache.
-{ Quote: "In regards to DNS leaks is just using the DNS provided by the VPN going to help stop this? Your assigning the DNS you want, but is there a way for the real DNS to appear or no? As long as you assign a primary and secondary DNS from the VPN then you are good or is the ISP DNS still going to appear?" }-
All interfaces other than the VPN need to be static. Otherwise, they'll get DNS servers from the local DHCP server.
-{ Quote: "THANKS" }-
De nada.
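Hierophant's experiment (drop the VPN, then check that both a hostname and a bare IP time out) and his follow-up point that numeric IPs still connect when only DNS is broken can be turned into a repeatable check. The script below is an added example, not something posted in this thread; the probe IP 66.102.7.99 is the one Hierophant named and is used here only as a default to replace with any host you know answers on port 80, and the hostname is a placeholder. Run it with the VPN deliberately disconnected: "sealed" is the only result that means the kill switch works, "dns-leak" means the resolver is still reachable, and "ip-leak" means traffic addressed by number leaves regardless of DNS. The probes are injectable so the classification can be exercised without a network.

```python
import socket
from typing import Callable, Dict

# Added example. These defaults are assumptions: substitute a host you know
# answers on port 80 and a name you have not resolved recently (a cached answer
# does not prove the resolver was reached, which is the local-cache caveat above).
DEFAULT_PROBE_IP = "66.102.7.99"          # the address Hierophant used in his experiment
DEFAULT_PROBE_NAME = "www.example.com"    # placeholder hostname for the DNS probe


def tcp_connect_probe(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. packets are leaving."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # timeout, unreachable, refused: nothing got through
        return False


def dns_probe(name: str) -> bool:
    """True if the name resolves, i.e. some resolver (or a cache) answered."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def verdict(dns_ok: bool, ip_ok: bool) -> str:
    """Classify the two probe results the way the thread reasons about them."""
    if ip_ok:
        return "ip-leak"     # a route or firewall rule is missing; DNS state is irrelevant
    if dns_ok:
        return "dns-leak"    # TCP is blocked but lookups still reach a resolver
    return "sealed"


def check_egress(probe_ip: str = DEFAULT_PROBE_IP,
                 probe_name: str = DEFAULT_PROBE_NAME,
                 connect: Callable[[str], bool] = tcp_connect_probe,
                 resolve: Callable[[str], bool] = dns_probe) -> Dict[str, object]:
    """Run both probes with the VPN down and return the raw results plus a verdict."""
    dns_ok = resolve(probe_name)
    ip_ok = connect(probe_ip)
    return {"dns": dns_ok, "ip": ip_ok, "verdict": verdict(dns_ok, ip_ok)}


if __name__ == "__main__":
    # Disconnect the VPN first; then every field here should be False / "sealed".
    print(check_egress())
```

Two runs are worth doing: one right after the VPN drops, and one after reconnecting the physical link, since JustJohnny's test above shows that the leak appears only once the underlying connection comes back.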
DasFox
November 11th, 2010, 09:16 PM
-{ Quote: "OK. Unless you block outbound with a firewall, you can connect to numeric IPs, even with no accessible DNS server, or local DNS cache.
All interfaces other than the VPN need to be static. Otherwise, they'll get DNS servers from the local DHCP server.
De nada." }-
You actually don't need any firewall if you put in a fake IP, you're not getting online. 'Use the following IP address', isn't using DHCP....
You can't connect if you've given a FAKE static IP, I'm not talking about a real static IP.
I'm just saying in the TCP/IP preferences on a Windows machine, in the section;
'Use the following IP address'
Give it some fake IP in case you drop the VPN and you're not getting online...
So now, what's wrong with this approach? Seems like everyone is trying to make it like you have to go through some complicated procedure to protect against a drop and to me this looks pretty simple like what I've explained above...
1. So if you use DHCP, then 'Use the following IP address' and put in a fake IP.
2. If you happen to use a static IP and not DHCP, then also put in a fake static IP.
3. Either way, with 1&2 above, giving a fake ip, you're not getting online...
hierophant
November 11th, 2010, 11:15 PM
-{ Quote: "So now, what's wrong with this approach? Seems like everyone is trying to make it like you have to go through some complicated procedure to protect against a drop and to me this looks pretty simple like what I've explained above...
1. So if you use DHCP, then 'Use the following IP address' and put in a fake IP.
2. If you happen to use a static IP and not DHCP, then also put in a fake static IP.
3. Either way, with 1&2 above, giving a fake ip, you're not getting online..." }-
OK, I see what you mean. Sure, if you break an interface's TCP/IP by using a bogus static IP that's not on the same network segment as your gateway, you won't connect through it.
DasFox
November 12th, 2010, 03:17 AM
-{ Quote: "OK, I see what you mean. Sure, if you break an interface's TCP/IP by using a bogus static IP that's not on the same network segment as your gateway, you won't connect through it." }-
Yeah I know you're not going to connect, so this is why I didn't understand why everyone was making this so complicated and Steve's video also about stopping DNS leaking with that video to correct all this which seemed like overkill...
So now as far as DNS leaking, all you have to do is use the DNS from the VPN correct and your DNS is not exposed?
THANKS
hierophant
November 12th, 2010, 10:55 PM
Have you actually done that? That is, have you established the VPN, and then assigned a bogus IP address to the physical NIC? Upon reflection, I suspect that breaking TCP/IP like that would also hose the VPN. It's one thing to trash DNS, because the VPN doesn't need DNS once it's established, but it's another to assign an unworkable IP to the computer.
DasFox
November 13th, 2010, 02:01 AM
-{ Quote: "Have you actually done that? That is, have you established the VPN, and then assigned a bogus IP address to the physical NIC? Upon reflection, I suspect that breaking TCP/IP like that would also hose the VPN. It's one thing to trash DNS, because the VPN doesn't need DNS once it's established, but it's another to assign an unworkable IP to the computer." }-
LOL, what a bonehead I was to think this... :blink:
Ok back to the drawing board... :argh:
Lyx
November 20th, 2010, 04:55 PM
-{ Quote: "The way I'm seeing this it's not that complicated, you're just trying to prevent your DNS from leaking and getting connected to your ISP if the VPN connection dies.
Yep...
Also I'm not a networking guru, networking has been a bit of a weakness, but I see it one way here.
1. We want to stop DNS from leaking.
2. We want to keep ourselves protected from a dropped VPN connection.
" }-
I will try it, because in that matter I think only experiments matter. But I'm not convinced by the DNS trick in preventing any traffic outside your VPN when your VPN connection drops.
Because (as already noticed by Hierophant) what if you are torrenting, or using any P2P apps which connect to other peers using numeric IPs directly, without DNS translation?
What is the purpose of preventing DNS leakage when DNS is not used by the apps you are running?
In case your VPN connection drops, isn't it possible for your system to connect to your ISP, for example if your connectivity to your ISP only uses a numeric IP?
DasFox
November 21st, 2010, 06:38 PM
-{ Quote: "I will try it, because in that matter I think only experiments matter. But I'm not convinced by the DNS trick in preventing any traffic outside your VPN when your VPN connection drops.
Because (as already noticed by Hierophant) what if you are torrenting, or using any P2P apps which connect to other peers using numeric IPs directly, without DNS translation?
What is the purpose of preventing DNS leakage when DNS is not used by the apps you are running?
In case your VPN connection drops, isn't it possible for your system to connect to your ISP, for example if your connectivity to your ISP only uses a numeric IP?" }-
Well you can put in a different DNS like from OpenDNS or Comodo and if the connection drops and you connect to your ISP you are still going to be on that DNS but you'll be back on your IP, so I don't see much advantage here...
JustJohnny
November 22nd, 2010, 10:21 PM
There is an easy way to avoid DNS leaks, just set the default DNS server to "0.0.0.0". Then all DNS queries will go through your VPN, if possible, and if the VPN drops they go nowhere. Unfortunately the Windows GUI will not let you do this, but you can using the "netsh" command. I found some batch scripts on the Perfect-Privacy forum that do this for you. They are designed for use with PPTP VPNs, but I think you could probably edit the scripts a little and have them work with OpenVPN. The thread is here:
https://forum.perfect-privacy.com/showthread.php?t=1265
If you go to the end of the thread you will see I posted edited versions which work with Vista 32-bit. The files in the original post do not work with Vista 32-bit, I haven't tried them on any other OS. If you are having problems, try my versions. I am fairly sure these scripts work 100% to plug DNS leaks, at least with PPTP.
However, you still have to make sure your connection stays down, as even with no DNS you could still be exposed by traffic that is using straight IP addresses. You can try the scripts I posted earlier in this thread (based on Lyx's method) which will kill the route to your default gateway in your routing table. This forces all traffic through the secure tunnel. If the tunnel drops there is nowhere to go. I have tested this combination of scripts and I am pretty sure they are working. Feel free to test them yourself.
lotuseclat79
November 24th, 2010, 10:25 AM
If you obtained your router from your ISP, it is likely that the router has DNS primary and secondary table entries for its own DNS servers. If the ISP supplies documentation on your router, then look at it and log into the router via the admin password you should have been given when your installation took place.
Then you can change the router's default DNS servers (primary and secondary) to whatever you like, e.g. OpenDNS. That should assure you that when you are using client software like Tor with a browser such as Firefox, where in about:config you can see that network.proxy.socks_remote_dns is true when using the Torbutton plugin, your ISP will never see a DNS leak then or otherwise. However, the website to which you have set your DNS (primary and secondary) servers would see any leaks if they occurred.
-- Tom
Copyright ©2002 - 2012, Wilders Security Forums