Privacy problems during bootup?

There are lots of ways to "skin a cat" so I am looking for opinions and options here. Not everyone will agree with all ideas but I'ld like to hear yours.

Scenario: I am booting up a laptop and going to connect to the router on my encrypted private network. I use a VPN tunnel connection on this machine and would like NO exceptions unless I MANUALLY override that configuration. I currently use the machine in question for my surfing and posting activities.

However; it has dawned on me that the AV programs, sometimes the windows OS, etc... will jump on the network's IP directly from my ISP and some software updates will happen during boot up. Once booted up I click on the VPN client and then I am gone from observation as far as my ISP knows (except they see the server connection - duhhh). My VPN software client "locks down" the tunnel and removes the default route out of the machine so that a lost connection will NOT allow data up or down except in the tunnel - period. Thats all good, but first I have to boot up to gain access to the tunnel. Software updates during bootup are not a huge risk for my threat model, but they are a loose end I'ld like to close up if I can do so without huge difficulties.

So there is my concern. I am running windows and on this machine I am using PrivateFirewall. Recommendations for how to lock down during boot?

I know I can turn off auto updates on the software but then I'ld have to manually keep triggering the various programs to update. If they were not online until I get in the tunnel it would be much better in my opinion.

How would you recommend locking down the machine during boot up as described above. I will still need internet access to grab the VPN tunnel.

 

Random thoughts:

Run the VPN connection on your router. AirVPN supports DD-WRT, for example.

Set rules in your firewall to only allow traffic through the VPN. Maybe a global rule blocking TCP and UDP OUT to every IP *but* your VPN provider's 10.x range. Comodo can do this easy, with the 'Exclude' switch and also offers a 'Block all traffic' option.

PD

 

Some nice thoughts Pauly Defran.

Much of the time the router is used with the normal IP connection. Most of the network computers run on the vanilla IP provided by the ISP. I can't use the router approach then because it would lock down the connection for those machines outside of the VPN (which is most of them).

The Firewall rules would be somewhat easy IF the computer was always connected. My issue is I need the normal connection to get to the VPN server where I create and enter the tunnel.

It looks like I will simply turn off the auto update features on a few software programs and then launch their respective updates manually when I get in the tunnel. This will help the laptop in question from ever handshaking with the outside world except via VPN.

 

If you go into the OpenVPN log for your connection, you can get the IP addresses for the VPN server(s) you are connecting to and also allow that(them) as well, with the Global Deny rule. I think that will work. With Comodo it would be something like:

Block all TCP and UDP Out *except* ('Exclude' box in Comodo) 123.456.789.x *and* 10.x.x.x.

I *think* that may work

PD

 

Palancar,

Judging by your numerous informative posts at Wilders on the subject of VPNs, I have my doubts whether the following suggestion will add anything new. Still...

It might be worthwhile to consider conducting your private internet activities using a Virtual Machine. As explained in kb 833134, its possible to set up a VM connection such that "The virtual machine appears and behaves like a separate physical computer on the same network.", i.e., with a different DHCP or static NAT IP address than your physical machine.

You could add and remove your VM network connection settings as an element of your private internet connection SOP. Net result, your private VM internet connection activities aren't tied to the insecure, boot up, internet connection activities of your physical machine.

Regards.

__

 

PaulyDefran and S. B.,

Those are both good suggestions.

S.B. --Hmmmm may look into that VM approach. I have a half dozen already built and ready to go. I use them when I don't want to be on the radar. LOL!!

PaulyDefran ---I like the suggestion for locking down the firewall to the IP's out to the server. Would that approach keep windows OS from calling home for updates upon bootup? I guess since I haven't logged into the server during the boot process the OS and my AV programs couldn't actually call out. Simple on paper. Can't believe I never thought of that.

Any PF users here doing something like this on their machines? Always happy to gain from others that have traveled the road ahead of me. I"ll post back if I get this working. Don't have the time to tear it apart today.

 

I was on a public Wifi connection the other day and tried it out and it *seemed* to work. The only problem (and this shouldn't apply to your home connection) was that initially, I needed access to the Hotspots's router to get a DHCP address and click OK on their browser access page. After I did that, I created the Global Rules in Comodo to only allow outbound to the VPN server address, and then the VPN private address space and everything seemed to work. Now that I think about it, I may have also created an allow rule to the hotspot's router, which was 192.168.6.1.

So, if you travel, maybe 3 rules:

Out only to any hotspot router (I assume they will all be 192.168 addresses)
Out only to the VPN Server
Out only to the VPN private address range

I'd need to play with it more for free wifi spots, but at home, these rules should definitely work.

It should be easy to test...shut down the VPN and try to ping something or run Windows update.

PD