How to keep from blowing your anonymity when you lose the VPN or Tor connection?

Discussion in 'privacy technology' started by gumbyy, Feb 7, 2010.

Thread Status:
Not open for further replies.
  1. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Cool. Thanks!
     
  2. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Thanks for that info, Zero2008. I was going to suggest that it would be great if someone made a small app that could do all this automatically. But I have one question:

    VPNetMon shuts down your browser when it detects that the VPN has disconnected. But isn't it already too late? As soon as the VPN disconnects, aren't the URLs you were browsing instantly logged by your ISP? Before VPNetMon can shut your programs down?
     
  3. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    It's simple. Just use a software firewall to control outbound connections.
     
  4. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    How do you do that, arran? Which (freeware) firewall can you use to do this and how do you configure it?
     
  5. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    That doesn't seem to be problematic for XeroBank when the VPN connection (rarely) drops, because the TAP adapter seems to retain routing priority. VPNetMon would have killed the program(s) of concern before you reset the connection. YMMV with other VPNs and anonymity services.

    However, VPNetMon might well be too slow if you unthinkingly terminated the VPN connection. In that case, the TAP adapter would immediately lose routing priority (having been disconnected). Having nonfunctional TCP/IP on the physical NIC -- either by specifying a bogus DNS server, or by deleting the route -- would protect you while VPNetMon did its thing.

    There is another issue that I haven't mentioned (as I recall, anyway). At any given time, there may be many processes automatically accessing the internet -- OS and app updaters, time synchronization, email clients, IM clients, IP checkers, etc. Depending on your level of paranoia, you may want to do some or all of that manually. Indeed, you may want to restrict some access to your true IP, and some to your VPN IP.
     
  6. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33
    I have deleted the route and also succeeded, but if I check netstat -r after some time, the route has come back. Is it because of DHCP?
    Does this happen to you too, guys?

    Even though the route has come back, the IP isn't leaked. I have checked it with a generated torrent file which runs in your torrent application, and you can go and check the reported IP on this website: http://www.checkmytorrentip.com/#

    This tip and one more are also introduced there, which, I think, is what Steve's technique does.

    Copied directly from there:

    A couple more points.

    You may need to set a static local IP address if you have flaky wireless. Otherwise if you briefly lose your wireless connection (and therefore local IP address) while on VPN and your VPN doesn't drop, when your PC reconnects back to your wireless, your original route will automatically be added, and so even though you deleted it, it'll pop back up. So in the Control Panel under networking, turn off DHCP and assign the 192.168.0.8 address manually. That way that route will never be added back unless you add it yourself.

    After you manually add your routes back, it may take some time before DNS works again. I've never figured out why the delay, so sometimes it's faster to reboot your computer after you lose the connection (this is why VMWARE is so much easier).

    Tip 1: Create .bat files with the route add/del commands in it, that way you can just click a short cut.

    Tip 2: Also create a shortcut to cmd with this Target: %SystemRoot%\system32\cmd.exe /k "netstat -R" . That way you never have to go to Start->Run->cmd->netstat -R each time you want to check your routes.

    Tip 3: Use a virtual machine (like vmware) to connect to a VPN, that way your normal day to day traffic won't be affected.

    Are you using a virtual machine, hierophant?
     
    Last edited: Feb 17, 2010
  7. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Right now, I'm not. I'm just using XeroBank on a Win XP box. When I want to be especially anonymous, I use a Win XP VM -- residing on a TrueCrypt volume and running in VMware Player -- and tunnel other anonymity services through XeroBank. I've also used Linux VMs in that way. And lately, I've been playing with a Win 7 VM in Win Server 2008 Hyper-V, accessed via Remote Desktop. I do think that VMs are the way to go, because you can sandbox activities (work/play/finances) and identities.
     
  8. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    This is going way over my head. I don't even know what a TAP adapter is... Also, does Xerobank have this fine functionality when used with TOR or only when used with Xerobank's premium VPN?

    Hierophant, can you explain exactly how to specify a bogus DNS server? Is that in itself a simple solution to this problem? Deleting the route is a function of netstat -R, I suppose. But I have deleted the route with Netstat -R and still had internet connectivity when the VPN quit. But I'm not sure I did it correctly.

    Regarding VPNetMon, this page (http://vpnetmon.webs.com/) says "For running VPNetMon you need a VPN connection created already in the Network preferences."

    But Hotspot Shield and UltraVPN aren't set up in Network Preferences. You start them with an icon in the system tray. I wonder if there's a way to set them up in Network Prefs.

    This is all so complicated. Is it possible to just run VMWare with your VPN and does this protect you from the disconnection perils as well as the Flash and Java perils? I will admit I don't know anything about VMWare and have never run a virtual machine, so unless it's easy for a non-techie it won't work for me.

    Or if you can do it with a simple firewall setting, that would be great.
     
  9. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33
    gumbyy, if you are using a wireless connection, the route can come back even though you deleted it, as said in the text which I copied from http://www.checkmytorrentip.com/#. However, I also got the route back when I checked it again about thirty minutes after I deleted it, although I have a wired connection. Maybe it's because of my router and DHCP. Since the IP didn't leak to the tracker, both the Xerobank and CryptoCloud clients stopped it, I guess.

    If you used VMware, you would still have to do the same process in your virtual machine, because it runs an operating system in virtual mode. In addition, that machine could leak DNS if you haven't done the settings properly, so I recommend skipping that and using Sandboxie if you want to have a more secure web browser.

    You may choose to try Steve's method, but I cannot say how it's done because I am still learning it myself. Firewall settings might be an option too, but I don't know whether they are easier to configure than setting a static local IP address, or whether they are as effective; it could be the case that the data would still leak if you use a firewall method.

    Edit:

    1. Open the Start menu and select Control Panel
    2. Network Connections

    There you should see, for example, "a TAP-Win32 Adapter V9".

    But according to Hierophant, you should seek your physical adapter, not the virtual adapter.
     
    Last edited: Feb 18, 2010
  10. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    This is really simple, if you don't get distracted by the unfamiliar business of mucking with your computer's networking setup.

    When you use OpenVPN, it creates a virtual TAP-Win32 network adapter on your computer, and connects to a remote network. Via that virtual adapter, your computer is now part of that remote network, with an IP address (e.g., 10.4.*.*) that's dynamically assigned by that remote network's DHCP server.

    In setting up the connection, the OpenVPN script assigns a routing priority to the virtual TAP-Win32 network adapter that's higher than the routing priority of the physical network adapter(s). That ensures that network traffic will use the virtual adapter. BTW, "adapter" and "connection" are sometimes used more-or-less synonymously.

    When the VPN connection is broken, traffic shifts to the functioning adapter with the highest routing priority. That's probably a physical network adapter, with a non-anonymous public IP address.

    If you want to prevent that, you need to disable that connection in some way. We've been discussing two approaches -- (1) assigning a fake DNS server (e.g., 1.0.0.0) to the adapter, or (2) deleting the route that adapter uses to connect to the internet. Either works, and you could do both at the same time.

    However, neither works for very long unless you manually configure TCP/IP on the physical adapter, specifying the IP address, Subnet mask, Default gateway, and DNS servers. Otherwise, the adapter will get all of that from your network's DHCP server, which is typically the broadband modem/router (or a hardware firewall, or perhaps a dedicated server).

    Also, from a security perspective, it's best to (1) manually configure TCP/IP for all computers on your network, (2) assign IP by MAC in your DHCP server, and (3) restrict the IP range appropriately in your DHCP server. Although that's perhaps unworkable for large networks, it's not so bad for homes and small offices.
     
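    An added example, not from this thread or from any of the VPN tools it mentions, that models hierophant's routing explanation in Python: it parses a constructed netstat -r style table, picks a route the way the stack does (longest prefix first, then lowest metric, i.e. highest priority), and shows where traffic goes when the TAP adapter vanishes, with and without the physical adapter's default route deleted first. The addresses, the VPN server host route (203.0.113.10) and the exact routes OpenVPN installs are assumptions for the sample; real OpenVPN route layouts differ.

```python
import re
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the "Active Routes" table that
# netstat -r / route print show on Windows XP. 192.168.0.8 is the physical
# NIC (the address from the quoted tip), 10.4.0.6 the TAP-Win32 adapter and
# 203.0.113.10 an assumed VPN server reached through a host route.
SAMPLE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.8     20
          0.0.0.0          0.0.0.0         10.4.0.5        10.4.0.6      1
         10.4.0.4  255.255.255.252         10.4.0.6        10.4.0.6     30
     203.0.113.10  255.255.255.255      192.168.0.1     192.168.0.8      1
      192.168.0.0    255.255.255.0      192.168.0.8     192.168.0.8     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
"""

PHYSICAL, TAP = "192.168.0.8", "10.4.0.6"

@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    iface: str    # XP lists the adapter by its IP address, not by name
    metric: int

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_LINE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)\s*$")

def parse_routes(text: str) -> List[Route]:
    """Parse route lines; header and separator lines do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append(Route(net, gw, iface, int(metric)))
    return routes

def route_for(routes: List[Route], dest_ip: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric (highest priority) wins."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))

def adapter_down(routes: List[Route], iface: str) -> List[Route]:
    """The VPN drops: every route bound to the TAP adapter disappears with it."""
    return [r for r in routes if r.iface != iface]

def delete_default_route(routes: List[Route], iface: str) -> List[Route]:
    """Effect of `route delete 0.0.0.0 mask 0.0.0.0 <gateway>` on one adapter."""
    return [r for r in routes if not (r.network.prefixlen == 0 and r.iface == iface)]

def egress_status(routes: List[Route], vpn_iface: str, probe_ip: str = "198.51.100.1") -> str:
    """Where would traffic to an arbitrary Internet host (a TEST-NET-2 address) go?"""
    r = route_for(routes, probe_ip)
    if r is None:
        return "blocked"      # no usable route at all: nothing leaves the box
    return "vpn" if r.iface == vpn_iface else "leak"

if __name__ == "__main__":
    live = parse_routes(SAMPLE_ROUTES)
    hardened = delete_default_route(live, PHYSICAL)
    print("VPN up, default config:      ", egress_status(live, TAP))
    print("VPN dropped, default config: ", egress_status(adapter_down(live, TAP), TAP))
    print("VPN up, physical route gone: ", egress_status(hardened, TAP))
    print("VPN server still reachable:  ", route_for(hardened, "203.0.113.10") is not None)
    print("VPN dropped, physical gone:  ", egress_status(adapter_down(hardened, TAP), TAP))
```

    The host route to the VPN server survives the deletion of the physical default route, which is why the tunnel can keep itself up while everything else is left with nowhere to go once the TAP adapter disappears.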
  11. Asus125

    Asus125 Registered Member

    Joined:
    Sep 8, 2009
    Posts:
    33
    WOW, a very good summary :thumb:

    Could you summarise this also? (how it's done) :D
     
  12. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OK, let's say that you have the following devices on your network ...

    00-90-7F-XX-XX-XX 192.168.111.1 Firebox X5 Edge
    00-24-E8-XX-XX-XX 192.168.111.2 Dell R710
    00-24-E8-XX-XX-XX 192.168.111.3 Dell T7500
    00-1F-33-XX-XX-XX 192.168.111.4 ReadyNAS Pro

    The IP address of the Firebox is fixed. You start by listing the MAC address for each device, and deciding what IP address each will have. Then, you enter the MAC-IP pairs in the address reservation table in your DHCP server. In my case, that's the Firebox.

    Once you've done that, and rebooted the DHCP server, you reboot each of the other devices, and verify that they have the right IP addresses. If all is cool, you set 192.168.111.2-192.168.111.4 as the IP address pool in the DHCP server, and reboot it. Now, only the three specified devices can connect to your network. If you wanted to connect another device, you'd assign it 192.168.111.5, add the new MAC-IP pair to the DHCP address reservation table, and set 192.168.111.2-192.168.111.5 as the IP address pool.
     
  13. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Asus,
    99% of the time I am using Wifi. I only rarely have a wired connection. And to help explain why I am interested in this topic, the Wifi at the hotel where I am living now is VERY flaky and is constantly cutting out, then returning a few minutes later. Only seldom do I experience a long, extended, uninterrupted session here.

    I think it was a JonDo webpage that also once mentioned using a Sandbox. But I am only dimly aware of the sandbox concept and don't know how to use them to solve this problem.

    Well, I don't see any TAP-Win32 adapter in my network connections window. And I am using UltraVPN right now, which uses OpenVPN. All I see is "Internet Connection," "Local Area Connection 3" (which I use on those rare occasions when I have plug-in internet) and "Wireless Network Connection."

    Then, below that, under the heading "Virtual Private Network," I have an icon for "ItsHidden," which is a VPN that I set up but have only used once.

    I don't see entries for UltraVPN and Hotspot Shield VPN, which I use a lot. These programs only seem to make their connections known by their icons in the system tray, which change color depending on connection status.

    We really need someone to write a program that will solve this problem automatically! I would volunteer but I don't know computer code from a ham sandwich.
     
    Last edited: Feb 19, 2010
  14. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Okay, but as I mentioned above, I do not see that TAP adapter in my network connections window (I am using XP SP2) although I am using UltraVPN right now.

    Okay, my hotel's normal connection is the Wireless Network Connection in my network connections window, which is a Broadcom 802.11g network adapter. I right click it, choose Properties, Internet Protocol (TCP/IP), Properties...and it is set to Obtain IP and DNS addresses automatically. If I am going to change this I need to know the correct IP address...is that the address I get from the "What is my IP?" websites? I mean when I'm not using the VPN.

    If I enter that IP in TCP/IP properties, then enter a fake (1.0.0.0 as you suggest) DNS server address, is that all I need to do? Will the hotel Wifi connection still be able to access the internet so that I can access my VPN, even with this fake DNS address? And yet NOT be able to access the internet when I unexpectedly lose the VPN connection? Simply by giving it a fake DNS address? Without having to delete the route?

    Perhaps I am not understanding you correctly.

    Thanks, everyone, for your help. It's amazing how many approaches there are to this.
     
  15. yurtus

    yurtus Registered Member

    Joined:
    Feb 20, 2010
    Posts:
    5
    this thread gave me some great insight on a few things. :thumb:
     
  16. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    This is very strange. I just tested UltraVPN on a Win XP SP2 VM. Initially, connected with XeroBank via OpenVPN, I saw the TAP-Win32 Adapter V9 in Network Connections (as I have since installing XeroBank on that VM). After downloading the UltraVPN installer and creating an account, I disconnected from XeroBank and closed OpenVPN. After installing UltraVPN, and connecting, I could see no TAP-Win32 adapter in Network Connections. Even so, running "ipconfig /all" at the command prompt showed both the AMD PCNET Local Area Connection and a TAP-Win32 Adapter V9. Finally, after exiting from UltraVPN, and connecting to XeroBank, I STILL couldn't see a TAP-Win32 Adapter V9 in Network Connections!

    WTF! It appears that UltraVPN has somehow altered the properties of TAP-Win32 Adapter V9 such that it doesn't appear in Network Connections.

    Any ideas?

    No, you don't use the IP address that you get from whatismyip.com -- that is the external internet IP address. What you're setting in TCP/IP properties is the computer's IP address etc. on the local network. You can very likely just use the values that you see initially by running "ipconfig /all" at the command prompt, which were obtained automatically. However, I can't say for sure without knowing how your hotel's network is set up.

    The "fake DNS server" approach prevents your computer from resolving domain names to IP addresses. Given that websites typically use domain names, rather than numerical IP addresses, this should protect your anonymity. However, if you're using software that connects via numerical IP addresses, blocking DNS lookups wouldn't be enough. In that case, deleting the route would be the best approach, I believe.

    With that in mind, and this is crucial, you need to establish the OpenVPN connection before assigning a fake DNS server to your physical Local Area Connection. If your physical Local Area Connection doesn't have a working DNS server, it probably can't establish the OpenVPN connection, because it can't resolve domain names to IP addresses. That's definitely the case with XeroBank. I suppose that one could hack the login script using just IP addresses, but that would probably not be reliable. In the case of XeroBank, each entry domain name resolves to several IP addresses. If you hard coded one of them, you couldn't connect if it were busy or down.

    Perhaps I'm not being clear. It wouldn't be the first time ;)

    Yes, this is a great forum :)
     
  17. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    I believe that Hotspot Shield does the same thing. It also doesn't appear in Network Connections.

    Thanks. I will try this.

    But does this protect me from my ISP knowing where I surf? I mean, won't the ISP still log the domain name, even if they don't log the IP? (I mean if you lose your VPN connection) Domain names can be pretty descriptive, don't you think? They usually indicate the subject matter of the website, and that's something that we want to keep private from the ISP. That's the whole point of this exercise. Also if the ISP has the domain name they can visit the site and see what you are surfing.

    I'm just using the typical everyday programs that everyone uses. Firefox, etc.
     
    Last edited: Feb 21, 2010
  18. JB007

    JB007 Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    18
    Bloody hell this is like reading a Japanese forum, I have no idea what you guys are about. I thought by connecting to xerobanks VPN I was as safe as houses and anonomous!! After reading this thread I'm bloody confused..
     
  19. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    @JB007

    I can imagine that this may be confusing. What we've been discussing are ways to ensure that there are no communications of any kind between your computer and the internet, except for those routed through the encrypted VPN connection. In particular, we've been discussing what happens if the VPN connection goes down, or if you accidentally disconnect.

    Based on my experience with XeroBank, for P2P clients as well as for simple browsing, there is no problem when the VPN connection drops. When that happens, which is rare, your computer simply loses internet connectivity. The OpenVPN tray icon changes from green to yellow, and hovering over it shows a message that it's connecting. However, without intervention, it will never reconnect. I believe that's intentional. Your computer won't regain internet connectivity until you manually disconnect (and perhaps then reconnect to XeroBank).

    When you manually disconnect from XeroBank, starting either with a working connection (green icon) or non-working connection (yellow icon), the icon turns red, and you regain regular non-XeroBank internet connectivity.

    In order to maintain your anonymity, you need to close all applications that are accessing the internet before manually disconnecting from XeroBank. You're protected as long as the icon is yellow, but not when it's red.

    Let's say that you're running a P2P client. You check your computer in the morning, perhaps, and you see that XeroBank has disconnected (yellow icon). When that happened the first time, BTW, I freaked. However, after some testing, I confirmed that my true IP hadn't leaked. Anyway, all you do is shut down the P2P client, disconnect from XeroBank, reconnect to XeroBank, verify that you're anonymized, and then fire up the P2P client.

    So, what we've been discussing is how to block internet connectivity and maintain anonymity even when the VPN is totally disconnected (red icon). That's nontrivial because the VPN connection is in fact using the physical connection, so you need to disable the physical connection in ways that don't prevent the VPN connection from maintaining itself.

    @gumbyy

    Yes, I see that the OpenVPN Tap-Win32 adapter can be hidden in Network Connections. What I don't understand yet is how to unhide it. I gather that one must edit the Registry.

    I'll have more to say re your other questions after some testing.
     
  20. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    Instead of reading endless dribble of longwinded posts in here I can narrow a solution down for you to just one simple word. "Firewall"
     
  21. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Arran,

    The question of whether you can solve this problem with a simple firewall configuration is one that I am very interested in. Can you tell us exactly how you do this? Or give us a link that explains it? I have previously heard some people assert that a firewall will do the trick, but others say it won't.
     
  22. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Hiero,

    I did not realize that you could use Xerobank with OpenVPN. Googling it, I see that there are two ways:

    XB Portable OpenVPN:
    https://www.wilderssecurity.com/archive/index.php/t-178149.html

    Or XeroBank for OpenVPN:
    http://support.xerobank.com/wiki/doku.php?id=using_openvpn_instead_of_xb_vpn

    Which of these two ways do you recommend? I don't have OpenVPN installed now, unless perhaps UltraVPN installed OpenVPN as part of its installation.

    I would love to try Xerobank with OpenVPN. Also I get confused sometimes--when we refer to Xerobank do we mean Xerobank's VPN or the XB Browser? When you referred previously to Xerobank not having this problem with losing your anonymity when the VPN disconnects, were you referring to Xerobank used with OpenVPN, with TOR, or with Xerobank's premium VPN?

    You seem to be saying that using Xerobank browser with OpenVPN solves this disconnection-anonymity problem without having to enter baffling ip codes and issue complex command line gobbledygook. If that's the case I will just use Xerobank exclusively.

    I've had some troubling experiences with Ultra. A few days ago, the Ultra icon was green, indicating I was connected, but the "what is my ip?" websites were all showing my local IP!

    And Hotspot is a royal pain. It tries to prevent you from connecting to Google and often hijacks whatever page you're on and takes you to some Anchorfree page.
     
  23. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    @gumbyy

    I apologize for the confusion. By "XeroBank", I mean the paid XeroBank service, using its own network, not Tor. The XeroBank installer includes both XB VPN and XB Browser. The XB VPN client uses OpenVPN. Although one can connect to XeroBank using straight OpenVPN, I haven't done that. Also, although the XB Browser is a secured version of Firefox, one can use any browser.

    Although UltraVPN also uses OpenVPN, it configures it differently than the XeroBank installer does. In particular, it sets a flag somewhere that hides the TAP adapter. I don't know how to undo that. Uninstalling UltraVPN might do it. If not, it might require editing the Registry. I plan to play with it when I have time. Perhaps someone who knows OpenVPN could comment.

    Regarding Xerobank and the disconnection-anonymity problem, I know that there is no apparent internet connectivity after the XeroBank OpenVPN icon turns yellow and reports that it's connecting (but never connects). I also know that, after several hours in that state with a stalled torrent, the tracker didn't list my true IP. However, I routinely hard code TCP/IP setup, so my experience may not apply if you're using DHCP. And in any case, I don't have Wireshark or firewall logs for such disconnection events, so I don't know what did or didn't leak.
     
  24. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Hiero,
    I don't know what Wireshark is, but is there a method or program or website that lets you see exactly the info that your ISP sees and logs?

    I installed OpenVPN and its GUI yesterday. When I tried to run it for the first time, I got a message that "OpenVPN GUI is already running" (or words to that effect). I finally figured out that I was getting that message because the UltraVPN icon was in the system tray, although I was not connected to Ultra. When I got rid of the UltraVPN icon, I was able to start OpenVPN, and its icon was identical to UltraVPN. Moreover, I was able to log in to OpenVPN with the same username and PW that I use on UltraVPN.

    It's hard to avoid the conclusion that UltraVPN and OpenVPN GUI are the same program.

    Re Xerobank, I guess you mean that if I use XB VPN, I have the option to connect to OpenVPN and don't have to use the paid service.

    I have a suspicion that the XB VPN system tray icon will also be identical to the UltraVPN icon, since your description of its color-changing behavior matches that of Ultra and Open. And I guess I will be able to use my same Ultra username and PW when I use XB to access Open.

    I wonder, is there any difference at all among these programs that use OpenVPN?

    BTW, OpenVPN, like Ultra and Hotspot, did not put a TAP adapter icon in my Network Connections.
     
  25. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    Any software firewall with outbound protection will do if you configure it to only allow apps to connect to the internet through your VPN program. You just need to learn how to configure it, go and read the firewall forums.
     