I installed and tested each VPN, in Windows and OSX. And analyzed traffic captures, looking for leaks. It was a lot of work.
I have a couple questions about this. 1) I noticed in the iVPN setup guide for Linux, that it says to us iptables to route all traffic through the VPN and to disable IPv6, but only in the directions for using NetworkManager, not in the directions for using OpenVPN on it's own. Aren't the leaks an issue both with NetworkManager and with OpenVPN on its own? 2) If you disable IPv6 entirely, isn't that going to break a lot of websites these days? and more and more so? 3) Once you setup iptables to send all traffic through the VPN, does this mean you will have to manually edit the iptables rules every time you want to go off the VPN and then back on, etc.?
Yes, leaks are also a risk using the straight OpenVPN daemon. However, in my experience, the daemon tends to fail closed. Network Manager tends to fail open. But yes, it's best to use iptables and disable IPv6 for both. I'll recommend adding a warning to the directions for the daemon. It's not a huge problem yet. But it will be. Still, having IPv6 disabled is better than having it bypass the VPN. If IPv6 matters to you, you can use one of the VPN services that route it and don't leak (such as FrootVPN and Perfect Privacy). Yes, you have to use different iptables rules. But that's very easy with iptables-persistent. The default rules, /etc/iptables/rules.v4 and /etc/iptables/rules.v6, load during boot. But changing active rulesets is easy: Code: # iptables-restore < /etc/iptables/vpn-rules.v4 # iptables-restore < /etc/ip6tables/vpn-rules.v6
Hi mirimir, Thanks as always for the thoughtful reply. Can you point to a good guide for setting up iptables to use with a VPN? I've looked around, but they all seem a little bit more complicated and not self-explanatory, than I thought it would be. That left me feeling like I was not going to be sure I did it correctly. Also do you have any thoughts about packages/scripts like VPN-Firewall (https://github.com/adrelanos/VPN-Firewall) and vpnfailsafe (https://github.com/wknapik/vpnfailsafe)? Cb
Sure /etc/iptables/vpn-rules.v4 Code: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -j DROP -A FORWARD -j DROP -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth0 -d a.b.c.0/24 -j ACCEPT -A OUTPUT -o eth0 -d w.x.y.z -j ACCEPT -A OUTPUT -o tun0 -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -j DROP COMMIT Your LAN is a.b.c.0/24, and w.x.y.z is the VPN server. /etc/iptables/vpn-rules.v6 Code: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] COMMIT I've used VPN-Firewall, but have come to prefer iptables-persistent. I like the vpnfailsafe design, but I've never used it.
Thanks! So my LAN is the IP address my router assigns to me? Does this mean that on my laptop I will have to change this in iptables, every time I'm in a different location? Also isn't eth0 the ethernet connection, what about wlan0 or something like that for wifi? Sorry if these are very basic questions. And with the VPN server I could put as many lines in there as I want, to cover the different servers from my VPN provider that I think I might use?
Well, a.b.c.0/24 is the LAN subnet, specified in the router setup. Your router might assign a.b.c.d to your laptop, a.b.c.e to another device, and so on. You only need that rule if you want to access other devices on the LAN. Otherwise, it's not needed. If you switch among locations, you could have separate rulesets for each one. The "-o eth0" option in the rules for LAN and VPN server is arguably optional. Perhaps it's less secure, but not hugely. If you switch between local networks a lot, it's probably best to drop it. Then you can reach the specified VPN server(s) wherever you're connected. If you're using public WiFi, for example, and you have a rule allowing access to your home LAN, it just won't match anything. And yes, you can have as many rules for VPN servers as you like.
Okay, thanks for the further explanations. * I'm curious what you think about the rules that the AirVPN client apparently sets for iptables. They are somewhat different and more extensive. This is where I start to get bewildered, when there are different guides that say different things, ostensibly to reach the same end. From: https://airvpn.org/faq/software_lock/ Code: # Flush iptables -F iptables -t nat -F iptables -t mangle -F # Flush V6 ip6tables -F ip6tables -t nat -F ip6tables -t mangle -F # Local iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Local V6 ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT # Make sure you can communicate with any DHCP server iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT iptables -A INPUT -s 255.255.255.255 -j ACCEPT # Make sure that you can communicate within your own network if Private Network option is enabled iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT # Allow incoming pings if Ping option is enabled iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT # Allow established sessions to receive traffic: iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow TUN iptables -A INPUT -i tun+ -j ACCEPT iptables -A FORWARD -i tun+ -j ACCEPT iptables -A OUTPUT -o tun+ -j ACCEPT # Block All iptables -A OUTPUT -j DROP iptables -A INPUT -j DROP iptables -A FORWARD -j DROP # Block All V6 ip6tables -A OUTPUT -j DROP ip6tables -A INPUT -j DROP ip6tables -A FORWARD -j DROP
Well, first thing, these are iptables commands, which you could put in a bash script, not rules files like iptables-persistent uses. This is housekeeping stuff that iptables-persistent handles. I don't get why you'd need the local IPv6 stuff. But then, I don't have IPv6, except in my testing environment. I've never had a problem without this. But it wouldn't hurt. First, they have versions for all LAN types, which is confusing. But I suppose that you could have rules to allow multiple LANs that you're using. But second, I wouldn't want rules allowing input from other LAN devices. My rules allow output to other LAN devices, but only related/established input. I guess, but see no reason for it. The "-i tun+" thing is just a wildcard for all tunnels. I don't see why you need more than tun0. Crucially, I see no reason to allow forwarding or input on the tunnel. Unless you're running a server with a forwarded port. Which is not such a good idea. That's cool. So, does that make sense?
That helps immensely. Thanks so much for taking the time to read through that and comment on it. I am starting to grasp how some of this stuff works and the concepts behind it. Thanks again.
@cb474 -- The new stuff is up at IVPN: https://www.ivpn.net/setup/gnu-linux-terminal.html https://www.ivpn.net/knowledgebase/191/How-do-I-prevent-VPN-leaks-using-iptables.html Thanks again for bringing it to my attention
Thanks for the update. Glad to see that info up on the iVPN site. * This is only tangently related, but I noticed that it is possible to use AirVPN's client, Eddie, to connect to services other than AirVPN. They even provide a guide for doing this: https://airvpn.org/topic/19909-eddie-with-other-providers-or-custom-openvpn-configuration-files/ Perhaps some iVPN users might be interested. It does all the iptables stuff and blocking ipv6.
I guess I simply wish iVPN had a Linux client. Maybe that's what you meant. My one issue with the AirVPN client, which has lots of good options (including modifying some of the things that it does with iptables) is that it requires root privileges. I hate to give general root privileges to a third party app like that. They said in the future they will limit this, but it's not in the near future.
OK, sorry I wasn't thinking. I also wish that they had a Linux client. But their focus now is smartphones. They just did iOS, and are working on Android. They do what their customers ask for, I guess.
Yeah, I can see where Linux is not the top priority. It's nice that at least AirVPN and Mullvad have Linux clients.
What do you think about using ufw for preventing dns leaks? Such as in this guide: https://www.reddit.com/r/VPN/commen...way_to_set_up_ubuntu_so_that_it_will/comog21/ It's seems like a very straightforward method (assuming it's just as good). That's actually what iVPN technical help referred me to, after saying they do not provide a guide because ever Linux distro is different. (In fact, I'm just noticing that in Arch there is not iptables-persistent package, not even in AUR. This is the first time ever I've come across a package that Arch doesn't have at least in AUR. Interesting. Probably iptables-persistent is too easy for the "Arch way"?) * Also, I'm wondering what you think about using resolv.conf to configure a DNS server (like Google, OpenDNS, somebody else) other than the VPN. It has the advantage of allowing the system to still resolve DNS if the connection drops. And I'm wondering if separating trust between the VPN and some other DNS service is actually more private. Maybe not since I guess if the VPN wants to they know every site you're visiting anyway.
Sure, ufw is just another way to manage iptables. That guide gives you essentially the same rules. I have no clue. But this seems pretty similar: https://wiki.archlinux.org/index.php/Iptables I'd call that a DNS leak. I don't want the system to reach anything directly except for VPN servers. But you can, of course, use any DNS server with your VPN. But there's no chance of hiding anything from the VPN, unless you work through another VPN
Thanks for the thoughts. Yeah, I guess now that I think about it more, on a single hop VPN connection there's no point sharing one's activity with a separate DNS server, since your VPN service knows what you're doing anyway. Why trust more people than you have to? I'll check out the Arch iptables link later. The site seems to be down right now. Thanks for that too.
In Boleh forum page, there seems to be a post referrring to Mirimir's thread and the admins' replies follow. However, I couldn'd see a satisfactory answer regarding to the "Dns Hijacking". Do you guys think that this issue may have been checked out during the upgrade process? https://www.bolehvpn.net/forum/index.php?topic=10219.0
With DNS leak protection activated, you won't get DNS leaks aka hijacking. With their gateway-based leak protection, the VPN won't reconnect if your uplink gets interrupted. But there won't be any leaks until you terminate the VPN client. So you just need to shut down stuff that you don't want using the naked ISP uplink before you terminate the VPN client. As Pit Boss says, you need to add your own firewall rules if you want better leak protection. Linux iptables rules are here: https://www.ivpn.net/knowledgebase/191/How-do-I-prevent-VPN-leaks-using-iptables.html I could probably hack Windows and OSX firewall rules, but maybe someone who knows those systems better could share.
