Beware of airVPN Connections!

Keep your IP address hidden if VPN disconnects

 

Merisi

Air will stand by you. If you go over to their forums there is a post just today about a server of THEIRS in Denver (Diadem). The server host company was alleging to have received numerous complaints of abuse or copyright infringements from Air users. Air states that they are false/unproven claims but rather than go through the fight they simply shut down the server in that city. They will NOT sell you out. Most of us Air users are just privacy advocates but if someone feels the "need" to download a file/song etc.... they should have the smarts to hop over to a Netherlands server where DMCA notices are disregarded without issue.

 

Palancar, thank you for your post. It makes me feel a lot more reassured to read it. We're just going through an uncertain time regarding privacy and the internet. Apart from my connection dropping at times Air was been pretty solid and very easy to use.

 

I mean no disrespect but if your goal is to obfuscate your IP (for whatever reason) and you put some value behind an icon that changes color to represent some connection status - - - you are far less "hidden" than you think. Again no disrespect but you should rethink your strategy.

BTW an easy way to guarantee your identifying IP is safe should your vpn drop - delete the default gateway that took ya to the vpn dance.

Example:
Connect from ISP to VPN as normal, once connected delete the route set between your LAN and ISP as your VPN is now the default gw. I think powershell provides a similar capability as *IX 'route del default gw 192.168.1.1'

I've not seen a windows based firewall that would reliably do what your after - you need an IP Tables type solution (aka more than port open/close)

 

Thanks for the reminder

We've danced around this for years on Wilders.

There are ancient threads that include instructions for saving normal routing, deleting the default route, and then saving the new routing. Then you can write shell scripts for enabling one or the other.

There's a far better solution: don't use Windows

 

I see no issues with a well constructed firewall rule set. I have intentionally tried to "crash and burn" my connection and its never betrayed me. This method also permits strong DNS control, locking things down to ONE dns or its all dead, period. Even the resolution IP's; are locked down to my selected small list (related to VPN entrances) or the system is dead in the water. Its solid and tested. A significant rules "world" is a much better comprehensive solution than removing the default table in my opinion.

 

Actually up until more recently I would know that my VPN connection was interrupted because all of a sudden I had no internet access. Nothing on my computer could connect until I manually disconnected my VPN. I would noticed the icon change *after* I lost connection. I know that using a firewall is the best option. And I plan on learning how to do that when I get a chance.

But here's the thing. I know way more than the average computer user and I do not yet know how to create the firewall rules for a VPN. In fact, there have been users here asking for tutorials. People who know a lot more than I do. There are a lot of people using VPN's today. And almost none of them know that they even need to worry about this sort of thing, much less how to create firewall rules. Xerobank blocked all internet when it was interrupted. Cryptohippie does too. And so does Riseup VPN and Autistici. Riseup is free. Download it and try it. Turn off your wireless card for 4 or 5 seconds and then turn it back on and see what happens. You won't have any internet at all. Nothing can connect.

Again I know that creating firwall rules is a much more secure choice. But what about the vast majority of VPN users? I think that it is increditbly irresponsible not to provide at least the basic protection that other providers have offered their users. Especially when you KNOW that your service disconnects and reconnects without warning.

That sounds like a good idea. How do you do that? What is a default gateway? What is a "route set"? What is a power shell. Is this something that you can just do in a few seconds? Again, I know way more than the average computer user and I don't understand what your describing. How about the vast majority of people who use VPN's? They will never even hear any of this. But if this is something that is easy to describe I would appreciate you explaining it. Thanks for your input.

 

The old XeroBank how-to is available at <https://web.archive.org/web/20101130041327/https://xerobank.com/support/articles/how-to-prevent-vpn-dns-leaks/>.

Anyone care to update that for Windows 7/8?

 

For DNS I just went into all of the adapters and added the German Privacy Foundation DNS servers. So even if I am just connecting through my ISP I am using the German Privacy DNS. I have tested it many times with the GRC website and it seems to work okay.

https://www.grc.com/dns/dns.htm

 

I've posted the rule sets I use in Comodo more than once in here in the past, but have no idea where they are now. But no matter the VPN what you said in the OP holds true. Even the ones that have clients that are supposed to disconnect automatically when the VPN drops... it's much safer to depend on your FW rules instead.

In fact I got into the habit of adding a block rule to the bottom of all my app rules now. Not only for security but ease of use for when I use a VPN. All I have to do is change the source add. from my LAN zone to VPN zone and I'm good to go.

 

I used to do that too.

 

I haven't installed Comodo but I plan on learning how to do this. Mirmir posted a link with instructions from the Comodo website.

Is this something that you have to do every time you connect? Or is it something that you just have to do once?

 

Do you think it is a pretty good option? What do you do now?

 

You only need to configure it once.

 

Its alright.

I tend to use DNS Leak Fix, or versions of it that vendors work into their products which are sometimes called kill switches. It changes your adapters so even if the internet went down you just lose connection with a broken adapter.

 

What if your using a program like VpnetMon instead to simply disconnect your internet in case your VPN drops?

I found this far easier then running comodo and trying to add rules myself or do you still think its best to learn to add the firewall rules in ?

 

But if you use a DNS Leak on the client, that is useless because the Client sets its own DNS's in the adapters.

 

In my experience dnsleaktest.com is or at least was inaccurate, I have had no leaks on dnsleaktest.com but over at GRC queries are been received by my ISP's servers. Now I only use GRC's Nameserver test.

 

Yes, why would you not use grc? I used the same two tests on every new connection.

grc.com/shieldsup
grc.com/dns

Works for me.

 

Been playing around with dns leak test website and GRC

I find dnsleak simple and easy to use but yeah it missed one of my DNS servers even under basic and advanced test... GRC is more longer to run but always found all my DNS servers.

I still feel for simplicity and ease/speed of use http://ipleak.net/ cant be beat

 

The GRC test doesn't take that long, and it gets them all, so why take chances?

 

Quite true, for the few seconds extra I noticed GRC is 100% spot always while ipleak not always 100%

Both nice, but GRC does it right each time, think ill move to GRC as the new default

 

There's a description on GRC of how the DNS test works. Although I don't claim to fully understand it, there's some clearly hard-core stuff going on.