disconnecting internet when vpn drops

Discussion in 'privacy technology' started by wakawaka, Dec 12, 2013.

Thread Status:
Not open for further replies.
  1. wakawaka

    wakawaka Registered Member

    Joined:
    Dec 11, 2013
    Posts:
    3
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Wow, that brings back some old memories ;)

    Seriously, disconnecting when the VPN drops is misguided.

    What you want are routing and firewall rules that don't allow anything out or in except through the VPN tunnel. In Windows, you can use Comodo, and there are instructions for that on the AirVPN forums. In Linux, you can use adrelanos' VPN-Firewall.
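    One way to express the "nothing in or out except through the tunnel" policy described above, as an added example that is not from this thread, from adrelanos' VPN-Firewall or from any provider's guide: a small POSIX shell wrapper around iptables. The endpoint address 203.0.113.10, port 1194/udp and the interface names tun0 and eth0 are placeholder assumptions; setting IPT=echo and IP6T=echo prints the rules instead of applying them, so the policy can be reviewed before it is loaded.

```sh
#!/bin/sh
# Added example (not the thread's, not adrelanos' VPN-Firewall, not a provider's script):
# a minimal iptables "kill switch". Default policy is DROP in every direction; the only
# traffic allowed out of the physical uplink is the VPN handshake itself (plus DHCP),
# and everything else must leave through the tunnel interface.
# All addresses and interface names below are hypothetical placeholders.
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # VPN endpoint IP (placeholder)
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_IF="${VPN_IF:-tun0}"                    # tunnel interface created by the VPN client
WAN_IF="${WAN_IF:-eth0}"                    # physical uplink
IPT="${IPT:-iptables}"                      # set IPT=echo for a dry run
IP6T="${IP6T:-ip6tables}"                   # set IP6T=echo for a dry run

vpn_killswitch_apply() {
    vpn_server="$1"; vpn_port="$2"; vpn_proto="$3"; vpn_if="$4"; wan_if="$5"

    # Clean slate, then deny by default in every direction.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # Loopback is always allowed.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Replies to connections this host opened (this also covers the VPN handshake replies).
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Keep the uplink's DHCP lease renewable, or the host eventually drops off the LAN.
    $IPT -A OUTPUT -o "$wan_if" -p udp --sport 68 --dport 67 -j ACCEPT

    # The single hole in the uplink: the VPN endpoint itself.
    $IPT -A OUTPUT -o "$wan_if" -p "$vpn_proto" -d "$vpn_server" --dport "$vpn_port" -j ACCEPT

    # Everything else must go through the tunnel.
    $IPT -A OUTPUT -o "$vpn_if" -j ACCEPT

    # There is no IPv6 tunnel here, so block IPv6 entirely rather than let it bypass
    # the VPN (the same default that Mullvad's FAQ describes).
    $IP6T -F
    $IP6T -P INPUT DROP
    $IP6T -P FORWARD DROP
    $IP6T -P OUTPUT DROP
    $IP6T -A INPUT  -i lo -j ACCEPT
    $IP6T -A OUTPUT -o lo -j ACCEPT
}

# Undo everything: open policies and no rules. Use only while reconfiguring.
vpn_killswitch_off() {
    for t in "$IPT" "$IP6T"; do
        $t -F
        $t -P INPUT ACCEPT
        $t -P FORWARD ACCEPT
        $t -P OUTPUT ACCEPT
    done
}

# Usage (as root): sh killswitch.sh apply | off
case "${1:-}" in
    apply) vpn_killswitch_apply "$VPN_SERVER" "$VPN_PORT" "$VPN_PROTO" "$VPN_IF" "$WAN_IF" ;;
    off)   vpn_killswitch_off ;;
esac
```

    Two caveats worth knowing before relying on this: the VPN client must be given the endpoint as an IP address (or the resolver it uses to look up the hostname must be allowed out of the uplink too), because nothing else can resolve names before the tunnel is up; and if the client is configured to renegotiate to a different server, that server needs its own rule. Because the rules persist until "off" is run, the tunnel dropping leaves the host with no connectivity rather than with an unprotected one, which is the behaviour the thread is after.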
     
  3. S.B.

    S.B. Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    150
    For a different and easier solution to your question, you might want to consider using Mullvad as your VPN provider. Mullvad's VPN GUI includes check-box options for (1) blocking the internet on connection failure (i.e., loss of connection to Mullvad); and (2) stopping all DNS leaks. Specifically, see the following in Mullvad's FAQ section:

    What if the connection is broken?

    That depends on the option Block the internet on connection failure. When it is not selected, protection is lost but the internet connection keeps working. When it is selected, the traffic destined for the tunnel will be blocked until Disconnect or Quit is selected from the menu or until the connection is reestablished.
    In addition, Mullvad addresses your earlier IPv6 question by blocking IPv6 as the default behavior; thus, see the following in Mullvad's FAQ section:

    How do you handle IPv6?

    We are working on tunneling IPv6 just like IPv4. Until then the default behaviour is to block IPv6 to prevent leaks. If you don't want the Mullvad software to block IPv6 set disable_ipv6 = False in the [Client] section in Settings -> Advanced.


    Mullvad's speeds are quite good and their prices (5 EUR per month for up to 3 simultaneous users) are reasonable.

     
    Last edited: Dec 13, 2013
  4. chiraldude

    chiraldude Registered Member

    Joined:
    Jul 3, 2010
    Posts:
    157
    All this depends on how committed you are to blocking unencrypted traffic. For the average person just wanting to stay private, the software firewalls should be sufficient.
    For the truly paranoid, software cannot provide 100% certainty. A hardware router/firewall is the only way to be sure all traffic is encrypted. No idea where to purchase such a device though.
    This hardware would be able to block everything outside of the VPN tunnel; plus, it should inspect ALL the data inside of every packet, performing statistical analysis to make sure no plaintext data is being transferred.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Hardware firewalls run software. You can run pfSense on dedicated hardware as a perimeter router/firewall. I do. You can also run pfSense VMs as VPN gateways, or as unified security management systems running Snort etc. Basically, you bridge your machine's network adapter to the pfSense VM's WAN, and then bridge the pfSense VM's LAN to a host-only adapter.
     
  6. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    174
    Location:
    io
    For ease of use and simplicity you can do what S.B. mentioned if you find a VPN provider like Mullvad; its own software protects against disconnections to the internet and DNS leaks.

    Also, programs such as VPNetMon and VPNCheck (for Windows) can do the same thing: they monitor your internet connection so fast that if your VPN were to disconnect they would block your entire internet. They also have features to close programs like IE/Chrome/Firefox or your torrent app or any other app from accessing the net, and can offer DNS leak protection also.

    The more advanced way round would be to replace your router with a Tomato-compatible router like the Asus RT-N16, which supports VPN and can disconnect your internet, or build a dedicated pfSense firewall router from a spare, old or second-hand PC, which can do the same but much better.

    For the super paranoid like myself, one could use a pfSense firewall PC which is correctly set up to block the internet if the VPN disconnects, and then further back it up with a VPN with inbuilt support like Mullvad or VPN software that blocks internet/DNS leaks; that is an even safer option :)
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    If you use pfSense as your perimeter router/firewall, and you have enough NICs, I believe that you could run a VPN client, and then route the tunnel to a second LAN. pfSense can run Tor, so it might even be possible to have three LANs: 1) straight Internet; 2) access via VPN; and 3) access via Tor tunneled through VPN. You could also do it, I think, using VLANs and a smart switch.

    But I've never tried it.
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I just tried Mullvad again a couple of minutes ago. I went ahead and bought a sub. I tested the feature that blocks internet traffic. It worked! I disconnected my internet and waited a couple of minutes. My browser could not connect. I reconnected the internet and after a couple of minutes Mullvad was reconnected.

    So of the VPNs that I have tried, Mullvad, Cryptohippie, and Riseup will not allow your real IP through if the internet is interrupted. Unfortunately AirVPN and Boleh do not.
     
    Last edited: Dec 16, 2013
  9. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    174
    Location:
    io
    That is amazing to know; I never knew pfSense could channel each NIC for a specific purpose. Still, with my paranoid nature I would have to have 100% of it go through a VPN :)
     
  10. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    174
    Location:
    io
    Yup, that's the reason why I went with Mullvad myself, although I may try another one for a bit and see how it goes. I feel it's bad service from Air/Boleh if the client does not have IP/DNS leak features. I know many will argue that it's an easy fix; then they should post up-to-date and correct guides which "work" to offer a fix. Or, heaven forbid, release a client and do what most are already doing :)
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    :)

    Anyway, pfSense can do many cool things, otherwise only (as far as I know) seen in expensive enterprise-level routers and firewalls.
     
  12. Alexandru

    Alexandru Registered Member

    Joined:
    Jan 18, 2014
    Posts:
    15
    Location:
    Netherlands
    mirimir, thanks for your great explanations here. I have read more or less all of your posts *puppy*

    I have a setup of 2 VPN client gateways on my pfSense router and I route the specific clients through them. All are foolproof in case of disconnects.

    For online banking I'm bypassing the VPN gateways on the pfSense router, going directly from my VirtualBox machine to the ISP.

    pfSense is great router software.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    @Alexandru

    That's very cool :thumb:

    Thanks for sharing :)
     
  16. vivalib

    vivalib Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    2
    With great thanks to the Wilders community, I am on my way to setting up a more secure and private system.

    A special thanks to mirimir for the very generous logical/technical support and privacy guides he has provided.

    Following the privacy guides I have set up an Adrelanos VPN firewall, and am able to start it fine, but I cannot figure out how to turn it off. I cannot find the process running in the processes list, yet I know it's functioning as I do not get internet access without an OpenVPN connection. I have not yet installed the init script for it.

    Anyone know how to turn off the Adrelanos firewall?

    The reason I would like to turn it on and off at will is that I am still installing, configuring, and testing the system.

    I am currently trialing AirVPN and their recommendation for a Linux VPN firewall is Firestarter. Anyone have any thoughts on Firestarter or UFW (default Ubuntu firewall) as compared to Adrelanos?

    Since I will be running this single-box system with VirtualBox and pfSense, does this mean I can set up a pfSense VM to handle the dropped VPN connections to other VM workstations and not have to use a VPN firewall on the host OS?

    Thanks,
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    That's not unique to pfSense.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Thanks :)

    You need the init script to get start, stop, restart and status. I don't have it installed anywhere now, but this should work:

    sudo killall vpnfirewall

    Firestarter, Shorewall, UFW etc. are all more-or-less user-friendly front-ends for Linux iptables. I trust Patrick Schleizer's (formerly known as adrelanos) knowledge of iptables. You could get the same iptables setup using any of those front-ends, and you might do better. But I don't recommend that.

    I'm not sure that I understand what you're asking.

    If you're running a VPN client on the host machine, you want it firewalled. If you're just running a VPN client in a pfSense VM, and no VPN client on the host machine, you don't need a firewall on the host.

    You could have one, as another level of protection. However, that would block all connections from the host machine except to the VPN server that the pfSense VM is using. In other words, you couldn't use the host machine for anything that required an Internet connection.
     
  19. vivalib

    vivalib Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    2
    I tried that before I installed the init script and after, and I get an error message in the terminal that it cannot find the process after starting it manually. It appears that the vpnfirewall is running since I can only get internet access with a valid OpenVPN connection to a server specified in the VPN server list. Comparing snapshots of the running process list before and after the vpnfirewall service is started, I still cannot find the process...

    I also tried:

    sudo service vpnfirewall stop

    "stop" appears to be one of the arguments vpnfirewall accepts but that didn't work either.

    Perhaps I'll leave this until later and just try to configure the VPN through the pfSense VM to control dropped connections to other VMs as you describe.

    Sometimes I don't either. I'm a novice at linux and networking as a whole so the learning curve has been very steep. I'm still trying to get a handle on the concepts and terminology.

    Despite my not being able to phrase the question properly you managed to answer it concisely and more. :thumb:

    Thanks Again!

    vivalib
     
  21. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    I can confirm for you that the UFW firewall is so easy to set up it's ridiculous. Further down in the thread you read over at Air, there is a "how to" for setting up ufw in Linux. It's roughly five steps and works without a hitch. It's rock solid for what you describe you want. I use it on my HOST Linux OS, along with a configured AirVPN connection to use as desired. Why? Although some will argue it's not necessary, I want to be able to update my host monthly. When I do the update I also want to use a VPN connection and provide dropped-connection protection while doing so. When I boot the host, ufw is enabled and it does not allow the host to surf the internet except through the VPN, which is DOWN unless I manually connect it. The host ARPs to the gateway so the router is found, but that is it. It's one very simple terminal command to enable or disable UFW when you want to. I leave it on by default to "cover my bacon".
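    A quick way to confirm the state described above (nothing reaches the internet except through the tunnel once the VPN is up) without pulling the cable the way caspian did: the added POSIX shell script below, which is not from this thread, from AirVPN's guide or from any firewall project, parses the output of `ip route show` and the contents of /etc/resolv.conf and reports whether the default route and every configured resolver go through the tunnel. The interface name tun0, the resolver address 10.8.0.1 and the embedded sample routing tables are constructed assumptions; on a live host run it with the `live` argument.

```sh
#!/bin/sh
# Added example (not the thread's, not from AirVPN's ufw guide, not from UFW or
# adrelanos' VPN-Firewall): a routing and DNS leak check for a Linux host whose
# firewall is supposed to force everything through the VPN. Inputs are passed as
# text so the logic can be exercised on constructed samples.
# tun0 and 10.8.0.1 are hypothetical assumptions; adjust to your own setup.

# Returns 0 when the default route leaves via $2, 1 otherwise. OpenVPN's
# "redirect-gateway def1" does not replace the ISP default route; it adds
# 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which are more specific and win.
route_via_tunnel() {
    routes="$1"; tun_if="$2"
    if printf '%s\n' "$routes" | grep -Eq "^default .*dev $tun_if( |$)"; then
        return 0
    fi
    if printf '%s\n' "$routes" | grep -Eq "^0\.0\.0\.0/1 .*dev $tun_if( |$)" &&
       printf '%s\n' "$routes" | grep -Eq "^128\.0\.0\.0/1 .*dev $tun_if( |$)"; then
        return 0
    fi
    return 1
}

# Returns 0 when every "nameserver" line in $1 is in the space-separated allow
# list $2 (the VPN's resolvers) and at least one resolver is present; 1 otherwise.
# A resolver pointing at the home router or the ISP is the classic DNS leak.
dns_only_vpn() {
    resolv="$1"; allowed="$2"
    printf '%s\n' "$resolv" | awk -v allowed="$allowed" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "nameserver" { seen = 1; if (!($2 in ok)) bad = 1 }
        END { exit (bad || !seen) ? 1 : 0 }'
}

# Prints a verdict per check; returns 0 only when both checks pass.
vpn_leak_check() {
    routes="$1"; resolv="$2"; tun_if="$3"; vpn_dns="$4"; status=0
    if route_via_tunnel "$routes" "$tun_if"; then
        printf 'route: default traffic leaves via %s\n' "$tun_if"
    else
        printf 'route: LEAK - default route is not via %s\n' "$tun_if"; status=1
    fi
    if dns_only_vpn "$resolv" "$vpn_dns"; then
        printf 'dns:   all resolvers are VPN resolvers (%s)\n' "$vpn_dns"
    else
        printf 'dns:   LEAK - a resolver outside the tunnel is configured\n'; status=1
    fi
    return $status
}

# Constructed samples (not captured from a real host) for offline testing.
SAMPLE_ROUTES_OK='0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0'
SAMPLE_ROUTES_LEAK='default via 192.168.1.1 dev eth0 proto dhcp
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50'
SAMPLE_RESOLV_OK='nameserver 10.8.0.1'
SAMPLE_RESOLV_LEAK='nameserver 10.8.0.1
nameserver 192.168.1.1'

# Usage: sh leakcheck.sh live   (inspect this host)
#        sh leakcheck.sh demo   (run against the constructed samples)
case "${1:-}" in
    live) vpn_leak_check "$(ip route show)" "$(cat /etc/resolv.conf)" tun0 10.8.0.1 ;;
    demo) vpn_leak_check "$SAMPLE_ROUTES_OK" "$SAMPLE_RESOLV_LEAK" tun0 10.8.0.1 ;;
esac
```

    Running the `live` mode before and after bringing the VPN up shows the two states in this post: with the tunnel down the route check fails (which is exactly what the firewall is covering for), and with it up both checks should pass. A DNS leak with a passing route check is the case to look for, since it is the one a cable-pull test never reveals.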
     
  22. Alexandru

    Alexandru Registered Member

    Joined:
    Jan 18, 2014
    Posts:
    15
    Location:
    Netherlands
    Until I got my pfSense box I decided to use the cheap solution: Windows Firewall.

    1. Allow only the public network --> tun/tap device
    2. Forbid the home network from going outside except to your DNS IP/port and OpenVPN

    That's all.
     