How to keep from blowing your anonymity when you lose the VPN or Tor connection?

Discussion in 'privacy technology' started by gumbyy, Feb 7, 2010.

Thread Status:
Not open for further replies.
  1. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Wireshark is a "network protocol analyzer" aka packet sniffer. With it, you can record network traffic on any adapter that your computer can see. For most of us, that means the computer's physical network adapter(s) and any virtual network adapter(s) that we've created (e.g., using OpenVPN, VMware Player or VirtualBox). It's also possible to monitor traffic across network switches.

    Wireshark shows you what's leaving your computer on whatever adapter you're monitoring. Your firewall logs (from the software firewall on your computer, and also from the perimeter hardware firewall that you may have on your network) show you what's leaving for your ISP. However, many firewalls don't filter or log all types of packets, so it can be confusing.

    You're almost right. UltraVPN is a service that (like XeroBank) uses OpenVPN to establish the connection. You can use OpenVPN to establish a connection to any network that you have credentials for. All that you did was log in to UltraVPN.

    No. OpenVPN is just open-source software for establishing a VPN connection. XeroBank is an anonymity service. There is no OpenVPN service. XB VPN is just a "wrapper" for OpenVPN, set up to connect to XeroBank.

    UltraVPN just uses the default OpenVPN tray icon, whereas XeroBank substitutes its own custom tray icon. The color behavior is the same, however.

    No. To reiterate, both UltraVPN and XeroBank use OpenVPN. You could use OpenVPN to connect to any network, as long as you have proper credentials. Each remote network -- UltraVPN, XeroBank, other anonymity networks, your employer or whatever -- will have its own IP address, certificates, username and password.

    Yes, there is. However, that's a contentious issue. It's very hard for users to assess anonymity networks. AFAIK, the best evidence is reputation.

    Right. Once you install UltraVPN, it appears that the TAP adapter is hidden. I don't know how to get it back (yet).
     
  2. JustJohnny

    JustJohnny Registered Member

    Joined:
    Oct 18, 2009
    Posts:
    21
    Ok, this is a very interesting topic. Currently I am using an OpenVPN provider and am pretty happy with the service. However I would very much like to stay anonymous when I think I am, so this is a big deal.

    What I want to know: is there any way to "spoof" a failed VPN connection? How could you test if you are really secure? My problem is that my provider very rarely has dropped connections (it happened only once and I quickly reconnected without testing anything). So how could I know the behavior in the event it loses the VPN connection?
     
  3. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Arran,

    I googled it quickly and came up with only this:

    StrongVPN Forum / Firewalling your PC to only use the VPN connection
    http://www.strongvpn.com/forum/viewtopic.php?id=294

    but some people in that thread are having problems with the instructions. What do you think?
     
  4. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I'd be gobsmacked if OpenVPN were vulnerable in that way.

    You could tell from Wireshark (on physical NIC) and firewall logs (local and perimeter). However, given that spontaneously-dropped connections are so rare, you'd need to maintain months of logs, which is nontrivial. Instead, I've been using two tests: (1) dropping the connection by disconnecting the network cable for several seconds; and (2) disconnecting via the OpenVPN menu. I'm testing the three approaches discussed in this thread. We could all do that, and compare results.
     
  5. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156
    The instructions look straightforward to me. I guess the ones complaining there must be noobs.
     
  6. JustJohnny

    JustJohnny Registered Member

    Joined:
    Oct 18, 2009
    Posts:
    21
    Ok, finally my OpenVPN connection dropped tonight so I was able to see what happens! The OpenVPN icon on the taskbar turned yellow and it says "Reconnecting to *ServerName*". However my internet did NOT revert back to the unsecured connection. So the behavior is fine. If the connection drops I get no internet, which is what I want. So all is well.

    I believe the reason this works is due to the batch scripts that are running to plug the DNS leaks. These batch files were provided by my privacy host and they cause DNS requests to only go through the VPN. The scripts automatically run when the OpenVPN initiates a connection and also when it closes. However it did not run when the connection dropped unexpectedly. So this cripples communication that relies on DNS (although I guess an IP based connection might still go through). Still better than nothing though.

    These batch files should work with an OpenVPN host that provides you with *.ovpn config files. If the config file was named 'SomeServer.ovpn' then the files to plug the DNS leak are called 'SomeServer_pre.bat', 'SomeServer_up.bat', and 'SomeServer_down.bat' and are located in the "Program Files/OpenVPN/config" folder. Here are the scripts:

    *_pre.bat:
    Code:
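    @echo off
    setlocal

    rem Find the connected interface; its name is the last column of the netsh output.
    echo Checking for active internet connection...
    set ActiveNet=

    FOR /F "tokens=2,3* " %%j in ('netsh interface show interface ^| find "Connected"') do set ActiveNet=%%l

    echo Active internet connection is "%ActiveNet%"

    rem The redirection goes first so that a name ending in a digit
    rem (e.g. "Local Area Connection 2") is not parsed as a "2>" stream
    rem redirect, which would leave ActiveNet.txt empty.
    >ActiveNet.txt echo %ActiveNet%

    rem Pause for a few seconds before returning.
    @ping 127.0.0.1 -n 4 -w 1000 > nul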

    *_up.bat:
    Code:
    @echo off
    set /p ActiveNet=<ActiveNet.txt
    
    echo Locking down DNS leaks for "%ActiveNet%"
    ipconfig /flushdns
    
    netsh interface IPv4 set dnsservers "%ActiveNet%" static 0.0.0.0 both validate=no
    
    @ping 127.0.0.1 -n 4 -w 1000 > nul

    *_down.bat:
    Code:
    @echo off

    echo Resetting network to normal
    
    set /p ActiveNet=<ActiveNet.txt
    netsh interface IPv4 set dnsservers "%ActiveNet%" dhcp
    ipconfig /flushdns
    del ActiveNet.txt
    
    @ping 127.0.0.1 -n 4 -w 1000 > nul

    And if something goes wrong use this script to return to normal settings (can be on the desktop):
    NetworkReset.bat:
    Code:
    @echo off
    
    set /p ActiveNet=<"%PROGRAMFILES%\OpenVPN\config\ActiveNet.txt"
    echo OK to reset - %ActiveNet% - to normal?
    pause
    
    netsh interface IPv4 set dnsservers "%ActiveNet%" dhcp
    ipconfig /flushdns
    
    del "%PROGRAMFILES%\OpenVPN\config\ActiveNet.txt"
    
    @ping 127.0.0.1 -n 2 -w 1000 > nul

    Keep in mind I did not write these scripts, nor do I know if they will work with all OpenVPN configurations. Please note that I believe these may only work on Windows Vista/Seven 32-bit. Maybe they may help somebody.
     
    Last edited: Feb 27, 2010
  7. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OK, I've confirmed that the firewall approach works for me. After connecting to XeroBank, I created three rules: (1) block all traffic; (2) permit LAN traffic; and (3) permit traffic to/from the XeroBank entry IP. After disconnecting from XeroBank, I had no internet connectivity. With Wireshark on the physical NIC, I could see packets addressed to various external IPs, and I could see in the firewall log that all non-LAN traffic had been blocked.

    Perhaps that's not surprising. OTOH, if it really is that simple, I'm left wondering about rationales for the other approaches. Is it that some don't trust firewalls?

    Edit: Or is it that providers prefer approaches that don't involve users configuring firewalls?
     
    Last edited: Feb 27, 2010
  8. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Thanks Hiero. I had thought that OpenVPN was a free VPN network, not just software. So I guess UltraVPN is the free network, not OpenVPN.

    So if you use XB VPN with OpenVPN, what network can you connect through? Only XB's premium service and TOR? I had mistakenly thought that OpenVPN was another connection option that would be faster than TOR.

    That's an important issue. Without the TAP adapter icon I don't know if you can use VPNetMon. Did you try uninstalling Ultra?
     
  9. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Hiero,

    Wonderful that you were able to confirm this. Did you also confirm that the firewall blocked Flash and Java from bypassing the VPN and revealing your real IP address?

    Which firewall approach did you use? The one whose link I posted (StrongVPN)? Or a different approach? It would be immensely helpful to the non-techies amongst us (such as moi) if you could tell us exactly what you did -- like, step by step instructions, and also what firewall you used.

    I am still in the early stages of my privacy and security education and don't know anything at all about firewalls. When you say you "created three rules", perhaps everyone else here understands what you mean, but I don't know how to create rules in a firewall, and don't know if this is easy or difficult.

    I would like to try some of these approaches and see if I can duplicate JustJohnny's success but right now my computer is in the repair shop.
     
    Last edited: Feb 27, 2010
  10. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    XeroBank doesn't leak true IP in any of the Metasploit decloak.net tests, so there's nothing to confirm. However, I have played with some VPNs that do fail the Flash test, and could check that with them. I'm not sure when I'll have a chance, however.

    I use Symantec Endpoint Security. However, the steps were basically the same as in the link that you posted. In whatever firewall you're using, there should be a screen for configuring firewall rules. If you don't have a firewall yet, other than Windows firewall, you might as well use the one in the link that you posted.

    It's easy. Really.

    Best wishes :)
     
  11. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Yes.

    XB VPN is basically "repackaged" OpenVPN. With XB VPN (essentially OpenVPN) you can connect to the XeroBank premium service. I've never used XB Browser with Tor, and don't know how that works.

    No, I haven't worked on that further. It might work to uninstall both UltraVPN and XB VPN, and to then reinstall XB VPN.
     
  12. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Perhaps ForceBindIP would be useful for scenarios in which a separate network connection is used for the privacy service.
     
  13. dumpydonk

    dumpydonk Registered Member

    Joined:
    Mar 11, 2010
    Posts:
    22
    I don't understand this at all I am afraid.

    If you are using Tor and Privoxy / Polipo then your browser is set up to route all traffic through default Privoxy / Polipo port 8118 whose file is set up to route traffic through Tor port 9050.

    If Tor fails then no traffic is sent. You can try this by cancelling Tor using the Vidalia GUI and all browsing traffic will stop and web pages will no longer be found.

    Right?
     
  14. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Thanks dumpydonk. It's good to know that Tor has no problem. Perhaps I shouldn't have mentioned Tor in my original post, since I haven't used it in a long time and am now really just interested in securing VPN connections.
     
  15. gumbyy

    gumbyy Registered Member

    Joined:
    Dec 19, 2009
    Posts:
    42
    Hi Hierophant and others. Sorry to bring back this old thread from the dead.

    I've been busy and have just gotten around to trying to set up the firewall to make sure that I have no connectivity when my VPN goes dead. I'm running into problems because the instructions at http://www.strongvpn.com/forum/viewtopic.php?id=294 are based on an older version of PC Tools Firewall Plus and in the new version the interface is different.

    Moreover, I can't follow StrongVPN's instructions (I don't use Strong VPN, I am just trying to adapt their instructions to the free VPNs I do use) because step 6 says "6. Now click on the "Settings" button in the PC Tools Firewall window.
    Select the "Adapters" tab.
    StrongVPN Regular - Highlight your "Wan Miniport (IP) - PCTools Driver"

    StrongVPN OpenVPN - Highlight your "Tap-Win32 Adapter V9 - PCTools Driver"

    Under "Zone" set to Allow All Traffic

    Select the "Filtering" tab and uncheck "Application Filtering Enabled"

    ...because the adaptor tab doesn't exist in the new PC Tools Firewall, seems to have been replaced by a "networks" tab. But under the networks tab, there is no TAP adapter listed, just as there is none listed in Network Connections for any of my VPNs except "ItsHidden" which I never use. Not even ItsHidden appears in PC Tools firewall's Networks tab.

    Incidentally, earlier Hierophant and I were puzzled by the fact that installation of UltraVPN seems to make the TAP adapter disappear from Network Connections. I think I have found it, but it's not called TAP adapter, it's called Local Area Connection 6 and it's listed under "LAN or High speed internet" category in XP Network Connections, not the Virtual Private Network category where it ought to be. When I hover my mouse over Local Area Connection 6 a box appears with the words "TAP-Win32 adapter V9". I only have this one TAP adapter even though I have about 4 free VPNs installed on my system.

    Anyway, the VPNs I have that are based on OpenVPN -- e.g., UltraVPN and ProXPN -- I am not worried about since by default they seem to display the behavior that Hierophant noted before -- when you lose the VPN connection there is no connectivity until you manually select Disconnect.

    The problem is Hotspot Shield. I don't think it is an OpenVPN app -- I don't know what kind of protocol it uses. But I do know that when it accidentally disconnects, the computer still has connectivity, which is what I want to prevent. So I would love to set up a firewall just for Hotspot to make sure there is no connectivity when it disconnects. I use Hotspot a lot because it seems faster than the other free VPNs.

    But as you can see, I've run into problems with the instructions I found online. So I'd like to use Hierophant's simple approach of creating 3 rules, but I need more info.

    Hierophant wrote:
    (1) block all traffic; (2) permit LAN traffic; and (3) permit traffic to/from the XeroBank entry IP.

    But PC Tools firewall Plus needs more info than that. To create a rule, I have to go through a series of multiple choice questions such as:
    Check: "where the ethernet type is"
    click below on "Undefined" and select "IP"
    click on "where the remote ip is"
    click below on "Undefined" and in the "Match Remote IP address" window enter the IP from step 1 and click "OK".
    Click "Next" and on select "Allow"

    There are even more choices to make: 'where ethernet type is' can be IP, IP V6, IP V4, 802.1x, ARP, Customize or Other. So how can I follow Hierophant's 3 step process with the PC Tools firewall?

    Would be very grateful if Hierophant or someone else would elaborate and give something like step by step instructions for creating these simple rules.
     
  16. nightrace

    nightrace Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    159
  17. herr

    herr Registered Member

    Joined:
    Sep 23, 2010
    Posts:
    9
    Just get a good piece of VPN software that works. The one I like is VPN4all.com; it starts on reboot and shuts down all your internet if the connection breaks. Not complicated and cheap.
    The problem with free services is that you have to be a techie to deal with stuff like this. Rather pay a few bucks and get it right.
     
  18. guest

    guest Guest

    I hope this fits in here.

    Checking the IP during TOR-connections, it will change.
    I assume to see the ExitNode IP?
    Do the EntryNode and the 'man in the middle' also change?

    Question is:
    Do I blow my anonymity when TOR changes its IPs?

    I have noticed two things
    - logged into a Forum, I move around without noticing the IP change.
    - logged into a Forum, I am still connected to that Forum but have to login again after an IP change.

    Is my original IP revealed at any time?
     
  19. JustJohnny

    JustJohnny Registered Member

    Joined:
    Oct 18, 2009
    Posts:
    21
    I just tested out Lyx's method of deleting the entry in the routing table, and it does indeed work. It also seems like a fairly solid method without much room for error. The way I tested this was by setting up a Torrent to download (a legal Linux iso ;)) after I was connected to my VPN. I am using a PPTP-based VPN, but I assume this should be the same thing for OpenVPN. Then I unplugged the cable from my router that links to the cable modem. After about 45 seconds the VPN connection was dropped. At that point I reconnected the cable. After a short while I could see the Torrent had started downloading again, but this time over my ISP's connection and hence with my real IP. This is not what we want.

    So I disconnected from the VPN, stopped the Torrent and set everything back to normal. Now I reconnected again. This time after I was connected to the VPN I executed the command to delete my default route to my router. This had no effect on the VPN connection, and I was able to restart the Torrent, no problem. Now I unplugged the internet connection from my router once again. As before the VPN connection was dropped after about 45 seconds. I plugged it back in. However, this time, the connection did not revert back through my ISP. BitTorrent stalled and I was not able to browse the web or ping any addresses (named or by IP). I then added the default route back in and after that I could connect to the internet again through my ISPs connection. I repeated this whole process again, but instead of unplugging the cable I merely disconnected from the VPN by right-clicking on the icon. Again, the connection was totally dead until I manually restored it. So as far as I can tell, this method is rock solid. Very nice.

    I have written some simple batch scripts to do this automatically, which will probably be helpful for people that aren't comfortable with the command-line. It's also easier in general, so there is no reason not to use them. However, make sure you edit them to reflect your default gateway (aka your router) as it might have a different IP. In the script below I used "192.168.1.1" as that is common, but yours might be "192.168.2.1" depending on your brand of router. You can see how this should look by typing in a command window:

    route print

    Near the top you should see something like:

    Destination: 0.0.0.0
    Netmask: 0.0.0.0
    Gateway: 192.168.1.1
    Interface: 192.168.1.10

    It is important that both destination and netmask are "0.0.0.0". Gateway is what you are looking for (this is your router that then links to the internet). Interface will be your LAN IP. So what it says for Gateway is the IP that should be in the script below. Open Notepad and copy-paste the following code and then save with the appropriate name (*.bat). To run it you *must* right-click and do "Run as Administrator" (Vista and 7). On XP you can probably just double-click.

    RouteKill.bat
    Code:
    @echo off
    
    echo Killing Default Route
    
    route delete 0.0.0.0 192.168.1.1

    RouteRestore.bat
    Code:
    @echo off
    
    echo Restoring Default Route
    
    route add 0.0.0.0 MASK 0.0.0.0 192.168.1.1

    So just to be clear: you connect to the VPN as normal. Then you run "RouteKill.bat". Now you are protected. If the VPN drops you should be safe. Once you want your internet back, run "RouteRestore.bat". Seems to work good for me. Like I said before I am using PPTP but I think it should work for OpenVPN as well. If anyone else wants to test this, please do so and let me know.
     
    Last edited: Oct 24, 2010
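
One way to confirm that RouteKill.bat did its job is to check that no 0.0.0.0 / 0.0.0.0 route in the live table still points at the router. This is an added example, not JustJohnny's code: the function names and the sample routing table are constructed, and it assumes the English-language `route print` column layout.

```python
"""Check `route print` output for a default route that bypasses the VPN."""
import re
import subprocess
import sys

# Columns: destination, netmask, gateway (an address or "On-link"),
# interface, metric.
ROW = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)"
                 r"\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$")

# Constructed sample: VPN connected, RouteKill.bat not yet run.
SAMPLE_BEFORE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.10   4250
          0.0.0.0          0.0.0.0         On-link        10.99.0.2      21
      192.168.1.0    255.255.255.0         On-link     192.168.1.10   4506
     203.0.113.10  255.255.255.255      192.168.1.1     192.168.1.10   4251
===========================================================================
Persistent Routes:
  None
"""

# Constructed sample: the same table after `route delete 0.0.0.0 192.168.1.1`.
SAMPLE_AFTER = "\n".join(line for line in SAMPLE_BEFORE.splitlines()
                         if not line.rstrip().endswith("4250"))


def active_ipv4_routes(text):
    """Parse only the live IPv4 table; skip persistent and IPv6 sections."""
    routes, in_active = [], False
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("IPv6 Route Table"):
            break  # the IPv4 table is printed first
        if head.startswith("Active Routes"):
            in_active = True
        elif head.startswith("Persistent Routes"):
            in_active = False  # stored routes, not the live table
        elif in_active:
            match = ROW.match(line)
            if match:
                dest, mask, gateway, iface, metric = match.groups()
                routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                               "interface": iface, "metric": int(metric)})
    return routes


def leaky_defaults(text, lan_gateway):
    """Default routes that would carry traffic straight out via the router."""
    return [r for r in active_ipv4_routes(text)
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"
            and r["gateway"] == lan_gateway]


if __name__ == "__main__":
    # Usage: python routecheck.py 192.168.1.1   (your router's address)
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    output = subprocess.run(["route", "print"],
                            capture_output=True, text=True).stdout
    leaks = leaky_defaults(output, router)
    if leaks:
        print(f"UNSAFE: default route via {router} is still present")
    else:
        print(f"OK: no default route via {router}")
    raise SystemExit(1 if leaks else 0)
```

Run it after RouteKill.bat and again after a reconnect, since reconnecting or renewing a DHCP lease can put the default route back.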
  20. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    The way I'm seeing this it's not that complicated, you're just trying to prevent your DNS from leaking and getting connected to your ISP if the VPN connection dies.



    Yep...

    Also I'm not a networking guru, networking has been a bit of a weakness, but I see it one way here.

    1. We want to stop DNS from leaking.
    2. We want to keep ourselves protected from a dropped VPN connection.

    Ok the way I see this, it's real simple, but maybe I'm wrong so if I am I'd like to have someone point this out.

    1. Get a primary and secondary DNS from your VPN and use those, now no more DNS leak.

    2. In the TCP/IP assign it to a fake IP.

    Bingo, from what I now see, I've stopped a DNS leak and if my VPN dies, I'm not getting online because of the fake IP...
     
    Last edited: Nov 11, 2010
  21. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    @DasFox

    OK, here's an experiment. Secure your VPN interface as you prefer. Then terminate the VPN connection, and kill the OpenVPN daemon. Test by browsing http://www.google.com. That, of course, should time out. Google IPs such as 66.102.7.99 should also time out. If they don't, your VPN isn't secure.
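
The experiment in the post above (try a name, then a numeric IP, with the VPN down) can be scripted so the two results are reported separately. This is an added example, not part of the original thread: the `probe` function, its verdict labels and the port are assumptions, while the name and IP are the ones quoted in the post.

```python
"""Run after the VPN connection has been terminated; nothing should get out."""
import socket

TEST_NAME = "www.google.com"  # name used in the post above
TEST_IP = "66.102.7.99"       # IP quoted in the post; confirm it still answers
                              # with the VPN up, or substitute another address


def _resolve(name, resolver):
    """Return the resolved address, or None when DNS fails."""
    try:
        return resolver(name)
    except OSError:  # socket.gaierror is an OSError subclass
        return None


def _reachable(ip, port, timeout, connector):
    """True when packets to ip:port demonstrably left this machine."""
    try:
        conn = connector((ip, port), timeout)
    except ConnectionRefusedError:
        return True   # the remote side answered with a reset
    except OSError:   # no route, blocked by firewall, or timed out
        return False
    conn.close()
    return True


def probe(name=TEST_NAME, ip=TEST_IP, port=80, timeout=5.0,
          resolver=socket.gethostbyname, connector=socket.create_connection):
    """Classify what still works with the VPN down.

    leak      names resolve and connections succeed
    ip-leak   DNS is dead but numeric IPs still connect (DNS-only lockdown)
    dns-only  names resolve (resolver or cache) but connections fail
    blocked   neither works, which is the result you want
    """
    resolved = _resolve(name, resolver)
    by_ip = _reachable(ip, port, timeout, connector)
    by_name = resolved is not None and _reachable(resolved, port, timeout,
                                                  connector)
    if by_ip or by_name:
        verdict = "leak" if resolved else "ip-leak"
    else:
        verdict = "dns-only" if resolved else "blocked"
    return {"resolved": resolved, "by_ip": by_ip, "by_name": by_name,
            "verdict": verdict}


if __name__ == "__main__":
    result = probe()
    print(result)
    raise SystemExit(0 if result["verdict"] == "blocked" else 1)
```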
     
  22. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    So what I said works right? I don't see why it wouldn't?

    Also forgot to mention use a software firewall and have it only allow outbound on the VPN...

    In regards to DNS leaks is just using the DNS provided by the VPN going to help stop this? You're assigning the DNS you want, but is there a way for the real DNS to appear or no? As long as you assign a primary and secondary DNS from the VPN then you are good or is the ISP DNS still going to appear?

    THANKS
     
  23. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OK. Unless you block outbound with a firewall, you can connect to numeric IPs, even with no accessible DNS server, or local DNS cache.

    All interfaces other than the VPN need to be static. Otherwise, they'll get DNS servers from the local DHCP server.

    De nada.
     
  24. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825
    You actually don't need any firewall if you put in a fake IP, you're not getting online. 'Use the following IP address', isn't using DHCP....

    You can't connect if you've given a FAKE static IP, I'm not talking about a real static IP.

    I'm just saying in the TCP/IP preferences on a Windows machine, in the section;

    'Use the following IP address'

    Give it some fake IP in case you drop the VPN and you're not getting online...

    So now, what's wrong with this approach? Seems like everyone is trying to make it like you have to go through some complicated procedure to protect against a drop and to me this looks pretty simple like what I've explained above...

    1. So if you use DHCP, then 'Use the following IP address' and put in a fake IP.

    2. If you happen to use a static IP and not DHCP, then also put in a fake static IP.

    3. Either way, with 1&2 above, giving a fake ip, you're not getting online...
     
  25. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OK, I see what you mean. Sure, if you break an interface's TCP/IP by using a bogus static IP that's not on the same network segment as your gateway, you won't connect through it.
     