How would I know if my VPN disconnects?

Discussion in 'privacy technology' started by firefox2008, Jan 18, 2012.

Thread Status:
Not open for further replies.
  1. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    Would the computer just use my normal connection to get out? I would like it if, when my VPN disconnected, I couldn't access the net.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If the VPN disconnects, you will lose Internet connectivity. But that's only the case while the VPN client software is still running. If you then kill the VPN client software, you will regain Internet connectivity. That's what you would normally want, right? If you want an extra layer of protection, you can use a firewall to block all Internet connectivity except through the VPN.
     
  3. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Under normal circumstances, I'm pretty sure you wouldn't? I've been doing it a certain way for so long I forget, but I thought before that when my VPN went down I was oblivious to it until/unless I looked and saw a yellow OpenVPN icon instead of green... and that my ISP connection would take over, even with OpenVPN client still open? I can't say this with 100% conviction, but that's how I remember it.

    Anyhow, to make sure you notice it, and also make sure that nothing accesses the net when the VPN drops:

    With an outbound firewall create a VPN Zone with the IP add./range of that assigned by your VPN. Then incorporate this zone into your rules. For example, this is my rule set for svchost.exe (I use Comodo DNS):

    1) Allow UDP Out, from VPN Zone, to IP 156.154.70.22, Source Port Any, Dest. Port 53.

    2) Allow UDP Out, from VPN Zone, to IP 156.154.71.22, Source Port Any, Dest. Port 53.

    3) Block IP In/Out, Any, Any, Any

    4) Block TCP/UDP In/Out, Any, Any, Any, Any

    * If you want to allow DHCP as well, then create another rule:

    Allow UDP Out, from VPN Zone, Dest. Add. - Any, Source Port - 68, Dest. Port - 67

    ... also, delete the DNS server addresses out of your ISP's connection in "Properties". This now takes care of DNS leaks.

    Now we want to stop individual programs from leaking/working if your VPN connection drops. Incorporate that VPN Zone into some of your predefined rules, for example that of "Web Browser". For the source address of all the outgoing rules, set it to your VPN Zone. And once again place block rule(s) at the end (bottom) of it. What this does is of course allow your VPN connectivity, and if that were to go away it would block any traffic.

    If there are any inbound rules you want to set up then you'd use the VPN Zone as the Dest. Add. instead of source. For example a port set up for a P2P/Torrent client.

    After my VPN connects I also go to "View Active Connections" (Comodo FW) and set up a specific rule for OpenVPN allowing only the exact addy's/ports it's using, to make it tighter.

    Before you reboot your computer each time you'll want to change your svchost.exe rules back to allow your LAN (not just VPN Zone) to access that DHCP & DNS, or it might not assign you a new IP. It only takes a minute, and after a while you'll get used to it (I used to forget at first).

    This is all a minor inconvenience, but well worth the couple minutes it takes with each reboot for peace of mind.
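
The svchost.exe rule set described in the post above, modelled as an added example (not part of the original post and not Comodo's rule engine). It assumes rules are evaluated top to bottom with the first match winning, as the post's placement of the block rules at the bottom implies; the VPN Zone range 10.8.0.0/24 and the LAN addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumption: the range the VPN assigns to the tunnel adapter (the "VPN Zone").
VPN_ZONE = ipaddress.ip_network("10.8.0.0/24")

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    proto: Optional[str] = None      # None matches any protocol
    src_net: Optional[ipaddress.IPv4Network] = None
    dst_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, proto, src, dst, sport, dport):
        return ((self.proto is None or self.proto == proto)
                and (self.src_net is None or ipaddress.ip_address(src) in self.src_net)
                and (self.dst_ip is None or self.dst_ip == dst)
                and (self.src_port is None or self.src_port == sport)
                and (self.dst_port is None or self.dst_port == dport))

# svchost.exe rules from the post, in order; the DHCP rule is the optional one.
SVCHOST_RULES = [
    Rule("allow", "udp", VPN_ZONE, "156.154.70.22", None, 53),
    Rule("allow", "udp", VPN_ZONE, "156.154.71.22", None, 53),
    Rule("allow", "udp", VPN_ZONE, None, 68, 67),
    Rule("block"),  # catch-all, standing in for both block rules
]

def decide(rules, proto, src, dst, sport, dport):
    """First matching rule wins; no match means block."""
    for rule in rules:
        if rule.matches(proto, src, dst, sport, dport):
            return rule.action
    return "block"

if __name__ == "__main__":
    # Constructed packets: (protocol, source, destination, source port, dest port)
    samples = [
        ("udp", "10.8.0.6", "156.154.70.22", 50000, 53),      # DNS via the tunnel
        ("udp", "192.168.1.50", "156.154.70.22", 50000, 53),  # DNS after the VPN drops
        ("udp", "10.8.0.6", "8.8.8.8", 50000, 53),            # some other resolver
        ("udp", "192.168.1.50", "192.168.1.1", 68, 67),       # DHCP from the LAN address
    ]
    for pkt in samples:
        print(pkt, "->", decide(SVCHOST_RULES, *pkt))
```

The last sample is the case the post warns about before a reboot: with only the VPN Zone allowed as source, DHCP from the LAN address is blocked until the rules are relaxed.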
     
  4. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    260
    If you want to be 100% certain that your Internet browsing will stop when the connection fails, use an SSH tunnel instead of a VPN, but there aren't too many SSH tunnel providers left, and it requires you to change the browser proxy settings.

    I know of Cotse.net providing SSH tunnels and they have a tutorial on how to do this on their page.
     
  5. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    In any Operating System with OpenVPN you do not lose internet connectivity unless you have a firewall rule set up to prevent getting back online, or some other program to prevent this, and some VPN clients can be set up to prevent this. But if you don't take any of these steps, if the VPN drops, you are still connected and you can still get back online, exposing yourself.

    For Windows, the simplest thing to do is use VPNCheck;

    http://www.guavi.com/
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Properly configured VPN services use "redirect-gateway def1". It's either in the client config file, or the server pushes it. If you don't see that in the connection log, don't use that service. If it's there, you will have no Internet connectivity if the VPN goes down (until you terminate the client).

    I agree that using a firewall is good insurance.
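
One way to run the check described in the post above, looking for "redirect-gateway def1" in the client config and in the server's PUSH_REPLY in the connection log. This is an added example, not part of the original post; the function names, the sample config and the sample log lines are constructed for illustration.

```python
import re

# Matches the directive with def1 among its flags, e.g. "redirect-gateway def1 bypass-dhcp".
DIRECTIVE = re.compile(r"^redirect-gateway\s+(?:\S+\s+)*?def1\b")

def in_client_config(config_text):
    """True if an uncommented 'redirect-gateway ... def1' line is in the config."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):   # OpenVPN comment markers
            continue
        if DIRECTIVE.match(line):
            return True
    return False

def pushed_by_server(log_text):
    """True if a PUSH_REPLY in the connection log carries the option."""
    for line in log_text.splitlines():
        m = re.search(r"PUSH: Received control message: '(PUSH_REPLY[^']*)'", line)
        if m and any(DIRECTIVE.match(opt.strip()) for opt in m.group(1).split(",")):
            return True
    return False

def redirect_gateway_source(config_text, log_text):
    """Return 'config', 'pushed', 'both', or None when def1 is absent."""
    cfg, push = in_client_config(config_text), pushed_by_server(log_text)
    if cfg and push:
        return "both"
    return "config" if cfg else "pushed" if push else None

# Constructed samples, not taken from any real provider.
SAMPLE_CONFIG = """client
dev tun
remote vpn.example.net 1194
;redirect-gateway def1
"""
SAMPLE_LOG = """Wed Jan 18 10:00:03 2012 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Wed Jan 18 10:00:05 2012 Initialization Sequence Completed
"""
SPLIT_TUNNEL_LOG = """Wed Jan 18 10:00:03 2012 PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'
"""

if __name__ == "__main__":
    print(redirect_gateway_source(SAMPLE_CONFIG, SAMPLE_LOG))        # pushed
    print(redirect_gateway_source(SAMPLE_CONFIG, SPLIT_TUNNEL_LOG))  # None
```

The commented-out line in the sample config is deliberately not counted, so the first result comes only from the server push.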
     
  7. DasFox

    DasFox Registered Member

    Joined:
    May 5, 2006
    Posts:
    1,825

    I only thought this was to redirect the traffic over the tunnel is all...

    I'll play with this and let you know how it works for me...


    THANKS
     