My VPN Testing Site is Finally Up

Discussion in 'privacy technology' started by mirimir, Jun 16, 2016.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    No, I've been working on other stuff. Sorry :(
     
  2. The Count

    The Count Registered Member

    Joined:
    Jun 13, 2016
    Posts:
    122
    Location:
    France
    Difference between your site and ipleak.net?
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    I installed and tested each VPN, in Windows and OSX. And analyzed traffic captures, looking for leaks. It was a lot of work.
     
  4. bolehvpn

    bolehvpn Registered Member

    Joined:
    Oct 10, 2011
    Posts:
    84
    Location:
    Malaysia
    hi all! We are rolling out IPv6 on all our servers and will update when it is done :D
     
  5. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    I have a couple questions about this.

    1) I noticed in the iVPN setup guide for Linux, that it says to us iptables to route all traffic through the VPN and to disable IPv6, but only in the directions for using NetworkManager, not in the directions for using OpenVPN on it's own. Aren't the leaks an issue both with NetworkManager and with OpenVPN on its own?

    2) If you disable IPv6 entirely, isn't that going to break a lot of websites these days? and more and more so?

    3) Once you setup iptables to send all traffic through the VPN, does this mean you will have to manually edit the iptables rules every time you want to go off the VPN and then back on, etc.?
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Yes, leaks are also a risk using the straight OpenVPN daemon. However, in my experience, the daemon tends to fail closed. Network Manager tends to fail open. But yes, it's best to use iptables and disable IPv6 for both. I'll recommend adding a warning to the directions for the daemon.
    It's not a huge problem yet. But it will be. Still, having IPv6 disabled is better than having it bypass the VPN. If IPv6 matters to you, you can use one of the VPN services that route it and don't leak (such as FrootVPN and Perfect Privacy).
    Yes, you have to use different iptables rules. But that's very easy with iptables-persistent. The default rules, /etc/iptables/rules.v4 and /etc/iptables/rules.v6, load during boot. But changing active rulesets is easy:

    Code:
    # iptables-restore < /etc/iptables/vpn-rules.v4
    # iptables-restore < /etc/ip6tables/vpn-rules.v6
     
  7. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    Hi mirimir,

    Thanks as always for the thoughtful reply.

    Can you point to a good guide for setting up iptables to use with a VPN? I've looked around, but they all seem a little bit more complicated and not self-explanatory, than I thought it would be. That left me feeling like I was not going to be sure I did it correctly.

    Also do you have any thoughts about packages/scripts like VPN-Firewall (https://github.com/adrelanos/VPN-Firewall) and vpnfailsafe (https://github.com/wknapik/vpnfailsafe)?

    Cb
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Sure :)

    /etc/iptables/vpn-rules.v4
    Code:
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j DROP
    
    -A FORWARD -j DROP
    
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -o eth0 -d a.b.c.0/24 -j ACCEPT
    -A OUTPUT -o eth0 -d w.x.y.z -j ACCEPT
    -A OUTPUT -o tun0 -j ACCEPT
    -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -j DROP
    
    COMMIT
    Your LAN is a.b.c.0/24, and w.x.y.z is the VPN server.

    /etc/iptables/vpn-rules.v6

    Code:
    *filter
    
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    
    COMMIT
    I've used VPN-Firewall, but have come to prefer iptables-persistent. I like the vpnfailsafe design, but I've never used it.
     
  9. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    Thanks!

    So my LAN is the IP address my router assigns to me? Does this mean that on my laptop I will have to change this in iptables, every time I'm in a different location? Also isn't eth0 the ethernet connection, what about wlan0 or something like that for wifi? Sorry if these are very basic questions.

    And with the VPN server I could put as many lines in there as I want, to cover the different servers from my VPN provider that I think I might use?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Well, a.b.c.0/24 is the LAN subnet, specified in the router setup. Your router might assign a.b.c.d to your laptop, a.b.c.e to another device, and so on. You only need that rule if you want to access other devices on the LAN. Otherwise, it's not needed. If you switch among locations, you could have separate rulesets for each one.

    The "-o eth0" option in the rules for LAN and VPN server is arguably optional. Perhaps it's less secure, but not hugely. If you switch between local networks a lot, it's probably best to drop it. Then you can reach the specified VPN server(s) wherever you're connected. If you're using public WiFi, for example, and you have a rule allowing access to your home LAN, it just won't match anything.

    And yes, you can have as many rules for VPN servers as you like.
     
  11. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    Okay, thanks for the further explanations.

    *

    I'm curious what you think about the rules that the AirVPN client apparently sets for iptables. They are somewhat different and more extensive. This is where I start to get bewildered, when there are different guides that say different things, ostensibly to reach the same end.

    From: https://airvpn.org/faq/software_lock/

    Code:
    # Flush
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    
    # Flush V6
    ip6tables -F
    ip6tables -t nat -F
    ip6tables -t mangle -F
    
    # Local
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Local V6
    ip6tables -A INPUT -i lo -j ACCEPT
    ip6tables -A OUTPUT -o lo -j ACCEPT
    
    # Make sure you can communicate with any DHCP server
    iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT
    iptables -A INPUT -s 255.255.255.255 -j ACCEPT
    
    # Make sure that you can communicate within your own network if Private Network option is enabled
    iptables -A INPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A OUTPUT -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
    iptables -A OUTPUT -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
    iptables -A INPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
    iptables -A OUTPUT -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
    
    # Allow incoming pings if Ping option is enabled
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    
    # Allow established sessions to receive traffic:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow TUN
    iptables -A INPUT -i tun+ -j ACCEPT
    iptables -A FORWARD -i tun+ -j ACCEPT
    iptables -A OUTPUT -o tun+ -j ACCEPT
    
    # Block All
    iptables -A OUTPUT -j DROP
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    
    # Block All V6
    ip6tables -A OUTPUT -j DROP
    ip6tables -A INPUT -j DROP
    ip6tables -A FORWARD -j DROP
    
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Well, first thing, these are iptables commands, which you could put in a bash script, not rules files like iptables-persistent uses.
    This is housekeeping stuff that iptables-persistent handles.
    I don't get why you'd need the local IPv6 stuff. But then, I don't have IPv6, except in my testing environment.
    I've never had a problem without this. But it wouldn't hurt.
    First, they have versions for all LAN types, which is confusing. But I suppose that you could have rules to allow multiple LANs that you're using. But second, I wouldn't want rules allowing input from other LAN devices. My rules allow output to other LAN devices, but only related/established input.
    I guess, but see no reason for it.
    The "-i tun+" thing is just a wildcard for all tunnels. I don't see why you need more than tun0. Crucially, I see no reason to allow forwarding or input on the tunnel. Unless you're running a server with a forwarded port. Which is not such a good idea.
    That's cool.

    So, does that make sense?
     
  13. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    That helps immensely. Thanks so much for taking the time to read through that and comment on it. I am starting to grasp how some of this stuff works and the concepts behind it. Thanks again.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
  15. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    Last edited: Mar 5, 2017
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Wow! That is pretty cool :) But actually, I wish that IVPN did that with their client ;)
     
  17. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    I guess I simply wish iVPN had a Linux client. Maybe that's what you meant.

    My one issue with the AirVPN client, which has lots of good options (including modifying some of the things that it does with iptables) is that it requires root privileges. I hate to give general root privileges to a third party app like that. They said in the future they will limit this, but it's not in the near future.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    OK, sorry :( I wasn't thinking. I also wish that they had a Linux client. But their focus now is smartphones. They just did iOS, and are working on Android. They do what their customers ask for, I guess.
     
  19. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    Yeah, I can see where Linux is not the top priority. It's nice that at least AirVPN and Mullvad have Linux clients.
     
  20. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    What do you think about using ufw for preventing dns leaks? Such as in this guide:

    https://www.reddit.com/r/VPN/commen...way_to_set_up_ubuntu_so_that_it_will/comog21/

    It's seems like a very straightforward method (assuming it's just as good).

    That's actually what iVPN technical help referred me to, after saying they do not provide a guide because ever Linux distro is different. (In fact, I'm just noticing that in Arch there is not iptables-persistent package, not even in AUR. This is the first time ever I've come across a package that Arch doesn't have at least in AUR. Interesting. Probably iptables-persistent is too easy for the "Arch way"?)

    *

    Also, I'm wondering what you think about using resolv.conf to configure a DNS server (like Google, OpenDNS, somebody else) other than the VPN. It has the advantage of allowing the system to still resolve DNS if the connection drops. And I'm wondering if separating trust between the VPN and some other DNS service is actually more private. Maybe not since I guess if the VPN wants to they know every site you're visiting anyway.
     
    Last edited: Mar 5, 2017
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Sure, ufw is just another way to manage iptables. That guide gives you essentially the same rules.
    I have no clue. But this seems pretty similar: https://wiki.archlinux.org/index.php/Iptables
    I'd call that a DNS leak. I don't want the system to reach anything directly except for VPN servers. But you can, of course, use any DNS server with your VPN. But there's no chance of hiding anything from the VPN, unless you work through another VPN :)
     
  22. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    Thanks for the thoughts. Yeah, I guess now that I think about it more, on a single hop VPN connection there's no point sharing one's activity with a separate DNS server, since your VPN service knows what you're doing anyway. Why trust more people than you have to?

    I'll check out the Arch iptables link later. The site seems to be down right now. Thanks for that too.
     
  23. oblue

    oblue Registered Member

    Joined:
    Nov 13, 2010
    Posts:
    18
    In Boleh forum page, there seems to be a post referrring to Mirimir's thread and the admins' replies follow. However, I couldn'd see a satisfactory answer regarding to the "Dns Hijacking". Do you guys think that this issue may have been checked out during the upgrade process?

    https://www.bolehvpn.net/forum/index.php?topic=10219.0
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    With DNS leak protection activated, you won't get DNS leaks aka hijacking. With their gateway-based leak protection, the VPN won't reconnect if your uplink gets interrupted. But there won't be any leaks until you terminate the VPN client. So you just need to shut down stuff that you don't want using the naked ISP uplink before you terminate the VPN client.

    As Pit Boss says, you need to add your own firewall rules if you want better leak protection. Linux iptables rules are here: https://www.ivpn.net/knowledgebase/191/How-do-I-prevent-VPN-leaks-using-iptables.html I could probably hack Windows and OSX firewall rules, but maybe someone who knows those systems better could share.
     
  25. oblue

    oblue Registered Member

    Joined:
    Nov 13, 2010
    Posts:
    18
    That's good to know, thanks Mirimir.
     
Loading...