My VPN Testing Site is Finally Up

Discussion in 'privacy technology' started by mirimir, Jun 16, 2016.

  1. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    340
    I tried following the guide, using iptables-persistent, but ran into a couple of problems.

    1) When I tried to enable the vpn-rules.v4, I got an error:
    Code:
    iptables-restore v1.4.21: Can't use -o with INPUT
    
    Error occurred at line: 27
    It looked like all other INPUT lines had "-i" not "-o", so I changed it to "-i" and then did not get an error. But I don't know if that was the right thing to do.

    2) Once I had the rules enabled I could not connect to the internet. I could connect to the VPN server without a problem. But in a web browser I just got an error that there was no internet connection. I commented out the following line, because I did not think I needed it, but maybe that was a mistake. Is this needed to connect to my router?
    Code:
    # You may want rule(s) to allow LAN access. There can
    # be multiple rules, one for each LAN that you use. If
    # also using WiFi, add another rule, with "-o wlan0",
    # instead of "-o eth0".
    
    #-A OUTPUT -o eth0 -d x.y.z.0/24 -j ACCEPT
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    1) Oops :( Yes, that should be "-A INPUT -i eth0 -s 255.255.255.255 -j ACCEPT".

    2) No, you don't need to allow LAN access to connect to the Internet through your router. I mean, you said that you could connect to the VPN server. You would need that rule, however, in order to log into the router, to administer it.

    Do you have the rule "-A OUTPUT -o tun0 -j ACCEPT"? That should give you Internet access as long as the VPN is connected. Unless the VPN somehow isn't tun0. So which interfaces do you see by running ifconfig?
     
  3. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Just something to keep in mind, guys... I have my VPN's client in case I need it (for a server I don't normally use), but I usually just use network-manager's VPN feature, along with iptables to force everything through the tunnel (and block all incoming over the tunnel [except established]).

    Basically, just because your VPN doesn't have a client doesn't mean you need to mess with openvpn config files or the CLI while at a coffee shop somewhere. My VPN provider doesn't recommend it, but they're probably assuming the average guy doesn't take the time to set up iptables (in case the connection drops).

    Also, watch out if you use libvirt: if your init starts it after iptables (or UFW), it will overwrite some rules and allow your VMs to send packets outside the tunnel...
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Can you say more about libvirt, please?
     
  5. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Yeah, sorry about that; I wasn't really specific enough. I have systemd as my init (Arch), use iptables for enforcing no leaks (only allow out on tun0, allow no in except established), and use libvirt along with a couple of virtual machines.

    However, libvirt injects some rules and I didn't know that. One time my VPN connection dropped (doesn't happen often, hence why I hadn't noticed before), and magically my VMs were still sending packets despite iptables rules clearly making that impossible. Turns out the rules injected by libvirt are very relaxed.

    See this article for more details (towards the bottom): https://jamielinux.com/blog/force-all-network-traffic-through-openvpn-using-iptables/

    I eventually set systemd to load iptables after libvirt, but that only worked sometimes (I'd sometimes have to manually restore iptables rules in order to prevent leakage for my VMs if the connection dropped). Finally I "fixed" it by setting iptables to load after libvirt, but also having ExecStartPre=/usr/bin/sleep 1 in iptables systemd multi-user.target.wants. A dirty hack, but even trying other things like requiring graphical.target and all that to come up first simply didn't work.

    This works for me in that my desktop isn't even loaded before everything is up and working correctly.
     
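As an added example that is not part of this thread or the linked guide: a shell check, run over iptables-save output, that flags FORWARD rules of the kind libvirt injects for its default virbr0 bridge, which would let VM traffic bypass the "-A OUTPUT -o tun0 -j ACCEPT" policy discussed earlier whenever the tunnel is down. The tunnel name (tun0), the bridge and subnet names and both sample rule sets are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): scan iptables-save output for FORWARD
# rules that would let VM traffic (e.g. from libvirt's virbr0 bridge) leave
# through something other than the VPN tunnel. VPN_IF, the interface names
# and the two sample rule sets are assumptions.

VPN_IF="${VPN_IF:-tun0}"
# Reads iptables-save text on stdin, prints each offending FORWARD rule
# and exits 1 if any were found, 0 if the set is clean.
find_forward_leaks() {
  awk -v vpn="$VPN_IF" '
    # opt(line, "-i") -> the interface named after that flag, or ""
    function opt(line, flag) {
      if (match(line, flag " [^ ]+"))
        return substr(line, RSTART + length(flag) + 1, RLENGTH - length(flag) - 1)
      return ""
    }
    /^\*/ { table = substr($0, 2); next }          # *filter, *nat, ...
    table == "filter" && $1 == ":FORWARD" && $2 != "DROP" {
      print "policy FORWARD " $2 " (expected DROP)"; bad = 1
    }
    table == "filter" && $1 == "-A" && $2 == "FORWARD" && / -j ACCEPT/ {
      in_if = opt($0, "-i"); out_if = opt($0, "-o")
      if (out_if == vpn) next                      # tunnel-bound: fine
      if (out_if != "" && out_if == in_if) next    # VM-to-VM on one bridge
      if (/ESTABLISHED/) next                      # reply traffic only
      print; bad = 1                               # anything else can leak
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: a "tun0 only" policy plus what a libvirt default
# network typically adds. The second FORWARD rule has no -o, so VM packets
# get forwarded out eth0 whenever tun0 is down.
LEAKY_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT'

# Same set with the libvirt rule pinned to the tunnel interface.
PINNED_RULES=$(printf '%s\n' "$LEAKY_RULES" |
  sed "s/-i virbr0 -j ACCEPT/-i virbr0 -o $VPN_IF -j ACCEPT/")

printf '%s\n' "$LEAKY_RULES" | find_forward_leaks || echo "leak rules found"
```

On a live host the same function runs as `iptables-save | find_forward_leaks`; a non-zero exit after the VPN unit starts is the cue to re-apply the ruleset, which is the condition the post above describes.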
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    OK, thanks. I've never used libvirt. What are advantages over just using VBoxManage etc?
     
  7. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    One can use a grsecurity kernel with libvirt (VBox needs some protections disabled), and libvirt can also be built with apparmor support to isolate VMs from one another as well as from the userspace of the host OS (by auto-generated apparmor profiles at VM launch that are very strict). KVM (managed by libvirt) can also do PCI passthrough of GPU cards to a Windows guest for native-like gaming performance on a virtual machine; I don't use this but many do. KVM generally has slightly better performance, virsh is at least as good as VBoxManage (virt-manager isn't quite as nice as VBox's GUI, though still good), and KVM has a smaller attack surface than VirtualBox.

    Virtualbox is great though... it comes down to preference, how your host is configured, and what features you need. KVM/libvirt was better for me overall...
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Thanks :)

    I've pretty much stuck with VBox because I'm lazy. But there's also the issue that I want to proselytize, and VBox VMs are already a stretch for many folks.
     
  9. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Oh yeah, VirtualBox is vastly superior for that cause. It's much prettier and its integration tools are top shelf. It's also cross-platform, which is nice for many reasons.

    KVM/libvirt is a bit more "stick shift" and while it can be excellent, it requires more work and its interface isn't as pretty (even the CLI).
     
  10. Ya5h Kh4n

    Ya5h Kh4n Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,039
    mirimir,

    What do you have to say about Windscribe VPN?
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
  12. Ya5h Kh4n

    Ya5h Kh4n Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,039
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    I'll probably do another test series eventually. It's boring and tedious, to do more than a few.

    What I'll do first is write up a detailed how-to.
     
  14. jaypeecee

    jaypeecee Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    79
    Location:
    UK
    Fantastic piece of work and I'm a beginner when it comes to VPNs. I'm currently evaluating VyprVPN on my Windows 10 PC and Android devices. I have two questions:

    [1] Which VPN protocol did you select from the four available for VyprVPN? (They are OpenVPN, L2TP/IPsec, PPTP and Chameleon).

    [2] Do you plan to extend your tests to VPNs for Android?

    JPC
     
    Last edited: May 29, 2017
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    I only tested VPNs with OpenVPN protocol.

    Testing Android and iOS would be hard, without a cellular test lab. If I wanted to stay semi-anonymous, anyway. I could use VMs, I know, but it seems iffy to extrapolate from virtual smartphones to real ones.

    More generally, it was tedious work, and I'm not sure when I can stand to do more of it.
     
  16. jaypeecee

    jaypeecee Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    79
    Location:
    UK
    Hi,

    Many thanks for your reply.

    Regarding my second question, do you think it would be something that a cellular test lab might consider doing? Or indeed anyone else with sufficient knowledge and inclination to do the work? Or even the VPN providers themselves. If, for example, VyprVPN were aware of the leaks that your tests expose, perhaps they could repeat the tests and extend them to other platforms, e.g. Android. Just my train of thinking.

    JPC
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    De nada :)
    You'd think that someone would be testing, wouldn't you? I do. I think that the VPN industry is important enough to warrant an independent testing lab. But then, look at software.

    Anyway, I'm probably too close to IVPN now, for other providers to trust me.
     
  18. jaypeecee

    jaypeecee Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    79
    Location:
    UK
    Yes, now that VPN providers are plentiful, we end-users need an independent body to put VPNs through their paces. Perhaps the likes of AV-Comparatives could branch out into this rapidly-developing market. With reference to VyprVPN, would you have any objection to my pointing them to your VPN Testing website? I am interested to see how they will respond to your findings. As I mentioned previously, I am currently evaluating VyprVPN (on Windows 10 and Android).

    JPC
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    Yes, something like AV-Comparatives.
    Sure, that's fine. I didn't contact VPN providers, and none contacted me. There is a message for providers: https://vpntesting.info/For-VPN-Providers.html

    Do mention that the testing data is a year old.
     
  20. jaypeecee

    jaypeecee Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    79
    Location:
    UK
    Hi mirimir,

    When you tested VyprVPN, did you enable DNS Leak Prevention in the Options settings? Or perhaps that isn't relevant in the way you configured the tests?

    JPC
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    I don't remember. My notes indicate that I used "VyprDNS".

    I can check, if you really care. I'd need to load the VM from backup.
     
  22. jaypeecee

    jaypeecee Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    79
    Location:
    UK
    Hi mirimir,

    I would be interested in knowing if you did enable DNS Leak Prevention on VyprVPN. Hope it doesn't inconvenience you too much.

    JPC
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,873
    OK, I'll check.
     
  24. JDawg

    JDawg Registered Member

    Joined:
    Aug 25, 2015
    Posts:
    20
    Mirimir, you made me feel much better. The VPNs you listed as really good, I have and tested them for leaks. Nothing showed at all. Thank you for all your hard work!
     
  25. jaypeecee

    jaypeecee Registered Member

    Joined:
    Aug 21, 2007
    Posts:
    79
    Location:
    UK
    Thanks, Mirimir.

    JPC
     