Discussion in 'privacy technology' started by mirimir, Jun 16, 2016.
Mirimir, have you performed any testing on Windows 10?
I have been testing Windscribe for a few weeks on their 10GB/month free plan. Performance is good, plus it includes a Firewall (kill switch). Their unlimited normal rate appears to be $9/month, but I just received a 66% discount offer (good until the end of the month) to upgrade for $29.99/year. So far I don't see any negatives to this Canadian VPN service.
This is what their FAQ claims about IPv6 and DNS leak protection: https://windscribe.com/faq
Nope, just Windows 7.
I used "VyprDNS" with "DNS Leak Protection". Also, "Kill Switch" active. This was with version 18.104.22.16814 of their Windows app.
I've never looked into it.
Thanks for the feedback, which is very helpful.
I upgraded to the paid version of Windscribe, and so far so good. With access to the additional locations, I am able to connect to several locations much closer to home now. The ping times and network speed tests are all very good with my high speed broadband connection.
The only nagging thing I have noticed is that various DNS lookups sometimes lag during web page loads. I also noticed this with several other VPNs I trialed. Is this a common issue with VPNs, or something worth reporting to support?
If I drop the VPN connection and use Google DNS, all pages load very quickly.
Are you using DNS Servers provided by Windscribe when connected to the VPN tunnel?
Yes, so far I don't see any other option ...
Try this. It worked for him.
@imdb thanks for the link! Interesting read, but I don't see any options like that in my VPN preferences. I'm sure that the providers must differ in what settings they expose to the user.
My best option is probably to email support and see if there is anything to change.
It's nothing to do with your VPN client. Right-click your LAN connection, click Properties, under the Networking tab click "TCP/IPv4", click Properties, click "Advanced" and untick "Automatic metric", and then manually assign a value for "Interface metric" as stated in that link.
Ahhh, thanks, that is the clue I needed. I assumed he was referencing the VPN client.
That option is something I have obviously overlooked, having spent many years since dial-up internet days configuring network adapters and TCP/IP. Seems that there are a few options that you don't typically mess with, or question, to set up a working network config. I will have to look further into what that does ...
But good news! That seems to have done the trick. The DNS latency now seems to have dropped to what I would consider normal for my direct ISP connection!
glad you got it sorted out.
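The adapter setting described in the posts above can also be inspected and changed from PowerShell. This is an added example, not part of the original thread; it assumes Windows 8 or later and an elevated session, and the metric value is left as a parameter because the thread does not state one.

```powershell
# Added example: view and set IPv4 interface metrics (run elevated).
function Get-InterfaceMetricReport {
    # One row per connected IPv4 interface, lowest (most preferred) metric first,
    # together with the DNS servers configured on that interface.
    Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $dns = Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4
            [pscustomobject]@{
                Alias     = $_.InterfaceAlias
                Metric    = $_.InterfaceMetric
                Automatic = $_.AutomaticMetric      # Enabled = "Automatic metric" is ticked
                Dns       = $dns.ServerAddresses -join ', '
            }
        }
}

function Set-ManualInterfaceMetric {
    param(
        [Parameter(Mandatory)] [string] $Alias,   # adapter name as shown by the report
        [Parameter(Mandatory)] [int]    $Metric   # your choice; no value is given in the thread
    )
    # Same effect as unticking "Automatic metric" and typing an "Interface metric".
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 `
        -AutomaticMetric Disabled -InterfaceMetric $Metric
}

# Show the current state before changing anything.
Get-InterfaceMetricReport | Format-Table -AutoSize
```

Run the report with the VPN connected to compare the tunnel adapter's metric and DNS servers against those of the LAN adapter.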
All good now. Really liking Windscribe here. The "Firewall" feature, included in the free and paid versions, works well. You can set it to automatic, so network connections are blocked if the VPN connection is interrupted. Also there is the option to allow LAN traffic, or not, when the firewall is on. Plus they offer 10GB/month in their free plan, same service as Pro, but with a limited number of servers to choose from.
Another VPN I tested with their 3-day trial was NordVPN, but their "Kill Switch" really left me scratching my head. It just lets you create a list of apps that you want it to kill if the VPN drops. Not really a network firewall at all. Seems popular though, and the reviews are generally favorable. Not for me, though ...
So hey, could someone who uses the AirVPN client check Network Lock options for me?
Running W10 x64.
Did work out where the "interface metric" is; it is already on Manual, as above. Is that the number that needs to be changed, and to what number, please, anyone?
What about eddie's lock do you need checked?
Is there an option to allow pings when the VPN connection is down?
And if there is, what's the default setting? To allow, or block?
Also, can one specify what hosts to allow pings to?
I'm mostly interested in the OS X version, but also for the Windows one.
I'm asking because getting to the VMs that I used for testing is a bit of a hassle.
I am sorry, but I don't have the ability to run OSX. However, I believe eddie to be the same regardless of platform. The screenshot was taken in Windows.
So is "Allow ping" checked by default in a fresh install?
I'm guessing that the "Addresses allowed" box isn't restricted to pings.
So I'm wondering whether "Allow ping" applies only to the VPN tunnel.
I can't imagine why you'd want to allow pings to bypass the VPN tunnel.
Yes, it is.
I would assume that as well.
I believe that it does, or else why would the option be listed under "network lock."
The only thing I can think of is that AirVPN is pinging their own server in order to give accurate latency, so users can select the best/fastest server for themselves.
My question was ambiguous. What I meant: So I'm wondering whether "Allow ping" allows pings to bypass the VPN tunnel.
And from what you say, it looks like it does.
So damn, it looks like they do allow pings to bypass the VPN tunnel. By default. And I do get that they might want their client to periodically ping their VPN servers. As you say, so users can use the lowest latency ones.
But still, that doesn't make sense to me, as the default setup. Maybe if they only let their client ping stuff. And better, just their VPN servers. But to allow any process to ping anything, bypassing the VPN tunnel, is dangerous. Maybe torrent clients, for example, ping peers or trackers or whatever. So adversaries could log that traffic, to use in identifying swarm members. And who knows what malicious, or merely just insecure, apps are pinging stuff routinely. And how that might deanonymize VPN users.
Bottom line, when you enable something like "VPN firewall" or "network lock" or whatever similar feature, it ought to block all non-VPN traffic by default. Now, I'm sure that expert users of VPN clients would delve into all of the options, and configure things to their liking. But, I designed my testing protocol with naive users in mind. Or at least, naive users that don't want stuff to leak. Where one leaked packet might deanonymize them. And for their initial use, not after mastering the app. So yes, I enabled whatever leak-protection features that I could find, but I didn't dig through all of the options.
Anyway, I need to restore that VM host and the relevant VMs, and check just exactly how I configured things.
And by the way, I'm going to update my site soon. I'll focus on the testing procedure. I'll write it as a how-to guide, with more background about the various steps. I do cover the basic approach at https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-leak-test but still ...
So then, the current results will be presented as examples. And I'll make it clear that I did the testing in mid 2016. And that I'm not planning on doing more tests, unless someone offers to pay me enough. Frankly, it's a horrible combination of tedious and nerve-wracking. I don't want to be wrongly accusing VPN clients of leaking, after all.
And not only that. It's a pointless exercise. There are so many VPN services. And they're continually coming up with new, improved clients. Even the job of tracking client updates for 20-30 of them would be substantial. Plus the fact that most people are now using Android and iOS, and I have no clue how to test those apps anonymously. Maybe restricted to WiFi connectivity. But that wouldn't be realistic. And I'd need a room-sized Faraday cage.
The far better option, I believe, is to teach people how to do their own leak testing.
However, I'm not going to explain how to get IPv6 connectivity, using a private VPN server. Only a few would actually do that, and they can handle it themselves. But of course, people who have IPv6 can test for IPv6 leaks.
mirimir - A couple of points that need to be considered; first is that the pinging option was in the network lock page. (Read more about that here.) That doesn't necessarily have anything to do with the VPN itself, it just means that pings can be allowed should the lock be on and the VPN not connected. Also, I can't stress this enough, I never trust VPN software. I always have a backup for "network locks" and "kill switches." This can be something as simple as running a script that will kill apps on VPN disconnect (taskkill /f /im qbittorrent.exe) or firewall-based rules that prevent anything but the VPN from connecting (TAP address filtering with Comodo preferred over Windows Firewall). Is it extra work? Yuuup. But it's more secure. I'd be interested in hearing what AirVPN has to say on the issue of pinging.
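A firewall-based fallback lock of the kind mentioned in the post above, written here for the built-in Windows Firewall rather than Comodo. This is an added example, not code from the thread or from any VPN provider; the adapter alias, server address, protocol and port are constructed placeholders to replace with your own.

```powershell
# Added example: fallback "network lock" with Windows Firewall (run elevated).
# Constructed placeholders, replace with your own values:
$VpnAdapter = 'VPN-TAP'        # alias of the VPN virtual adapter (see Get-NetAdapter)
$VpnServer  = '203.0.113.10'   # VPN server address (documentation range)
$VpnProto   = 'UDP'            # assumed transport of the VPN connection
$VpnPort    = 1194             # assumed port of the VPN connection
$Group      = 'VPN-Fallback-Lock'

function Enable-VpnLock {
    # Allow anything that leaves through the tunnel adapter.
    New-NetFirewallRule -DisplayName 'Lock: allow via tunnel' -Group $Group `
        -Direction Outbound -Action Allow -InterfaceAlias $VpnAdapter | Out-Null
    # Outside the tunnel, allow only the connection to the VPN server itself.
    New-NetFirewallRule -DisplayName 'Lock: allow VPN server' -Group $Group `
        -Direction Outbound -Action Allow -Protocol $VpnProto `
        -RemoteAddress $VpnServer -RemotePort $VpnPort | Out-Null
    # Everything else outbound, pings included, is now blocked unless a rule allows it.
    Set-NetFirewallProfile -All -DefaultOutboundAction Block
}

function Get-LockBypassRule {
    # Outbound allow rules that already existed still apply under default-block
    # and can let traffic out beside the tunnel, so list them for review.
    Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
        Where-Object { $_.Group -ne $Group } |
        Select-Object DisplayName, Profile
}

function Disable-VpnLock {
    # Restore the default outbound policy and remove the rules added above.
    Set-NetFirewallProfile -All -DefaultOutboundAction Allow
    Remove-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue
}
```

After `Enable-VpnLock`, run `Get-LockBypassRule` and disable any listed rule that should not be able to send traffic outside the tunnel; `Disable-VpnLock` reverts the change.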