Picking 1st VPN service

Discussion in 'privacy technology' started by securitynoob79, Feb 10, 2013.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Contrary to any of my (here, misguided) ramblings, the Comodo rules are at <https://forums.comodo.com/firewall-help-cis/configuring-to-block-all-nonvpn-traffic-t91413.15.html>.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    PRQ are great people, for sure :thumb:

    But their VPN service is not safe for casual use as a "hide my IP" service. I've never used it, but it's my understanding that it's totally open, with no firewall. It's just as if you were there in Sweden, and got a direct Internet uplink. That's a good thing, if it's what you need. But it's dangerous, unless properly secured.
     
  3. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    A RiseUp! kill switch? How?
     
  4. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Riseup responds the same way that Cryptohippie responds when the internet connection is interrupted. The icon turns yellow and stays that way until you manually disconnect it. You have no internet connection until you right click and tell it to disconnect. It blocks everything. I checked the browser and my antivirus update etc. and nothing can connect. And it never reconnects on its own. You have to deliberately disconnect the VPN or everything is blocked.

    I used Cryptohippie for 3 years and just assumed that this was just the way that all VPNs worked. That's why I was *shocked* when I switched to airVPN and saw that it would disconnect and allow the bare connection through, immediately, and then reconnect.....or sometimes not reconnect. I wonder how many times it did this when I didn't notice? I have left the room and come back to notice that the VPN was disconnected. Normally I only would have noticed when I opened the browser and Google was google.com instead of Google in the Netherlands or somewhere else. If I was already browsing or in my email I would not have known unless I saw the icon turn grey. That is just completely unacceptable to me.

    When I tested Mullvad, I turned off the wireless card for a few seconds. Exited the browser and then opened it back up. Then with the browser open I would reconnect and as soon as I could see that it was connected in the system tray I would click the home button. It immediately went to google.de. If I left the wireless connection off longer, Mullvad would disconnect completely and have to reconnect. But there was no internet connection until it reconnected and as soon as it did I clicked home and it went directly to google.de.

    So Mullvad works a little differently than Riseup and Cryptohippie. And with Mullvad you have to check the option "Block internet on connection failure". But from what I can tell it does work.

    Some say it is an easy fix to prevent airVPN from leaking or allowing your bare connection through. An easy fix??... Well, first you have to install Comodo firewall. And then you have to learn how to configure it. There are a lot of average people who use VPN's now. What percentage of common everyday people know how to configure a firewall? Just ask any average computer user if they know how to configure a Firewall. And of all of the people who use airVPN, how many of them do you think go to the forum and read it and post and even know that this is a serious issue? I would guess that it is a very small percentage of their users. The vast majority of their users are left in the dark.

    I can't help but wonder.....is this type of feature something that is just beyond their knowledge and expertise? Is this something that requires some special skills that they don't have? Otherwise why would they leave the vast majority of their users open to this vulnerability. I mean, if an ISP wanted to see what a user was doing, all they would have to do is interrupt their connection for a couple of seconds and see. Am I right? And if you were in a gmail account like I was and it disconnected suddenly, allowing the bare connection through, then that account was no longer anonymous, and it was no longer private from my ISP. Anyway, I would have preferred to stay with Cryptohippie but I needed to cut back on spending for a while. So I needed a less expensive alternative. And as far as I am concerned, Mullvad is the way to go. I am very pleased so far and the speeds are excellent! Riseup is great but it is not meant for a lot of downloading and that kind of thing, and it is very slow compared to Mullvad. I am very pleased with Mullvad so far!
     
    Last edited: Dec 19, 2013
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @caspian

    What matters, I think, is how the OpenVPN client handles failure to connect. Let's say that the OpenVPN server gets temporarily overloaded, or there's a disturbance in the Net, or whatever. Sometimes, the openvpn process gets wedged under those circumstances.

    If the OpenVPN client keeps running after its openvpn process has stopped, it can maintain its tap interface as active. And so there's no Internet connectivity. That's what the icon is telling you by changing color. Direct Internet connectivity isn't restored until you kill the client.

    If the OpenVPN client instead totally gives up, direct Internet connectivity is immediately restored. The switch from Windows XP to Windows 7/8 may explain some of that.

    I still think that it's safer to run a firewall, such as Comodo.
     
  6. mick92z

    mick92z Registered Member

    Joined:
    Apr 27, 2007
    Posts:
    548
    Location:
    Nottingham
    I am using PIA, and like it a lot. It is very fast. I have tested the kill switch, and it seems effective. I basically just choose disconnect, and an internet connection is no longer available.
    When using Utorrent, I also use Vpnetmon in conjunction. This will also kill the connection if the VPN goes down.

    One problem with PIA is that, on rare occasions after I exit the program, I cannot connect to the internet. I have to choose troubleshoot, and get the message "DHCP is not enabled for wireless network connection". I then have to choose fix this problem.
     
    Last edited: Dec 19, 2013
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I can't try it out right now, but if you are on RiseUp!, and disconnect from the VPN - no traffic flows out of your regular Ethernet/Wireless adapter? I'm trying to see how this:

    verb 3
    client
    dev tun
    remote xxx.xxx.xxx.xxx
    auth-nocache
    auth-user-pass
    ca RiseupCA.pem

    Causes a block to all traffic, vs. this:

    client
    dev tun
    proto udp
    remote xxx.xxx.xxx.xxx
    resolv-retry infinite
    nobind
    ns-cert-type server
    cipher AES-256-CBC
    comp-lzo
    verb 3
    explicit-exit-notify 5
    reneg-sec 900

    I don't know how to make the connection drop the VPN (Yellow), while still keeping internet connectivity alive through the physical NIC.

    Edit: Guess disabling just the TAP may work.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Those don't make sense to me. The first config doesn't specify proto, and the second one doesn't specify "ca RiseupCA.pem".

    I wonder if UDP vs TCP is the key difference, because UDP is stateless.
     
  9. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    The first is a default RiseUp! .ovpn, the second is an Air .ovpn. They both use OpenVPN...so I'm trying to figure out how people are having RiseUp! block all traffic on VPN drop?

    Here are RU's pages:

    -https://help.riseup.net/en/vpn-howto-

    -https://help.riseup.net/en/openvpn-windows-
     
  10. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    175
    Location:
    io
    thx been looking for a decent comodo guide :)
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, from man openvpn <http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html> we see:

    So we know that they're both using UDP protocol.

    We also see:

    I'm guessing that "explicit-exit-notify" is killing the client when the connection dies, which restores the direct Internet connection.
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    I wish that airVPN would "maintain its tap interface as active". And I am sure that learning how to configure a firewall is the safest thing to do, but most people don't even know that this is a problem and most people have never even tinkered with configuring a firewall. I am willing to bet that most of the people who subscribe to airVPN don't even know that there is a forum, or have never been to it. So most of their users are vulnerable. I have never had a VPN disconnect as much as air.

    Mirimir, do you know how difficult it would be for air to configure their VPN to behave the same way that Riseup and Cryptohippie do, by not allowing internet access until the VPN is disconnected manually? Is this something that requires some special knowledge? Is it something that is really complicated?
     
    Last edited: Dec 20, 2013
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    If the internet connection is interrupted for a few seconds the icon in the system tray turns from green to yellow. Same with Xerobank and same with Cryptohippie. So the VPN is still connected I guess to the adapter (as Mirimir explains) but all internet activity is blocked. So you have to right click on the icon and tell it to disconnect before internet access is restored. Then you would have to reconnect the VPN again after that.

    So if you are in an email account or at a website and the internet is disconnected and then reconnected, airVPN will automatically disconnect the VPN and allow your normal internet connection through, immediately. So you could still surf the web and use your email only you would no longer be anonymous because you would be surfing with your own IP. And you may not even know it. I have had it disconnect for a few seconds and then reconnect by itself. Out of the corner of my eye I could see the icon turn gray with the little message that it had disconnected. And then I have seen it reconnect without any action on my part. So if I wasn't looking at the screen at that moment or if I went to get a cup of coffee it could disconnect and then reconnect without my knowledge.

    It was very very rare that Cryptohippie would ever disconnect. But I would *always* know because I would start clicking on emails or web pages and nothing would respond. Because all internet was blocked. That gave me time to exit any browsers and reconnect without revealing my identity. Using airVPN without downloading and installing Comodo and learning how to configure it properly is like ~Comment removed~ playing Russian Roulette. It is just not a safe thing to do.
     
    Last edited by a moderator: Dec 20, 2013
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @caspian

    I hear you, and I agree that it's far safer for VPNs to fail closed, with the tap adapter active but no VPN connection. And I have no clue why some Windows clients do that, while others fail open, with the physical adapter regaining priority.

    But even for the VPNs that do fail closed, with an inactive yellow icon, it's important to have backup protection against leaks. I'm out of touch with Windows, so I'm left with the "use Comodo" mantra. I gather from others that it works. Perhaps another Windows user could take a look at the Comodo setup, and flesh out the setup so it's totally user-friendly.
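
Added example, not part of the thread or of any VPN client: a small route-table check illustrating the fail-open versus fail-closed behaviour discussed in the posts above. It assumes the server pushes OpenVPN's `redirect-gateway def1` (two /1 routes through the tunnel); the interface names `tun0`/`wlan0` and all addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample routes as (destination prefix, interface); not from the thread.
# Assumption: "redirect-gateway def1" adds two /1 routes via the tunnel and
# leaves the physical default route in place underneath them.
PHYSICAL = [("0.0.0.0/0", "wlan0"), ("192.168.1.0/24", "wlan0")]
VPN_ROUTES = [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0"),
              ("203.0.113.10/32", "wlan0")]  # host route to the VPN server itself


def egress_interface(routes, destination):
    """Return the interface chosen by longest-prefix match, or None if unroutable."""
    addr = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def leaking_destinations(routes, probes, tunnel="tun0", vpn_server="203.0.113.10"):
    """List (address, interface) pairs that would leave outside the tunnel."""
    leaks = []
    for dest in probes:
        if dest == vpn_server:
            continue  # the encrypted tunnel packets must use the physical NIC
        iface = egress_interface(routes, dest)
        if iface is not None and iface != tunnel:
            leaks.append((dest, iface))
    return leaks


if __name__ == "__main__":
    probes = ["198.51.100.7", "100.64.0.9"]  # constructed public-side targets
    states = {
        # Tunnel up, or client wedged but still holding its routes (fail closed).
        "routes held by client": PHYSICAL + VPN_ROUTES,
        # Client exited and withdrew its routes (fail open).
        "client gave up": PHYSICAL,
        # Firewall-style backup: no default route outside the tunnel at all.
        "no physical default": [("192.168.1.0/24", "wlan0")],
    }
    for name, routes in states.items():
        print(name, "->", leaking_destinations(routes, probes) or "no leak")
```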
     
  15. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163

    Nice find. I wonder if removing that from the .ovpn would band-aid the problem for those without firewall rules?
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Thanks :)

    I don't see that the AirVPN server is pushing it, so removing it in the client config might well change the behavior.

    Anyone want to test that?
     
  17. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I don't know how to make my Air connection drop...it never has :D

    (Ducks for cover...)
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Thanks so much for your input as always, Mirimir. We are so lucky to have you here at Wilders.
     
  19. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    If you are using a laptop, just push the wifi button and turn it off for a few seconds. Or if you have a router, just unplug the router for a few seconds. Maybe air has never disconnected on you. But maybe it has and you just didn't see it. But it has for me on several occasions and evidently I am not the only one.
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    tomato-splat.gif
     
  21. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    My thoughts on a VPN are that it might be a good idea to change your VPN every few months. I say this for a number of reasons, the most obvious being that the VPN you're using could be a honeypot trap. There are other reasons as well. But I think one of the keys to being anonymous is to constantly change. Look different. Change your VPN every few months, change your browser fingerprints, change your OS, change your email and so on. It may be that you will use a VPN for a few months, change and go through several other VPNs over a few years and then return and go through the whole process all over again. Any opinions on this tactic?
     
  22. Paranoid Eye

    Paranoid Eye Registered Member

    Joined:
    Dec 15, 2013
    Posts:
    175
    Location:
    io
    While I agree the idea's good and I do similar, at one point or another your VPN or any other would see your real ISP IP address so if you come back to it after a year or two they could still get you. True if given the time frame most would just ignore or forget it but in today's world they can easily get paperwork approved and be outside your front door within hours.

    Perhaps using Tor after you have connected to your VPN or connecting to say a 2nd VPN via tunnel from 1st VPN and alternating that 2nd VPN provider so it works a bit like Tor may work out a bit safer I feel.

    What you can do also is change the VPN servers, perhaps daily even.

    Changing your broadband ISP is good also, but if any adversary really wanted you bad enough they could easily probe away and get you.

    This is the reason why I feel it's good to do as much as you can on your end. Full Disk Encryption with plausible deniability is a must, a kill switch or further protection. You need to get into the minds of these adversaries think of what they may do once they are in your system.... they can make up any number of evidences on you. Even a single saved doc or a single bookmark and they "got" you, while you can never be 100% prepared you must somehow.
     
  23. lucygrl

    lucygrl Registered Member

    Joined:
    Nov 6, 2013
    Posts:
    202
    If I'm using the Tor pluggable transports and obfuscated bridges will my ISP still know I'm using Tor?
     
  24. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I think Boleh VPN is your best bet because they are P2P friendly, and they are very fast. They also have a no logging policy. Their client uses Open VPN technology so everything is encrypted as well. I've been using them for years, and have been very happy with them.
     
  25. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    lol.

    (You) -> (VPN) -> (Tor) -> (Internet) "Browser Bundle Preferably"

    (VPN / No Logs / No US/UK / Unlimited/ Leak Protection)
    (Tor / No JAVA/FLASH/ Block Rules Strict NoScript/ No Personal Info)

    It's as simple as this, no spy tactics and no changing a VPN every couple of months. If you don't make a mistake or give out your information there is no conceivable way of tracking you.

    If you want to go the extra mile and make it practically impossible by today's standards, encrypt your HDD with Truecrypt AES with a password that's made from letters numbers and symbols that are 20 digits long.

    I don't get it, seriously why don't people understand this is all you need. ;)

    Plz.
     