Running VPNs at application level?

Discussion in 'privacy general' started by Simply the Best, Jul 23, 2010.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  2. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    You could run a Windows or Linux VM in VMware Player (which is free). Prebuilt Linux VMs are available. For Windows, you'd probably need to create your own VM using VMware Player and an installation CD with a valid license. Such a Win XP / Win XP setup is usable on an old notebook with a single-core CPU.
     
  3. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    See for example http://www.technize.com/connect-different-applications-to-different-internet-connections/. Isn't this what you're trying to do?
     
  4. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83
    Some VPN providers such as Ivacy have software that lets you select which applications connect through the VPN and which don't (but this software only works with PPTP and L2TP/IPsec connections, not OpenVPN). In the future, if user demand is strong enough, many other VPN providers will offer the same kind of ability.

    You can use SSH tunneling as well (but in that case UDP traffic is not tunneled, only TCP, as with Tor).



    The easiest and most efficient way imo to secure your vpn connection is to use route deletion as explained here (see the FAQ).

    You can use a .bat file for that, so 2/3 mouse clicks are sufficient.

    Virtualization is a very good idea too (and you can use a VPN through VPNs), although a bit less simple imo, and (as you notice) a bit resource-consuming.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    Here's a relevant topic in the ForceBindIP forum: http://www.r1ch.net/forum/index.php?topic=1648.0.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    If you want to test stuff, you could install Returnil. I would at least try http://blog.dmbcllc.com/2008/08/26/bypass-vpn-for-regular-traffic/, in conjunction with ForceBindIP. If that doesn't work, then make your physical connection have a higher priority than the VPN connection, and use ForceBindIP to bind those programs that you wish to use with the VPN connection.
     
    Last edited: Jul 25, 2010
  8. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    What you say is true. You only use the VPN for the stuff you don't want associated with you. And you don't use it for anything that identifies you. And, if there are multiple types of stuff that you don't want associated with you, or with each other, you use a different VPN for each type. And if there's stuff that you REALLY don't want associated with you, you route a VPN running on a VM through another VPN running on the host, and you encrypt everything (host, container holding guest files, and guest).
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Does your OpenVPN server.conf file have the line push "redirect-gateway def1"? If so, maybe removing it would help.

    More linkage:
    http://forums.untangle.com/openvpn/3797-openvpn-tunnel-web-traffic.html
    http://www.openvpn.net/index.php/open-source/documentation/howto.html#redirect
    http://www.ultravpn.fr/forum/index.php?topic=477.0
     
  10. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I'm sure that you could do that, although I don't know how. I suspect that it'd be harder than specifying which traffic uses the VPN and which doesn't.

    It's hard enough to lock down VPNs so there's no leakage. Attempting to route each app's traffic differently seems pointlessly risky.

    You don't need all your apps on the VM - just browser, email client, torrent client and whatever. You want to use those only via the VM, and never for anything that's associated with you IRL. It's not just accounts and such. Keep your interests compartmentalized. For example, I never read Wilders except as hierophant via XeroBank, and I don't talk about Wilders with IRL friends.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I have an XP box and a Win 7 x64 box. There is a VPN connection courtesy of JanusVM on the XP box, but the XP box isn't bootable right now. I've never worked with OpenVPN before.

    I'm not sure if what you want can be done or not. You may wish to browse the forums for some popular VPNs.
     
  12. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Avoid UltraVPN, IMHO. It hides the TAP adapter, using OpenVPN flags, and the setting persists for subsequently-installed VPNs. I never figured out how to reverse it (just deleted the VM I was using).
     
  13. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    Avoid SSH tunnels, IMHO.
     
  14. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    I haven't done Usenet for years. Why so much memory? Can you force it to use a disk cache? Perhaps it's possible to have your VM host use disk for memory.
     
  15. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    AFAIK, OpenVPN links are the best mix of security and simplicity, if you want all traffic routed. For routing specific apps, that may not be so. And I wouldn't go that route.
     
  16. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Hi Simply the Best,

    VPNs are not by nature intended to run at the application level - i.e. VPNs are networking software and by their very nature will never be able to manifest at that level.

    -- Tom
     
  17. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83

    Concerning route deletion, it could look complicated, but it is really simple and very efficient. You could see my post in this thread. I currently use this method. My VPN being connected, all I have to do is to type in my command window:
    And in fact I don't even have to type this: I only click on a .bat file containing this command.

    Ivacy Monitor does this job:

    In protection mode, enable "application started via secure launch". Then, choose your connection mode (e.g. IPsec to Russian server), then click on "connect", and then start e.g. µTorrent by clicking on "µTorrent" in the Secure Launch window.

    As a result µTorrent, and only µTorrent, is "hooked" by Ivacy vpn.


    So:

    1) If you start (without Secure Launch) e.g. your browser, you will navigate outside the VPN, with your ISP IP.

    2) If for some reason the VPN disconnects, all of µTorrent's connections close, preventing your ISP IP from being revealed on the torrent network you were participating in.

    Your two wishes (secure connection + ability for some apps to connect through the VPN, some others bypassing it) seem to come true :)
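
The routing behaviour behind two suggestions in this thread, the `push "redirect-gateway def1"` line MrBrian asks about and the route deletion Lyx describes, shown as an added example that is not code from any poster. The routing tables, interface names and addresses are constructed, and "route deletion" is assumed here to mean removing the 0.0.0.0/0 route through the physical gateway.

```python
import ipaddress

# Constructed sample tables: (destination prefix, outgoing interface).
PHYS, VPN = "eth0", "tun0"
BASE = [("0.0.0.0/0", PHYS),         # ISP default route
        ("192.168.1.0/24", PHYS),    # local LAN
        ("203.0.113.10/32", PHYS)]   # host route to the VPN server itself
VPN_SUBNET = [("10.8.0.0/24", VPN)]  # present whenever the tunnel is up
DEF1 = [("0.0.0.0/1", VPN), ("128.0.0.0/1", VPN)]  # added by redirect-gateway def1

FULL = BASE + VPN_SUBNET + DEF1      # server pushes redirect-gateway def1
SPLIT = BASE + VPN_SUBNET            # push line removed: only 10.8.0.0/24 is tunneled
HARDENED = [r for r in FULL if r[0] != "0.0.0.0/0"]  # assumed "route deletion"
PROBES = ["8.8.8.8", "198.51.100.7", "192.168.1.5"]  # sample destinations


def select_route(table, dst):
    """Return the interface chosen by longest-prefix match, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(table, probes):
    """Map each probe address to the interface it would leave through."""
    return {dst: select_route(table, dst) for dst in probes}


def leaks_when_vpn_drops(table, probes):
    """Probes that fall back to the physical interface once the tun0 routes vanish."""
    after_drop = [r for r in table if r[1] != VPN]
    before, after = audit(table, probes), audit(after_drop, probes)
    return sorted(d for d in probes if before[d] == VPN and after[d] == PHYS)


if __name__ == "__main__":
    for name, table in (("full", FULL), ("split", SPLIT), ("hardened", HARDENED)):
        print(name, audit(table, PROBES), "leaks on drop:",
              leaks_when_vpn_drops(table, PROBES))
```

With def1 the original default route is only shadowed by the two /1 routes, so it takes over again the moment the tunnel goes down; with it deleted, the same destinations become unroutable while the host route to the VPN server still allows a reconnect.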
     
  18. Lyx

    Lyx Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    83
    At the time being, Ivacy Monitor doesn't work with non-Ivacy VPNs (for non ununderstandable reasons). And it works with Ivacy L2TP/IPsec VPN (and PPTP, too).

    But having at least one vpn able to do what you attempt is already better than nothing. Better than "impossible, nowhere, never".

    Moreover, the fact that at least one VPN provider succeeded in building software allowing certain applications to be linked through the VPN, leaving others going through your normal connection, proves that it is entirely possible. As coders working at Ivacy are not much more hyperbrained than their competitors, one can hope that what Ivacy has been able to do, other coders are able to do, too.

    So, if your demand is strong enough, the vast majority of VPN providers will some day offer applications such as Ivacy Monitor, doing the same job (or even better) than Ivacy Monitor does, but for their own VPN.

    A good challenge for coders (if coders are reading this thread).
     
    Last edited: Jul 30, 2010
  19. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,096
    Hi Simply The Best and Lyx,

    What both of you appear to be talking about is to essentially force an application to use a VPN, n'est-ce pas?

    If so, it sounds reminiscent of using the wrapper(s) torkify or torify to make applications use either tork or tor respectively. You may want to look at the code for those wrappers to be able to concoct such a wrapper for your applications to access your VPNs.

    In any event, it seems like it would be worth a try, eh?

    -- Tom
     