Why Should I Use a VPN

Discussion in 'privacy technology' started by merisi, Jan 3, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I won't attempt competing with CubonesCastle :)

    VPNs are essentially virtual CAT6 (or fiber) cables. So you could think of your AirVPN connection as a CAT6 cable from your computer to AirVPN's Singapore exit server. In effect, your Internet gateway is no longer your ISP connection. It's now AirVPN's Singapore exit server's ISP connection. Latency aside, it's like your computer was in Singapore, hooked up to some AirVPN LAN.

    And you could think of your Mullvad connection as a CAT6 cable from your computer to Mullvad's Swedish exit server. Except that your computer is now effectively in Singapore :) "Really", that virtual Mullvad CAT6 cable runs to Singapore inside the virtual AirVPN CAT6 cable, and then goes from there to Sweden.

    And of course, given how the Internet works, all that stuff is virtualized inside other virtual stuff :) I rather love this AirVPN graphic:


     
  2. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    I guess if I look long enough at your explanation it must become clear to me... it will come to me, I'm sure! Thanks anyway.
    Main thing, if it all works as it should I will have fair protection; I can watch YouTube from host + VM at the same time, so speed is good (compared to Tor).
    When you feel so inclined, could you have a look at my other questions?
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes. That is, if you're just running one VM, with outer VPN in host and inner VPN in VM, you set the VM's network adapter to NAT.

    Using non-ISP DNS servers for both host and VM (different ones for each!) is a good first step. Better is blocking DNS etc leaks. Firewall rules for both Windows and Linux have been posted on Wilders.

    In both host and VM, check a few "what is my IP address" sites. Also use the DNS leaktest URL or -http://www.grc.com/dns to see what DNS servers are being used for each.
     
  4. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    OK, this is set.

    Had some problems with DNS leaking; I'll describe it for the benefit of other "chained VPN" users:
    At first, the host was leaking my provider's DNS server.
    I changed to Google's DNS server.
    Now the leak was gone, but after reboot the leak was back again. It seems the "Change adapter settings" are not persistent, due to the "Network Diagnostics cannot be run without the Diagnostics Policy Service." problem.
    Instead of fixing this services problem I use dnsfixsetup.exe, which runs a batch file when you connect to a VPN server
    which does the following:
    1. Before connecting to the VPN, set static IP address properties if you are using DHCP
    2. After connecting, remove DNS settings for the primary interface
    3. After disconnecting, switch back to DHCP if necessary or reapply original static DNS servers
    So no more leaks.
    BUT... I started the VM, in Mullvad settings I ticked "Stop DNS leaks", but now in the host my ISP DNS leaked again; the reason:
    the "Stop DNS leaks" setting "Removes all non Mullvad DNS servers while connected."

    EDIT: Removes all non Mullvad DNS servers (on the host) while connected

    So the Google nameservers are removed, and the host reverts to the ISP nameserver again, hence leaks again.
    Unticking this setting solved the problem, no more leaks.
    Atm I only run Windows FW; I stopped using a FW, getting annoyed by all the popups....
    But I might have to use one now.
    There are also Comodo FW settings on the AirVPN forum as well.
    The host gives an AirVPN server IP and inside the VM I get the Mullvad server IP, so I guess I'm good!
    Thank you both for helping me out here! :thumb:
     
    Last edited: Mar 10, 2013
  5. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    I wrote:
    The PC was not used for a while; when I came back the host leaked DNS again, so the script was overruled somehow?
    I don't think I altered anything (I do use Sandboxie but I used "disable forced programs" so the browser would run unsandboxed).
    I checked the script log, no problems.
    I guess I do need a firewall to prevent leaking while using the VPNs.
     
  6. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Just change all your adapter DNS settings to German Privacy Foundation. Then no more leaks.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes.

    For the Windows host, use the Comodo rules.

    For the Linux VM, use shorewall with the rules described below. These instructions are based on ones from the old XeroBank site (RIP).

    Code:
    Install shorewall.
    
       sudo apt-get update
       sudo apt-get install shorewall
    
    Add these shorewall config files (see below):
    
       /etc/shorewall/rules
       /etc/shorewall/policy
       /etc/shorewall/interfaces
       /etc/shorewall/routestopped
       /etc/shorewall/zones
    
    Edit /etc/default/shorewall so shorewall runs at startup:
    
       startup=1
    
    The commands for controlling shorewall are:
    
       sudo shorewall start
       sudo shorewall stop
    
    Your /etc/resolv.conf should look like:
    
       domain localdomain
       search localdomain
       nameserver 10.X.Y.Z
       nameserver 10.X.Y'.Z'
    
    Those are the VPN service's private nameservers. If you're
    not getting them automatically as the VPN connects, you may
    need to edit /etc/resolv.conf manually. You can get them
    from the OpenVPN connection log. After doing that, make the
    file read-only:
    
       sudo chattr +i /etc/resolv.conf
    
    But you'll need to make it writable if you want to edit it.
    
       sudo chattr -i /etc/resolv.conf
    
    Here are the files
    
    /etc/shorewall/rules
    #############################################################################################################                         
    #ACTION SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
    #                                               PORT    PORT(S)         DEST            LIMIT           GROUP
    #SECTION ESTABLISHED
    #SECTION RELATED
    SECTION NEW
    
    # Allow this machine to connect to any server using UDP port 1194 [change if using TCP or other port]
    ACCEPT  fw              net             udp     1194
    
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    
    
    /etc/shorewall/policy
    ###############################################################################
    #SOURCE         DEST            POLICY          LOG             LIMIT:BURST
    #                                               LEVEL
    # Block this machine from accessing NET ZONE accept for exceptions in /etc/shorewall/rules
    fw              net             REJECT
    
    # Allow this machine to access the VPN ZONE for everything
    fw              vpn             ACCEPT
    
    # Block anything from the NET ZONE to all other zones
    net             all             DROP            info
    
    #
    # THE FOLLOWING POLICY MUST BE LAST
    #
    
    # Block everything else
    all             all             REJECT          info
    
    #LAST LINE -- DO NOT REMOVE
    
    /etc/shorewall/interfaces
    ###############################################################################
    #ZONE   INTERFACE       BROADCAST       OPTIONS
    
    # Assuming you are using built in ethernet of eth0 [change if you're using eth1]
    net     eth0            detect
    
    # VPN Interface
    vpn     tun0            detect
    
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    
    /etc/shorewall/routestopped
    ############################################################################### 
    #INTERFACE      HOST(S)                 OPTIONS 
    eth0            - 
    
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE 
    
    /etc/shorewall/zones
    ############################################################################### 
    #ZONE   TYPE            OPTIONS         IN                      OUT 
    #                                       OPTIONS                 OPTIONS 
    fw      firewall 
    net     ipv4 
    vpn     ipv4 
    loc     ipv4 
    
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    
    
     
  8. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    I know very little about networking, but I don't see how another DNS server than Google will prevent my ISP DNS server "returning". Could you explain this please?
     
  9. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    Thank you for the code. I understand the FW rules take care of stopping a connection if the wrong DNS server is being used?
    If this is the case I still have to find a solution for the actual leaking, is it not?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    No, the shorewall rules stop all incoming and outgoing connections via eth0 to anything except servers using the protocol (UDP or TCP) and port (1194 or whatever) that you specify. Basically, that's OpenVPN servers. It's possible that some other program could get out using those settings, but not likely without targeted attack.

    If you're using URLs as OpenVPN servers (e.g., foo-bar.xyzvpn.baz) you'll need to stop shorewall while connecting. That's because, with shorewall running, your machine can't reach a DNS server to get the IP address for the OpenVPN server. If you're just using a.b.c.d as your OpenVPN server, it should connect with shorewall running.

    The rules also allow outgoing connections through the VPN tunnel, and responses. That's analogous to basic NAT firewall rules on normal machines: anything gets out to the Internet, but only responses to what got out get back in.

    The rules allow connections to any DNS server that's reachable through the VPN tunnel. So specifying non-ISP DNS servers is also crucial. It's best to use the VPN's private DNS servers, which are reachable only through the VPN tunnel (having IP addresses that aren't Internet routable).

    The Comodo firewall rules do analogous things for the host. Again, your DNS queries should only go out through the VPN, and it's best to use the VPN's (the one on the host) private DNS servers.
     
    Last edited: Mar 10, 2013
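Two of the checks mirimir describes for the Linux VM can be scripted before bringing the tunnel up: every `nameserver` in /etc/resolv.conf should be one of the VPN's private (non-Internet-routable) addresses, and an OpenVPN `remote` given as a hostname needs a DNS lookup before the tunnel exists, which the shorewall policy above will block unless shorewall is stopped while connecting. The following pre-flight checker is an added example, not code from the thread or from shorewall, Mullvad or AirVPN; the sample resolv.conf and OpenVPN client configs are constructed here (the 10.4.0.1/10.5.0.1 nameservers come from the thread, while `vpn.example-provider.invalid` and `198.51.100.7` are placeholders).

```python
import ipaddress

# Constructed sample files, shaped like the ones discussed in the thread.
SAMPLE_RESOLV_CONF_OK = """\
domain localdomain
search localdomain
nameserver 10.4.0.1
nameserver 10.5.0.1
"""

# Second nameserver is a public resolver: queries to it can only leave via
# the tunnel if the firewall forces them there, otherwise they leak.
SAMPLE_RESOLV_CONF_LEAK = """\
nameserver 10.4.0.1
nameserver 8.8.8.8   # leaked ISP/public resolver (constructed)
"""

# OpenVPN client config using a hostname (placeholder, not a real provider).
SAMPLE_OVPN_HOSTNAME = """\
client
dev tun
proto udp
remote vpn.example-provider.invalid 1194
"""

# Same config using an IP literal (documentation range, constructed).
SAMPLE_OVPN_IP = """\
client
dev tun
remote 198.51.100.7 1194 udp
"""


def _fields(line):
    """Split a config line into fields, dropping '#' or ';' comments."""
    for marker in ("#", ";"):
        line = line.split(marker, 1)[0]
    return line.split()


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = _fields(line)
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def leaking_nameservers(resolv_conf_text):
    """Nameservers that are Internet-routable and so reachable outside the tunnel.

    Private ranges (10/8, 172.16/12, 192.168/16, loopback) pass; a local
    stub resolver on 127.0.0.1 therefore passes too, so check where it
    forwards separately. Unparsable entries are reported as suspect."""
    leaks = []
    for ns in parse_nameservers(resolv_conf_text):
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            leaks.append(ns)
            continue
        if not addr.is_private:
            leaks.append(ns)
    return leaks


def parse_remotes(ovpn_text):
    """Return the host part of every 'remote host [port] [proto]' line."""
    return [p[1] for p in map(_fields, ovpn_text.splitlines())
            if len(p) >= 2 and p[0] == "remote"]


def remotes_needing_dns(ovpn_text):
    """Remotes written as hostnames: they must be resolved before the tunnel is up."""
    needs_dns = []
    for host in parse_remotes(ovpn_text):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            needs_dns.append(host)
    return needs_dns


def preflight(resolv_conf_text, ovpn_text):
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    for ns in leaking_nameservers(resolv_conf_text):
        findings.append(f"nameserver {ns} is Internet-routable: DNS may leave outside the tunnel")
    for host in remotes_needing_dns(ovpn_text):
        findings.append(f"remote {host} is a hostname: it is resolved before the tunnel exists "
                        f"(stop the firewall while connecting, or use the server's IP)")
    return findings


if __name__ == "__main__":
    for label, resolv, ovpn in (("good", SAMPLE_RESOLV_CONF_OK, SAMPLE_OVPN_IP),
                                ("bad", SAMPLE_RESOLV_CONF_LEAK, SAMPLE_OVPN_HOSTNAME)):
        print(label, preflight(resolv, ovpn) or ["ok"])
```

On a real VM the two sample strings would be replaced by the contents of /etc/resolv.conf and the client .ovpn file; the checker does not touch the network, so it is safe to run while shorewall is up.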
  11. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    @mirimir
    Thanks for the explanation, I do understand it now. I'll get to work on it tomorrow; I'll let you know how I get on.
     
  12. jesusjesus

    jesusjesus Registered Member

    Joined:
    Jul 21, 2009
    Posts:
    61
    Hi VPN Professionals,

    The problem I see with a VPN for me is watching tv in my country via websites. Content is georestricted to my country. The vpn's I was looking at don't have an exit server in my country. If I want to watch a tv show for 2 hours on main computer with vpn, does that really mean my only choice is to shut down vpn for 2 hours and so be without that privacy shield for that period?
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That depends. Do you care whether anyone (the TV content website, your ISP, etc) sees that you're watching the TV shows? If you do care, you need a VPN with an exit in your country. But it sounds like you don't.

    Otherwise, you could just go without the VPN. But it sounds like that doesn't work for you. Probably you're browsing, doing email, etc as well as watching TV.

    The simplest solution would be to do everything requiring the VPN in a virtual machine. Just about any modern computer can easily run one VM. Would that work for you?
     
  14. jesusjesus

    jesusjesus Registered Member

    Joined:
    Jul 21, 2009
    Posts:
    61
    Is it possible for the virtual machine window to be a non-VPN direct connection while the computer outside of the VM is connected to the VPN?

    That would be best for me, as I want everything going through the VPN except for a handful of websites that need my real geolocated IP.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I've never done that, but I think that it's possible.

    You'd connect with your VPN as usual on the host machine.

    Instead of NATing the VM to the host, which is the default, you'd bridge to the host network adapter. The VM would get its IP from your router, and wouldn't go through the VPN.
     
  16. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    The promised progress report:
    (@mirimir, for now I have not set up shorewall rules; I did try understanding the script, but I'm too dense I guess...)
    Anyhow, I think I am leakproof. This is the setup:
    Host Win 7 x64, AirVPN on host
    VirtualBox with Xubuntu, Mullvad VPN on guest
    AirVPN on the host has its own AirVPN DNS server
    I followed this advice:
    "force the following DNS in your physical network card (ethernet and/or wireless):
    10.4.0.1 as primary (preferred) DNS
    10.5.0.1 as secondary (alternate) DNS
    In the above case please consider that your system will not be able to resolve names when disconnected from the VPN,
    therefore you'll need to edit your hosts file to add the resolution for airvpn.org in order to allow connection in case you use the Air client
    , put 85.17.207.151 airvpn.org 212.117.180.25 airvpn.org in the Hosts file"

    And:
    "Follow these Comodo fw rules to prevent any leak in case of unexpected VPN disconnection."

    If I want to use my ISP connection the FW rules block this; this is wanted behaviour, to prevent unwittingly using the ISP if the VPN drops.
    So to use my ISP I would have to disable the FW. A problem with this would be, if at some moment I enable AirVPN again but forget to enable the regular firewall again, I would be unprotected.
    So I set up a new FW profile (I could not find a possibility to create a new rule, so I created a new empty config file and imported it).
    I deleted all global rules and put this rule in:
    "Block IP In/Out From MAC Any To [...Air IP addresses...] Where Protocol Is Any"

    I would switch between the two profiles, instead of activating and de-activating the firewall. So, if I try a connection to the VPN and have the wrong profile, the connection can't be established and this would be an "alert" to remind me to switch profile.

    (Also in this second FW profile I added a rule to block all VirtualBox connections, so the VM is unable to connect through the host if the VPN in the host is inactive.)

    So now the VM:
    Mullvad's setting "Block the internet on connection failure" works without failure, so as soon as the AirVPN in the host is lost the VM guest is blocked.
    As a second precaution I have an application FW rule in the host:
    "Block IP Out From IP Not In [10.4.0.0 - 10.9.255.255] To MAC Any Where Protocol Is Any"
    If the host disconnects from the VPN, the guest machine will have all its outgoing packets (in the host itself) blocked by Comodo firewall.

    It was some work to get all this working without leaks, but if you want to have a similar setup these steps should help. Otherwise just ask me.
    Mail support from AirVPN is outstanding: very fast responses and good, non-boilerplate advice.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @qwax

    Congratulations!

    With a little editing, you'd have a tutorial :)

    Maybe someone wants to replicate the setup?

    To better see what's going on, you could install Wireshark on the host, and see what gets out the network adapter with various failure tests. For example, you could try killing the OpenVPN process in the host. Although I don't use Wireshark in Windows, this link seems useful: -http://www.infosecramblings.com/2009/01/12/wireshark-and-windows-7/.

    I don't know what Mullvad does to prevent leaks. It might be useful to look at /etc/resolv.conf and /etc/network/interfaces with nano. And also the rules in /etc/ufw, but you need to run "sudo su" before it'll let you. I'm not saying to change anything. Just look at each file, and see what Mullvad is doing.
     
  18. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    Thanks, you amongst others helped me along.
    This is why I described the steps somewhat "expanded".

    I had actually been thinking along these lines; I recently watched a few YouTube tutorials, but it is a bit of a learning curve. I might do this when I have some time.

    I myself would not be interested in the inner workings of these files; but if you think it might be useful to yourself, to dissect, I can look at these files.
    You would have to coach me though, with all this "sudo this and sudo that" stuff. :p
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It'd just be useful to know whether their "block leaks" thing actually did block all leaks :) Maybe I'll just get a Mullvad account and check it out.

    I'll be happy to help with anything, as I can.

    For what it's worth, "sudo <some command>" does the command as root. But just that command. Typing "sudo su" gives you a root command line, so everything you do afterward, until you type "exit", is done as root. You can also type "sudo leafpad" (or "sudo gedit" in Ubuntu) and get a GUI text editor as root. But you gotta be careful working as root ;)
     
  20. qwax

    qwax Registered Member

    Joined:
    Feb 3, 2013
    Posts:
    41
    I guess you know you get a few hours free to test their service.

    Thanks,
    I would really have to get acquainted with this command line stuff again, MS-DOS memories :D
     
  21. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    OK, so after some more troubleshooting I've found out that setting Mullvad's nameserver instead of the IP in the pfSense VM fixed it and actually works with my setup, not to mention I've had a tiny little firewall rule set wrong in pfSense, lols. Hey mirimir, any more tweaks I should do, or suggestions? I've been using it for a while now and am pretty satisfied with the results already. If you have anything to add on top do tell, or if I should switch to a better, more sophisticated setup, if that's even possible. I reckon Xubuntu is still the best choice in this matter, as well as the rest we've been using ;)


    P.S. I reckon there's still no hope for Incognito Tor as of this time; I see the dev has split the branches into separate categories.
     
    Last edited: Mar 27, 2013
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @happyyarou666

    I'm glad that it's working :)

    And yes, ra is taking Incognito down a path where the Tor gateway interacts with the workstation in ways that pfSense couldn't (without radical surgery, anyway). But I gather that he will update Tor in the old gateway as releases make it to the OpenWRT repo.
     
  23. retialox

    retialox Registered Member

    Joined:
    Jun 16, 2013
    Posts:
    3
    Hi everyone, I'm new in this forum and most of all I'm new about security and privacy, and this forum was the most complete of all the results I've found because it also has lots of comments and opinions from many users. I've read many threads about using VPN and Tor, I've read all the possible combinations (me-->isp-->vpn-->tor-->internet) and also the tutorials in these threads (how to use Whonix with pfSense and also how to encrypt data through its relays etc.). But I can't understand how the VPN can be used through the Tor process (I understand it hides my Tor usage from my ISP). I mean, the VPN encrypts the data I send, but if I use this setup (I've already read in this thread a similar setup: 1# VPN hides Tor usage, 2# encrypts Tor exit node traffic, but I don't want that)
    isp--->vpn--->tor--->vpn--->internet, when my data is going through Tor has the VPN already decrypted the data? .. My problem is that I can't understand how to prevent eavesdropping by the Tor exit node. Is this process correct? If not, how can I use end-to-end encryption? Is Tails a valid alternative?

    me--->isp--->vpn (encrypts data)--->tor node 1# encrypts the encrypted data from vpn-->tor 2# (exit node) removes all the "onion layers" so we've got again the encrypted data from vpn ---> vpn client then decrypts the data --->internet

    Of course all of this process is in the case I trust the VPN more than the Tor exit node.

    I'm sorry for the "viking" language but I'm a foreigner from a far far away land X:ninja: and also because I've asked so many questions, but I can't stop my thirst for knowledge *puppy*
    I've tried to explain my problem in the easiest way possible; thanks for the patience :D :D
     
  24. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Welcome, retialox :)

    Let me try a simple answer first.

    In the setup "You--->ISP--->VPN--->Tor--->VPN--->Internet", you're using two different VPN providers. So it should really be "You--->ISP--->VPN1--->Tor--->VPN2--->Internet".

    When your traffic goes through your ISP, it's encrypted at least five times, in succession:

    to VPN1 server
    to first server in Tor circuit
    to second server in Tor circuit
    to third server in Tor circuit
    to VPN2 server
    [to Internet site, potentially]

    There's also information for reply packet routing, correspondingly encrypted so that each server only knows the two other servers that it connects to.

    Does that help?
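The layering mirimir lists (VPN1, three Tor relays, VPN2) can be shown as a nesting exercise: the client encrypts the innermost layer for VPN2 first and wraps four more layers around it, so the ISP sees only ciphertext and each server, after stripping its own layer, learns nothing but the name of the next hop. The Tor exit (Tor3) in particular holds only an encrypted blob addressed to VPN2, which answers retialox's question about whether the exit can read the request. This is an added, self-contained model, not code from the thread and not the real OpenVPN or Tor protocol; the stream cipher is a constructed toy (SHA-256 in counter mode XORed with the data) used only to make the layers visible, the per-hop keys are generated at random in place of real handshakes, and the hop names, `www.example.invalid` and the request text are placeholders.

```python
import base64
import hashlib
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed toy keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy cipher for illustration only (no authentication, not for real use)."""
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


# Hop order as the packet leaves the client. Each hop shares a key with the
# client; here the keys are random placeholders for what the OpenVPN/TLS and
# Tor handshakes would negotiate.
HOPS = [(name, os.urandom(32)) for name in ("VPN1", "Tor1", "Tor2", "Tor3", "VPN2")]
DESTINATION = "www.example.invalid"                 # placeholder site
REQUEST = "GET / HTTP/1.1 Host: www.example.invalid"  # placeholder payload


def wrap(hops, destination: str, payload: str) -> bytes:
    """Client side: encrypt the innermost layer (for the last hop) first, then
    wrap each outer layer so that only the next hop's name is readable there."""
    layer = json.dumps({"next": destination, "payload": payload}).encode()
    for i in range(len(hops) - 1, -1, -1):
        name, key = hops[i]
        blob = toy_encrypt(key, layer)
        if i == 0:
            return blob                      # this is what the ISP sees on the wire
        layer = json.dumps({"next": name,
                            "payload": base64.b64encode(blob).decode()}).encode()
    raise ValueError("at least one hop is required")


def relay(hops, on_wire: bytes):
    """Walk the chain: every hop strips one layer and learns only where to
    forward. Returns ([(hop, next_hop_it_learned), ...], plaintext at VPN2)."""
    learned = []
    blob = on_wire
    for idx, (name, key) in enumerate(hops):
        seen = json.loads(toy_decrypt(key, blob))
        learned.append((name, seen["next"]))
        if idx == len(hops) - 1:
            return learned, seen["payload"]
        blob = base64.b64decode(seen["payload"])


def visible_to(hops, on_wire: bytes, hop_index: int) -> bytes:
    """Everything hop number hop_index can read after removing its own layer."""
    blob = on_wire
    for idx, (_, key) in enumerate(hops[:hop_index + 1]):
        plain = toy_decrypt(key, blob)
        if idx == hop_index:
            return plain
        blob = base64.b64decode(json.loads(plain)["payload"])


if __name__ == "__main__":
    wire = wrap(HOPS, DESTINATION, REQUEST)
    print("ISP sees plaintext request:", REQUEST.encode() in wire)
    for hop, nxt in relay(HOPS, wire)[0]:
        print(f"{hop} learns next hop = {nxt}")
    print("Tor exit sees request:", REQUEST.encode() in visible_to(HOPS, wire, 3))
```

Index 3 is the Tor exit in this chain and index 4 is VPN2, the only party that ends up holding both the destination and the request; in a real deployment the same property depends on the VPN2 session really being established through the circuit rather than alongside it.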
     
  25. retialox

    retialox Registered Member

    Joined:
    Jun 16, 2013
    Posts:
    3
    Thanks for the answer and welcome :D I take some time to reorganize what I want so that I can explain easily (I hope :'( )

    1st, my goal is to have an anonymous encrypted connection and of course a better level of privacy: by reading in this forum I understand that the Tor network is a very good option and also VPN, so I'm searching for a way to use both with good speed of browsing. Though my first option was using only Tor because it was free, I don't like that the exit node (a random person) can read my package; I prefer that a VPN I trust can read it :doubt:

    As I thought, it's useless in terms of speed of browsing unless I have two VPN premium accounts so that I can use full speed.. My interest is to prevent the Tor exit node from eavesdropping; is this a possible way? Because if I've understood, with this setup: ......to third server in Tor circuit (decrypts the package as if it was the Tor normal procedure without VPN encryption, and so this node can eavesdrop)--->vpn2 server
    I don't understand if the package that comes from the VPN1 server is decrypted before it enters the Tor network or if it only hides me from my ISP.

    It would be really nice to know something about reply packet routing because what I've found is really messy and I don't understand it very well :ninja: :ninja:

    Again thanks for your time :D
     