Sciencemadness Discussion Board
Author: Subject: Reliable VPN services?
woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 3-12-2018 at 08:30


P2P is not really important for me, but good to know they support this. I have downloaded a movie occasionally in the past, but that's only a few (less than 10 over the last 5 years) and they were old ones (from the 1970's and 1980's), so I do not worry too much about that. I can imagine, however, that heavy downloaders may feel really anxious about their past downloads. The fines are high, IIRC the fines may be as high as EUR 12500 if you are a distributor and EUR 150 per movie if you download several of them. They pick out people who download several movies in a short time or who download recent movies, which still are actively distributed in NL, e.g. as blurays just after retirement from cinemas.

The internet kill switch indeed is important to use. I use the Linux version of nordvpn (you can download this command-line tool from their website) and it works very easily. Just set killswitch to on and it is applied each time you connect to one of their servers. I never had a connection down, so I do not really know whether it works. Do you know of a method to bring down a connection without doing a neat disconnect (in that case the kill switch of course does not work, you manually revert back to normal internet access)?




The art of wondering makes life worth living...
Want to wonder? Look at http://www.oelen.net/science
LeakTaker
Harmless
*




Posts: 2
Registered: 3-12-2018
Member Is Offline


[*] posted on 3-12-2018 at 09:06


Nobody mentioned dns leak, which allows isp or vpn or onion to see what hostnames you accessed using 2nd vpn or vpn or another onion/tor.
To check whether you are vulnerable, just visit: https://www.dnsleaktest.com/
Although your vpn app is supposed to take care of this, there are many universal programs that allow you to choose to use dns over vpn or dns over proxy. But just because you are allowed to use different DNS does not have to mean that you are in fact using it. Your ISP or even VPN may be tricking you. That's what dns leak test is.

Btw, tor is best for anonymous access without logging in to sexual, dangerous, embarrassing, weird sites. It is not recommended for account websites where you have to use real identity such as money, social media... It is also not recommended to use it for downloads, but just to get link to downloads which you can later download using vpn or proxy or normal internet.

Do not confuse dns over vpn/proxy/onion as dns tunneling, which is illegal, and used by many people to circumvent internet bill, and such principle is used by famous apps like your freedom, slow dns, dns over vpn which are available on google play, and some maybe on iphone, and linux, windows... This stuff is used to give you internet access if you don't have it at all, while the first one I just talked about is only used to conceal your privacy and is visible in many programs such as proxifier as "resolve through proxy" and similar.

[Edited on 3-12-2018 by LeakTaker]
Tsjerk
International Hazard
*****




Posts: 1293
Registered: 20-4-2005
Location: Netherlands
Member Is Offline

Mood: Mood

[*] posted on 3-12-2018 at 15:38


Quote: Originally posted by woelen  
Do you know of a method to bring down a connection without doing a neat disconnect (in that case the kill switch of course does not work, you manually revert back to normal internet access)?


No, not really. I just check by pinging Google after disconnecting the VPN with the kill switch enabled. And I check my torrent client to stop downloading after I disconnect my VPN.

Quote: Originally posted by LeakTaker  
Nobody mentioned dns leak, which allows isp or vpn or onion to see what hostnames you accessed using 2nd vpn or vpn or another onion/tor.

[Edited on 3-12-2018 by LeakTaker]


Doesn't ipleak.net check this? Or am I missing something?
JJay
International Hazard
*****




Posts: 3320
Registered: 15-10-2015
Member Is Offline

Mood: resigned

[*] posted on 3-12-2018 at 17:18


There are some applications that use a pre-configured DNS server. IPLeak probably wouldn't notice.

I'm going to be very clear about my position on this: a VPN operated by an entity that you do not control is just a tinfoil hat. I don't use one; if I were to do sneaky things on the Internet (I do not, of course), I would use methods that I am 100% sure I can trust. At what point is it worth the CIA/FBI/NSA/BBQ/Interpol/Girl Scouts' time and effort to bribe a Nord employee to plant a monitoring device, etc.? They probably don't even need to do that.

If you insist on using a VPN, the best way to prevent DNS leaks would be to use a physical firewall/router that connects your local network to the VPN and actually intercepts and rewrites any DNS requests. For some people that might seem like overkill, but then again, what exactly are you using a VPN for, what are the consequences of a DNS leak, and is it overkill or not?


[Edited on 4-12-2018 by JJay]




I'm no longer involved in this forum.
WGTR
International Hazard
*****




Posts: 831
Registered: 29-9-2013
Location: Online
Member Is Offline

Mood: Outline

[*] posted on 3-12-2018 at 18:05


Woelen, it depends on what your VPN client is doing to the route tables when it starts up. It wouldn't hurt to check the routes before and after it starts, just to see what's going on. Depending on options that get pushed to the client when it starts, I've seen OpenVPN (my client of choice) delete the default route, and replace it with its own route to the TUN interface. On shutdown, it tears down the TUN interface and re-adds the original routes.

I've also seen the default route get moved to a higher metric, so if the TUN interface fails, the old default route comes back into play (causing traffic leakage outside the tunnel if the connection crashes).

If you want to crash the VPN client ungracefully, then perhaps

kill -SIGKILL [PID]

would do it, once you determine the client's process ID. If you want to crash things rather violently, then you can try overwriting parts of the application in RAM, although I would suggest playing with this using a LiveCD, not on your regular install.

Personally I wouldn't trust a software "kill switch" and wouldn't use it, since it is just one more piece of software that may or may not work when you expect it to.

I've done some testing with these types of setups. I've normally done what JJay mentions, in that I use a hardware firewall router. I would recommend locking down the entire network using the router, and whitelisting only your VPN's IP address. That is your kill switch. Not every firewall router has a packet filter, but several TP-Link and D-Link routers do. If you want, I can throw out some part numbers.

What is the best way to verify that there are no leaks or vulnerabilities through the network? Audit the software yourself. I'm currently developing a network packet filter that is designed to functionally act like a brick until an IP address is manually added to the keypad on the unit (no web interface included). All other traffic is dropped (including ICMP, DNS, etc). It's taking a while since I'm developing it from scratch, for an FPGA. There will be no operating system, just a few thousand lines of code that someone can look through if they want to (as opposed to a million or so for a Linux OS). The idea is to make it easy to audit for security.





Tsjerk
International Hazard
*****




Posts: 1293
Registered: 20-4-2005
Location: Netherlands
Member Is Offline

Mood: Mood

[*] posted on 3-12-2018 at 23:33


Quote: Originally posted by WGTR  


Personally I wouldn't trust a software "kill switch" and wouldn't use it, since it is just one more piece of software that may or may not work when you expect it to.


I use the Vuze torrent client for that reason, it has a second switch, killing the connection when it drops

Quote: Originally posted by JJay  
. At what point is it worth the CIA/FBI/NSA/BBQ/Interpol/Girl Scouts' time and effort to bribe a Nord employee to plant a monitoring device, etc.? They probably don't even need to do that.
[Edited on 4-12-2018 by JJay]


I'm mostly worried about legal agencies (in Germany regular lawyer offices) who don't use sophisticated means to hunt down up-loaders. It actually is not illegal to download when you already possess a copy of the downloaded material. The automatic uploading is the problem. What these agencies do is that they buy a copy and start downloading this work, they see the IPs uploading it and hunt those down. There is a torrent client developed at a Swiss university that actually allows you to download without uploading, I guess these agencies use something like this so they don't upload themselves.

A simple VPN that disconnects when the connection is lost should be sufficient to deduce these guys... I hope.
JJay
International Hazard
*****




Posts: 3320
Registered: 15-10-2015
Member Is Offline

Mood: resigned

[*] posted on 4-12-2018 at 00:13


I would think that most VPN providers would ignore subpoenas from other countries, so VPNs probably defeat lawyers. I don't think a VPN provider will defeat a government, though.

I've actually modified torrent software so that it doesn't upload before. It's not that hard to do. Of course, I didn't share it with anyone....

While it can't really be condoned, a VPN will probably protect you from anti-piracy groups if you're downloading torrents and whatnot. Personally, I just stick within the bounds of fair use and don't worry about it.






Tsjerk
International Hazard
*****




Posts: 1293
Registered: 20-4-2005
Location: Netherlands
Member Is Offline

Mood: Mood

[*] posted on 4-12-2018 at 00:23


Hmmm, now I start to think it could possibly be a concern that NordVPN distributes services in the EU and that an EU judge could judge any company servicing the EU to obey its judgment. Although they could still say they don't log anything so they don't have anything to hand over.

If they don't have anything to hand over it is no problem, if they do I think it is legally possible for some judges to claim the information.
woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 4-12-2018 at 00:28


I looked into the routing table on my Linux system.

If I do a "netstat -rn" I see two entries. One to 0.0.0.0 via 192.168.1.1 and one to 192.168.1.0/24 directly. Both are associated to the same interface (ensp3s0 or something like that, in the good old days they used eth0, eth1 and so on, nowadays they use hard to remember long names for interfaces).
If I start the command-line tool "nordvpn connect <country code> <srvr nr>", then I get a set of new entries, using a pseudodevice tun0, but the original entries also still exist, but they are not used anymore. I am not a real network expert, so I do not really understand how this works. Apparently the new route has higher priority and the old route is not used anymore.

I also have an 192.168.2.0/24 network, which can be reached from the 192.168.1.0/24 network, through the router with IP-address 192.168.1.1 (I added a static route in that router to make this possible). This 192.168.2.0/24 network cannot be reached anymore from my Linux box when the VPN connection is active. From this I conclude that the original route through 192.168.1.1 is not used at all, once the VPN is active.

So, it would be better to have these original routes completely removed? Is that possible? The VPN software itself needs those routes to go from my PC to the VPN server, isn't it?


[Edited on 4-12-18 by woelen]




woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 4-12-2018 at 00:43


Quote: Originally posted by Tsjerk  
[...]The automatic uploading is the problem. What these agencies do is that they buy a copy and start downloading this work, they see the IPs uploading it and hunt those down. There is a torrent client developed at a Swiss university that actually allows you to download without uploading, I guess these agencies use something like this so the don't upload themselves.
[...]

I think that even when you are only downloading your IP-address may be detected. The agency may have a copy of the work and may advertise itself as seeder and may use a specially developed version of the torrent software. Your bittorrent client connects to all seeders, including the agencies' one. As soon as such a connection is setup, the agency has your IP-address.
The agency can even be legal in this way, because it can advertise itself as seeder so that others connect to it, but it does not need to actually upload any data. It only needs the connection for getting the IP-address.




JJay
International Hazard
*****




Posts: 3320
Registered: 15-10-2015
Member Is Offline

Mood: resigned

[*] posted on 4-12-2018 at 00:46


I would check /etc/resolv.conf and make sure it is pointing at a nameserver operated by your VPN provider and **NOT** at your ISP's nameserver. If it's pointing at 8.8.8.8 or 1.1.1.1 (Google's and Cloudflare's nameservers), that might not be so bad, but it's not completely ideal.



Tsjerk
International Hazard
*****




Posts: 1293
Registered: 20-4-2005
Location: Netherlands
Member Is Offline

Mood: Mood

[*] posted on 4-12-2018 at 00:59


Quote: Originally posted by woelen  

I think that even when you are only downloading your IP-address may be detected. The agency may have a copy of the work and may advertise itself as seeder and may use a specially developed version of the torrent software. Your bittorrent client connects to all seeders, including the agencies' one. As soon as such a connection is setup, the agency has your IP-address.
The agency can even be legal in this way, because it can advertise itself as seeder so that others connect to it, but it does not need to actually upload any data. It only needs the connection for getting the IP-address.


I will try to find the name of this "legal" torrent client. It could very well be possible that the IP address of the downloader is visible, but as far as I know only uploading is prosecuted at the moment, because legally seen it is easier.


Edit:
VPNs nowadays are way more stable compared to a couple years ago. Four years ago they would go down every 12 hours or so.

Edit2:
I have a very strong feeling NordVPN bandwidth is limited to 2 mb/s, downloading up to 2 goes fine, but close to that (1.98) internet becomes very slow and it never goes past 2. Not too bad, 2 mb/s is fine.

[Edited on 4-12-2018 by Tsjerk]
woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 4-12-2018 at 02:20


NordVPN is much faster than 2 MByte/s. I obtained a speed of over 10 MByte/s (which is 80 Mbit/s). My internet connection, however, is much faster, it has appr. 400 Mbit/s download speed.

I tried yesterday with a torrent client, just to see how the VPN performs. I used a server in France, which is not too far from NL. I searched on a torrent site, 1337X.com and searched for a fairly recent movie (I selected Maze Runner or one of its sequels, don't remember exactly which one, but it was a few GByte of data). I selected it, because it showed a fairly large number of seeders. It took me some fiddling to find out how to use a torrent downloader, but I ended up using the standard Ubuntu builtin program, called transmission. From the torrent site you can download a little file (a magnet file ???) and you can open this with transmission. Once you open this, it takes minutes before the download actually starts (why??? I almost closed the program because nothing seemed to happen). Once started, the speed slowly builds up, starting at just a few kbytes per second, but after a few minutes I reached 10 - 11 MByte per second and then the movie is in in just 10 minutes or so.

After this experience with torrents I can conclude that my VPN link is quite good, but the overall experience was really bad. The bad experience is not because of the VPN, but the torrent site is horrible: porn and other very dubious stuff on the site, the site opens new windows with full size ads for so-called sexy-games, gambling and whatever other crap. I could not even close these windows normally, they contained a script, which moved away the mouse pointer from the close button of the browser window as soon as I entered a certain region around that. I also had popups which prompted me to install something and again, I could not use the close button on these popups. I had to use the Linux kill command to get rid of this crap. This was a one-time experience, never again :(
I cannot imagine that people spend a lot of time on this kind of websites. It really is the lowest of the lowest and shows how deep people can fall :(

[Edited on 4-12-18 by woelen]




Tsjerk
International Hazard
*****




Posts: 1293
Registered: 20-4-2005
Location: Netherlands
Member Is Offline

Mood: Mood

[*] posted on 4-12-2018 at 03:16


I'm sorry I didn't warn you about the crap you just saw...

https://yts.am/

This is a decent site to get torrents.
woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 4-12-2018 at 04:25


No need to say sorry, it was my own choice to go to that site.
But for future tests or real downloads I will use your link :)




WGTR
International Hazard
*****




Posts: 831
Registered: 29-9-2013
Location: Online
Member Is Offline

Mood: Outline

[*] posted on 4-12-2018 at 07:34


Quote: Originally posted by woelen  
I looked into the routing table on my Linux system.

If I do a "netstat -rn" I see two entries. One to 0.0.0.0 via 192.168.1.1 and one to 192.168.1.0/24 directly. Both are associated to the same interface (ensp3s0 or something like that, in the good old days they used eth0, eth1 and so on, nowadays they use hard to remember long names for interfaces).
If I start the command-line tool "nordvpn connect <country code> <srvr nr>", then I get a set of new entries, using a pseudodevice tun0, but the original entries also still exist, but they are not used anymore. I am not a real network expert, so I do not really understand how this works. Apparently the new route has higher priority and the old route is not used anymore.


If you use "netstat -rne", you'll also get the metrics for each rule...just a bit of additional information. The 0.0.0.0/0 via 192.168.1.1 route is your default route to the gateway. Under the "Flags" label it should also have a "G", designating that it's a gateway. 192.168.1.0/24 is the network of the interface card itself. Any traffic addressed to 192.168.1.0/24 goes directly to this network, as this rule is more specific than the default gateway rule. The more specific the rule, the higher its priority in the rule table. Traffic addressed anywhere else goes to the default gateway. If I wanted to confuse you, I could bring up how traffic is network translated as it passes through the gateway, but I'll restrain myself today.

When the VPN starts up, I'm willing to bet that it is adding routes 128.0.0.0/1 via 10.5.0.1 and 0.0.0.0/1 via 10.5.0.1 through the tun0 interface. The IP address of the tun0 interface may be different. Those rules would be more specific than the original default gateway, and so would take higher priority. A rule would also be added for the VPN to the interface card, perhaps 213.134.123.321/32 via 192.168.1.1, so that it can connect to its server (without this rule it would try to connect to its server through its own tun0 interface, causing an impossible and unfortunate situation). If I'm actually guessing right, then it seems like there is no actual "kill switch", at least not the way I would define it, since the original default route is not being removed. If the VPN client crashed then the rules related to the tun0 interface would disappear, leaving the default route in place (and leaking your traffic outside the now non-existent VPN tunnel).

Quote: Originally posted by woelen  

I also have an 192.168.2.0/24 network, which can be reached from the 192.168.1.0/24 network, through the router with IP-address 192.168.1.1 (I added a static route in that router to make this possible). This 192.168.2.0/24 network cannot be reached anymore from my Linux box when the VPN connection is active. From this I conclude that the original route through 192.168.1.1 is not used at all, once the VPN is active.


Traffic addressed to 192.168.2.0/24 also goes through the default gateway, and your router handles where to send those packets in your case. When the VPN switches your default gateway to its tun0 interface, those packets get tunneled through to the VPN server, which doesn't know what to do with them (this address range is hopefully blocked at the VPN anyway).

If you want access to the 192.168.2.0/24 network while the VPN is operational, then you can run

"sudo ip route add 192.168.2.0/24 via 192.168.1.1"

Quote: Originally posted by woelen  

So, it would be better to have these original routes completely removed? Is that possible? The VPN software itself needs those routes to go from my PC to the VPN server, isn't it?


If it were me, I would remove it after the VPN is already running:

"sudo ip route del 0.0.0.0/0 via 192.168.1.1"

To re-add it later, you just use:

"sudo ip route add 0.0.0.0/0 via 192.168.1.1"

If you know what server IP you will be connecting to, then you can manually add the route to that server:

"sudo ip route add 123.456.789.012/32 via 192.168.1.1"

...and then permanently delete your default route to 192.168.1.1, if you only intend to use the internet with the VPN. If the VPN client shuts down, then you'll have to re-add the default route to 192.168.1.1 before you can access the internet again without the VPN.

You should be able to specify what server address to connect to in the config file (for OpenVPN). However, if you don't know what the address is or how to specify it, then don't delete the default route until after the VPN is already running. Otherwise the VPN probably wouldn't be able to connect initially. Once it starts, however, the VPN client should add its own route to its server via 192.168.1.1.


[Edited on 12-4-2018 by WGTR]




woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 4-12-2018 at 12:12


WGTR, you have quite some network knowledge and a good understanding :o
The setup, after connecting to NordVPN is like you explained.

Originally I have
Code:
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0   0      0    enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    enp3s0


and after switching on the VPN I have the following lines added:
Code:
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
185.169.255.97  192.168.1.1     255.255.255.255 UGH   0   0      0    enp3s0
0.0.0.0         10.8.8.1        128.0.0.0       UG    0   0      0    tun0
128.0.0.0       10.8.8.1        128.0.0.0       UG    0   0      0    tun0
10.8.8.0        0.0.0.0         255.255.255.0   U     0   0      0    tun0


It adds a specific rule for the real interface enp3s0. This now can only be used to go to 185.169.255.97, the VPN server.
It adds two general rules, one for 0.0.0.0/1 and one for 128.0.0.0/1, so that all possible internet addresses are covered.
It adds one for going to the 10.8.8.0/24 segment, which is the local network on tun0.

I now fully understand how this works! Thumbs up to WGTR :)

The nordvpn program also changes my /etc/resolv.conf, it is changed to
Code:
# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100

Good to see that it replaces the ISP's DNS servers.




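Added example (not code from the thread, from NordVPN or from OpenVPN): a Python script that parses the netstat -rn entries woelen posted above and applies the longest-prefix-match rule WGTR described, then simulates the tun0 routes disappearing (what the kernel does when the client dies) to show whether the remaining default route via 192.168.1.1 would carry traffic in the clear. It also models the "ip route del 0.0.0.0/0 via 192.168.1.1" step to show that, with the default route gone, a crashed tunnel leaves no path at all. The probe address 198.51.100.10 is a constructed TEST-NET-2 value; the column header is the standard netstat -rn one, included so the parser can skip it.

```python
"""Longest-prefix-match audit of a Linux routing table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the routing-table lines woelen posted, in 'netstat -rn' column
# order (Destination Gateway Genmask Flags MSS Window irtt Iface).
NETSTAT_OUTPUT = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0 0      0    enp3s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0 0      0    enp3s0
185.169.255.97  192.168.1.1     255.255.255.255 UGH   0 0      0    enp3s0
0.0.0.0         10.8.8.1        128.0.0.0       UG    0 0      0    tun0
128.0.0.0       10.8.8.1        128.0.0.0       UG    0 0      0    tun0
10.8.8.0        0.0.0.0         255.255.255.0   U     0 0      0    tun0
"""

# Constructed probe address (TEST-NET-2); any public address behaves the same.
PROBE = "198.51.100.10"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None = directly attached (netstat shows 0.0.0.0)
    iface: str


def parse_netstat(text: str) -> List[Route]:
    """Turn 'netstat -rn' output into Route objects, skipping the header line."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[7]
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append(Route(network, None if gateway == "0.0.0.0" else gateway, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Kernel-style selection: the most specific (longest prefix) matching route wins."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def without_iface(routes: List[Route], iface: str) -> List[Route]:
    """The table after the kernel drops every route bound to `iface`,
    which is what happens to the tun0 routes when the VPN client dies."""
    return [r for r in routes if r.iface != iface]


def leak_report(routes: List[Route], tun_if: str = "tun0", probe: str = PROBE) -> dict:
    """Where does internet traffic go with the tunnel up, and after it crashes?"""
    up = lookup(routes, probe)
    down = lookup(without_iface(routes, tun_if), probe)
    return {
        "while_vpn_up": up.iface if up else None,
        "after_tun_crash": down.iface if down else None,
        # A real kill switch leaves no path at all once the tunnel is gone.
        "leaks_outside_tunnel": down is not None and down.iface != tun_if,
    }


def remove_default_route(routes: List[Route]) -> List[Route]:
    """Model of 'sudo ip route del 0.0.0.0/0 via 192.168.1.1' from the thread."""
    return [r for r in routes if r.network.prefixlen != 0]


if __name__ == "__main__":
    table = parse_netstat(NETSTAT_OUTPUT)
    for dst in (PROBE, "185.169.255.97", "192.168.1.50", "192.168.2.7"):
        r = lookup(table, dst)
        print(f"{dst:>15} -> {r.iface} via {r.gateway or 'link'}")
    print("as posted:       ", leak_report(table))
    print("default removed: ", leak_report(remove_default_route(table)))
```

For the table as posted the report says traffic to the probe goes out tun0 while the VPN is up and falls back to enp3s0 the moment the tun0 routes vanish, which is the leak WGTR predicted; after the default route is deleted the fallback path is None. The lookup for 192.168.2.7 also lands on tun0, which is why woelen's second LAN became unreachable. On a live system the same check runs on the output of netstat -rn piped into parse_netstat.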
WGTR
International Hazard
*****




Posts: 831
Registered: 29-9-2013
Location: Online
Member Is Offline

Mood: Outline

[*] posted on 4-12-2018 at 13:10


I'm glad that it helps you!

Is this with the "kill switch" enabled? I'm wondering how that is intended to work.




woelen
Super Administrator
*********




Posts: 6631
Registered: 20-8-2005
Location: Netherlands
Member Is Offline

Mood: interested

[*] posted on 4-12-2018 at 13:38


@WGTR: This indeed is with the kill switch enabled. I also checked the routing table without kill switch, but there is no difference. Apparently the kill switch is implemented in another way, but I do not have any idea how it works.

@Tsjerk: With my NordVPN account, I have one peculiar issue.
I first need to login. Simply use "nordvpn login" from the Linux prompt and supply email address and password.
Once you are logged in, you can use "nordvpn connect" to connect.
As long as the connection is up, it remains up. It is stable. I tested it for half a day and it remained stable and active.
Now, I disconnect and switch off my PC.
Tomorrow, I start the PC. If I issue the command "nordvpn connect" then it connects again, but I cannot go to the internet. The connection is totally dead. I can use DNS though (e.g. nslookup). If I use the command "nordvpn login", then it says I am logged in already.
The only way to get things working again is logging out, logging in and then connecting. This is annoying, especially if you want to make automated scripts, based on WGTR's suggestions. How is it behaving on your side?



[Edited on 4-12-18 by woelen]




JJay
International Hazard
*****




Posts: 3320
Registered: 15-10-2015
Member Is Offline

Mood: resigned

[*] posted on 4-12-2018 at 14:14


Quote: Originally posted by woelen  


The nordvpn program also changes my /etc/resolv.conf, it is changed to
Code:
# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100

Good to see that it replaces the ISP's DNS servers.


That's good. It's important to be aware if you are running any programs that use DNS servers specified in their own configuration. These are generally programs that need to do a lot of DNS calls - crawlers, scanners, bulk email software, server daemons, filesharing programs, etc.

I ran into a situation recently where one of my daemons was leaking information over DNS to some faceless entity that I knew nothing about... while I revealed nothing that could identify me personally (and there wouldn't have been any consequences if I had since what I was doing is legal), if I had allowed the information leak to continue, a sophisticated and vigilant entity could have used traffic analysis to detect what I was doing. I decided against that.




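Added example (not code from the thread or from NordVPN) for the resolv.conf check JJay recommends: a Python audit that parses the file and classifies each nameserver as the VPN provider's, a LAN/ISP address reached over the local route (a DNS leak), a third-party public resolver, or the systemd-resolved loopback stub whose real upstream is not in the file. The two samples are constructed; the first reproduces the file woelen posted, the second is a typical pre-VPN NetworkManager file. The set of provider resolvers is taken from the thread and is an assumption about what the client should install. As JJay notes, applications with their own DNS settings bypass this file entirely, so this covers only the system resolver.

```python
"""Audit /etc/resolv.conf for resolvers that would bypass the VPN (added example)."""
import ipaddress
import sys
from typing import Dict, List, Set

# Constructed samples. The first reproduces the file woelen posted; the second
# is what a NetworkManager-managed box typically has before the VPN rewrites it.
RESOLV_VPN = """# Generated by NordVPN
nameserver 103.86.96.100
nameserver 103.86.99.100
"""
RESOLV_LEAKY = """# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 8.8.8.8
"""

# Provider resolvers from the thread (assumption: what the client should install).
VPN_RESOLVERS: Set[str] = {"103.86.96.100", "103.86.99.100"}
# Well-known third-party resolvers JJay calls "not completely ideal".
PUBLIC_RESOLVERS: Set[str] = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1"}


def parse_nameservers(text: str) -> List[str]:
    """Nameserver addresses in file order; comments (# or ;) and other keys are ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify(ns: str, vpn_resolvers: Set[str]) -> str:
    addr = ipaddress.ip_address(ns)
    if ns in vpn_resolvers:
        return "vpn"
    if addr.is_loopback:
        # systemd-resolved stub (127.0.0.53): the upstream is not in this file,
        # inspect 'resolvectl status' instead.
        return "local-stub"
    if addr.is_private:
        # The home router forwards queries to the ISP resolver over the LAN
        # route, outside the tunnel: the classic DNS leak.
        return "lan-or-isp"
    if ns in PUBLIC_RESOLVERS:
        return "public"
    return "unknown"


def audit(text: str, vpn_resolvers: Set[str] = VPN_RESOLVERS) -> Dict[str, object]:
    """Classify every nameserver and reduce to one verdict, worst case first."""
    servers = parse_nameservers(text)
    classes = {ns: classify(ns, vpn_resolvers) for ns in servers}
    kinds = set(classes.values())
    if "lan-or-isp" in kinds:
        verdict = "leak"
    elif not servers or "local-stub" in kinds:
        verdict = "undetermined"
    elif kinds - {"vpn"}:
        verdict = "suboptimal"  # works, but a third party sees every query
    else:
        verdict = "ok"
    return {"nameservers": classes, "verdict": verdict}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/resolv.conf"
    with open(path) as fh:
        print(audit(fh.read()))
```

Run without arguments it audits the live /etc/resolv.conf; pass a path to audit a saved copy. The "undetermined" verdict is deliberate: a loopback stub hides the real upstream, so the file alone cannot prove there is no leak.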
WGTR
International Hazard
*****




Posts: 831
Registered: 29-9-2013
Location: Online
Member Is Offline

Mood: Outline

[*] posted on 4-12-2018 at 15:31


After exercising a bit of googling, I would not rely on the kill switch, if there's a good reason to be using one in the first place. I only say that with the hopes of helping people. It's better than using nothing at all, but is probably intended to be more user-friendly (but less effective) than the better options that exist. If the VPN client crashes for any reason, the kill switch can crash with it, and leave any running applications free to access the internet through the default route. I came across some anecdotal internet stories about this type of experience.

Aside from arranging the route tables as I suggested earlier, a hardware firewall router can be used as a packet filter. I have verified that this is possible with the DI-604 and the TL-R402M, two inexpensive routers.

[Attached images: s-l1600.jpg (112kB), s-l16002.jpg (68kB)]

The router can be instructed to block all traffic, except for traffic to and from the VPN's IP address. If this kind of router is used at the same time as removing the default gateway from the routing table, then the network is very secure against leaks outside the tunnel for normal people, and maybe a few abnormal ones :(. Learning how to use the iptables command can also add a third layer of protection.

In the spirit of JJay's mention of DNS calls, there is additionally spyware, malware, and legitimate software that can "phone home" or otherwise unmask your identity if the system contains information that has been previously linked to you. Ubuntu makes dealing with this easy with the availability of liveCD images that can be downloaded and used to boot up a fresh system completely to RAM. On my home system I access the internet exclusively with liveCDs. In the unlikely event that I encounter malware, I simply reboot and it's gone. If I want to save anything, an external drive can be plugged in after the machine has been disconnected from the internet. It took some practice to get used to working this way, but now I do this just as a matter of course, and it feels "normal".

Of course, Linux liveCDs can be customized with your own software and settings, but that's another topic altogether.

There are other ways to set up secure networking. Some people swear by using a virtual machine that has its network access tied to the tun0 interface, for example. No tun0 interface, no internet for the VM. Instead of VM containers, I prefer using physically separate machines. In other words, first there is a firewall router, then a machine that runs a VPN (or Tor, etc), that routes traffic from a second machine, that encapsulates traffic from possibly a third machine, and so on. Once you start playing with this type of stuff, it is so fun and mentally engaging.

As I mentioned before, I'm starting from one end of the network by implementing a custom built high security packet filter. Eventually (if I don't die from old age first), I'll work my way through implementing a complete, secure, communications appliance. The overreaching idea throughout the whole process is to keep the hardware modules simple, small, and with each layer of complexity implemented in separate hardware. The goal of this is to keep the codebase of each module small such that it both avoids vulnerabilities related to large code size, and realistically allows it to be audited.


[Edited on 12-5-2018 by WGTR]




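Added example (not NordVPN's kill switch, nor code from the thread) of the iptables "third layer" WGTR mentions: a Python helper that generates an OUTPUT-chain rule set allowing only the encrypted tunnel to the VPN server on the physical interface plus anything sent through tun0, with a default-deny policy, so a crashed client cannot fall back to the ISP default route and queries cannot reach the router's DNS forwarder. Rules are returned as strings so they can be reviewed and tested before being applied. Assumptions: the tunnel runs over UDP 1194 (OpenVPN's default; check the client's config) and the LAN is 192.168.1.0/24; the server address and interface names are the ones from the thread.

```python
"""Build an iptables OUTPUT-chain kill switch that does not depend on the VPN
client or on the routing table (added example)."""
import shlex
import subprocess
from typing import List


def killswitch_rules(vpn_server: str, lan_if: str, tun_if: str,
                     lan_net: str = "192.168.1.0/24",
                     vpn_proto: str = "udp", vpn_port: int = 1194) -> List[str]:
    """Return the iptables commands, in order, as reviewable strings.

    Assumed values: vpn_proto/vpn_port are the tunnel's transport (OpenVPN's
    default UDP 1194 here), lan_net is the local subnet.
    """
    return [
        # Fresh OUTPUT chain with a default-deny policy: anything not allowed
        # below is dropped, including traffic that would appear when the tun0
        # routes vanish and the kernel falls back to the ISP default route.
        "iptables -F OUTPUT",
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # Block DNS to the LAN *before* the LAN allow rule: the home router
        # would otherwise forward queries to the ISP resolver (DNS leak).
        f"iptables -A OUTPUT -o {lan_if} -p udp --dport 53 -j DROP",
        f"iptables -A OUTPUT -o {lan_if} -p tcp --dport 53 -j DROP",
        # Local devices (router UI, NAS, printer) stay reachable off-tunnel.
        f"iptables -A OUTPUT -o {lan_if} -d {lan_net} -j ACCEPT",
        # The only internet-bound traffic allowed on the physical interface is
        # the encrypted tunnel to the VPN server itself.
        f"iptables -A OUTPUT -o {lan_if} -d {vpn_server} -p {vpn_proto} --dport {vpn_port} -j ACCEPT",
        # Everything inside the tunnel is fine.
        f"iptables -A OUTPUT -o {tun_if} -j ACCEPT",
        # Log what the policy drops, so a dead client or an app with its own DNS
        # shows up in the kernel log instead of silently failing.
        f"iptables -A OUTPUT -o {lan_if} -j LOG --log-prefix \"VPN-LEAK-BLOCKED: \" --log-level warning",
    ]


def dns_drop_precedes_lan_accept(rules: List[str], lan_net: str = "192.168.1.0/24") -> bool:
    """Self-check: iptables evaluates rules in order, so the DNS drops must
    come before the broad LAN accept or the leak path reopens."""
    dns_drops = [i for i, r in enumerate(rules) if "--dport 53 -j DROP" in r]
    lan_accept = [i for i, r in enumerate(rules) if f"-d {lan_net} -j ACCEPT" in r]
    return bool(dns_drops) and bool(lan_accept) and max(dns_drops) < lan_accept[0]


def apply_rules(rules: List[str], dry_run: bool = True) -> int:
    """Print the rules (dry run) or execute them; needs root when dry_run is False.
    Returns the number of rules handled."""
    for cmd in rules:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)
    return len(rules)


if __name__ == "__main__":
    rules = killswitch_rules("185.169.255.97", "enp3s0", "tun0")
    assert dns_drop_precedes_lan_accept(rules)
    apply_rules(rules, dry_run=True)
```

Because the filter keys on interfaces and the server address rather than on routes, it still holds when the client crashes and the kernel reinstates the default route, which is the failure WGTR describes. Combine it with deleting the default route (his earlier suggestion) and the router-level whitelist for defence in depth; the LOG rule gives a quick way to see, in the kernel log, which process tried to leave outside the tunnel.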
LeakTaker
Harmless
*




Posts: 2
Registered: 3-12-2018
Member Is Offline


[*] posted on 5-12-2018 at 07:00


I always wanted to understand iptables, route, routing tables...
Found the best tutorial on this so far; see chapter 5, IP routing: https://www.microsoft.com/en-us/download/details.aspx?id=878...
Heard somewhere that via IP routing we can exclude some apps or websites from the VPN.
Also, we can use VPNs over VPNs, if we suffer from paranoid schizophrenia, aka paranoia: https://www.bestvpn.com/privacy-news/chaining-vpn-servers-do...
Also, I recommend everyone use some GUI tool for managing such stuff; it won't give you a headache like the command line. For example, a good one for Windows is NetRouteView by NirSoft.
Also, I noticed that when we use a VPN on Android with some firewall that utilizes iptables, it actually won't block the apps that you tell it to.
Also, some VPN apps allow you to exclude apps within the app itself, so no need for routing-table knowledge there. https://www.expressvpn.com/support/troubleshooting/split-tun...

[Edited on 5-12-2018 by LeakTaker]
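What "excluding a website or an app from the VPN via IP routing" comes down to on Linux, as an added example that is not from the post above or from the linked tutorial. It uses ip(8) only. The assumptions are mine, not the page's: the pre-VPN default route is still in the main table (OpenVPN's usual `redirect-gateway def1` adds 0.0.0.0/1 and 128.0.0.0/1 on top of it rather than deleting it), routing table 100 is unused, and the app to exclude runs under its own uid (uidrange rules need Linux 4.10 or later).

```shell
#!/bin/sh
# Added example (not code from the thread): what "excluding a website or an app
# from the VPN via IP routing" comes down to on Linux, using ip(8) only.
# Assumptions, not from the page: the pre-VPN default route is still in the main
# table (OpenVPN's usual 'redirect-gateway def1' adds 0.0.0.0/1 and 128.0.0.0/1
# on top of it rather than deleting it); routing table 100 is unused; the app
# to exclude runs under its own uid (uidrange rules need Linux 4.10 or later).

# Turn an 'ip route show default' line into "gateway device".
parse_default_route() {
    awk '$1 == "default" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "via") gw = $(i + 1)
                 if ($i == "dev") dev = $(i + 1)
             }
             print gw, dev; exit
         }'
}

# Excluding a site: a /32 host route via the LAN gateway beats the tunnel's two
# /1 routes on prefix length, so packets to that address never enter tun0.
bypass_site_routes() {
    gw=$1 dev=$2; shift 2
    for ip in "$@"; do
        echo "ip route add $ip/32 via $gw dev $dev"
    done
}

# Excluding an app: policy routing on the owning uid. Table 100 holds only the
# original default route, and every socket of that uid is sent to it first.
bypass_uid_routes() {
    gw=$1 dev=$2 uid=$3
    echo "ip route add default via $gw dev $dev table 100"
    echo "ip rule add uidrange $uid-$uid lookup 100"
}

# Usage: sh split.sh site IP...   or   sh split.sh uid UID
# Prints the commands; review them, then run them as root to apply.
case "${1:-}" in
    site|uid)
        mode=$1; shift
        gwdev=$(ip route show default | parse_default_route)
        [ -n "$gwdev" ] || { echo "no default route found" >&2; exit 1; }
        set -- $gwdev "$@"
        if [ "$mode" = site ]; then bypass_site_routes "$@"; else bypass_uid_routes "$@"; fi ;;
esac
```

Two things follow from the routing and are easy to forget. The excluded traffic leaves in the clear by design, so a kill switch that only permits tun0 will drop it; the exception has to be added to the firewall as well. And DNS lookups made by an excluded app follow the same uid rule, so a resolver address that is only reachable inside the tunnel will not answer that app.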
JJay
International Hazard
*****




Posts: 3320
Registered: 15-10-2015
Member Is Offline

Mood: resigned

[*] posted on 5-12-2018 at 07:25


VPNs over VPNs might not be such a bad idea. But if you're paying for both VPNs with your credit card, you might be better off without a VPN.

[attached image: s-l1600.jpg]

One of these will let you connect over a distance of greater than two city blocks to a Starbucks. Of course, when the SWAT team raids Starbucks, they may have devices that they can use to draw a line to your position if you don't pull the plug on your antenna. For this reason, it is suggested to refrain from attracting SWAT teams to Starbucks.




[Edited on 5-12-2018 by JJay]




I'm no longer involved in this forum.
Tsjerk
International Hazard
*****




Posts: 1293
Registered: 20-4-2005
Location: Netherlands
Member Is Offline

Mood: Mood

[*] posted on 5-12-2018 at 11:55


Quote: Originally posted by woelen  

@Tsjerk: With my NordVPN account, I have one peculiar issue.
I first need to login. Simply use "nordvpn login" from the Linux prompt and supply email address and password.
Once you are logged in, you can use "nordvpn connect" to connect.
As long as the connection is up, it remains up. It is stable. I tested it for half a day and it remained stable and active.
Now, I disconnect and switch off my PC.
Tomorrow, I start the PC. If I issue the command "nordvpn connect" then it connects again, but I cannot go to the internet. The connection is totally dead. I can use DNS though (e.g. nslookup). If I use the command "nordvpn login", then it says I am logged in already.
The only way to get things working again is logging out, logging in and then connecting. This is annoying, especially if you want to make automated scripts, based on WGTR's suggestions. How is it behaving on your side?



[Edited on 4-12-18 by woelen]


I have no problems, but I use the Windows client. Mine just starts with Windows and connects automatically while starting.
WGTR
International Hazard
*****




Posts: 831
Registered: 29-9-2013
Location: Online
Member Is Offline

Mood: Outline

[*] posted on 5-12-2018 at 15:43


Woelen, if you're willing to give it a try, I suggest using OpenVPN instead of the NordVPN GUI. It's easy to install. OpenVPN allows you to specify a path to a user/password file within the .ovpn configuration file, making the login process automatic. A Linux script to do all this and modify the routing table should be trivial.

I'm trying out a trial version of a NordVPN subscription, and I have this working with OpenVPN. Here's what I suggest:

1. Install OpenVPN

sudo apt-get update
sudo apt-get install openvpn

If the package isn't found, then you may have to update your source repositories for whatever distribution you're using. For my Ubuntu distribution, I go to System Settings>>Software&Updates>>Ubuntu Software, and make sure that all the check boxes are checked. Alternatively, my sources list is located at /etc/apt/sources.list, if I want to edit it directly. I make sure that each line ends with "main restricted universe multiverse", and then re-run step 1. After installing OpenVPN, I set my sources list back to what it was previously.

2. Go to NordVPN and download the .ovpn file for your server of choice at https://nordvpn.com/ovpn/. There are a lot of them available. The ones in Switzerland begin with the chX format (ch108.nordvpn.com, for example). A quick peek at https://nordvpn.com/servers/ will give you the names of the servers in various countries.

3. Create a small .txt file with your username and password. On the first line, enter your email (or whatever your username is), and on the second line enter your password, with no spaces or tabs anywhere. Save it and close.

4. Open up the .ovpn file for editing with a text editor. One of the lines will begin with "auth-user-pass". After this add a space, and then the path to the .txt file that contains your user/pass. For example, I created a file named 'user.txt' in my Downloads folder at '/home/ubuntu/Downloads/user.txt'. In the .ovpn file, I copy this file path after "auth-user-pass":

auth-user-pass /home/ubuntu/Downloads/user.txt

5. Save and close. Now, you can start OpenVPN on the command line:

sudo openvpn --config '/home/ubuntu/Downloads/ch108.nordvpn.com.tcp443.ovpn'

It will start OpenVPN and automatically log in with your username and password.




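Steps 3 to 5 above as a script, with the checks a hand edit tends to skip. This is an added example, not WGTR's script or anything from NordVPN or OpenVPN. Two things in it are my choices and not from the page: the credential file lives at ~/.config/openvpn/nordvpn.auth, and the patched profile is written beside the original with an ".auth.ovpn" suffix. OpenVPN's `auth-user-pass FILE` and `auth-nocache` options are real; with a file given, OpenVPN re-reads it when it needs the password again, so adding `auth-nocache` costs nothing and stops the password sitting in process memory for the life of the tunnel.

```shell
#!/bin/sh
# Added example (not code from the thread): WGTR's steps 3-5 as a script, with
# the checks a hand edit skips. Assumed, not from the page: the credential file
# path ~/.config/openvpn/nordvpn.auth and the '.auth.ovpn' suffix for the
# patched copy are this script's choices, not a NordVPN or OpenVPN convention.

# Two-line file for OpenVPN's auth-user-pass: username, then password.
# umask 077 makes it owner-only from creation; printf guarantees exactly two
# lines with no stray spaces or tabs, which is what the option requires.
write_auth_file() {
    path=$1 user=$2 pass=$3
    ( umask 077 && mkdir -p "$(dirname "$path")" && rm -f "$path" &&
      printf '%s\n%s\n' "$user" "$pass" > "$path" )
}

# Refuse a credential file readable by group or other (ls mode chars 5-10).
check_auth_perms() {
    [ -f "$1" ] || { echo "missing credential file: $1" >&2; return 1; }
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "refusing $1: readable by group/other" >&2; return 1 ;;
    esac
}

# Write a patched copy of the profile: auth-user-pass points at the file
# (whether the line already had a path, had none, or was missing), and
# auth-nocache is present exactly once so OpenVPN drops the password from
# memory after use and re-reads the file when it needs it again.
patch_ovpn() {
    src=$1 auth=$2 dst=$3
    awk -v auth="$auth" '
        $1 == "auth-user-pass" { print "auth-user-pass " auth; seen = 1; next }
        $1 == "auth-nocache"   { next }
        { print }
        END {
            if (!seen) print "auth-user-pass " auth
            print "auth-nocache"
        }' "$src" > "$dst"
}

# Path named on the auth-user-pass line of a profile (empty if none).
auth_path_of() { awk '$1 == "auth-user-pass" { print $2; exit }' "$1"; }

# Start OpenVPN detached and wait (up to 30 s) for the tunnel interface.
start_vpn() {
    conf=$1 ifname=${2:-tun0}
    check_auth_perms "$(auth_path_of "$conf")" || return 1
    sudo openvpn --config "$conf" --daemon --log /var/log/openvpn-nord.log || return 1
    i=0
    while ! ip link show "$ifname" >/dev/null 2>&1; do
        i=$((i + 1))
        [ "$i" -lt 30 ] || { echo "$ifname did not come up; see the log" >&2; return 1; }
        sleep 1
    done
    echo "$ifname is up"
}

# Usage: sh nordvpn-up.sh setup FILE.ovpn USERNAME   (password read from the tty)
#        sh nordvpn-up.sh up    FILE.auth.ovpn [IFNAME]
AUTH="${HOME:-/root}/.config/openvpn/nordvpn.auth"
case "${1:-}" in
    setup)
        printf 'NordVPN password: ' >&2
        stty -echo 2>/dev/null; read -r pass; stty echo 2>/dev/null; echo >&2
        write_auth_file "$AUTH" "$3" "$pass" &&
        patch_ovpn "$2" "$AUTH" "${2%.ovpn}.auth.ovpn" &&
        echo "wrote ${2%.ovpn}.auth.ovpn" ;;
    up) start_vpn "$2" "${3:-tun0}" ;;
esac
```

The password is read from the terminal rather than taken as an argument so it never shows up in `ps` output or shell history, and `start_vpn` refuses to run if the credential file has been left group- or world-readable, which is the usual outcome of creating it with a GUI editor and never touching its mode. Once the interface is up, the dnsleaktest check mentioned earlier in the thread is the quickest way to confirm the resolver also moved into the tunnel.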