How To Secure Your Vpn Connection



Renk
22.10.09, 17:38
This µtuto is not mine, but extracted from the valuable FAQ of Check VPN & Proxy Torrent Ip Address (http://checkmytorrentip.com)


How can I secure my VPN?
There are 3 good ways.
1. You can use a firewall. See Tutorial for Utorrent with Comodo Firewall 3 (http://tinyurl.com/624ot2)

2. Try a well configured OpenVPN client over PPTP. There are 2 reasons for this. Some OpenVPN configs won't drop your routes while reconnecting, whereas PPTP always drops your routes while reconnecting. This is an extra layer, but I have seen OpenVPN eventually give up/crash and then you're still exposed. Next, DNS requests go through your main connection and not PPTP.

3. Use the route command. Here's a tutorial I wrote for XP / VISTA / Windows 7:


A computer uses a "routing table" to decide where to send its data packets. In XP/Vista, you can see your routing table by using the following command inside the cmd shell:

netstat -R

You'll see many lines but the only one that is of interest is the 0.0.0.0 line and it looks like this:

Active Routes:
Network Destination    Netmask    Gateway          Interface       Metric
0.0.0.0                0.0.0.0    192.168.0.1      192.168.0.8     20

What 0.0.0.0 sort of means is "any IP address". And Gateway is where to send the data. Interface is your IP address. So anytime you have data to send to any IP address, it'll be sent to the 192.168.0.1 (your router) IP address which then funnels to your local ISP.

When you log onto VPN, you end up with a new second 0.0.0.0 line:

Network Destination    Netmask    Gateway          Interface       Metric
0.0.0.0                0.0.0.0    192.168.0.1      192.168.0.8     20
0.0.0.0                0.0.0.0    91.122.72.211    91.122.72.23    10

So your computer has two routes it can pick from. Now this is where the Metric number comes in. Metric means cost. Because the metric is lower on the second route (10<20), it "costs" less, and so your computer always sends data via the VPN route, and your data is secure :)

Now the problem is that when your VPN line drops, your original routes still exist, so you'll continue to seed/leech under your local IP address. So the solution is, AFTER you've logged onto VPN (not before, otherwise you won't have any routes to log onto the VPN), to delete your original route with this command:

route delete 0.0.0.0 192.168.0.1

Now your routing table will look like this:

Network Destination    Netmask    Gateway          Interface       Metric
0.0.0.0                0.0.0.0    91.122.72.211    91.122.72.23    10

And if your VPN line drops, you lose that route, so there are no more 0.0.0.0 routes and your external connection will be immediately cut off. If you want to access the internet you'll need to add the original route back with this command:

route add 0.0.0.0 mask 0.0.0.0 192.168.0.1 IF 8

The "IF 8" means "interface 8". The number 8 may be different on your computer; look at the output of netstat -r to get the correct number of your interface.

A couple more points.

You may need to set a static local IP address if you have flaky wireless. Otherwise if you briefly lose your wireless connection (and therefore local IP address) while on VPN and your VPN doesn't drop, when your PC reconnects back to your wireless, your original route will automatically be added, and so even though you deleted it, it'll pop back up. So in the Control Panel under networking, turn off DHCP and assign the 192.168.0.8 address manually. That way that route will never be added back unless you add it yourself.

After you manually add your routes back, it may take some time before DNS works again. I've never figured out why the delay, so sometimes it's faster to reboot your computer after you lose the connection (this is why VMWARE is so much easier).

Tip 1: Create .bat files with the route add/del commands in them, that way you can just click a shortcut.

Tip 2: Also create a shortcut to cmd with this Target: %SystemRoot%\system32\cmd.exe /k "netstat -R" . That way you never have to go to Start->Run->cmd->netstat -R each time you want to check your routes.

Tip 3: Use a virtual machine (like vmware) to connect to a VPN, that way your normal day to day traffic won't be affected.
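
The routing-table check this tutorial asks you to do by eye can be scripted. The following is an added example, not part of the original post or the FAQ it quotes: it parses netstat -r text and reports whether the original default route is still present or has come back (for instance after the wireless reconnect described above). The sample table is constructed from the addresses used in the post; the function names and state labels are hypothetical.

```python
import re
import sys

LAN_GATEWAY = "192.168.0.1"  # the router address used in the post (assumption: yours may differ)

# Constructed sample: the post's table with both default routes present.
SAMPLE_BOTH = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.8      20
          0.0.0.0          0.0.0.0    91.122.72.211    91.122.72.23      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
"""

# destination, netmask, gateway, interface, metric. The gateway is matched as
# any token because newer Windows versions can print "On-link" there.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

def default_routes(table_text):
    """Return (gateway, interface, metric) for every 0.0.0.0/0.0.0.0 row."""
    routes = []
    for line in table_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            routes.append((m.group(3), m.group(4), int(m.group(5))))
    return routes

def vpn_route_state(table_text, lan_gateway=LAN_GATEWAY):
    """Classify the table by which default routes it contains."""
    gateways = {gw for gw, _, _ in default_routes(table_text)}
    if not gateways:
        return "cut-off"           # VPN dropped after the LAN route was deleted
    if gateways == {lan_gateway}:
        return "exposed"           # only the ISP route exists: traffic leaves unprotected
    if lan_gateway in gateways:
        return "fallback-present"  # a VPN drop would fall back to the ISP route
    return "vpn-only"              # the state the tutorial aims for

if __name__ == "__main__":
    # Pipe real output in (netstat -r | python thisfile.py) or run bare for the sample.
    text = SAMPLE_BOTH if sys.stdin.isatty() else sys.stdin.read()
    print(vpn_route_state(text))
```

Anything other than "vpn-only" while the VPN is connected means the original route needs deleting again.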