Briland

[Question] Run AirVPN as Non-Primary network adapter?


I know a lot of the forum discussion is targeted at preventing leaks while using the service, but my question turns in the completely opposite direction: is there a way, easy or hard, to set up AirVPN as a secondary network adapter? I want all of my network traffic to run through my direct connection, aside from specific applications I can already bind to secondary network adapters. This is to ensure lowest latency in the majority of my applications (especially VOIP) while preserving anonymity and utility in the programs I choose.

 

Edit: I imagine this post may help me, but the question still stands: is there a simpler or more straightforward way to accomplish this?


Hello!

 

The explanation in the link you provided looks relatively straightforward to me. I have to admit that I didn't try it out myself. It may seem a little overwhelming at first but I think you should pick out what you think to be useful for your purposes and just try it out.

 

You could also read about virtualization & virtual machines and compartmentalization.

There's a very interesting paper by Joanna Rutkowska about the Qubes OS and its software compartmentalization approach:

 

http://www.invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf
 

 

There's a tutorial as well providing an insight into what's possible and how to use it.

 

https://events.linuxfoundation.org/sites/events/files/slides/LinuxCon_2014_Qubes_Tutorial.pdf
 

 

You would need a CPU capable of VT-x and VT-d. There's a list with what's been tested so far:

 

https://www.qubes-os.org/hcl/
 

 

Regarding your question, you can assign a network/VPN VM to specific apps while others (e.g. password manager) stay disconnected (you don't assign a netvm). It is a sophisticated approach that needs time getting used to it and reading to understand what and how to do it. Once you are satisfied with how your VMs work you can easily make a backup with one click.

 

You should read the documentation carefully before using the mailing list (google groups) if you get stuck. In the latest version you can even use Windows-based AppVMs.

 

https://www.qubes-os.org/doc/UserDoc/
 

This could be a nice, secure and very organized way of achieving your goal. Have fun!

Posted ... (edited)
On 4/30/2015 at 10:11 AM, Briland said:

..

But the question still stands, is there a simpler or more straightforward way to accomplish this.

 

Basically, on Windows, no. In order to have a program bind to the VPN interface and be able to get general traffic through it, the VPN gateway definition with the 128.0.0.0 mask must remain there hidden by a real gateway definition with a 192.0.0.0 mask.

 

See these Microsoft TechNet pages for a larger discussion:

 

http://blogs.technet.com/b/networking/archive/2009/04/25/source-ip-address-selection-on-a-multi-homed-windows-computer.aspx

https://technet.microsoft.com/en-us/magazine/2007.09.cableguy.aspx

 

"If the program specifies a source IP address, that IP address is used as the source IP address for connections sourced from that socket and the adapter associated with that source IP is used as the source interface. The route table is searched but only for routes that can be reached from that source interface."

 

You could leave the firewall out of it. But that would be unwise since Windows will fall back to the default gateway if the VPN fails or the VPN interface IP address changes. And having the firewall block makes the setup easier to troubleshoot.

 

======

 

Or are you using Linux? The following assumes so.

 

Linux uses a different "host model". See:

 

http://en.wikipedia.org/wiki/Host_model

 

If you do not want to change the OpenVPN config, then you still need to restore the default gateway in the default routing table in exactly the same way. And this will allow you to switch back and forth between real interface and VPN interface as default in the same way (removing and inserting the routing table entries with 192.0.0.0 mask).

 

But then on Linux you will need to do "source address routing" to have a program use the VPN interface. Binding the VPN interface address is not enough. Something like what is done here:

 

https://openvz.org/Source_based_routing

 

You won't need a "throw" rule.

 

With the source address routing in place, there is no danger of Linux falling back to the default gateway for traffic bound to the VPN interface. So firewall config is not needed.


UPDATE 2:

My original example below was very basic. For something fuller see this:

https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Linux-without-VPN-as-Default-Gateway


UPDATE:

 

I thought I should show my configuration (more or less) for doing this.

 

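My config files all contain this line at the top:

    config common/myroute.ovpni

In the same folder where I have the config files I have a subfolder named "common":

    $ ls -l common
    total 2
    -rwxrwx---+ 1 user None 284 Jul 16 20:51 myroute.ovpni
    -rwxrwx---+ 1 user None 176 Jun 30 16:02 up.sh

The file myroute.ovpni contains this:

    # Allow OpenVPN to run the user-defined up script
    script-security 2
    up ./common/up.sh
    # Ignore routes pushed by the server; set the VPN 128.0.0.0-mask routes locally
    route-nopull
    redirect-gateway def1
    # More specific 192.0.0.0-mask routes via the real gateway hide the VPN routes
    route 0.0.0.0 192.0.0.0 net_gateway
    route 64.0.0.0 192.0.0.0 net_gateway
    route 128.0.0.0 192.0.0.0 net_gateway
    route 192.0.0.0 192.0.0.0 net_gateway
    sndbuf 524288
    rcvbuf 524288

The file up.sh contains this:

    #!/bin/bash
    # Remove an existing rule for this VPN address (if any) so it is not duplicated
    /sbin/ip rule del from "$ifconfig_local" table 10001
    # Traffic sourced from the VPN interface address is looked up in table 10001
    /sbin/ip rule add from "$ifconfig_local" table 10001
    # Table 10001 has a single default route through the VPN gateway
    /sbin/ip route add default via "$route_vpn_gateway" table 10001
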
Edited ... by NaDre
link to more complete example
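
The route selection this post describes, modelled as an added example (not NaDre's code and not part of the thread): longest-prefix matching shows why the 192.0.0.0-mask routes hide the VPN's 128.0.0.0-mask routes, and why a socket bound to the VPN address still leaves by the real gateway on Linux until the "from" rule for table 10001 exists. The gateway and VPN addresses, the device names eth0 and tun0, and all function names are assumptions.

```python
import ipaddress

# Constructed sample values (assumptions, not from the post).
REAL_GW, VPN_GW, VPN_LOCAL = "192.168.1.1", "10.4.0.1", "10.4.0.2"
DST = "203.0.113.9"  # constructed destination

def route(cidr, gw, dev):
    return (ipaddress.ip_network(cidr), gw, dev)

# Main table as myroute.ovpni leaves it. redirect-gateway def1 adds the two
# 128.0.0.0-mask routes via the VPN; the four 192.0.0.0-mask routes via
# net_gateway are more specific and hide them.
VPN_HALVES = [route(f"{a}/128.0.0.0", VPN_GW, "tun0")
              for a in ("0.0.0.0", "128.0.0.0")]
REAL_QUARTERS = [route(f"{a}/192.0.0.0", REAL_GW, "eth0")
                 for a in ("0.0.0.0", "64.0.0.0", "128.0.0.0", "192.0.0.0")]
MAIN = [route("0.0.0.0/0", REAL_GW, "eth0")] + VPN_HALVES + REAL_QUARTERS

# Table 10001 as up.sh fills it: one default route via the VPN gateway.
TABLE_10001 = [route("0.0.0.0/0", VPN_GW, "tun0")]

def longest_match(table, dst):
    """Return the most specific route in table that covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def egress(dst, src=None, rules=(), main=MAIN):
    """Device chosen for dst: 'from' rules first, then the main table."""
    for rule_src, table in rules:
        if src == rule_src:
            hit = longest_match(table, dst)
            if hit:
                return hit[2]
    hit = longest_match(main, dst)
    return hit[2] if hit else None

RULES = [(VPN_LOCAL, TABLE_10001)]  # ip rule add from $ifconfig_local table 10001

if __name__ == "__main__":
    print("unbound:", egress(DST))
    print("bound, no rule:", egress(DST, src=VPN_LOCAL))
    print("bound, rule:", egress(DST, src=VPN_LOCAL, rules=RULES))
    print("bound, new VPN address, stale rule:",
          egress(DST, src="10.4.0.9", rules=RULES))
    print("unbound, 192.0.0.0-mask routes removed:",
          egress(DST, main=MAIN[:3]))
```

The stale-rule case is the one to watch on a real system: a rule left over for an old VPN address does not match traffic bound to the new one, which is why up.sh re-adds the rule with the current address on every connect.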
