rocket321

vpn inside VM with host using second vpn?


For added security I'm trying to tunnel one VPN (in a VM) through a second VPN (on the HOST), so that I would get double encryption, plus my inner VPN connection would NOT know my real IP address. I'm also trying not to have DNS leaking.

 

Here's my setup; do you think this is actually working? And how might I know for certain?

 

 

I've got 2 VPN accounts (Air and one other VPN provider). I've created a VMware virtual machine and installed OpenVPN inside that. I connect to my host as NAT (not bridged), so as I understand it, my VM should be using the host's IP address.

 

I then connect to AirVPN on the host computer (Win 10), say through Latvia. Then I run my VMware virtual machine (Win XP). Within this VM, I go to a site that reports my IP. It sees the same one my host machine sees. So this seems to mean I'm going through the host's connection to the VPN. All good so far.

 

Next, inside the VM, I run OpenVPN and connect to another VPN (located in, say, Holland). From the VM, I run a browser over to an IP reporting site and it says that I'm running with an IP that is in Holland. Also good so far.

 

What I want to know is how I can verify that the VM is tunnelling through the host's VPN to connect to the second VPN. All I can tell is that the VM thinks it's located in Holland. But MIGHT it be connecting directly to that VPN, bypassing the host, meaning this Holland VPN would see my true IP? If I have this right, then the VPN in Holland should see, as my IP address, the address in Latvia. Thus, if true, that VPN provider would not be able to see my true IP address and so would provide me with extra security. (Yes, I realize they know my login name and that is a hole I need to plug, but that's for another day.)

 

So, when I do all this and go to a DNS leak reporting site, it tells me that something is leaking.

 

Thinking about this tends to tie my brain in knots, so hopefully I've explained this correctly.

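The verification the poster is asking for can be done from inside the guest with two pieces of evidence: the route the guest uses to reach the inner VPN server must point at the VMware NAT gateway (i.e. at the host), while the default route and every configured DNS server must go through the tun adapter. The script below is an added example, not code from the original post or from either provider; it runs offline on constructed `route print -4` and `ipconfig /all` output, and every address in it (192.168.23.2 as the VMware NAT gateway, 10.8.0.5/10.8.0.6 as the tun gateway/local address, 203.0.113.10 as the inner VPN server) is an assumption you replace with your own.

```python
"""Guest-side check: does the inner VPN ride on the host's NAT adapter, and
does any DNS server sit outside the inner tunnel?  Added example, not from
the original post; all addresses below are constructed assumptions."""
import ipaddress
import re

# Constructed `route print -4` output after the inner OpenVPN pushed
# redirect-gateway def1 (the /1 pair plus a /32 host route to the server).
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.23.2   192.168.23.128     10
          0.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6      1
        10.8.0.4  255.255.255.252          On-link          10.8.0.6    276
        128.0.0.0        128.0.0.0         10.8.0.5         10.8.0.6      1
     192.168.23.0    255.255.255.0          On-link    192.168.23.128    266
     203.0.113.10  255.255.255.255     192.168.23.2   192.168.23.128     10
===========================================================================
"""

# Constructed `ipconfig /all` excerpt: the NAT adapter still lists the
# VMware NAT DNS proxy, so lookups sent there bypass the inner tunnel.
IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.23.128
   Default Gateway . . . . . . . . . : 192.168.23.2
   DNS Servers . . . . . . . . . . . : 192.168.23.2

Ethernet adapter TAP-Windows Adapter V9:
   IPv4 Address. . . . . . . . . . . : 10.8.0.6
   DNS Servers . . . . . . . . . . . : 10.8.0.1
                                       10.8.0.2
"""

IPV4 = r"\d+(?:\.\d+){3}"
ROUTE_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+({IPV4})\s+(\d+)\s*$")


def parse_routes(text):
    """Return [(network, gateway or None for On-link, interface ip, metric)]."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            gw_ip = None if gw == "On-link" else ipaddress.ip_address(gw)
            routes.append((net, gw_ip, ipaddress.ip_address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric on ties; returns (gateway, iface)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface, metric in routes:
        if dst in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), gw, iface)
    return (None, None) if best is None else (best[1], best[2])


def parse_dns(text):
    """Return {adapter name: [dns server ips]} from `ipconfig /all` output."""
    servers, adapter, collecting = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.strip().rstrip(":")
            servers[adapter] = []
            collecting = False
        elif "DNS Servers" in line and adapter:
            servers[adapter].append(ipaddress.ip_address(line.split(":")[-1].strip()))
            collecting = True
        elif collecting and re.match(rf"^\s+{IPV4}\s*$", line):
            servers[adapter].append(ipaddress.ip_address(line.strip()))
        else:
            collecting = False
    return servers


def check_chain(route_text, ipconfig_text, inner_vpn_server, nat_gateway, tun_local_ip):
    routes = parse_routes(route_text)
    tun_ip = ipaddress.ip_address(tun_local_ip)
    server_gw, _ = lookup(routes, inner_vpn_server)
    # 198.51.100.1 is a documentation address standing in for "the Internet".
    _, default_if = lookup(routes, "198.51.100.1")
    leaks = []  # DNS servers whose route leaves via anything but the tun adapter
    for adapter, dns_list in parse_dns(ipconfig_text).items():
        for dns in dns_list:
            if lookup(routes, dns)[1] != tun_ip:
                leaks.append((adapter, str(dns)))
    return {
        "inner_vpn_via_host_nat": server_gw == ipaddress.ip_address(nat_gateway),
        "default_via_tun": default_if == tun_ip,
        "dns_leaks": leaks,
    }


if __name__ == "__main__":
    print(check_chain(ROUTE_PRINT, IPCONFIG, "203.0.113.10", "192.168.23.2", "10.8.0.6"))
```

Two caveats. First, this view from the guest only proves that packets to the inner VPN server leave through the host; whether the host then pushes them into its own tunnel depends on the host's routing and firewall, so pair it with a host-side network lock and with the simpler test of confirming that the guest's public IP before starting the inner VPN equals the host's VPN exit IP. Second, a DNS server listed on the NAT adapter is a leak even though it resolves via the host's tunnel: the inner provider is bypassed, and if the host's VPN is down those queries go straight to the ISP.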

When your network adapter in the VM settings is set to NAT, it cannot bypass the VPN connection on the host.

But, if your host disconnects and then the VM reconnects, your other VPN provider may see your actual IP - since the NAT of the host will be your ISP IP.

If you run Air on the host, the (easiest) way to prevent the scenario I described is to enable Network Lock.

This will also solve your leaks on the host - regarding leaks with your other provider you have to search the general steps of how to prevent leaks here on the forum.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

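The scenario described in the reply (host tunnel drops, VMware NAT silently falls back to the ISP address) is exactly what a network lock closes. The script below is an added example of doing that by hand on a Windows 10 host with the built-in firewall, for someone running plain OpenVPN rather than Eddie; it is not Eddie's Network Lock or any AirVPN code. It prints the `netsh advfirewall` commands by default and runs them with `--apply` from an elevated prompt. The endpoint 203.0.113.10, UDP port 80 and the tun subnet 10.4.0.0/16 are assumptions to replace with the values from your own OpenVPN config.

```python
"""Hand-rolled 'network lock' for a Windows host running OpenVPN without Eddie.
Added example, not AirVPN/Eddie code.  Assumed values: VPN server 203.0.113.10,
UDP/80, tun subnet 10.4.0.0/16.  Run with --apply (elevated) to execute."""
import subprocess
import sys

RULE_PREFIX = "NetLock"


def network_lock_commands(vpn_server, vpn_port, proto, tun_subnet):
    """netsh commands that allow only the tunnel itself to leave the host."""
    add = ["netsh", "advfirewall", "firewall", "add", "rule"]
    return [
        # The weak default is blockinbound,allowoutbound: the moment the tunnel
        # drops, everything leaves in the clear.  Block both directions.
        ["netsh", "advfirewall", "set", "allprofiles", "firewallpolicy",
         "blockinbound,blockoutbound"],
        # The only flow allowed out on the physical NIC is OpenVPN to its server.
        add + [f"name={RULE_PREFIX}-vpn", "dir=out", "action=allow",
               f"protocol={proto}", f"remoteip={vpn_server}", f"remoteport={vpn_port}"],
        # Packets sourced from the tun address are already inside the tunnel.
        # Assumption: VMware NAT guest traffic also leaves with this source
        # once the host is connected, so it is covered by the same rule.
        add + [f"name={RULE_PREFIX}-tun", "dir=out", "action=allow",
               f"localip={tun_subnet}"],
        # Let the physical NIC renew its DHCP lease.
        add + [f"name={RULE_PREFIX}-dhcp", "dir=out", "action=allow",
               "protocol=udp", "localport=68", "remoteport=67"],
    ]


def unlock_commands():
    """Remove the rules and restore the permissive default outbound policy."""
    return [
        ["netsh", "advfirewall", "firewall", "delete", "rule", f"name={RULE_PREFIX}-{n}"]
        for n in ("vpn", "tun", "dhcp")
    ] + [["netsh", "advfirewall", "set", "allprofiles", "firewallpolicy",
          "blockinbound,allowoutbound"]]


def run(commands, apply=False):
    """Print each command; execute it only when apply=True."""
    for cmd in commands:
        print(" ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)


if __name__ == "__main__":
    cmds = (unlock_commands() if "--unlock" in sys.argv
            else network_lock_commands("203.0.113.10", 80, "udp", "10.4.0.0/16"))
    run(cmds, apply="--apply" in sys.argv)
```

With outbound traffic blocked by default, the host cannot resolve a hostname before the tunnel is up, so the `remote` line in the OpenVPN config has to be an IP literal (or you add a matching allow rule for one trusted resolver). IPv6 is covered by the same default block, which is what you want: a v6 path that the VPN does not carry is a leak. Answering the later question in the thread: this works with plain OpenVPN, since it does not depend on the Eddie client at all.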

I downloaded the Air client. I see the button for Network Lock; can I use this and still use OpenVPN? I.e., will it protect me against an OpenVPN disconnect?

 

If I must use the client to get the lock, then does it have the ability to choose the port and UDP vs TCP?

 

I was using Latvia with UDP port 80 with OpenVPN.

 

I figured I would use port 80 so the ISP doesn't know it's to a VPN. Is this correct?

 


The client is based on OpenVPN, just with a better GUI and Air-specific features, like ports and tunneling options.

Network Lock will work without the client running.

 

Most ISPs use DPI these days, so just changing the port will not prevent your ISP from knowing it's OpenVPN.

If your goal is concealing OpenVPN traffic, check the FAQ for VPN over SSL and VPN over SSH.



I think this is a bit overkill. I think you should just run Eddie on your host system with Network Lock and make sure your adapter in the VM is set to NAT. And as zhang said, if you want to conceal OpenVPN traffic then check the FAQ.

If you're worried about DNS leaks, turn Network Lock on. Also disable WebRTC; that could also be what is leaking. To do this in Firefox, type about:config in the address bar and set media.peerconnection.enabled to false. To do this in Chrome I believe you have to download a plugin.

If you don't want your VPN provider seeing you connecting through your home IP, then just download their client or OpenVPN config on your VM and connect through there while running Eddie on your host machine. If you don't want AirVPN seeing your IP address then do the reverse, but I don't see a point in that since AirVPN keeps no logs.


I am not sure I agree with the notion of "overkill", but I do understand why some may feel that way. Please allow me to expand on a means of setting up a little "fortress" for you. Your paradigm (OP) is pretty good, but in order to protect yourself in the event even vpn2 disconnected you may try this suggestion:

 

(Caveat: I use 5 hops regularly, including VPNs and Tor, so this is first hand, not "theory".)

 

To provide protection from tunnel breaks and even malware, consider adding another VM if you have decent RAM and a high enough end computer. It would look like this. You connect your host, and NAT is fine if you want. Use Eddie for Network Lock (although I use my own personal firewall settings) and to initiate tunnel wrappers on vpn1 if desired. The next VM in the "chain" connects to the host via "NAT", but add another adapter in that VM and name it whatever you want. This VM connects vpn2 ONLY, with no workspace ever used on it. Now open the next VM, which contains the workspace and is only allowed to connect to that "special" adapter you just created in the vpn2 VM in front of it. Your workspace VM cannot connect to any adapter except your "special" one, making the possibility of jumping directly to the host VPN, or even worse the ISP's IP, impossible. In this model both the host and the vpn2 VM remain CLEAN since no workspace activities happen there. You can create a snapshot of these VMs and keep them flawlessly clean pretty easily. Now you could, but most won't, add TBB to the workspace desktop and, surprise, you are at 5 hops. Even without Tor this model is 2 VPNs that remain clean, and the workspace VM can be maintained pretty easily. We can build on this basic model if desired. Elements like a bridge vs NAT and using 100% Linux would be good starting points. I hope this makes sense, but if not, ask and someone here will be glad to help out!

 

The connecting VMs above could be pfSense or OpenBSD or ???? which have some amazing control properties just for what you are wanting to do. This model can be very easy, or you can take it to any level you want depending upon your threat model.

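The property the post above relies on, that the workspace VM can only ever reach the "special" adapter and the vpn2 VM only ever forwards it into the inner tunnel, is a firewall policy on the vpn2 VM, and it is worth writing down concretely. The block below is an added example for a Linux gateway VM using nftables; it is not from the original post, and pfSense or OpenBSD would express the same policy in their own rule languages. Assumed names: eth0 is the NAT adapter towards the host, eth1 the "special" adapter shared with the workspace VM, tun0 the inner OpenVPN interface; 203.0.113.10 UDP/443 is the assumed inner VPN endpoint and 10.99.0.0/24 the assumed workspace subnet.

```python
"""nftables policy for the vpn2 gateway VM in the chained layout.  Added
example, not from the original post.  Assumed interfaces: eth0 = NAT side
towards the host, eth1 = 'special' adapter to the workspace VM, tun0 = inner
OpenVPN.  Workspace traffic may only exit via tun0; the gateway itself may
only send the OpenVPN flow (plus DHCP) out of eth0."""
import subprocess


def build_gateway_ruleset(nat_if="eth0", inner_if="eth1", tun_if="tun0",
                          vpn_server="203.0.113.10", vpn_port=443, proto="udp",
                          inner_net="10.99.0.0/24"):
    """Return a complete nft script as text."""
    return f"""\
#!/usr/sbin/nft -f
flush ruleset
table inet vpn2gw {{
    chain input {{
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # The workspace may talk to this box only for DHCP and DNS.
        iifname "{inner_if}" udp dport {{ 53, 67 }} accept
        iifname "{inner_if}" tcp dport 53 accept
        # DHCP lease offered by the host's NAT service on the NAT side.
        iifname "{nat_if}" udp sport 67 udp dport 68 accept
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Workspace traffic may leave only through the inner tunnel ...
        iifname "{inner_if}" oifname "{tun_if}" accept
        # ... and never via the NAT adapter, so a tunnel drop exposes nothing.
        iifname "{inner_if}" oifname "{nat_if}" drop
    }}
    chain output {{
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # On the NAT side only the OpenVPN flow and DHCP may leave.
        oifname "{nat_if}" ip daddr {vpn_server} {proto} dport {vpn_port} accept
        oifname "{nat_if}" udp sport 68 udp dport 67 accept
        oifname "{tun_if}" accept
        oifname "{inner_if}" accept
    }}
}}
table ip vpn2nat {{
    chain postrouting {{
        type nat hook postrouting priority 100;
        # Hide the workspace subnet behind the tunnel address.
        ip saddr {inner_net} oifname "{tun_if}" masquerade
    }}
}}
"""


def apply_ruleset(ruleset, path="/etc/nftables.conf"):
    """Write the script, enable forwarding and load it (needs root)."""
    with open(path, "w") as f:
        f.write(ruleset)
    subprocess.run(["sysctl", "-w", "net.ipv4.ip_forward=1"], check=True)
    subprocess.run(["nft", "-f", path], check=True)


if __name__ == "__main__":
    print(build_gateway_ruleset())
```

As with the host lock, the gateway cannot resolve names before tun0 exists, so the inner OpenVPN config should name its server by IP. The workspace VM gets its address and resolver from the gateway (a small DHCP/DNS service listening on eth1, whose own upstream queries leave via tun0), so it never holds a route or a resolver that points anywhere but the gateway. Because the `inet` table also governs IPv6, the forward and output policies drop v6 by default, which closes the v6 leak that a v4-only tunnel would otherwise leave open.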

Without question it's more security for those that need to protect against elevated threat models, or even if they just want to perform such configurations as a precaution.

 

I am not directly linking threads, but if you have been reading around this forum for a while you would certainly have read where STAFF consistently mentions employing a partition of trust. Many experienced members around here employ a partition of trust as recommended by this very VPN provider. Is such a configuration needed? Only you can answer that question. Let me portray a "mental picture" of how I view it. AirVPN creates a solid tunnel like a copper pipe passing water. An adversary cannot get inside the pipe because the encryption is too strong. The next counter-move on the adversary's part is to monitor the water coming out of the pipe and devise methods to trace the water back to its source. If they can get to the other end of the pipe then they can monitor ALL activity on the source (YOU) whether or not you are on a VPN. At that point they monitor, in this example, water in and water out, meaning they don't need to see the tunnel when they can see both ends. I could write pages on this because it's my passion. The goal of expanded partitions of trust is to make it extremely difficult for an adversary to trace the outflow "water" back to the source. Educated workspace post-exit-node activity is also important, but another subject. There is also the possibility that yes, even Air could someday be compromised. In my model that still leaves the relationship between my "outflow water" and my "source water" obfuscated. I hope this makes some sense.

 

All the above said; yes most here will simply connect to Air on one server and relax reading google or whatever.  For some though; that model is grossly insufficient.

