Jump to content
Not connected, Your IP: 3.149.24.145
Sign in to follow this  
slackerofthemind

redirect-gateway def1 — necessary?

Recommended Posts

hi folks,

Is adding "redirect-gateway def1" to client-side .tblk configurations necessary to ensure all network traffic (Skype, email, etc) goes through the VPN?

Or is this by default pushed on the server?

Just checking, thanks. Had a look around but found some confusing/conflicting info on OpenVPN config.

I looked into this because when I dis/connect AirVPN I see no change in Skype status, unlike using PPTP VPN, so I want to make sure Skype, etc, is being tunnelled.

Share this post


Link to post

I'm not sure about those configurations you're talking about...

But I do know that when I connect to AirVPN, Trillian is still connected outside the tunnels to the ICQ and MSN network. Dropbox also insists on keeping a connection outside the tunnel. I monitored this through COMODO.

A simple solution to this, though, is to restart the programs. Or, as I do, activate the rules I have in COMODO to lock down my network adapter to being able to only access the LAN and block all other access from that interface; that will make Trillian + Dropbox disconnect and reconnect from the TAP interface shortly after.

Maybe it's a case of what you're experiencing?

Share this post


Link to post

I'm not sure about those configurations you're talking about...

Hello!

The Tunnelblick configuration is generated from the Air configuration. Probably that directive is necessary for the way Tunnelblick runs OpenVPN, please ask to Tunneblick support for clarifications. In any case, it does not affect security or harm the anonymity layer in any way.

But I do know that when I connect to AirVPN, Trillian is still connected outside the tunnels to the ICQ and MSN network. Dropbox also insists on keeping a connection outside the tunnel. I monitored this through COMODO.

A simple solution to this, though, is to restart the programs. Or, as I do, activate the rules I have in COMODO to lock down my network adapter to being able to only access the LAN and block all other access from that interface; that will make Trillian + Dropbox disconnect and reconnect from the TAP interface shortly after.

Maybe it's a case of what you're experiencing?

Please BE AWARE that in general ONLY programs launched AFTER you have connected to the VPN will be tunneled. Obviously those who have already established a connection may go on using the same socket(s)!

Kind regards

Share this post


Link to post

[sorry, this didn't reply within the thread for some reason]

Restarting all internet programs is a bit of a pain. I have multiple programs accessing the Net, and I want them *all* to be tunnelled. Moreover, many are background processes, such as virus checkers and app phone-homes. I don't want any leakage.

Indeed I thought this was the point of VPN. It's a pipe, not just encrypted web-browsing. Usually when engaging VPN it disconnects all connections and reconnects. That OpenVPN doesn't do this means that the tunnel is not forcing through all connections (unlike HMA PPTP, btw).

I'd like to hear from AirVPN on this. Can AirVPN confirm that they are forcing all internet connections into the pipe? According to OpenVPN documentation, this is a server-side option with:

push "redirect-gateway def1"

However there have been some issues with the push from server-side, so some documentation recommends adding this to client side configurations, which I have, which you do like this, without push, on the last line:

redirect-gateway def1

Can AirVPN please comment on this?

Share this post


Link to post

Admin, thanks for writing.

The Tunnelblick configuration is generated from the Air configuration. Probably that directive is necessary for the way Tunnelblick runs OpenVPN, please ask to Tunneblick support for clarifications. In any case, it does not affect security or harm the anonymity layer in any way.

I need to know whether this is part of *your* server-side OpenVPN configuration.

Currently "redirect-gateway def1" is not included in Tunneblick configuration files supplied by AirVPN.

Please BE AWARE that in general ONLY programs launched AFTER you have connected to the VPN will be tunneled. Obviously those who have already established a connection may go on using the same socket(s)!

Well, obviously not, as most VPN force connection restarts of all running software, including background processes.

So basically what you're telling me is that AirVPN doesn't force connection restarts, meaning that all background connection processes and open software are outside of the pipe. This means major leakage. I had expected a stricter protocol from an activist-run VPN (!!).

For example, even my university VPN forces connection restarts on all ports...

Share this post


Link to post

[sorry, this didn't reply within the thread for some reason]

Restarting all internet programs is a bit of a pain. I have multiple programs accessing the Net, and I want them *all* to be tunnelled. Moreover, many are background processes, such as virus checkers and app phone-homes. I don't want any leakage.

Can AirVPN please comment on this?

Hello!

We confirm you that our servers push routes in order to tunnel everything. The fact that already-established connections will not necessarily be re-routed is just the way the TCP/IP stack works. You can easily secure your connection anyway, please read here:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

Kind regards

Share this post


Link to post

Admin, thanks for writing. :)

The Tunnelblick configuration is generated from the Air configuration. Probably that directive is necessary for the way Tunnelblick runs OpenVPN, please ask to Tunneblick support for clarifications. In any case, it does not affect security or harm the anonymity layer in any way.

I need to know whether this is part of *your* server-side OpenVPN configuration.

Hello!

Yes.

Currently "redirect-gateway def1" is not included in Tunneblick configuration files supplied by AirVPN.

Correct, not on the client configuration from the configuration generator.

Well, obviously not, as most VPN force connection restarts of all running software, including background processes.

This is in our opinion an unjustified behavior. Interfering with established connections (as well as interfering with processes) is an intrusive operation. We recommend to properly set firewall rules in order to secure the connection in any case (including accidental disconnection).

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142

Kind regards

Share this post


Link to post

Understood, thanks very much. I've done some more reading on this. Though OpenVPN is more secure than PPTP, PPTP forces a connection reset much easier on all existing connections.

As really, this means that when starting AirVPN, any background connections will not be tunnelled.

I need to tighten this up. If anyone who is reading this has Waterroof and can supply WR-friendly rules, please post.

Share this post


Link to post

Understood, thanks very much. I've done some more reading on this. Though OpenVPN is more secure than PPTP, PPTP forces a connection reset much easier on all existing connections.

As really, this means that when starting AirVPN, any background connections will not be tunnelled.

I need to tighten this up. If anyone who is reading this has Waterroof and can supply WR-friendly rules, please post.

Hello!

There are also very good reasons not to reset connections of already running applications. Browser and applications with a unique fingerprint may allow the services those applications have active sessions with to correlate your VPN activity with your previous activity, with the chance to destroy the anonymity layer on that service(s) if the reconnection is performed in that way and you go on with the active session.

About using Waterroof, please see this thread from here:

https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=1713&Itemid=142#1764

Kind regards

Share this post


Link to post

Thanks Admin.

Yes, though PPTP resets connections it is less secure for the reasons you state. Understood.

I have browsed the thread above, but unfortunately it does not contain clear instructions for Waterroof, ie for ipfw for OS 10.6.8 (and not PF for 10.7.x).

Currently I cannot input IP address ranges into Waterroof without incorrect syntax errors for <.>. So far I have not been able to find documentation.

If anyone out there has the Waterroof ruleset I would be most grateful. Please do share.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...