Block all if VPN drops

[n8chavez 1]

I really need help creating a rule for my firewall, LooknStop, that will prevent traffic flow should the VPN drop. I've tried getting help @ wilders security forum, but haven't been successful. I've read the forum post here regarding Comodo, but I don't use Comodo so the rule didn't work right.

I know that LooknStop the ability for rule-activated rules, so having a rules that blocks everything going to my NIC from a range not in 10.4.0.0 - 10.9.255.255 whenever app X is running should work, I think. The problem is when that rule is active all traffic is blocked, including traffic to the VPN.

If you could help that'd be great. I like AirVPN and I want to use it, but I need to have a functioning block rule. I don't want to change firewalls, because I like rule-based firewalls and don't like HIPS.

Thanks.

[n8chavez 1]

I think I might have figured it out. The top screenshot is the LnS "Allow" rule, which allows communication from my NIC to all servers on port 443 whenever openvpn.exe is active. The bottom screenshot is an LnS "block" rule, which block everything not in the AirVPN range that has a destination of my NIC when utorrent is active.

Is it okay to have the block rule limited to tcp/upd, or do I need to alter it to be more restrictive?

[n8chavez 1]

I spoke to soon. That rule works, but there were DNS leaks. I followed the Comodo-favored thread to prevent then as best I could using a firewall that was different. I still experienced the DNS leaks. So, I went over to DNSleaktest and downloaded their fix, which consists of simple scripts added to the OpenVPN config directory.

That fixed the DNS leak issue. But I had DHCP issues once I was disconnected from the VPN that required me to disconnect and reconnect to my wifi every time. this thread seems to have corrected the DHCP issues Another thing I had to do to prevent my NIC address from changing every time I connected to the VPN, thus running the DNS leak scripts, was to reserve the address I wanted within my router and tie it to my MAC MIC. Fingers crossed that it works

[n8chavez 1]

I wonder if someone might be able me. I opened a support ticket but I was sent to this thread. That, and it's a little boring talking to myself. I know I'm not using comodo firewall, but someone has to have an opinion or advice about any of this. I'm trying to figure this whole 'block when no vpn, dns leak, dhcp issue' thing out and I could use some help. I want to continue using air but I need to get these issues straightened out.

Here's what I got:

A UDP rule that allows port 68 from the source (for DHCP)

A TCP/UDP rule that allows connection from my nic MAC to a destination port 443

a TCP/UDP block fule for everything outside 10.4.0.0 -10.9.255.255 as the source where my nic MAC is the destination when app X is running.

The DNS issue concerns me. I had trouble adapting the rules in the comodo thread to LnS, and can't prevent the leak unless I either use the dnsleaktest.com auto-fix, which causes DHCP issue, or change DNS servers on either my adapter or router, which isn't really a fix at all but is a psuedo-fix.

Any ideas at all on how I can improve/fix things?

Thanks,

n8

[Staff 9768]

I wonder if someone might be able me. I opened a support ticket but I was sent to this thread. That, and it's a little boring talking to myself. I know I'm not using comodo firewall, but someone has to have an opinion or advice about any of this. I'm trying to figure this whole 'block when no vpn, dns leak, dhcp issue' thing out and I could use some help. I want to continue using air but I need to get these issues straightened out.

Here's what I got:

A UDP rule that allows port 68 from the source (for DHCP)

Hello!

Sorry, we're not familiar with your firewall. Anyway, since it's a commercial product, surely their customer support will be able to translate the Comodo rules for you in 1 minute.

You should change that rule allowing connections to destination IP 255.255.255.255. To understand why your rule will not necessarily work all the times in the DHCP "negotiation":

http://support.microsoft.com/kb/169289

A TCP/UDP rule that allows connection from my nic MAC to a destination port 443

a TCP/UDP block fule for everything outside 10.4.0.0 -10.9.255.255 as the source where my nic MAC is the destination when app X is running.

Apparently this is the wrong approach. Allowing indiscriminate communications to port 443 will not prevent all the leaks, for example from your browser to https websites, if your browser is not in the blocked application list. About the block rule, you will have to insert any and each application that you want to secure against leaks, however remember NOT to insert openvpn.exe and airvpn.exe amongst those.

Furthermore, it is unclear how you can prevent DNS leaks with this approach. If you put svchost.exe in the secured application list rule, you won't have connectivity at all at the boot or when disconnected from the VPN (not even a successful DHCP handshake), so you would be forced to switch on and off continuously the rule for svchost.exe in order to prevent DNS leaks.

All in all, probably you can speed up your work and obtain better results just translating Comodo global rules into LooknStop rules.

Kind regards

[n8chavez 1]

Thanks for the reply. Unfortunately, I can't get much help from LnS support because they're MIA. The firewall seems like ity's not supported anymore, which is a shame. But it's the best, and really the only, rule-based firewall out there that doesn't have a HIPS or antivirus scanner, etc., so I'm keeping it.

I've gone through the Comodo thread as best I can and created some rules that will help. From top to bottom:

1. VPN Allow - Allow TCP/UDP in/out from my nic MAC and routed IP to any MAC on TCP/UPD port 443

2. Allow Loopback 1 - Allow IP in/out from TAP MAC IP range 127.0.0.0 - 127.255.255.255 to any MAC any port. The rule is activated when openvpn.exe is active.

3. Allow Loopback 2 - Allow IP in/out to any MAC any port from TAP MAC IP range 127.0.0.0 - 127.255.255.255. The rule is activated when openvpn.exe is active.

4. Home Network - Allow IP in/out from any MAC in IP range 192.168.1.1 - 225.225.0.0 any port to any MAC in IP range 192.168.1.1 - 225.225.0.0 any port.

5. VPN DHCP - Allow all in/out from any IP port 67 to any MAC to IP equal to 255.255.255.255 any port. The rule is activated when openvpn.exe is active.

6. VPN Block - Block TCP/UDP in/out from any MAC IP Range not in 10.4.0.0 - 10.9.255.255 to any MAC different then my adapter MAC, and IP any port. The rule is activated when utorrent.exe is active.

That about sums up the ruleset. I'm not looking at it to block DNS leaks, just to block connections from utorrent.exe should the VPN drop. A quick trip over to http://checkmytorrentip.com/ showed that the IP is revealed once I am connected to Air, but the connection times out and my true IP is not revealed (and there are a whole bunch of 'Block VPN' listings in my log) if I disconnect the connection with utorrent still active.

That leaves the DNS leak issue. One, I changed the DNS sever my router uses to OpenDNS. But, and this is just because I wanted to, I went over to http://www.dnsleaktest.com/ and downloaded their DNS Leak scripts. They appear to work. After I disconnect from the VPN (with utorrent not active) I get multiple hits from rules 'Home Network' and "VPN DHCP'. Then after about 5 seconds my connection is active and I can my true connection un-VPNed.

Did I miss anything? Could anything be better? Perhaps there is something I'm not seeing. It seems to work very well now. I know it's not comodo, but maybe it will help others that resist comodo.

[Staff 9768]

Thanks for the reply. Unfortunately, I can't get much help from LnS support because they're MIA. The firewall seems like ity's not supported anymore, which is a shame. But it's the best, and really the only, rule-based firewall out there that doesn't have a HIPS or antivirus scanner, etc., so I'm keeping it.

Hello!

HIPS and Antivirus are optional in Comodo. Our guide refers to Comodo Firewall, Antivirus and HIPS are not required. However Windows users may greatly benefit from the additional protection provided by Defense+ against very many threats.

In order to disable permanently Comodo HIPS, set Defense+ to "Disabled".

In order to disable permanently Comodo Antivirus, just install Comodo Firewall (i.e. do not install the package Firewall+Antivirus), or set "Antivirus" to "Disabled".

I've gone through the Comodo thread as best I can and created some rules that will help. From top to bottom:

1. VPN Allow - Allow TCP/UDP in/out from my nic MAC and routed IP to any MAC on TCP/UPD port 443

For other readers who like the same approach: change the destination port, or add rules, in case you connect to ports 53 or 80. EDIT: please note that this approach is deprecated by us.

5. VPN DHCP - Allow all in/out from any IP port 67 to any MAC to IP equal to 255.255.255.255 any port.

You might need to add port 68 too.

6. VPN Block - Block TCP/UDP in/out from any MAC IP Range not in 10.4.0.0 - 10.9.255.255 to any MAC different then my adapter MAC, and IP any port. The rule is activated when utorrent.exe is active

That about sums up the ruleset. I'm not looking at it to block DNS leaks, just to block connections from utorrent.exe should the VPN drop.

If it's a global rule, the above rule also prevents DNS leaks (and any other leak, except those toward port 443 from your physical interface) by blocking everything outside the tunnel, including svchost.exe DNS queries leaks. Therefore, after you're connected to the VPN you can activate it even though utorrent is not running.

Please be aware that this rule must be inactive in order to allow DNS resolution when you don't want to be connected to the VPN etc.

EDIT: finally please be aware that this approach will not prevent leaks toward port 443 (or 80 or 53).

Kind regards

[hipold 0]

Hi,

I have a rooted android phone and Im using "openvpn for android". I dont want any data going outside the vpn so i installed avast mobile security and I blocked all applications from wifi, 3g, gprs except for openvpn and sms.

I tried it out with the internet browser and it works. Connects fine when the vpn is connected and gives an error when its not connected. Also DNS test leaks shows no leaks when its connected.

I was wondering if this is ok or if their are any security leaks or problems I should know about? Thanks!

[Staff 9768]

Hi,

I have a rooted android phone and Im using "openvpn for android". I dont want any data going outside the vpn so i installed avast mobile security and I blocked all applications from wifi, 3g, gprs except for openvpn and sms.

I tried it out with the internet browser and it works. Connects fine when the vpn is connected and gives an error when its not connected. Also DNS test leaks shows no leaks when its connected.

I was wondering if this is ok or if their are any security leaks or problems I should know about? Thanks!

Hello!

Given the above conditions, you're secured!

Just for additional security, you might like to perform this test (only if you use a torrent client):

http://checkmytorrentip.com/

Kind regards