NFO

Split Tunneling (one more!)

I need the "split tunneling" function: I am in France and more and more official organizations are blocking connections from abroad (and now my bank is doing it too!), so I have to go to official organization sites with my French IP; but to go to some foreign information sites censored by the government (RT news and so on) I need a VPN.

So question: is it planned in the near future that 'eddie' will provide the possibility of directing the streams of an internet browser through the VPN while another browser would go on the internet without going through the VPN? This feature could interest more and more people here because of the censorship of the net which will worsen in France (new laws of repression of opinion crimes).


I second this as more and more sites started blocking airvpn. For now I use windscribe desktop client (easy split tunnelling for different browsers) combined with airvpn config files (config generation in user settings).


With my Firefox browser (Linux Mint 64b) I found an extension "Windscribe - Free VPN and Ad Blocker" which has some limitations ("Free plan provides 10 GB of data per month...") and does not seem to have any split tunneling feature: which "windscribe desktop client" are you referring to? Any link?


Not sure if I can post a link but if you google "Windscribe for Your Computer" you can find windscribe download page and you just grab the "Ubuntu, Debian, Fedora, CentOS" client. Not sure if that works for Mint though as I have no clue about linux versions. 
If you go that far then you just go to airvpn client area and create the files you need from the config generator. Last step is go to the windscribe client - Locations - configured to add the location of the airvpn configs you created. 

Disclaimer: Never tried the linux version so no clue if it works or how it works but I guess you can give it a try as it's free. 


Good morning.

I just installed the latest Windscribe application for Linux(64 bytes), I use the ovpn file from AirVPN, and it works.
Problems remain to be seen:
1 - DNS leak, seen with the site ipleak.net
2 - how to route an application (an instance of the internet browser) out of the tunnel leaving the rest in the tunnel?

More generally: what credit can we give to this application (Windscribe) from the point of view of security?


How did you solve the DNS leak problem?


1. I use the in-browser options in settings to add a dns. If I want to use the airvpn dns in the vpn browser then I have to add 10.4.0.1.

You can also use the dns setting in windscribe. You can find it in connection - connected dns - custom - 10.4.0.1

I personally use the first method but with a different dns but I have also tried it with airvpn dns.

2. In windscribe settings - split tunnelling - exclusive - apps - add the browser you want to use your local ip.
What I do is have two different browsers. One I use for vpn and one for local ip. Then I use exclusive option in windscribe and add the vpn browser. Everything else connects with airvpn. Don't think you can do an instance of a browser but even if you could it's a bad idea because you get confused once and you expose yourself. With different browsers your brain learns which is which. 

Now about how secure it is I am not an expert but I didn't see an expert complaining about it yet so I guess we are safe. Hopefully one day we can do this with eddie but it doesn't seem to be a priority from the traction such topics get.

Edited ... by NEDepac


OK. I will try to attack the problem as soon as my office is cleared... Many thanks.


Hello!

In Eddie Android edition you can split traffic on an application basis. You can define "white" and "black" lists of apps. If a black list is defined, the apps included in the black list will have their traffic routed outside the VPN. Any other app will have its traffic routed into the VPN. If you define a white list, only the apps in the white list will have their traffic routed inside. Any other device traffic will be routed outside the VPN. Traffic splitting will work both on WireGuard and on OpenVPN.

In Eddie Desktop edition for Linux, Mac and Windows you can split traffic on a destination basis (IP addresses, IP addresses range, or host names). You can tell Eddie to send the traffic outside the VPN tunnel only for specific destinations, or you can tell Eddie to send all the traffic outside the tunnel except for specific destinations. Traffic splitting will work both on WireGuard and OpenVPN.

AirVPN Suite for Linux does not offer any traffic splitting ability, but we are considering implementing app-based traffic splitting in the near future.

Kind regards


Thank you for your reply.

My configuration is Eddie 2.21.8 Desktop Edition used on a Linux PC (Mint); the sites for which I do not want to go through the tunnel have multiple IPs and sometimes very many, and the IP used can change during the session, so I have to work only with the URL of the site (example "mybank.fr") and let the OpenVPN server handle it itself, if that's possible.

I am not an OpenVPN specialist, and I don't see how to do it...I'm wandering between the options --route and others, I didn't find anything in Eddie's help: blocked!
A track to explore, knowing that I am looking on the net but so far I have only found answers where it says that it is not possible, exclude IP from the VPN, yes, but URLs...?

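The difficulty described in the post above, seen at the routing level, as an added example that is not part of the original thread and is not Eddie's code. It assumes a host name in an exclusion list is resolved to addresses once, when the routes are installed; the host name, networks and DNS answers are constructed.

```python
import ipaddress

# Constructed sample data: host name, networks and DNS answers are made up.
EXCLUDED = ["bank.example", "203.0.113.0/24"]          # send these outside the VPN
DNS_AT_CONNECT = {"bank.example": ["192.0.2.10", "192.0.2.11"]}
DNS_LATER = {"bank.example": ["192.0.2.11", "198.51.100.7"]}  # address rotated


def build_outside_routes(excluded, resolve):
    """Expand the exclusion list into IP networks.

    Assumption: a host name is resolved once, when the routes are installed,
    because a routing table can only hold addresses, not names.
    """
    nets = []
    for entry in excluded:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:                      # not an IP or CIDR: a host name
            nets.extend(ipaddress.ip_network(a) for a in resolve(entry))
    return nets


def path_for(dest_ip, outside_nets):
    """Return which path a packet to dest_ip takes: 'outside' or 'vpn'."""
    ip = ipaddress.ip_address(dest_ip)
    return "outside" if any(ip in net for net in outside_nets) else "vpn"


def uncovered(host, outside_nets, resolve):
    """Addresses the host resolves to now that no exclusion route covers."""
    return sorted(a for a in resolve(host) if path_for(a, outside_nets) == "vpn")


def demo():
    routes = build_outside_routes(EXCLUDED, DNS_AT_CONNECT.__getitem__)
    return {
        "at_connect": [path_for(a, routes) for a in DNS_AT_CONNECT["bank.example"]],
        "later": [path_for(a, routes) for a in DNS_LATER["bank.example"]],
        "uncovered": uncovered("bank.example", routes, DNS_LATER.__getitem__),
    }


if __name__ == "__main__":
    print(demo())
```

An address that shows up in `uncovered` is reached through the tunnel, so the site sees the VPN exit address for that connection even though the host name is on the exclusion list.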

To NEDepac: Thank you for all the information.

I have not managed to find the place where you can enter a dns server: according to the help found on the Windscribe website it would be in "Connection / Connection mode", where you can choose the protocol and the port, and where you should be able to enter the dns server; but on my application (Linux, latest version) there are not the possibilities described in the help, I have not found it elsewhere either...
I "opened a ticket" with Windscribe, hoping that they will inform someone who wants to use their software without a VPN contract.

Thanks again.


For me the setting is here (I attached an image).

Worst-case scenario if you can't do that is to use a custom dns because I know firefox has a dns over https setting. If you use airvpn dns because of the new adblocking try nextdns and if you use it just because it's secure just use one of those in firefox settings.

https://support.mozilla.org/en-US/kb/firefox-dns-over-https
 

Screenshot_20230211_135125.png

Edited ... by NEDepac

On 2/2/2023 at 6:02 AM, Staff said:

 In Eddie Desktop edition for Linux, Mac and Windows you can split traffic on a destination basis (IP addresses, IP addresses range, or host names). You can tell Eddie to send the traffic outside the VPN tunnel only for specific destinations, or you can tell Eddie to send all the traffic outside the tunnel except for specific destinations. Traffic splitting will work both on WireGuard and OpenVPN. 
 

This is not useful and your customers are turning to other vpn companies' applications for setup. -- this seems like a serious issue that may be affecting your bottom line, and I really want Airvpn to succeed. The world desperately needs more of the freedom and attitudes this company's byline stands for.

The Linux community really needs simplified application based splitting in the ui.

I saw a thread using this script that might be a good way to give us this function in the ui, or hopefully at least a nudge in a possibly good direction. 

Another idea is to make good instructions and a basic example we can copy/paste into the custom directives page in eddie-ui, for Linux users to implement something similar to the notes in this thread in a way that works with current openvpn calls set up by eddie-ui  --this user did a good job but it's not currently working in mint21 for me so far.

I love the entire premise, design, structure, operation and byline of this vpn service. Keep up the good work and thank you!

@Cthulu_007

Hello and thank you for your great feedback and support!

AirVPN Suite version 2.0 for Linux will implement traffic splitting on an application basis. The first alpha preview is due in a matter of weeks (the first addition is however WireGuard support and integration, so in the alpha 1 you might not see a full traffic splitting implementation yet). In the meantime, if you need a simplified approach, you can split traffic on an application basis through any means of virtualization. Please remember, as usual, that any traffic splitting poses risks of de-anonymization in specific circumstances. Splitting traffic, therefore, must be considered a sensitive action which should be performed only by those who perfectly understand what they are doing.

Kind regards
 


To NEDepac:

After several exchanges with the staff of "Windscribe" I finally got the following answer, and I remind that I am using the latest version of Windscribe for Linux (Windscribe V 2.5.18), and not a Firefox extension: "Hi,
These are the only options we have available currently. If you would like any features to be added here, kindly submit them on this portal: https://feedback.windscribe.com/
Let us know if you have any specific questions and we would be glad to help.
Thanks
Windscribe Support...".

Conclusion: no possibility to use this Windscribe version for Linux to do what I've mentioned in the beginning of my post, if we want to avoid DNS leaks. Let's still note that the use of AIRVPN is possible (except dns servers) without having the limitation of 2GB of the basic "Windscribe account", indeed the data going to the AIRVPN servers are not taken into account in Windscribe's data quotas.
That being said, I thank you for your efforts, I have reported here what seems to me to be the conclusion of our exchanges on this point, to help possible other AIRVPN users who would ask the same questions as me.
Thanks again.


@ Staff

Hello!

You wrote "The AirVPN version 2.0 suite for Linux will implement traffic splitting on a basic application. The first alpha preview is expected in a few weeks": that's good news!

"Do not forget, as usual, that any splitting of traffic presents risks of deanonymization in specific circumstances. Traffic splitting should therefore be considered as a delicate action that should only be performed by those who fully understand what they are doing. " . Could you clarify or illustrate your words, so that I understand correctly...."in specific circumstances."? It is a question of going to most sites through the VPN, and on a few others outside the VPN, by dedicating a specific internet browser (or another instance of the browser if there was only one) to browsing outside the VPN, what risk does this present as long as we do not make the wrong browser (and that there is something to deceive, in particular the fingerprint of the P.C)?

Thank you very much.


FWIW, after giving it some thought, I abandoned split tunneling, and have been setting up a standalone system for secure comms on the basis of it being difficult to know what you don't know in such situations. For example, we can't foresee what information we might be lacking about interaction locally between browsers through cookies, url parameter tagging or even running web apps within the prospective browsers. I figure if the pros are worried... I should be too (in this case).


I agree with you about the "local interaction between browsers via cookies, etc", we probably don't know everything, and we still learn from time to time. The classics: cookies, canvas, html5 data etc, I manage them, but I would have a surprise one day or the other by learning that there is such and such unsuspected technique until then.
So I plan to dedicate a system to secure navigation against the unhealthy curiosity of the French state (for example in Syria he fought against the jihadists with one hand while supplying them with weapons with the other, while pretending the fight against the jihadists to spy on citizens): I simply plan to work with various systems (OS and applications) by installing them on different removable disks, and inserting this or that disk in the rack according to the work to be done, with a NAS system (and its backup) to link between the different machines. But until we have time to mount this, and even after for use on medium security machines, a VPN Splitting would help...
If not, maybe another topic than VPN Splitting on Eddie, how do you see my idea of rack-mountable disks, on the same machine, from the security point of view?

3 hours ago, NFO said:


If not, maybe another topic than VPN Splitting on Eddie, how do you see my idea of rack-mountable disks, on the same machine, from the security point of view?


Vive la France! This is more and more a global problem.
Linux's grub boot loader will let you choose systems from drive partitions and does play okay with windows (which is not secure) when needed, and you might also check out virtual machines. Virtualbox (and others) will let you run concurrent systems the way you describe and is cross platform. @staff hinted at it above. You will have to sort out the device tunneling but that's a very secure way to do split tunneling as they can never interact in system the way application or IP based tunnels can due to same drive access. Be aware of resource usage though, as each "VM" (virtual system) you have running takes a toll on ram and cpu time. Really only one is needed for most things. You can run the base system direct for commerce and the vm through vpn tunnel for other more anonymous tasks. That way you only need to add drives as space is needed to hold VMs.

Wordy, but hopefully helpful. :)

(if I had more time I'd have written a shorter note)


Hello.

Thank you for replying.
I already use the possibility offered by Grub to boot on a particular partition, and I only use Linux now. Even using several removable disks, I was wondering if there would not be at least one way to identify the PC from an internet session launched from a partition, and then to find this identification from another session from another partition?


Partitions offer no security in any context. It sounds like what you want to set up is a VM. Also, free VPNs are a little sketchy, (a browser extension even more so) and kind of eliminate the point of airvpn. Windscribe is not terribly trustworthy--

On July 8, 2021, Windscribe disclosed that two VPN servers hosted in Ukraine were seized by local authorities on June 24, 2021. On the disk of the VPN servers contained an OpenVPN private key, which could have been used to impersonate a Windscribe VPN server and capture traffic running through it. Windscribe had failed to encrypt the servers in question, allowing for the retrieval of the private key. In addition, Windscribe ran servers with an OpenVPN feature that was deprecated since 2018, leaving the servers unencrypted and its users vulnerable

--the only free VPN I'd trust is Proton, as it is a nonprofit with a clear mission.
https://www.virtualbox.org/manual/UserManual.html#virt-why-useful
Virtualbox is a popular one, and can be installed from the Linux software manager of your choice.
