dagveep

VPN Torrent Protection

I am new to the AirVPN service, but I have been trying to read and learn as much as I can about staying protected.

Some Background:

- I am concerned with anonymity and leaks only while using uTorrent, not with browsing or anything else.

- I am using the Comodo firewall.

- I have reviewed the AirVPN FAQs.

- I have reviewed the Windows/Comodo document contained here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

The ONLY things I have done to my system are to add the following lines to Comodo:

A) Allow IP In/Out From 10.4.0.0-10.9.255.255 to ANY Where Protocol Is Any for ALL ports.

B) Allow IP In/Out From ANY To 10.4.0.0-10.9.255.255 Where Protocol Is Any for uTorrent port only.

C) Block And Log IP In/Out From ANY TO ANY Where Protocol Is Any

and

D) Closed the uTorrent port in my router.

Am I missing anything else? Am I correct in understanding that I do not need to worry about DNS leaks since this is for torrent only? I feel like there are a lot of instructions for securing/hardening the VPN, but are the 4 lines above (A through D) all that is necessary when working with torrents? Is the only security concern that the VPN might go down, or are there other sources of leaks such as with DHT? Is there anything else I can/should do to be as safe as possible?

Thanks!

I am new to the AirVPN service, but I have been trying to read and learn as much as I can about staying protected.

Some Background:

- I am concerned with anonymity and leaks only while using uTorrent, not with browsing or anything else.

- I am using the Comodo firewall.

- I have reviewed the AirVPN FAQs.

- I have reviewed the Windows/Comodo document contained here: https://airvpn.org/index.php?option=com_kunena&func=view&catid=3&id=3405&Itemid=142

The ONLY things I have done to my system are to add the following lines to Comodo:

A) Allow IP In/Out From 10.4.0.0-10.9.255.255 to ANY Where Protocol Is Any for ALL ports.

B) Allow IP In/Out From ANY To 10.4.0.0-10.9.255.255 Where Protocol Is Any for uTorrent port only.

C) Block And Log IP In/Out From ANY TO ANY Where Protocol Is Any

and

D) Closed the uTorrent port in my router.

Am I missing anything else? Am I correct in understanding that I do not need to worry about DNS leaks since this is for torrent only?

Hello!

The rules you set for uTorrent are correct. Verify that uTorrent can't exchange data when your system is not connected to the VPN.

Also, closing the uTorrent listening port on the router is the right thing to do to prevent correlation attacks from an adversary with the ability to monitor your line.

You're also partially right about DNS leaks: a torrent client does not need DNS resolution, except for tracker name resolution (only if you use trackers, of course). Therefore, blocking DNS leaks alone will not prevent a torrent client from continuing to work outside the VPN; on the other hand, not blocking DNS leaks will potentially let your ISP know that you are accessing trackers in the unfortunate event that the DNS leak occurs exactly when uTorrent needs to resolve a tracker name (that means nothing, but you might like to prevent it as well for total privacy).

Now, since DNS queries are sent out by another process (svchost.exe), in order to complete your setup and be totally protected when performing p2p, make sure to block DNS leaks.

This can be done in a variety of ways, for example forcing 10.4.0.1 and 10.5.0.1 as primary (preferred) and secondary (alternate) DNS IP addresses of your physical interface. If you choose this solution and you use the Air client to connect, please add the lines:

85.17.207.151 airvpn.org

212.117.180.25 airvpn.org

so that your system will be able to resolve airvpn.org (resolution required by the Air client, which needs to access airvpn.org to show you the servers list and more) even when disconnected from the VPN.

I feel like there are a lot of instructions for securing/hardening the VPN, but are the 4 lines above (A through D) all that is necessary when working with torrents? Is the only security concern that the VPN might go down, or are there other sources of leaks such as with DHT? Is there anything else I can/should do to be as safe as possible?

DHT is not a concern at all. You don't need to do anything else after the above recommendations.

Kind regards
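
As an added illustration (not part of the original posts, and not Comodo's own code), the following Python model evaluates rules A to C in order, first match wins, to show why uTorrent cannot exchange data once the VPN address is gone and why rules A and B are not interchangeable. The top-down first-match evaluation, the reading of "uTorrent port" as the destination port, the port number and all addresses are assumptions made for the example.

```python
# Added illustration: first-match evaluation of rules A-C from the post.
# The port, addresses and packets below are constructed sample values.
from dataclasses import dataclass
from ipaddress import IPv4Address as IP

VPN_LO, VPN_HI = IP("10.4.0.0"), IP("10.9.255.255")  # range used in rules A and B
UTORRENT_PORT = 45000  # hypothetical listening port, not taken from the thread


def in_vpn(addr: str) -> bool:
    """True when addr lies inside 10.4.0.0-10.9.255.255."""
    return VPN_LO <= IP(addr) <= VPN_HI


def any_addr(addr: str) -> bool:
    return True


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int


# (label, source test, destination test, destination port or None for any, action)
RULES = [
    ("A", in_vpn, any_addr, None, "allow"),
    ("B", any_addr, in_vpn, UTORRENT_PORT, "allow"),
    ("C", any_addr, any_addr, None, "block+log"),
]


def evaluate(pkt: Packet) -> tuple:
    """Return (rule label, action) of the first rule that matches pkt."""
    for label, src_ok, dst_ok, port, action in RULES:
        if src_ok(pkt.src) and dst_ok(pkt.dst) and port in (None, pkt.dst_port):
            return label, action
    return "default", "block"  # not reached while rule C is last


SAMPLES = {
    "VPN up, outbound to peer": Packet("10.4.1.6", "203.0.113.5", 6881),
    "VPN up, inbound on uTorrent port": Packet("203.0.113.5", "10.4.1.6", UTORRENT_PORT),
    "VPN up, inbound on other port": Packet("203.0.113.5", "10.4.1.6", 445),
    "VPN down, outbound from LAN address": Packet("192.168.1.20", "203.0.113.5", 6881),
    "VPN down, inbound on uTorrent port": Packet("203.0.113.5", "192.168.1.20", UTORRENT_PORT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        label, action = evaluate(pkt)
        print(f"{name:38} -> rule {label}: {action}")
```

With the VPN down, every sample packet carries the physical adapter's address, so neither A nor B matches and rule C blocks and logs it.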

Okay, thank you for your detailed reply, and I understand what you are saying regarding DNS leaks for tracker resolution. However, I need DNS resolution for other programs while not connected to the VPN, so the 10.X.x.x addresses won't work well for me. So a few more questions:

1) If I use the Comodo DNS servers, will I be well-protected? For that matter, can I use any DNS other than the ones that are owned by my ISP since they will not be able to correlate user information with the DNS inquiries? If not, can you recommend the use of DNS servers that I can use that are not internal to your VPN? Besides the DNS knowing that "someone, somewhere" has accessed a torrent tracker, does using a public DNS expose me to a risk that I am not aware of?

2) Just to confirm, when changing the DNS servers, I am assuming you are referring to the Windows Network Connections -> Local Area Connection Properties -> Internet Protocol -> DNS Servers. In other words, just the adapter within Windows networking, not the DNS entries specific to any program or the router, correct?

Okay, thank you for your detailed reply, and I understand what you are saying regarding DNS leaks for tracker resolution. However, I need DNS resolution for other programs while not connected to the VPN, so the 10.X.x.x addresses won't work well for me. So a few more questions:

1) If I use the Comodo DNS servers, will I be well-protected? For that matter, can I use any DNS other than the ones that are owned by my ISP since they will not be able to correlate user information with the DNS inquiries? If not, can you recommend the use of DNS servers that I can use that are not internal to your VPN? Besides the DNS knowing that "someone, somewhere" has accessed a torrent tracker, does using a public DNS expose me to a risk that I am not aware of?

Hello!

Your ISP can see your unencrypted DNS queries anyway, even if they are not directed to your ISP DNS. Anyway, it's very hard to see any problem in resolving a torrent tracker name. The following project is interesting:

http://www.opennicproject.org

2) Just to confirm, when changing the DNS servers, I am assuming you are referring to the Windows Network Connections -> Local Area Connection Properties -> Internet Protocol -> DNS Servers. In other words, just the adapter within Windows networking, not the DNS entries specific to any program or the router, correct?

Correct, just the DNS IP of your physical network adapter.

Kind regards

I just realized that in my original post, I did not make it clear that I added those rules A-C under the uTorrent Application only, not as global rules. Besides svchost.exe for DNS, am I at risk of any other Windows Services leaking my torrent-related IP information since I have only added the blocks to the uTorrent application?

Thanks again for all the help.

I just realized that in my original post, I did not make it clear that I added those rules A-C under the uTorrent Application only, not as global rules. Besides svchost.exe for DNS, am I at risk of any other Windows Services leaking my torrent-related IP information since I have only added the blocks to the uTorrent application?

Thanks again for all the help.

Hello!

Yes, that was clear from your message, no problems. You're running NO risk of real IP leak from your torrent client. Unless you have some very specialized malware running, but that's a totally different argument of course.

Kind regards

Hey!

I have a few quick questions about the rules and would be happy if you could answer them:

A) Allow IP In/Out From 10.4.0.0-10.9.255.255 to ANY Where Protocol Is Any for ALL ports. --> Can that be changed to Network Zone VPN, with VPN being [10.0.0.0 - 10.255.255.255]?

B) Allow IP In/Out From ANY To 10.4.0.0-10.9.255.255 Where Protocol Is Any for uTorrent port only. --> If I change my uTorrent port a lot, would ANY port be OK too? And what is the difference between this and the first rule?!

I mean, logically speaking, isn't "Allow IP In/Out From XXXX to ANY Where Protocol is Any for ALL ports" =!= "Allow IP In/Out From ANY to XXXX Where Protocol Is Any for ALL ports"??

Rule C is unchangeable, I daresay?

And actually HOW can you possibly pick a port when you specify "Allow IP In/Out.." in the firewall... I can only allow a port IF I pick the UDP/TCP protocol!

And why do we say allow IP... instead of allow UDP/TCP, etc? I mean, what is the difference? ...

The rules are really confusing.

 

Thank you <3

  Staff/Admin wrote:

 

This can be done in a variety of ways, for example forcing 10.4.0.1 and 10.5.0.1 as primary (preferred) and secondary (alternate) DNS IP addresses of your physical interface. If you choose this solution and you use the Air client to connect, please add the lines:
85.17.207.151 airvpn.org
212.117.180.25 airvpn.org

 

 

Staff,

I am checking on something regarding resolution IPs for Air. There are posts around here that display the IP 95.211.138.143 as a resolution address. I use a resolution network zone and have that IP included. Therefore I have THREE IPs in that zone. Those are the two you listed above and 95.211.138.143, which I am now questioning as to whether or not it is still valid since you didn't include it in this thread.

This network zone along with all THREE IPs in my hosts file is working very smoothly.

 

Please advise for clarity.

@retiredpilot

 

Hello,

 

the three IP addresses you cite are all valid and point to three different frontend servers. You can access whichever you prefer; they are in sync in real time.

 

Kind regards
