NaDre

blocking non-VPN traffic without firewall using routing, router


I posted this information in another post:

 

https://airvpn.org/topic/9787-the-pros-and-the-cons/?p=11501

 

But perhaps I should have added it here.

 

You can stop outgoing traffic going out of the native interface, in case the VPN fails, by removing the original non-VPN gateway entry from the routing table, after the VPN comes up.

 

First you need to determine the IP address of this gateway. You can see what the original non-VPN gateway is using this command:

route print

You need to do this at a "command prompt", which you can bring up using "Start/All Programs/Accessories/Command Prompt". You can set up copy and paste editing in a command prompt by right-clicking on the title bar, where it says "Command Prompt". This should produce something like this:

C:\Users\user>route print
...
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.63     10
...

It is the "Gateway" value for the routing table entry with the "Network Destination" and "Netmask" values "0.0.0.0". In this case the gateway address is 192.168.1.254.

 

Assuming the gateway address is 192.168.1.254, then you run this command as administrator after the VPN comes up:

route delete 0.0.0.0 192.168.1.254
You need to do this at an "administrator command prompt" that has administrator privilege, which you can bring up using "Start/All Programs/Accessories/Command Prompt, right-click, Run as Administrator". You can set up copy and paste editing in a command prompt by right-clicking on the title bar, where it says "Administrator Command Prompt".

 

After the VPN comes down, and you have stopped whatever it is you do not want going out over the native interface (torrent clients?), you can restore the ability for traffic on the native interface by running this command as administrator:

route add 0.0.0.0 mask 0.0.0.0 192.168.1.254
For convenience, you can put these commands into ".bat" scripts and create shortcuts to them with the "Run as administrator" property set. Add a "pause" statement at the end so the window will stay open for you to see the results.

 

Assuming that you are using the GUI wrapper program (OpenVPN-GUI) for OpenVPN that comes with OpenVPN, rather than the AirVPN GUI wrapper program, and that you have generated, downloaded and installed the ".ovpn" configuration files that it needs, then if you want to automate this you can do it in an OpenVPN "up" script. I will assume in what follows that you have set these up as described here:

 

https://airvpn.org/topic/9699-using-browser-with-and-without-vpn/?p=11511

 

or

 

https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?p=11603

 

The "route delete" could be added to the "_up.bat" script I described in the above post. But do not restore the gateway in the "_down.bat" script. Make sure the torrent clients (or whatever) have been stopped first.

 

If you also ensure that no ports are being forwarded by your router and that UPnP is disabled in your router (so that programs cannot tell the router to forward ports), then you have blocked any possibility of non-VPN traffic on the native interface when you do not want it.

 

This is basically the configuration described for use with Windows XP in the section "Advanced Set Up for Windows XP" in the guide "Guide to Setting Up VPN Just for Torrenting on Windows" found here:

 

https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/

 

But you can of course use this "VPN for everything or nothing" approach with Windows Vista/7/8 too, although this was not suggested in that guide. See that guide for more detailed information.

 

UPDATE:

 

As discussed below, when the DHCP "lease" period for your IP address expires, it seems that during the DHCP lease "renewal" process, Windows will restore the original gateway entry in the routing table. You can check when your lease will expire by looking in the output of the command "ipconfig /all". Before the lease expires, you could force a renewal using the command "ipconfig /renew", and then remove the default gateway entry again.

 

Note that Windows will renew the lease "halfway through the lease period":

 

http://technet.microsoft.com/en-us/library/cc958919.aspx

 

UPDATE to UPDATE:

 

Originally I ignored an obvious solution here, and only discussed the option of setting up a static IP address. However, I believe most routers will allow you to change the DHCP lease interval they use. I know for sure this is possible for the Actiontec V1000H and the ASUS RT-N56U. I suggest setting this as high as possible, or up to a year.

 

If you decide to use a static IP address on your PC, you should ensure that your router does not feel free to allocate the same IP address to other devices, as this would cause great grief on your LAN (this happened to me once). Your router should allow you to set the range of IP addresses that it will allocate from. It should also allow you to allocate a fixed IP address to a particular MAC address. The Actiontec V1000H calls this "DHCP Reservation". The ASUS RT-N56U calls this "Manually Assigned IP around the DHCP list". You can use the real MAC for your PC as shown by "ipconfig /all":

C:\Users\user>ipconfig /all

Windows IP Configuration

...
Wireless LAN adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ...
Physical Address. . . . . . . . . : 08-ED-B9-13-21-43
...
The MAC address is the "Physical Address", except that your router may want ":" in place of "-".

 

Or just make up one to stop that address from being given out.

 

UPDATE 2:

 

Note that removing the original non-VPN gateway entry from the routing table will also stop the WebRTC leak. See this post:

 

https://airvpn.org/topic/13519-webrtc-vulnerability/?p=24989
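As an added check (my own example, not a script from this thread or from AirVPN), this Python code parses "route print" output in the format shown above and reports whether the native 0.0.0.0/0.0.0.0 gateway entry is present next to OpenVPN's two half-default routes. The two sample tables are constructed to match the listings in this thread; on a real machine you would feed it the output of "route print -4".

```python
"""Check a Windows "route print" listing for the native (non-VPN) default route."""
import re
from typing import Dict, List

# One row of the IPv4 "Active Routes" table: dest, netmask, gateway, interface, metric.
ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample, shaped like the thread's route print output, after the
# 0.0.0.0/0.0.0.0 entry has been deleted: only OpenVPN's two half-default
# routes (0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0) remain.
AFTER_DELETE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30
        10.30.0.1  255.255.255.255      10.30.0.105      10.30.0.106     30
    46.165.208.70  255.255.255.255    192.168.1.254     192.168.1.63     20
        128.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30
===========================================================================
Persistent Routes:
  None
"""

# Constructed sample for the state the thread reports after a DHCP renewal:
# Windows has put the 0.0.0.0/0.0.0.0 entry via the router back.
NATIVE_ROW = "          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.63     20\n"
ROUTE_RESTORED = AFTER_DELETE.replace("Metric\n", "Metric\n" + NATIVE_ROW, 1)


def parse_active_routes(text: str) -> List[Dict[str, str]]:
    """Return the rows of the IPv4 'Active Routes' table as dicts."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
        elif line.startswith("Persistent Routes:"):
            break
        elif in_table:
            m = ROW.match(line)
            if m:
                dest, mask, gw, iface, metric = m.groups()
                routes.append({"dest": dest, "mask": mask, "gateway": gw,
                               "interface": iface, "metric": metric})
    return routes


def default_route_status(text: str) -> Dict[str, object]:
    """native_gateway: gateway of the 0.0.0.0/0.0.0.0 entry, or None once deleted;
    vpn_split_default: both OpenVPN half-default routes present;
    fallback_route_present: traffic could fall back to the router if the tunnel drops."""
    routes = parse_active_routes(text)
    native = [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]
    halves = {(r["dest"], r["mask"]) for r in routes if r["mask"] == "128.0.0.0"}
    return {
        "native_gateway": native[0]["gateway"] if native else None,
        "vpn_split_default": {("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0")} <= halves,
        "fallback_route_present": bool(native),
    }


if __name__ == "__main__":
    print(default_route_status(AFTER_DELETE))
    print(default_route_status(ROUTE_RESTORED))
```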


Assuming the gateway address is 192.168.1.254, then you run this command as administrator after the VPN comes up:

route delete 0.0.0.0 192.168.1.254

You need to do this at an "administrator command prompt" that has administrator privilege, which you can bring up using "Start/All Programs/Accessories/Command Prompt, right-click, Run as Administrator". You can set up copy and paste editing in a command prompt by right-clicking on the title bar, where it says "Administrator Command Prompt".

 

I noticed the route is being added back (Win 7 Ult.) during the VPN session and have no idea how it is happening. Any idea what could cause this?

 

The sequence is like this:

 

Sat Nov 23 16:54:02 2013 MANAGEMENT: >STATE:1385243642,CONNECTED,SUCCESS,10.30.0.106,46.165.208.70

 

_up.bat runs

 

ipconfig /flushdns

netsh interface ip set dns "Wireless Network Connection" static 10.30.0.1

netsh interface ip set dns "Local Area Connection" static 10.30.0.1

route delete 0.0.0.0 192.xxx.xxx.xxx

route delete 0.0.0.0 192.xxx.xxx.xxx

@pause

 

Perhaps I should change my IP address from DHCP to static also?

 

Entry in Security Logs for route delete cmd:

 

11/23/2013 4:54:09 PM Special privileges assigned to new logon.

 

Routing Table:

 

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30

        10.30.0.1  255.255.255.255      10.30.0.105      10.30.0.106     30

      10.30.0.104  255.255.255.252         On-link       10.30.0.106    286

      10.30.0.106  255.255.255.255         On-link       10.30.0.106    286

      10.30.0.107  255.255.255.255         On-link       10.30.0.106    286

    46.165.208.70  255.255.255.255  192.xxx.xxx.xxx  192.xxx.xxx.xxx     20

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

        128.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30

    192.xxx.xxx.0    255.255.255.0         On-link   192.xxx.xxx.xxx    276

  192.xxx.xxx.xxx  255.255.255.255         On-link   192.xxx.xxx.xxx    276

  192.xxx.xxx.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       10.30.0.106    286

        224.0.0.0        240.0.0.0         On-link   192.xxx.xxx.xxx    276

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       10.30.0.106    286

  255.255.255.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276

===========================================================================

Persistent Routes:

  None

 

>time

The current time is: 17:09:35.40

 

execute Firefox 25.0.1

browse a bit

execute e-mail app (Outlook 2010) 11/23/2013 5:41:18 PM

close e-mail

machine is idle

 

Only activity logged in OpenVPN:

 

Sat Nov 23 17:53:53 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org

Sat Nov 23 17:53:53 2013 VERIFY OK: nsCertType=SERVER

Sat Nov 23 17:53:53 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org

Sat Nov 23 17:53:54 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Sat Nov 23 17:53:54 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Sat Nov 23 17:53:54 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Sat Nov 23 17:53:54 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Sat Nov 23 17:53:54 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

 

Routing Table with route back:

 

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0  192.xxx.xxx.xxx  192.xxx.xxx.xxx     20

          0.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30

        10.30.0.1  255.255.255.255      10.30.0.105      10.30.0.106     30

      10.30.0.104  255.255.255.252         On-link       10.30.0.106    286

      10.30.0.106  255.255.255.255         On-link       10.30.0.106    286

      10.30.0.107  255.255.255.255         On-link       10.30.0.106    286

    46.165.208.70  255.255.255.255  192.xxx.xxx.xxx  192.xxx.xxx.xxx     20

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

        128.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30

    192.xxx.xxx.0    255.255.255.0         On-link   192.xxx.xxx.xxx    276

  192.xxx.xxx.xxx  255.255.255.255         On-link   192.xxx.xxx.xxx    276

  192.xxx.xxx.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link       10.30.0.106    286

        224.0.0.0        240.0.0.0         On-link   192.xxx.xxx.xxx    276

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link       10.30.0.106    286

  255.255.255.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276

===========================================================================

Persistent Routes:

  None

 

>time

The current time is: 18:31:25.91

 

nothing else in security log until 18:36:44 (route delete from _up.bat)

 

UDP 2018 is the only port that provides tolerable speed. Can use TCP 80 and TCP 2018 and haven't tried these.

 


..

 

I noticed the route is being added back (Win 7 Ult.) during the VPN session and have no idea how it is happening. Any idea what could cause this?

...

 

No idea. I never saw this while I was testing it.

 

Most of the time I use my "VPN only for torrents" set up though. So I don't remove the default gateway. So I have not left that configuration running for many, many hours.

 

Was this just an isolated case? Or is it happening every time? And after only 15 minutes? Strange that you would not have noticed this before.

 

Do you think this has always been happening? Or is this new? Could some sort of IP reset be happening? Maybe a Windows update has brought in a new stupid Microsoft feature that assumes the user is an idiot, and "corrects" the configuration spontaneously?


I manually add the route back and noticed it on occasion - "The route addition failed: The object already exists".

 

I've been using this for about 5 or 6 weeks and have noticed it on occasion. I used this with Jeremy's dnsleakbat fix for about 3 or 4 weeks prior to that. I also noticed it on occasion then and thought it was happening when the adapter was reset to DHCP. It doesn't happen all the time. I was connected for 5 hours yesterday and it did not occur.

 

It's not really a high priority for me but I thought I'd throw it out there. I haven't been using torrents much the last few years and when I do, I use a machine in my DMZ. I run it on this machine just to try to figure out what's going on. I do not use my other machines too often and haven't paid attention to it. Perhaps I'll run it on one of them (even though I'm not using the machine) and see what happens. However, I generally have 65 to 85 processes running on this machine. I suppose it could be any one of them?


...

However, I generally have 65 to 85 processes running on this machine. I suppose it could be any one of them?

 

If some process is resetting the default gateway, it has to have a way to determine what value to set it to. I think normally your single real connection is the only one that has a "default gateway". So the choice would be obvious.

 

I googled "Windows ignore default gateway from DHCP?" to see what people do in Windows to control the default gateway setting if they have multiple real connections thru different routers.

 

This was on top:

 

http://social.technet.microsoft.com/forums/windows/en-US/f2f46562-e276-4e73-99be-3cc1d742bf2e/windows-7-hardcoding-a-gateway-and-ignoring-dhcp-default-gateway

 

The response said they could control this using the netsh command. Perhaps you can use it to suppress the default gateway value coming via DHCP from being applied to your interface at all? Then you would effectively be unplugged when you start your PC, and would have to add a routing table entry to get thru to the VPN server first.

 

And presumably no process running on your PC would be able to determine what to set a "0.0.0.0"-mask routing table to. And maybe that process would put an error message in the log when it was unable to "repair" your configuration?

 

I have not tried this.

 

UPDATE:

 

I played with this a bit. It may be worth using this command to remove the default gateway (rather than "route delete"):

netsh interface ipv4 set address "Local Area Connection" dhcp gateway=none

This command appears to remove the 0.0.0.0-mask default gateway entry from the routing table and also removes the "default gateway" property from the "Local Area Connection" adapter. However, this will not be permanent (just like a DNS server change), as both changes will be reversed by renewing the DHCP lease with:

ipconfig /renew

Also a reboot will undo the changes, since this will renew the DHCP lease.

 

And with these commands there is no need to know any IP addresses! This did not work for XP though when I tried it (even after correcting the syntax to be XP compatible).

 

UPDATE 2:

 

I just noticed that the DHCP lease my router gives me is only for 24 hours:

        Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
        Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM

I wonder what happens when the lease expires? Presumably it gets renewed, causing the default gateway entry to be reinstated? Could this be what is happening?


I just noticed that the DHCP lease my router gives me is only for 24 hours:

        Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
        Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM 

I wonder what happens when the lease expires? Presumably it gets renewed, causing the default gateway entry to be reinstated (see above)? Could this be what is happening on your system?


If some process is resetting the default gateway, it has to have a way to determine what value to set it to. I think normally your single real connection is the only one that has a "default gateway". So the choice would be obvious.

 

I googled "Windows ignore default gateway from DHCP?" to see what people do in Windows to control the default gateway setting if they have multiple real connections thru different routers.

 

This was on top:

 

http://social.technet.microsoft.com/forums/windows/en-US/f2f46562-e276-4e73-99be-3cc1d742bf2e/windows-7-hardcoding-a-gateway-and-ignoring-dhcp-default-gateway

 

The response said they could control this using the netsh command. Perhaps you can use it to suppress the default gateway value coming via DHCP from being applied to your interface at all? Then you would effectively be unplugged when you start your PC, and would have to add a routing table entry to get thru to the VPN server first.

 

And presumably no process running on your PC would be able to determine what to set a "0.0.0.0"-mask routing table to. And maybe that process would put an error message in the log when it was unable to "repair" your configuration?

 

I have not tried this.

 

I followed that thread to MS Technet. It appears some of these cmds are for Server. But I didn't look into it enough yet.

 

 

UPDATE:

 

I played with this a bit. It may be worth using this command to remove the default gateway (rather than "route delete"):

netsh interface ipv4 set address "Local Area Connection" dhcp gateway=none

 

Thanks. I'll try this. Today I tried disabling 'Windows Scaling Heuristics State' in the Local Policy. It appears this deals with throughput but I tried it anyway. The route came back after (between) 5 - 6 hours.

 

UPDATE 2:

 

I just noticed that the DHCP lease my router gives me is only for 24 hours:

        Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
        Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM

I wonder what happens when the lease expires? Presumably it gets renewed, causing the default gateway entry to be reinstated? Could this be what is happening?

 

Funny you should mention that. I checked out the lease last night. I'll try 'dhcp gateway=none' first.

Perhaps I'll also try using a static IP Address as well. However, a static address wouldn't be a resolution, more of a workaround.


It is looking like a DHCP issue. I had reduced the lease time to 12 hours (from the server's default of 24). I noticed the route was added at 13:10 and last checked about 12:30. I checked the lease and it did renew at 12:50:

 

Lease Obtained. . . . . . . . . . : Thursday, November 28, 2013 6:50:57 AM
Lease Expires . . . . . . . . . . : Friday, November 29, 2013 12:50:57 AM

 

If this is the case, the route should return around 18:50:57 when the client begins to attempt to renew the lease, once half the lease interval has expired.


Confirmed (a little before 18:50):

 

 Lease Obtained. . . . . . . . . . : Thursday, November 28, 2013 6:50:57 AM
 Lease Expires . . . . . . . . . . : Friday, November 29, 2013 6:23:18 AM

 

 

EDIT: Probably didn't notice it on the DMZ machine because it was using a static IP address.
