NaDre Posted ...

I posted this information in another post: https://airvpn.org/topic/9787-the-pros-and-the-cons/?p=11501 But perhaps I should have added it here.

You can stop outgoing traffic going out of the native interface, in case the VPN fails, by removing the original non-VPN gateway entry from the routing table, after the VPN comes up. First you need to determine the IP address of this gateway. You can see what the original non-VPN gateway is using this command:

    route print

You need to do this at a "command prompt", which you can bring up using "Start/All Programs/Accessories/Command Prompt". You can set up copy and paste editing in a command prompt by right-clicking on the title bar, where it says "Command Prompt". This should produce something like this:

    C:\Users\user>route print
    ...
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.63     10
    ...

It is the "Gateway" value for the routing table entry with the "Network Destination" and "Netmask" values "0.0.0.0". In this case the gateway address is 192.168.1.254.

Assuming the gateway address is 192.168.1.254, then you run this command as administrator after the VPN comes up:

    route delete 0.0.0.0 192.168.1.254

You need to do this at an "administrator command prompt" that has administrator privilege, which you can bring up using "Start/All Programs/Accessories/Command Prompt, right-click, Run as Administrator". You can set up copy and paste editing in a command prompt by right-clicking on the title bar, where it says "Administrator Command Prompt".

After the VPN comes down, and you have stopped whatever it is you do not want going out over the native interface (torrent clients?), you can restore the ability for traffic on the native interface by running this command as administrator:

    route add 0.0.0.0 mask 0.0.0.0 192.168.1.254

For convenience, you can put these commands into ".bat" scripts and create shortcuts to them with the "Run as administrator" property set. Add a "pause" statement at the end so the window will stay open for you to see the results.

Assuming that you are using the GUI wrapper program (OpenVPN-GUI) for OpenVPN that comes with OpenVPN, rather than the AirVPN GUI wrapper program, and that you have generated, downloaded and installed the ".ovpn" configuration files that this needs, then if you want to automate this, you can do this in an OpenVPN "up" script. I will assume in what follows that you have set these up as described here: https://airvpn.org/topic/9699-using-browser-with-and-without-vpn/?p=11511 or https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?p=11603

The "route delete" could be added to the "_up.bat" script I described in the above post. But do not restore the gateway in the "_down.bat" script. Make sure the torrent clients (or whatever) have been stopped first. If you also ensure that no ports are being forwarded by your router and that UPnP is disabled in your router (so that programs cannot tell the router to forward ports), then you have blocked any possibility of non-VPN traffic on the native interface when you do not want it.

This is basically the configuration described for use with Windows XP in the section "Advanced Set Up for Windows XP" in the guide "Guide to Setting Up VPN Just for Torrenting on Windows" found here: https://airvpn.org/topic/9549-guide-to-setting-up-vpn-just-for-torrenting-on-windows-thanks-to-nadre/ But you can of course use this "VPN for everything or nothing" approach with Windows Vista/7/8 too, although this was not suggested in that guide. See that guide for more detailed information.

UPDATE: As discussed below, when the DHCP "lease" period for your IP address expires, it seems that during the DHCP lease "renewal" process, Windows will restore the original gateway entry in the routing table. You can check when your lease will expire by looking in the output of the command "ipconfig /all". Before the lease expires, you could force a renewal using the command "ipconfig /renew", and then remove the default gateway entry again. Note that Windows will renew the lease "halfway through the lease period": http://technet.microsoft.com/en-us/library/cc958919.aspx

UPDATE to UPDATE: Originally I ignored an obvious solution here, and only discussed the option of setting up a static IP address. However I believe most routers will allow you to change the DHCP lease interval they use. I know for sure this is possible for the Actiontec V1000H and the ASUS RT-N56U. I suggest setting this as high as possible, or up to a year.

If you decide to use a static IP address on your PC, you should ensure that your router does not feel free to allocate the same IP address to other devices, as this would cause great grief on your LAN (this happened to me once). Your router should allow you to set the range of IP addresses that it will allocate from. It should also allow you to allocate a fixed IP address to a particular MAC address. The Actiontec V1000H calls this "DHCP Reservation". The ASUS RT-N56U calls this "Manually Assigned IP around the DHCP list".

You can use the real MAC for your PC as shown by "ipconfig /all":

    C:\Users\user>ipconfig /all

    Windows IP Configuration
    ...
    Wireless LAN adapter Wireless Network Connection:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : ...
       Physical Address. . . . . . . . . : 08-ED-B9-13-21-43
    ...

The MAC address is the "Physical Address", except that your router may want ":" in place of "-". Or just make up one to stop that address from being given out.

UPDATE 2: Note that removing the original non-VPN gateway entry from the routing table will also stop the WebRTC leak. See this post: https://airvpn.org/topic/13519-webrtc-vulnerability/?p=24989
amnesty Posted ...

> Assuming the gateway address is 192.168.1.254, then you run this command as administrator after the VPN comes up:
>
>     route delete 0.0.0.0 192.168.1.254
>
> You need to do this at an "administrator command prompt" that has administrator privilege, which you can bring up using "Start/All Programs/Accessories/Command Prompt, right-click, Run as Administrator". You can set up copy and paste editing in a command prompt by right-clicking on the title bar, where it says "Administrator Command Prompt".

I noticed the route is being added back (Win 7 Ult.) during the VPN session and have no idea how it is happening. Any idea what could cause this? The sequence is like this:

    Sat Nov 23 16:54:02 2013 MANAGEMENT: >STATE:1385243642,CONNECTED,SUCCESS,10.30.0.106,46.165.208.70

_up.bat runs:

    ipconfig /flushdns
    netsh interface ip set dns "Wireless Network Connection" static 10.30.0.1
    netsh interface ip set dns "Local Area Connection" static 10.30.0.1
    route delete 0.0.0.0 192.xxx.xxx.xxx
    route delete 0.0.0.0 192.xxx.xxx.xxx
    @pause

Perhaps I should change my IP address from DHCP to static also?

Entry in Security Logs for route delete cmd:

    11/23/2013 4:54:09 PM Special privileges assigned to new logon.

Routing Table:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30
            10.30.0.1  255.255.255.255      10.30.0.105      10.30.0.106     30
          10.30.0.104  255.255.255.252         On-link       10.30.0.106    286
          10.30.0.106  255.255.255.255         On-link       10.30.0.106    286
          10.30.0.107  255.255.255.255         On-link       10.30.0.106    286
        46.165.208.70  255.255.255.255  192.xxx.xxx.xxx  192.xxx.xxx.xxx     20
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30
        192.xxx.xxx.0    255.255.255.0         On-link   192.xxx.xxx.xxx    276
      192.xxx.xxx.xxx  255.255.255.255         On-link   192.xxx.xxx.xxx    276
      192.xxx.xxx.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       10.30.0.106    286
            224.0.0.0        240.0.0.0         On-link   192.xxx.xxx.xxx    276
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       10.30.0.106    286
      255.255.255.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276
    ===========================================================================
    Persistent Routes:
      None

    >time
    The current time is: 17:09:35.40

execute Firefox 25.0.1
browse a bit
execute e-mail app (Outlook 2010) 11/23/2013 5:41:18 PM
close e-mail
machine is idle

Only activity logged in OpenVPN:

    Sat Nov 23 17:53:53 2013 VERIFY OK: depth=1, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=airvpn.org CA, emailAddress=info@airvpn.org
    Sat Nov 23 17:53:53 2013 VERIFY OK: nsCertType=SERVER
    Sat Nov 23 17:53:53 2013 VERIFY OK: depth=0, C=IT, ST=IT, L=Perugia, O=airvpn.org, CN=server, emailAddress=info@airvpn.org
    Sat Nov 23 17:53:54 2013 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sat Nov 23 17:53:54 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 23 17:53:54 2013 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Sat Nov 23 17:53:54 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Nov 23 17:53:54 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

Routing Table with route back:

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0  192.xxx.xxx.xxx  192.xxx.xxx.xxx     20
              0.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30
            10.30.0.1  255.255.255.255      10.30.0.105      10.30.0.106     30
          10.30.0.104  255.255.255.252         On-link       10.30.0.106    286
          10.30.0.106  255.255.255.255         On-link       10.30.0.106    286
          10.30.0.107  255.255.255.255         On-link       10.30.0.106    286
        46.165.208.70  255.255.255.255  192.xxx.xxx.xxx  192.xxx.xxx.xxx     20
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            128.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30
        192.xxx.xxx.0    255.255.255.0         On-link   192.xxx.xxx.xxx    276
      192.xxx.xxx.xxx  255.255.255.255         On-link   192.xxx.xxx.xxx    276
      192.xxx.xxx.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link       10.30.0.106    286
            224.0.0.0        240.0.0.0         On-link   192.xxx.xxx.xxx    276
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link       10.30.0.106    286
      255.255.255.255  255.255.255.255         On-link   192.xxx.xxx.xxx    276
    ===========================================================================
    Persistent Routes:
      None

    >time
    The current time is: 18:31:25.91

Nothing else in security log until 18:36:44 (route delete from _up.bat).

UDP 2018 is the only port that provides tolerable speed. Can use TCP 80 and TCP 2018 and haven't tried these.
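An added check (not from either poster) that makes the difference between the two tables above mechanical: it parses `route print` output and reports when the native 0.0.0.0/0.0.0.0 default route is present while the VPN's two /1 split routes are still installed, which is the state in which traffic can leave through the LAN gateway. The sample tables are constructed, with the masked 192.xxx.xxx.xxx addresses replaced by the 192.168.1.x values from the first post.

```python
"""Added example: parse `route print` and flag the state shown in the second
table above: the native 0.0.0.0/0.0.0.0 default route is back while the VPN's
two /1 split routes (0.0.0.0 and 128.0.0.0 with mask 128.0.0.0) are still up."""
import re
from typing import Dict, List, NamedTuple

class Route(NamedTuple):
    dest: str
    mask: str
    gateway: str  # "On-link" for directly connected prefixes
    iface: str
    metric: int

# One row of the IPv4 "Active Routes" table: five whitespace-separated fields.
_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text: str) -> List[Route]:
    """Return the IPv4 Active Routes rows; header/separator lines do not match."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith(("Persistent Routes:", "IPv6 Route Table")):
            active = False
        m = _ROW.match(line) if active else None
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes

def check_leak(routes: List[Route]) -> Dict[str, object]:
    """VPN is up when both /1 routes exist; a 0.0.0.0/0.0.0.0 row beside them is
    the native gateway that `route delete` removed and DHCP renewal put back."""
    vpn_split = {r.dest for r in routes if r.mask == "128.0.0.0"}
    native = [r for r in routes if r.dest == "0.0.0.0" and r.mask == "0.0.0.0"]
    vpn_up = vpn_split >= {"0.0.0.0", "128.0.0.0"}
    leak = vpn_up and bool(native)
    return {
        "vpn_up": vpn_up,
        "native_gateway": native[0].gateway if native else None,
        "leak": leak,
        # The thread's remediation, rebuilt from the parsed gateway address.
        "fix_commands": [f"route delete 0.0.0.0 {r.gateway}" for r in native] if leak else [],
    }

# Constructed samples modelled on the two tables above, with the masked
# 192.xxx.xxx.xxx LAN addresses replaced by the first post's 192.168.1.x values.
_HEADER = ("IPv4 Route Table\n" + "=" * 75 + "\nActive Routes:\n"
           "Network Destination        Netmask          Gateway       Interface  Metric\n")
_VPN_ROWS = ("          0.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30\n"
             "        10.30.0.1  255.255.255.255      10.30.0.105      10.30.0.106     30\n"
             "    46.165.208.70  255.255.255.255    192.168.1.254     192.168.1.63     20\n"
             "        128.0.0.0        128.0.0.0      10.30.0.105      10.30.0.106     30\n"
             "      192.168.1.0    255.255.255.0         On-link      192.168.1.63    276\n")
_FOOTER = "=" * 75 + "\nPersistent Routes:\n  None\n"
_NATIVE_DEFAULT = "          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.63     20\n"
SAMPLE_CLEAN = _HEADER + _VPN_ROWS + _FOOTER                         # gateway removed, as intended
SAMPLE_ROUTE_BACK = _HEADER + _NATIVE_DEFAULT + _VPN_ROWS + _FOOTER  # after DHCP renewal
```

On a Windows host, feed the text of `route -4 print` (for example via `subprocess.run`) to `parse_route_print` instead of the constructed samples; a periodic run of this check from the VPN session is how you would notice the gateway coming back before the log does.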
NaDre Posted ...

> ... I noticed the route is being added back (Win 7 Ult.) during the VPN session and have no idea how it is happening. Any idea what could cause this? ...

No idea. I never saw this while I was testing it. Most of the time I use my "VPN only for torrents" set up though. So I don't remove the default gateway. So I have not left that configuration running for many, many hours.

Was this just an isolated case? Or is it happening every time? And after only 15 minutes? Strange that you would not have noticed this before. Do you think this has always been happening? Or is this new? Could some sort of IP reset be happening? Maybe a Windows update has brought in a new stupid Microsoft feature that assumes the user is an idiot, and "corrects" the configuration spontaneously?
amnesty Posted ...

I manually add the route back and noticed it on occasion: "The route addition failed: The object already exists". I've been using this for about 5 or 6 weeks and have noticed it on occasion. I used this with Jeremy's dnsleakbat fix for about 3 or 4 weeks prior to that. I also noticed it on occasion then and thought it was happening when the adapter was reset to DHCP. It doesn't happen all the time. I was connected for 5 hours yesterday and it did not occur.

It's not really a high priority for me but I thought I'd throw it out there. I haven't been using torrents much the last few years and when I do, I use a machine in my DMZ. I run it on this machine just to try to figure out what's going on. I do not use my other machines too often and haven't paid attention to it. Perhaps I'll run it on one of them (even though I'm not using the machine) and see what happens. However, I generally have 65 to 85 processes running on this machine. I suppose it could be any one of them?
NaDre Posted ...

> ... However, I generally have 65 to 85 processes running on this machine. I suppose it could be any one of them?

If some process is resetting the default gateway, it has to have a way to determine what value to set it to. I think normally your single real connection is the only one that has a "default gateway". So the choice would be obvious.

I googled "Windows ignore default gateway from DHCP?" to see what people do in Windows to control the default gateway setting if they have multiple real connections thru different routers. This was on top: http://social.technet.microsoft.com/forums/windows/en-US/f2f46562-e276-4e73-99be-3cc1d742bf2e/windows-7-hardcoding-a-gateway-and-ignoring-dhcp-default-gateway

The response said they could control this using the netsh command. Perhaps you can use it to suppress the default gateway value coming via DHCP from being applied to your interface at all? Then you would effectively be unplugged when you start your PC, and would have to add a routing table entry to get thru to the VPN server first. And presumably no process running on your PC would be able to determine what to set a "0.0.0.0"-mask routing table to. And maybe that process would put an error message in the log when it was unable to "repair" your configuration? I have not tried this.

UPDATE: I played with this a bit. It may be worth using this command to remove the default gateway (rather than "route delete"):

    netsh interface ipv4 set address "Local Area Connection" dhcp gateway=none

This command appears to remove the 0.0.0.0-mask default gateway entry from the routing table and also removes the "default gateway" property from the "Local Area Connection" adapter. However this will not be permanent (like a DNS server change), as both changes will be reversed by renewing the DHCP lease with:

    ipconfig /renew

Also a reboot will undo the changes, since this will renew the DHCP lease. And with these commands there is no need to know any IP addresses!

This did not work for XP though when I tried it (even after correcting the syntax to be XP compatible).

UPDATE 2: I just noticed that the DHCP lease my router gives me is only for 24 hours:

    Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
    Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM

I wonder what happens when the lease expires? Presumably it gets renewed, causing the default gateway entry to be reinstated? Could this be what is happening?
NaDre Posted ...

I just noticed that the DHCP lease my router gives me is only for 24 hours:

    Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
    Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM

I wonder what happens when the lease expires? Presumably it gets renewed, causing the default gateway entry to be reinstated (see above)? Could this be what is happening on your system?
amnesty Posted ...

> If some process is resetting the default gateway, it has to have a way to determine what value to set it to. I think normally your single real connection is the only one that has a "default gateway". So the choice would be obvious.
>
> I googled "Windows ignore default gateway from DHCP?" to see what people do in Windows to control the default gateway setting if they have multiple real connections thru different routers. This was on top: http://social.technet.microsoft.com/forums/windows/en-US/f2f46562-e276-4e73-99be-3cc1d742bf2e/windows-7-hardcoding-a-gateway-and-ignoring-dhcp-default-gateway
>
> The response said they could control this using the netsh command. Perhaps you can use it to suppress the default gateway value coming via DHCP from being applied to your interface at all? Then you would effectively be unplugged when you start your PC, and would have to add a routing table entry to get thru to the VPN server first. And presumably no process running on your PC would be able to determine what to set a "0.0.0.0"-mask routing table to. And maybe that process would put an error message in the log when it was unable to "repair" your configuration? I have not tried this.

I followed that thread to MS Technet. It appears some of these cmds are for Server. But I didn't look into it enough yet.

> UPDATE: I played with this a bit. It may be worth using this command to remove the default gateway (rather than "route delete"):
>
>     netsh interface ipv4 set address "Local Area Connection" dhcp gateway=none

Thanks. I'll try this. Today I tried disabling 'Windows Scaling Heuristics State' in the Local Policy. It appears this deals with throughput but I tried it anyway. The route came back after (between) 5 - 6 hours.

> UPDATE 2: I just noticed that the DHCP lease my router gives me is only for 24 hours:
>
>     Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
>     Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM
>
> I wonder what happens when the lease expires? Presumably it gets renewed, causing the default gateway entry to be reinstated? Could this be what is happening?

Funny you should mention that. I checked out the lease last night. I'll try 'dhcp gateway=none' first. Perhaps I'll also try using a static IP Address as well. However, a static address wouldn't be a resolution, more of a workaround.
amnesty Posted ...

It is looking like a DHCP issue. I had reduced the lease time to 12 hours (from the server's default of 24). I noticed the route was added at 13:10 and last checked about 12:30. I checked the lease and it did renew at 12:50:

    Lease Obtained. . . . . . . . . . : Thursday, November 28, 2013 6:50:57 AM
    Lease Expires . . . . . . . . . . : Friday, November 29, 2013 12:50:57 AM

If this is the case, the route should return around 18:50:57 when the client begins to attempt to renew the lease, once half the lease interval has expired.
amnesty Posted ...

Confirmed (a little before 18:50):

    Lease Obtained. . . . . . . . . . : Thursday, November 28, 2013 6:50:57 AM
    Lease Expires . . . . . . . . . . : Friday, November 29, 2013 6:23:18 AM

EDIT: Probably didn't notice it on the DMZ machine because it was using a static IP address.
amnesty Posted ...

Placed a note regarding this here: https://airvpn.org/topic/9787-the-pros-and-the-cons/?p=13142

NOTE: 'Check DHCP Lease time. Route(s) added back upon lease renewal. Clients begin to attempt to renew their leases once half the lease interval has expired. Lease time for 1 year = 31536000'
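An added example (not from either poster) that turns the thread's finding into a number you can act on: it parses the `ipconfig /all` layout quoted earlier, computes the renewal instant at half the lease (the point where the route came back), the later rebind instant, and formats the adapter MAC the way a router's DHCP reservation page wants it. The sample is constructed from the 24-hour lease and MAC quoted in the thread; the other values are placeholders.

```python
"""Added example: from `ipconfig /all` output, work out when the Windows DHCP
client will next renew (and, per this thread, put the default gateway back),
and format the adapter MAC the way a router's DHCP reservation page wants it.
RFC 2131 defaults: renew (T1) at 50% of the lease, rebind (T2) at 87.5%."""
import re
from datetime import datetime
from typing import Dict, Optional

# ipconfig pads each label with " . . ." up to the colon; the value follows it.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*?)\s*$")
_TIME_FMT = "%A, %B %d, %Y %I:%M:%S %p"  # e.g. Monday, November 25, 2013 10:54:58 AM

def parse_ipconfig(text: str) -> Dict[str, str]:
    """Map label -> value; the first adapter that sets a label wins."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1).strip(), m.group(2))
    return fields

def mac_for_router(fields: Dict[str, str]) -> str:
    """'Physical Address' as shown by ipconfig, with ':' instead of '-'."""
    return fields["Physical Address"].replace("-", ":").upper()

def lease_schedule(fields: Dict[str, str]) -> Dict[str, object]:
    """Lease length plus the T1 (renew) and T2 (rebind) instants."""
    obtained = datetime.strptime(fields["Lease Obtained"], _TIME_FMT)
    expires = datetime.strptime(fields["Lease Expires"], _TIME_FMT)
    lease = expires - obtained
    return {
        "lease_seconds": int(lease.total_seconds()),
        "renew_at": obtained + lease / 2,        # route reappeared here in the thread
        "rebind_at": obtained + lease * 7 / 8,   # client broadcasts if T1 renewal failed
        "expires_at": expires,
    }

def seconds_until_renew(fields: Dict[str, str], now: Optional[datetime] = None) -> int:
    """How long a removed gateway stays removed before the next renewal attempt."""
    now = now or datetime.now()
    return max(0, int((lease_schedule(fields)["renew_at"] - now).total_seconds()))

# Constructed sample in ipconfig /all layout, using the MAC and 24-hour lease
# quoted in the thread (other values are placeholders).
SAMPLE_IPCONFIG = """Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Placeholder Ethernet Adapter
   Physical Address. . . . . . . . . : 08-ED-B9-13-21-43
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.63(Preferred)
   Lease Obtained. . . . . . . . . . : Monday, November 25, 2013 10:54:58 AM
   Lease Expires . . . . . . . . . . : Tuesday, November 26, 2013 10:54:58 AM
   Default Gateway . . . . . . . . . : 192.168.1.254
"""
```

With a live host, pass the text of `ipconfig /all` to `parse_ipconfig`; `seconds_until_renew` then tells you how long the removed gateway will stay removed, and the answer for the thread's 24-hour lease is 12 hours after "Lease Obtained".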