NaDre Posted ...

For a shorter and more concise guide that also deals with IPv6 see this:
https://github.com/tool-maker/VPN_just_for_torrents/wiki/Running-OpenVPN-on-Windows-without-VPN-as-Default-Gateway

A change made by AirVPN in June 2018 during their move to "Gen2" servers may make this approach unworkable for people using uTorrent or other clients where you have to provide the IP address to bind to. See this:
https://airvpn.org/topic/28494-tunnel-private-subnet-changed/?p=75311

On 7/1/2018 at 8:45 AM, NaDre said:

> On 7/1/2018 at 4:35 AM, Staff said:
>
> > ... However, you have several small subnets /24 on each server, one per daemon, and you can't say in advance which subnet your system will enter because of the load balancing system which "welcomes" the clients and "assigns" them to the OpenVPN daemon running in the less loaded core (at the moment of connection). ...
>
> So the local IP address you get for your tun device will be different depending upon which daemon the load balancer assigns you to? It used to be that if you connected using the same server and port (i.e. the same config file) you would get the same local IP address. This is no longer true?

You may find you have to change the uTorrent configuration every time you connect in order to plug in the local private IP address used by the TAP-Windows Adapter.

==============================

This guide is a bit dated. But I think it is still useful. Things have not changed all that much. Ignore the stuff about Windows XP.

For information about incorporating IPv6 see this post later in this thread:
https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?p=66214

==============================

Instead of using the client obtained from OpenVPN directly, as described in Part 1, you can use Eddie to set up the VPN. You cannot use "network lock" though. In fact, the VPN does not even have to be done with OpenVPN. The techniques applied after setting up the VPN have no dependence on OpenVPN being used.

==============================

On a couple of occasions the images in this guide have stopped being displayed. This was due to an issue with the forum software. It is also possible that in the future the images could be dropped from the image hosting service.

UPDATE on 2017/04/01: It appears that ImageShack has purged the screen images. So I pointed this post to the ones at GitHub.

So, if you have a problem with this, I suggest some alternatives below:

There is an alternative version of this guide here:
https://github.com/tool-maker/VPN_just_for_torrents/wiki

It appears that archive.org backed this up a couple of times:
https://web.archive.org/web/...
At the time of writing, the April 3, 2015 version seems to work OK.

There is an HTML-only (and images) version (a quick hack from a download I took of this as a backup) in a zip file here: Guide_to_Setting_Up_VPN_Just_for_Torrenting_on_Windows.zip
I also put the BB ("Bulletin Board") code for this post in it.

==============================================================

This guide may still have typos. Parts may not be very clear. More explanation may be needed in some places. If you have feedback, please just post here.
==============================================================

Table of Contents

Guide to Setting Up VPN Just for Torrenting on Windows - Part 1
    Purpose and Goals
    IP Interfaces and Routing Table
    Installing OpenVPN
        IP Interfaces Before Install
        Routing Table Before Install
        IP Interfaces with VPN Down
        Routing Table with VPN Down
    Configuring OpenVPN to Access Servers
        IP Interfaces with VPN Up
        Routing Table with VPN Up
        Comparison of Routing Table with VPN Up Versus Down
    Setting Up Port Forwarding
    A Very Active Copyright Free Torrent to Test With
    Checking That the VPN Is Working

Guide to Setting Up VPN Just for Torrenting on Windows - Part 2
    Routing Table Functionality
    Advanced Set Up for Windows XP
        Set Up for Windows XP Firewall
        Routing Table Change to Block Outgoing Native Traffic
    Advanced Set Up for Windows Vista and Windows 7
        Set Up for Windows Firewall with Advanced Security
            Rules for Incoming Connections
            Rules for Outgoing Connections
            Specifying the Properties for a Firewall Rule
        Set Up for Torrent Clients
            Setting IP Interface for uTorrent
            Setting IP Interface for Vuze
        Routing Table Changes to Restore Native Gateway

==============================================================

Guide to Setting Up VPN Just for Torrenting on Windows - Part 1

Purpose and Goals

This guide is about setting up a VPN service on Windows using AirVPN. The goal here is to use the VPN only for torrent clients and the normal gateway for all other activities. This way my normal activities are not impacted by:

- reduced effective bandwidth
- detectable delays in response while browsing due to increased latency ("latency" is the time it takes for a packet to transit)
- security panics by sites I use that worry about security when my apparent location in the world changes

I am using Windows 7. But this guide also discusses XP and Vista. Details are provided below.

Here is a summary of what I do on Windows 7. I use the VPN only for my torrent clients.
To achieve this, I override the "0.0.0.0/128.0.0.0" and "128.0.0.0/128.0.0.0" routing table entries set up by the OpenVPN client with "0.0.0.0/192.0.0.0", "64.0.0.0/192.0.0.0", "128.0.0.0/192.0.0.0" and "192.0.0.0/192.0.0.0" entries, so that my normal gateway is used for most activities. I have two .bat files that allow me to quickly insert or delete these, so that I can use the VPN for web browsing when I want to.

I also then need to tell my torrent clients (uTorrent and Vuze are discussed in this guide) to use the VPN interface, since it will now not be used by default. For Vuze one can specify the interface. But for uTorrent one has to specify the IP address. So long as I continue to use the same AirVPN server, since my DHCP lease is for a year, I do not need to change the uTorrent configuration. If I wish to change the AirVPN server, I have to change the IP address uTorrent uses. This is not a lot of work. At the time of writing, AirVPN does not allow one to have a fixed local IP address for the VPN interface, otherwise this could be avoided.

I also configure Windows firewall to block all traffic from torrent clients using the default gateway. So if the VPN goes down, even if Windows decides to ignore the request to bind to a specific interface/IP and binds to my default gateway instead (apparently Windows may do this?), nothing leaks out using my own IP address.

Although I am using Windows 7, I have tried setting up a similar scheme to mine using Windows XP and Windows Vista, in the hope of making this guide more useful. I suspect many people are still using XP and Vista. I succeeded in this goal for Vista. However for XP, I was not able to achieve the goal of using the native interface for normal activities while using the VPN for the torrent clients. I describe the results below.

For examples, I use the earliest version of Windows possible, since the examples are often simpler that way, and you should be able to adapt the information to a later release easily.
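To show why those four /2 entries beat OpenVPN's two /1 entries, and why deleting the native "0.0.0.0" route (Part 2) leaves nothing for torrent traffic to leak through when the tunnel dies, here is an added example in Python. It is not code from this guide, from OpenVPN or from AirVPN; it replays the "route print" rows shown later in this guide through the longest-netmask-then-lowest-metric rule that Windows applies. The destination 203.0.113.10 and the metric on the override rows are constructed values.

```python
"""Simulation of the Windows routing-table lookup applied to this guide's tables.

Added example: not the guide's own code and not OpenVPN's or AirVPN's.
"""
import ipaddress

# Addresses taken from the guide's "ipconfig /all" and "route print" listings.
NATIVE_GW, NATIVE_IF = "192.168.1.254", "192.168.1.69"  # home router, LAN adapter
VPN_GW, VPN_IF = "10.4.50.141", "10.4.50.142"           # AirVPN gateway, TAP adapter

# Rows are (Network Destination, Netmask, Gateway, Interface, Metric),
# copied from "Routing Table with VPN Down".
VPN_DOWN = [
    ("0.0.0.0",         "0.0.0.0",         NATIVE_GW,   NATIVE_IF,   10),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1", "127.0.0.1",  1),
    ("192.168.1.0",     "255.255.255.0",   NATIVE_IF,   NATIVE_IF,   10),
    ("192.168.1.69",    "255.255.255.255", "127.0.0.1", "127.0.0.1", 10),
    ("192.168.1.255",   "255.255.255.255", NATIVE_IF,   NATIVE_IF,   10),
    ("224.0.0.0",       "240.0.0.0",       NATIVE_IF,   NATIVE_IF,   10),
    ("255.255.255.255", "255.255.255.255", NATIVE_IF,   NATIVE_IF,    1),
]

# The rows the OpenVPN client adds that matter for this discussion
# ("Routing Table with VPN Up"); it removes them again when the tunnel drops.
OPENVPN_ROUTES = [
    ("0.0.0.0",      "128.0.0.0",       VPN_GW,    VPN_IF,    1),  # lower half of IPv4
    ("128.0.0.0",    "128.0.0.0",       VPN_GW,    VPN_IF,    1),  # upper half of IPv4
    ("10.4.0.1",     "255.255.255.255", VPN_GW,    VPN_IF,    1),  # AirVPN DNS server
    ("10.4.50.140",  "255.255.255.252", VPN_IF,    VPN_IF,   30),  # tunnel subnet
    ("95.211.169.3", "255.255.255.255", NATIVE_GW, NATIVE_IF, 1),  # the VPN server itself
]
VPN_UP = VPN_DOWN + OPENVPN_ROUTES

# The four /2 entries from the summary above. The metric of 1 is an assumption;
# it never matters, because a /2 netmask always beats OpenVPN's /1 rows.
OVERRIDE_ROUTES = [
    (net, "192.0.0.0", NATIVE_GW, NATIVE_IF, 1)
    for net in ("0.0.0.0", "64.0.0.0", "128.0.0.0", "192.0.0.0")
]


def lookup(table, destination):
    """Return the (gateway, interface) Windows would use, or None if no row matches.

    A row matches when the destination's leading bits, as many of them as the
    netmask has 1 bits, equal the Network Destination. The row with the most
    1 bits wins; ties are broken by the lowest metric.
    """
    dest = ipaddress.IPv4Address(destination)
    best = None
    for net_dst, netmask, gateway, interface, metric in table:
        network = ipaddress.IPv4Network(f"{net_dst}/{netmask}", strict=False)
        if dest not in network:
            continue
        rank = (network.prefixlen, -metric)   # more 1 bits first, then lower metric
        if best is None or rank > best[0]:
            best = (rank, gateway, interface)
    return None if best is None else (best[1], best[2])


def route_delete(table, net_dst, gateway):
    """Mimic the guide's 'route delete <destination> <gateway>' command."""
    return [r for r in table if not (r[0] == net_dst and r[2] == gateway)]


def vpn_drops(table):
    """Mimic the OpenVPN client withdrawing its own routes when the tunnel dies."""
    return [r for r in table if r not in OPENVPN_ROUTES]


def override_commands(native_gateway=NATIVE_GW):
    """The 'route add' lines for the .bat file that inserts the /2 overrides."""
    return [f"route add {net} mask 192.0.0.0 {native_gateway}"
            for net in ("0.0.0.0", "64.0.0.0", "128.0.0.0", "192.0.0.0")]


if __name__ == "__main__":
    public = "203.0.113.10"    # constructed public address (documentation range)
    isp_dns = "75.153.176.1"   # the ISP DNS server from the guide's ipconfig listing
    print("VPN down      :", lookup(VPN_DOWN, public))
    print("VPN up        :", lookup(VPN_UP, public), lookup(VPN_UP, isp_dns))
    print("VPN server    :", lookup(VPN_UP, "95.211.169.3"))      # still native
    print("/2 overrides  :", lookup(VPN_UP + OVERRIDE_ROUTES, isp_dns),
          lookup(VPN_UP + OVERRIDE_ROUTES, "10.4.0.1"))         # /32 still wins
    hardened = route_delete(VPN_UP, "0.0.0.0", NATIVE_GW)        # XP approach
    print("tunnel dies   :", lookup(vpn_drops(hardened), public))  # None: no route, no leak
    print("\n".join(override_commands()))
```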
I try to make minimal assumptions about the reader's background, in the hope that this will be useful to non-technical readers. To this end, I try to explain the role of IP interfaces and the routing table in networking and how to obtain important information about these.

All screenshots can be enlarged by clicking on them individually.

IP Interfaces and Routing Table

In a couple of places in what follows I use two commands at the Windows "Command Prompt" to reveal some useful things about what setting up a VPN does in terms of Windows IP interfaces and the Windows routing table. The commands are "ipconfig /all" and "route print".

Installing OpenVPN

Get the "community" version of the unaltered OpenVPN client:
http://openvpn.net/index.php/open-source/downloads.html

If you have the 64-bit version of Windows then get the 64-bit version of OpenVPN - "openvpn-install-?-x86_64.exe". But if you do not have 64-bit Windows use the 32-bit version - "openvpn-install-?-i686.exe".

Before you install it, use the "ipconfig /all" and "route print" commands at a Windows command prompt. You will get something similar to this:

IP Interfaces Before Install

    C:\Documents and Settings\user>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : xp
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
            Physical Address. . . . . . . . . : 00-0C-29-A2-B9-61
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.69
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.254
            DHCP Server . . . . . . . . . . . : 192.168.1.254
            DNS Servers . . . . . . . . . . . : 192.168.1.254
                                                75.153.176.1
            Lease Obtained. . . . . . . . . . : Wednesday, March 06, 2013 2:05:50 PM
            Lease Expires . . . . . . . . . . : Thursday, March 07, 2013 2:05:50 PM

Routing Table Before Install

    C:\Documents and Settings\user>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 0c 29 a2 b9 61 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.69      10
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          192.168.1.0    255.255.255.0     192.168.1.69    192.168.1.69      10
         192.168.1.69  255.255.255.255        127.0.0.1       127.0.0.1      10
        192.168.1.255  255.255.255.255     192.168.1.69    192.168.1.69      10
            224.0.0.0        240.0.0.0     192.168.1.69    192.168.1.69      10
      255.255.255.255  255.255.255.255     192.168.1.69    192.168.1.69       1
    Default Gateway:     192.168.1.254
    ===========================================================================
    Persistent Routes:
      None

Install it. You may get an "unsigned driver" warning message for the TAP driver that OpenVPN uses to create an IP interface in Windows (saying it could destabilize your system). For Windows XP it looks like this:

Ignore the warning. It works fine on Windows XP (or Vista, Windows 7 or Windows 8).

At this point, again use the "ipconfig /all" and "route print" commands at a Windows command prompt. You will get something similar to this:

IP Interfaces with VPN Down

    C:\Documents and Settings\user>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : xp
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
            Physical Address. . . . . . . . . : 00-0C-29-A2-B9-61
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.69
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.254
            DHCP Server . . . . . . . . . . . : 192.168.1.254
            DNS Servers . . . . . . . . . . . : 192.168.1.254
                                                75.153.176.1
            Lease Obtained. . . . . . . . . . : Wednesday, March 06, 2013 2:05:50 PM
            Lease Expires . . . . . . . . . . : Thursday, March 07, 2013 2:05:50 PM

    Ethernet adapter Local Area Connection 4:

            Media State . . . . . . . . . . . : Media disconnected
            Description . . . . . . . . . . . : TAP-Windows Adapter V9
            Physical Address. . . . . . . . . : 00-FF-42-5E-D2-9E

Routing Table with VPN Down

    C:\Documents and Settings\user>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 0c 29 a2 b9 61 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
    0x3 ...00 ff 42 5e d2 9e ...... TAP-Windows Adapter V9 - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.69      10
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
          192.168.1.0    255.255.255.0     192.168.1.69    192.168.1.69      10
         192.168.1.69  255.255.255.255        127.0.0.1       127.0.0.1      10
        192.168.1.255  255.255.255.255     192.168.1.69    192.168.1.69      10
            224.0.0.0        240.0.0.0     192.168.1.69    192.168.1.69      10
      255.255.255.255  255.255.255.255     192.168.1.69    192.168.1.69       1
      255.255.255.255  255.255.255.255     192.168.1.69               3       1
    Default Gateway:     192.168.1.254
    ===========================================================================
    Persistent Routes:
      None

Compare these results to what we had before the install. In the sample above, a new IP interface called "Local Area Connection 4" has been created by the install.

Configuring OpenVPN to Access Servers

Then to get the VPN set up initially, at AirVPN go to "Client Area/Config Generator". The page says "OpenVPN Configuration Generator". Press the "Invert" button to select all of the servers (why not?). Then select "UDP" under "Protocol" and then "443" under "Port". Agree to the terms of service and press the "Generate" button.

This will have created a file called "air.zip". Save it somewhere. Unzip this into a folder. Let's say it is called "AirVPN". It will contain files like this:

    C:\Program Files\OpenVPN\config\AirVPN>dir
     Volume in drive C is Acer
     Volume Serial Number is 00B1-714F

     Directory of C:\Program Files\OpenVPN\config\AirVPN

    20/02/2013  02:08 PM    <DIR>          .
    20/02/2013  02:08 PM    <DIR>          ..
    20/02/2013  09:07 PM             8,944 AirVPN CH Virginis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN DE Aquilae - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN DE Tauri - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN DE Velorum - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN GB Bootis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN GB Carinae - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN GB Cassiopeia - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN IT Crucis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,945 AirVPN LU Herculis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN NL Castor - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN NL Leonis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN NL Leporis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,945 AirVPN NL Lyncis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN NL Lyra - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN NL Ophiuchi - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN NL Orionis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,946 AirVPN RO Phoenicis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN SE Cygni - UDP 443.ovpn
    20/02/2013  09:07 PM             8,945 AirVPN SE Serpentis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN SG Columbae - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN SG Puppis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN SG Sagittarii - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN US Andromedae - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN US Librae - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN US Octantis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,945 AirVPN US Pavonis - UDP 443.ovpn
    20/02/2013  09:07 PM             8,944 AirVPN US Persei - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN US Sirius - UDP 443.ovpn
    20/02/2013  09:07 PM             8,943 AirVPN US Vega - UDP 443.ovpn
                  29 File(s)        259,370 bytes
                   2 Dir(s)  244,540,530,688 bytes free

Move the "AirVPN" folder to "C:\Program Files\OpenVPN\config". You will be prompted for administrator privilege.

The OpenVPN install will have created a desktop icon for the OpenVPN GUI. Stop your torrent clients. Start up the OpenVPN GUI. On Vista or Windows 7 it will require administrator privilege. The following error messages may be a symptom of it not running privileged:

Either always right-mouse click and "Run as administrator", or alter the desktop icon for the OpenVPN GUI to always run as administrator:

The icon for the OpenVPN GUI will be in the system tray. Right-mouse click on it and select a server. On Windows XP the menu looks like this:

There is a page at AirVPN that gives info on how loaded each server is, which can be helpful when selecting a server to use.

Wait until the window showing the log closes and the message saying the VPN is up appears. Now once more use the "ipconfig /all" and "route print" commands at a Windows command prompt. You will get something similar to this:

IP Interfaces with VPN Up

    C:\Documents and Settings\user>ipconfig /all

    Windows IP Configuration

            Host Name . . . . . . . . . . . . : xp
            Primary Dns Suffix  . . . . . . . :
            Node Type . . . . . . . . . . . . : Unknown
            IP Routing Enabled. . . . . . . . : No
            WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
            Physical Address. . . . . . . . . : 00-0C-29-A2-B9-61
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 192.168.1.69
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.254
            DHCP Server . . . . . . . . . . . : 192.168.1.254
            DNS Servers . . . . . . . . . . . : 192.168.1.254
                                                75.153.176.1
            Lease Obtained. . . . . . . . . . : Wednesday, March 06, 2013 2:05:50 PM
            Lease Expires . . . . . . . . . . : Thursday, March 07, 2013 2:05:50 PM

    Ethernet adapter Local Area Connection 4:

            Connection-specific DNS Suffix  . :
            Description . . . . . . . . . . . : TAP-Windows Adapter V9
            Physical Address. . . . . . . . . : 00-FF-42-5E-D2-9E
            Dhcp Enabled. . . . . . . . . . . : Yes
            Autoconfiguration Enabled . . . . : Yes
            IP Address. . . . . . . . . . . . : 10.4.50.142
            Subnet Mask . . . . . . . . . . . : 255.255.255.252
            Default Gateway . . . . . . . . . : 10.4.50.141
            DHCP Server . . . . . . . . . . . : 10.4.50.141
            DNS Servers . . . . . . . . . . . : 10.4.0.1
            Lease Obtained. . . . . . . . . . : Wednesday, March 06, 2013 2:31:50 PM
            Lease Expires . . . . . . . . . . : Thursday, March 06, 2014 2:31:50 PM

Routing Table with VPN Up

    C:\Documents and Settings\user>route print
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 0c 29 a2 b9 61 ...... AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
    0x3 ...00 ff 42 5e d2 9e ...... TAP-Windows Adapter V9 - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0        128.0.0.0      10.4.50.141     10.4.50.142       1
              0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.69      10
             10.4.0.1  255.255.255.255      10.4.50.141     10.4.50.142       1
          10.4.50.140  255.255.255.252      10.4.50.142     10.4.50.142      30
          10.4.50.142  255.255.255.255        127.0.0.1       127.0.0.1      30
       10.255.255.255  255.255.255.255      10.4.50.142     10.4.50.142      30
         95.211.169.3  255.255.255.255    192.168.1.254    192.168.1.69       1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            128.0.0.0        128.0.0.0      10.4.50.141     10.4.50.142       1
          192.168.1.0    255.255.255.0     192.168.1.69    192.168.1.69      10
         192.168.1.69  255.255.255.255        127.0.0.1       127.0.0.1      10
        192.168.1.255  255.255.255.255     192.168.1.69    192.168.1.69      10
            224.0.0.0        240.0.0.0      10.4.50.142     10.4.50.142      30
            224.0.0.0        240.0.0.0     192.168.1.69    192.168.1.69      10
      255.255.255.255  255.255.255.255      10.4.50.142     10.4.50.142       1
      255.255.255.255  255.255.255.255     192.168.1.69    192.168.1.69       1
    Default Gateway:       10.4.50.141
    ===========================================================================
    Persistent Routes:
      None

The "Local Area Connection 4" interface has been configured with an IP address and other configuration information added to it. Also, the routing table has several new entries added to it involving the "Local Area Connection 4" interface. We will examine the details of these differences and comment on the information content of these listings in what follows.

You can use a "diff" program such as WinMerge to make the additions and changes to the routing table easier to pick out:

Comparison of Routing Table with VPN Up Versus Down

Now use your browser to go to:
http://whatismyipaddress.com/

Where are you in the world?

Until we get port forwarding working, there is no point in running your torrent client with the VPN. Although there would be no harm in trying it for a minute. Stop your torrent clients again before you shut down the VPN.

Setting Up Port Forwarding

At AirVPN, go to "Client Area/Forwarded ports". The page title is "Your forwarded ports". The ports you already have are shown first with a "Remove" button. At the end there is an extra spot with an "Add" button. Click "Add" and it will generate a random number and forward that port to you. After you click, the next page will say "Port ????? added" at the top.

Now you need to tell your torrent client to listen on this port. Here you should first understand about UPnP:
https://en.wikipedia.org/wiki/Universal_Plug_and_Play
And also NAT-PMP:
http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol

UPnP support in the router allows a program running on your PC to tell your router to set up port forwarding. Most routers nowadays support this. NAT-PMP is much less widely implemented. It seems that because of this many people do not realize that incoming connections are being forwarded to their torrent client. When using a VPN, you should turn off UPnP and NAT-PMP in your torrent client.
For uTorrent, do "Options/Preferences", then select "Connection" and paste in (or type) the port number AirVPN generated for you. Then click "OK".

For Vuze do "Tools/Options", then "Connections" and paste in (or type) the port number AirVPN generated for you. Then click "Save".

Also for Vuze, to turn off UPnP and NAT-PMP use "Tools/Options/Plugins/UPnP" and "Tools/Options/Plugins/UPnP/NAT-PMP":

Now go back to the AirVPN port forwarding page and click the "Check" button for the port. When this completes the "Status" icon should turn green.

A Very Active Copyright Free Torrent to Test With

If you want a very active torrent to test with that has no copyright issues, use the Ubuntu Desktop torrent:
http://www.ubuntu.com/download/desktop/alternative-downloads

Checking That the VPN Is Working

To see whether you are receiving incoming connections:

uTorrent: Use "Options/Show Status Bar". In the Status Bar area (at the bottom) select the "Peers" tab. Hopefully you have the "Flags" column? If not, right mouse-click on the column title area and enable it. What you want to see is a few peers with "I" as one of the flags. This means the peer connected to you. The meaning of each flag is available in "Help/uTorrent Help".

Vuze: If the icon in front of the torrent is green, then you have received incoming connections. To pursue this further, right mouse-click on a torrent and select "Show Details". Then select the "Peers" tab. Hopefully you have the "T" column? If not, right mouse-click on the column title area and enable it. The peers that have "R" in the "T" column came to you as incoming connections.

Process Explorer

But there is a more general and powerful way to check what is happening with a torrent client's IP connections. There is a useful tool that Microsoft provides - "Process Explorer":
http://technet.microsoft.com/en-ca/sysinternals/bb896653.aspx

With it you can see all of the network connections a program is making.
Once it is installed, start it and in the process tree that gets shown locate "uTorrent.exe" or "Azureus.exe" under "explorer.exe". Right-mouse click on it and select "Properties...". Then select the "TCP/IP" tab. In that, uncheck the "Resolve addresses" check box. If you see connections on the port that you set up as the incoming port, that is another indication that you are receiving incoming connections.

Using Process Explorer you will also be able to see if any connections are being made on the native interface rather than the VPN interface (as they should be). This is an example of what you can see with Process Explorer:

In the example above, Vuze is listening for connections on port 63676, so the "ESTABLISHED" connections to that port are from incoming connections. It can be helpful to sort the items in this display in various orders by clicking on the column headers.

The possible states are described here:
http://support.microsoft.com/kb/137984

This is a summary taken from the link above:

- SYN_SEND - Indicates active open.
- SYN_RECEIVED - Server just received SYN from the client.
- ESTABLISHED - Client received server's SYN and session is established.
- LISTEN - Server is ready to accept connection.
- FIN_WAIT_1 - Indicates active close.
- TIMED_WAIT - Client enters this state after active close.
- CLOSE_WAIT - Indicates passive close. Server just received first FIN from a client.
- FIN_WAIT_2 - Client just received acknowledgment of its first FIN from the server.
- LAST_ACK - Server is in this state when it sends its own FIN.
- CLOSED - Server received ACK from client and connection is closed.

Guide to Setting Up VPN Just for Torrenting on Windows - Part 2

Routing Table Functionality

In what follows, manipulations of the routing table will be used to achieve certain goals. Some understanding of the routing table will be needed in order for the reader to complete these.
You may also want to see the Wikipedia page about the routing table:
http://en.wikipedia.org/wiki/Routing_table

Please refer to the listings generated by "route print" above.

When a program does an IP "bind" function without specifying a particular IP interface or IP address to bind to, the routing table is used to determine what IP interface to send a packet on, based on the destination. The packet destination is compared against the two values "Network Destination" and "Netmask". These two values together define a "subnet" or "subnetwork". For an explanation of a subnetwork and subnet notations see Wikipedia:
http://en.wikipedia.org/wiki/Subnetwork

The values shown as 4 numbers separated by periods are 32 bit strings, divided up into 4 8-bit chunks, so that each chunk is a value from 0 to 255. But think of these as 32 bit strings. "Netmask" will be all ones on the left and all zeros to the right of that. What matters with it is just how many 1 bits are on the left. If the "Netmask" has only 4 1 bits on the left, then only the left-most 4 bits of the packet destination and "Network Destination" are compared for a match.

A packet destination may have several routing table entries that match by this criterion. The one that will be used is the one for which the "Netmask" has the most 1 bits. If that does not resolve it, the lowest "Metric" is then checked.

The entry with the "0.0.0.0" Netmask is called the "default" gateway:

    ...
    Network Destination        Netmask          Gateway       Interface  Metric
    ...
              0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.69      10
    ...
    Default Gateway:     192.168.1.254
    ...

This "0.0.0.0" entry will match anything, since no bits have to be compared. So if no more specific entry is found, that is where a packet will go.

Now look at the screen shot above labelled "Comparison of Routing Table with VPN Up Versus Down". The extra lines when the VPN is up were added by the OpenVPN client. Note these two extra lines in particular:

    ...
    Network Destination        Netmask          Gateway       Interface  Metric
    ...
              0.0.0.0        128.0.0.0      10.4.50.141     10.4.50.142       1
    ...
            128.0.0.0        128.0.0.0      10.4.50.141     10.4.50.142       1
    ...
    Default Gateway:       10.4.50.141
    ...

These entries with "128.0.0.0" prevent the "0.0.0.0" entry from ever being used, because one of these will match any address, and they are more specific (one 1 bit on the left of the Netmask rather than no bits at all). This makes the VPN gateway (10.4.50.141) the new "default gateway". The other additional entries serve various purposes which are not relevant to our discussion below.

Advanced Set Up for Windows XP

As I explained above, I was not able to find a way under XP to use the native interface for normal activities while using the VPN for the torrent clients. I could not get the torrent clients to use the VPN interface unless it was the default gateway in the routing table. It appears that you have to use the VPN for everything or nothing.

However it is possible to use a combination of the firewall and the routing table to ensure that no P2P traffic uses the native interface when the VPN is not running.

Set Up for Windows XP Firewall

First I will discuss the firewall. It does not seem to be possible to fully block all torrent traffic from the native interface using just the limited firewall that came with XP. Although you can block incoming connections to some extent, you cannot block outgoing connections at all. And registering your IP address against torrent hashes on a tracker or by DHT is already bad enough for IP address trolls to see you. And if they register themselves on a tracker as having a torrent you want, you may connect to them (even worse). You could also be given their IP address as a source by peer exchange even if you strip things down to DHT only. With some other firewall that works on XP you may still be able to do this. There may be information on the AirVPN forum.
If you have a router, you may not have had Windows firewall enabled, relying on your router to provide the firewall. However you should have Windows firewall enabled at least for the VPN interface, with an exception for your torrent client. The following screen shots illustrate how to do this:

This will allow incoming connections for torrent clients from the native interface too. But you should be able to configure your router so that no incoming connections are forwarded from the internet to your PC. You will have to poke around in its GUI/HTTP interface.

Besides turning off any explicit port forwarding in your router, you need to consider UPnP:
https://en.wikipedia.org/wiki/Universal_Plug_and_Play

UPnP support in the router allows a program running on your PC to tell your router to set up port forwarding. Most routers nowadays support this. It seems that because of this many people do not realize that incoming connections are being forwarded to their torrent client. The thing is, malicious programs can do this too! So you may want to go further and disable UPnP in your router. However you may be using some other program that needs it.

With UPnP off (and no explicit port forwarding rules in the router), you can be sure that no incoming connections can come in by the native interface.

If you do want to block incoming torrent connections only on the native interface, then do not enable the exceptions for the clients on the "Exceptions" tab as shown above, but instead go to "Advanced Settings" from the "Advanced" tab and provide exception rules only for the VPN interface, as shown below:

Using this approach, you have to define the rules based on the ports rather than the programs, and you will need a TCP and a UDP rule for each port.
Routing Table Change to Block Outgoing Native Traffic

In order to ensure that outgoing traffic will not go out over the native interface, one can make a change to the routing table which will guarantee that no traffic of any sort (except the encrypted VPN traffic itself) will be able to find its way to the native interface.

Refer to the section "Routing Table Functionality" above. If the VPN goes down, the "128.0.0.0" entries that override the default gateway will be removed by the OpenVPN client. If the "0.0.0.0" entry is removed, then there will be no default gateway and nothing will be able to find its way out to the internet.

A variation of this approach is discussed here:
http://cranthetrader.blogspot.ca/2011/10/dont-allow-non-vpn-traffic.html
But it seems to me that the procedure described on that page is far more complicated than necessary.

Once the VPN is running, you can just remove the "0.0.0.0" entry from the routing table using this command at a command prompt:

    route delete 0.0.0.0 192.168.1.254

If you want to stop the VPN and use the native interface again, then after shutting down the VPN, restore the default gateway entry for the native interface using this command at a command prompt:

    route add 0.0.0.0 mask 0.0.0.0 192.168.1.254

Note that "192.168.1.254" above must be replaced with the gateway for your native interface. If you lose track of this, it is part of the information displayed for interfaces by "ipconfig /all" (see the examples above).

For convenience, you could create two ".bat" files each with one of these commands. I suggest that you place a "pause" command at the end so that the window that opens to run the command does not disappear before you can see if it worked.

Advanced Set Up for Windows Vista and Windows 7

The set up described below works on either Vista or Windows 7. I use Windows 7, but I have confirmed that it works on Vista using a virtual machine I have with Windows Vista on it.
All of the samples below are taken from Windows Vista. There are a couple of small differences in the GUI for "Windows Firewall with Advanced Security". I also encountered a problem getting the firewall blocking to work fully for Windows Vista. Getting the firewall to block uTorrent from using the native interface worked, but getting it to block Vuze has not worked! Blocking Vuze works fine on Windows 7. But there is a saving grace. Fortunately Vuze has an option that prevents it using the default interface if it is configured to use a specific interface. I use this on Windows 7 too, even though it does not appear to be necessary.

Set Up for Windows Firewall with Advanced Security

To set up the blocking of both incoming and outgoing connections in the way we need, you have to use "Windows Firewall with Advanced Security", which is separate from "Windows Firewall" in the Windows Start menu. You have to first get into "Administrative Tools". The following screen shot shows how to get into "Windows Firewall with Advanced Security":

Once you are into "Windows Firewall with Advanced Security" you can configure rules for both incoming and outgoing connections at a level of detail much greater than you could for Windows XP. In order to do this we will need to determine an appropriate subnet definition for the native interface and the VPN interface. This can be obtained from examining output from the "ipconfig /all" and "route print" commands:

C:\Users\user>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : virtual_Vista
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-B8-2E-BD-7C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5d15:cf7:c242:3e80(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.4.50.142(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : Wednesday, March 13, 2013 11:38:12 AM
   Lease Expires . . . . . . . . . . : Thursday, March 13, 2014 11:38:12 AM
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 10.4.50.141
   DHCPv6 IAID . . . . . . . . . . . : 234946488
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-79-1E-1D-00-0C-29-3D-07-02
   DNS Servers . . . . . . . . . . . : 10.4.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-E3-F7-8B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9c19:3be7:696c:e04(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.67(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, March 13, 2013 11:32:09 AM
   Lease Expires . . . . . . . . . . : Thursday, March 14, 2013 11:32:09 AM
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 251661353
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-79-1E-1D-00-0C-29-3D-07-02
   DNS Servers . . . . . . . . . . . : 192.168.1.254
                                       75.153.176.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{A8B29C02-92F2-4901-B6DB-0A2CD26E54D2}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:953c:349c:1efb:f5fb:cd71(Preferred)
   Link-local IPv6 Address . . . . . : fe80::349c:1efb:f5fb:cd71(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{B82EBD7C-FAAE-42FB-AAA5-4E849D98E35A}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\user>route print
===========================================================================
Interface List
 14 ...00 ff b8 2e bd 7c ...... TAP-Windows Adapter V9
 10 ...00 0c 29 e3 f7 8b ...... Intel(R) PRO/1000 MT Network Connection
  1 ........................... Software Loopback Interface 1
 13 ...00 00 00 00 00 00 00 e0  isatap.{A8B29C02-92F2-4901-B6DB-0A2CD26E54D2}
 12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
 15 ...00 00 00 00 00 00 00 e0  isatap.{B82EBD7C-FAAE-42FB-AAA5-4E849D98E35A}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.67     10
          0.0.0.0        128.0.0.0      10.4.50.141      10.4.50.142     30
         10.4.0.1  255.255.255.255      10.4.50.141      10.4.50.142     30
      10.4.50.140  255.255.255.252         On-link       10.4.50.142    286
      10.4.50.142  255.255.255.255         On-link       10.4.50.142    286
      10.4.50.143  255.255.255.255         On-link       10.4.50.142    286
     95.211.169.3  255.255.255.255    192.168.1.254     192.168.1.67     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        128.0.0.0        128.0.0.0      10.4.50.141      10.4.50.142     30
      192.168.1.0    255.255.255.0         On-link      192.168.1.67    266
     192.168.1.67  255.255.255.255         On-link      192.168.1.67    266
    192.168.1.255  255.255.255.255         On-link      192.168.1.67    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       10.4.50.142    286
        224.0.0.0        240.0.0.0         On-link      192.168.1.67    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       10.4.50.142    286
  255.255.255.255  255.255.255.255         On-link      192.168.1.67    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 12     18 ::/0                     On-link
  1    306 ::1/128                  On-link
 12     18 2001::/32                On-link
 12    266 2001:0:9d38:953c:349c:1efb:f5fb:cd71/128
                                    On-link
 14    286 fe80::/64                On-link
 10    266 fe80::/64                On-link
 12    266 fe80::/64                On-link
 12    266 fe80::349c:1efb:f5fb:cd71/128
                                    On-link
 14    286 fe80::5d15:cf7:c242:3e80/128
                                    On-link
 10    266 fe80::9c19:3be7:696c:e04/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
 14    286 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Examining the "ipconfig /all" output we see that:

* the VPN interface ("Local Area Connection 3") has IP address 10.4.50.142 and provides a path to the gateway 10.4.50.141
* the native interface (with IP address 192.168.1.67) provides a path to the gateway 192.168.1.254

Examining the "route print" output we see that:

* the VPN interface (with IP address 10.4.50.142) provides a path to the gateway 10.4.50.141
* the native interface ("Local Area Connection") has IP address 192.168.1.67 and provides a path to the gateway 192.168.1.254 (this can also be gleaned from the "ipconfig /all" output)

For the firewall rules, we need to use the CIDR subnet ("prefix/length") notation: http://en.wikipedia.org/wiki/CIDR_notation#CIDR_notation

We will go with "10.4.0.0/16" as a subnet definition containing the VPN address and with "192.168.0.0/16" as a subnet definition containing our native interface. We need these two subnet definitions to not overlap, and to be big enough that they will not need to change if the address given to us by the VPN DHCP server or our router DHCP server changes. A prefix length of 16 should be plenty for this.

I will explain the rationale for the firewall rules I set up after some screen shots that give the gist of how to use the firewall set up GUI. The following screen shots show the summary window:

Rules for Incoming Connections

Rules for Outgoing Connections

The following screen shots illustrate how to set the properties of firewall rules:

Specifying the Properties for a Firewall Rule

Installing (or perhaps running the first time) uTorrent will have created Inbound rules named "Torrent (TCP-In)" and "Torrent (UDP-In)". Installing (or perhaps running the first time) Vuze will have created a rule named "Azureus / Vuze" for each of TCP and UDP. We want to change these so that they allow incoming connections only from the VPN.
In the screen shot above for Incoming connections you will see that the "Local IP address" property has been set to "10.4.0.0/16". Although I do not recall changing anything else, make whatever other changes you need to ensure that the rules you create are as in the example above. You could, if you prefer, disable the original rules and create new ones.

The uTorrent and Vuze installations do not create any Outbound rules. So I have created a rule for uTorrent ("_uTorrent") and for Vuze ("_Vuze"). We want these rules to block outgoing traffic over the native interface from our torrent clients. We need these rules to be "blocking" rules, applying to all profiles and all protocols, and with the "Local IP address" property set to "192.168.0.0/16". Make whatever other changes you need to ensure that the rules you create are as in the example above.

Set Up for Torrent Clients

Next we set up the torrent clients to use only the VPN interface. This will give additional assurance that torrent traffic does not go out over the native interface, and also allow us to make the changes to the routing table that will cause the VPN interface to be used only for torrent traffic. The following screen shot illustrates setting the IP interface for uTorrent:

Setting IP Interface for uTorrent

From the menu in uTorrent select "Options/Preferences" and then select "Advanced". You need to set "net.bind.ip" and "net.outgoing.ip" to the IP address of the VPN interface. Unfortunately for uTorrent one has to specify the IP address, unlike Vuze (see below). So long as I continue to use the same AirVPN server, since my DHCP lease is for a year, I do not need to change the uTorrent configuration. If I wish to change the AirVPN server, I have to change the IP address uTorrent uses. At the time of writing, AirVPN does not allow one to have a fixed local IP address for the VPN interface, otherwise this could be avoided.
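The subnet choice and the firewall rule set described above, as an added worked example (my code, not the guide's and not anything from Windows or the torrent clients): it checks that the two /16 definitions contain the addresses from the sample output and do not overlap, and it models how "Windows Firewall with Advanced Security" evaluates the guide's rules, i.e. an explicit block rule beats an allow rule, unmatched inbound traffic is blocked by default and unmatched outbound traffic is allowed by default. The program names "utorrent.exe", "vuze.exe" and "browser.exe" are assumed placeholders, not the real executable names.

```python
"""Model of the guide's firewall rules: inbound allow on the VPN subnet, outbound block on the native subnet."""
import ipaddress

# The two subnet definitions chosen in the guide (prefix length 16 so a DHCP change does not break them).
VPN_SUBNET = ipaddress.IPv4Network("10.4.0.0/16")
NATIVE_SUBNET = ipaddress.IPv4Network("192.168.0.0/16")

def subnets_are_sane(vpn_addr, native_addr):
    """True when each definition contains the current address of its interface and they do not overlap."""
    return (ipaddress.IPv4Address(vpn_addr) in VPN_SUBNET
            and ipaddress.IPv4Address(native_addr) in NATIVE_SUBNET
            and not VPN_SUBNET.overlaps(NATIVE_SUBNET))

# The rules the guide ends up with. Program names are assumed placeholders.
# Protocol and port are "any", as in the guide's outbound rules, so they are not modelled.
RULES = [
    {"dir": "in",  "action": "allow", "program": "utorrent.exe", "local": VPN_SUBNET},
    {"dir": "in",  "action": "allow", "program": "vuze.exe",     "local": VPN_SUBNET},
    {"dir": "out", "action": "block", "program": "utorrent.exe", "local": NATIVE_SUBNET},
    {"dir": "out", "action": "block", "program": "vuze.exe",     "local": NATIVE_SUBNET},
]

def decide(direction, program, local_ip, rules=RULES):
    """Windows Firewall evaluation order for a connection of `program` using local address `local_ip`:
    any matching block rule wins, else any matching allow rule, else the profile default
    (inbound blocked, outbound allowed)."""
    local = ipaddress.IPv4Address(local_ip)
    matching = [r for r in rules
                if r["dir"] == direction and r["program"] == program and local in r["local"]]
    if any(r["action"] == "block" for r in matching):
        return "block"
    if any(r["action"] == "allow" for r in matching):
        return "allow"
    return "block" if direction == "in" else "allow"

if __name__ == "__main__":
    # Addresses from the guide's sample "ipconfig /all" output.
    print("subnets OK:", subnets_are_sane("10.4.50.142", "192.168.1.67"))
    for direction, program, ip in [("in", "utorrent.exe", "10.4.50.142"),
                                   ("in", "utorrent.exe", "192.168.1.67"),
                                   ("out", "vuze.exe", "192.168.1.67"),
                                   ("out", "vuze.exe", "10.4.50.142"),
                                   ("out", "browser.exe", "192.168.1.67")]:
        print(direction, program, ip, "->", decide(direction, program, ip))
```

The last case is the point of binding the block rule to the program: a browser on the native interface is untouched, while the torrent client on that same interface is blocked in both directions (inbound because nothing allows it there, outbound because the "_uTorrent"/"_Vuze" rule blocks it).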
The following screen shot illustrates setting the IP interface for Vuze:

Setting IP Interface for Vuze

From the menu in Vuze select "Options" and then select "Connection/Advanced Network Settings". First ensure that the check box labelled "Enforce IP bindings even when interfaces are not available, ..." (at the bottom of the page) is enabled. Next fill in the text box labelled "Bind to local IP address or interface". You could fill in the actual IP address of the VPN interface as we did for uTorrent. But it is better to scan the list of interfaces further down the page for the one for the VPN interface. In the sample screen shot you will see that the VPN address "10.4.50.142" goes with the interface "eth5[0]". So I have copied and pasted that into the text box instead. By using the interface name rather than the IP address, I avoid having to change the Vuze set up if the address of my VPN interface changes (when I switch OpenVPN servers for example).

Routing Table Changes to Restore Native Gateway

The final step in this set up is to add some additional routing table entries to restore the native gateway as the default gateway. Recall (see the discussion above) that the OpenVPN client added two routing table entries with a subnet prefix length of 1 bit (net mask 128.0.0.0) in order to override the original routing table entry that made the native interface the default gateway. That original routing table entry (just 1 entry) had a subnet prefix length of 0 bits (net mask 0.0.0.0). Because the subnet prefix length of the routing table entries the VPN client made is longer, and the two entries together cover the full IP address space, these two new entries had the effect of overriding the original default gateway. One might think then that we just need to delete the two entries with net mask "128.0.0.0". And indeed, if we were not using Windows, this would probably work!
But I have found that with these entries removed, Windows does not allow the torrent clients to bind to the VPN interface, which they were configured above to use. But there is another possibility, which I have found does work. We will do what the VPN client did - add more routing table entries. Our entries will have a subnet prefix length of 2 bits (net mask 192.0.0.0). In order to cover the full IP address space we need 4 entries (see the pattern?).

To this end, create two ".bat" files. Files ending in .bat are expected by Windows to contain "scripts" that run the same commands that you can run at the Windows Command Prompt. Create two files as follows.

"VPN_gateway_suspend.bat" containing:

@set GATEWAY=192.168.1.254
route add 0.0.0.0 mask 192.0.0.0 %GATEWAY%
route add 64.0.0.0 mask 192.0.0.0 %GATEWAY%
route add 128.0.0.0 mask 192.0.0.0 %GATEWAY%
route add 192.0.0.0 mask 192.0.0.0 %GATEWAY%
@pause

"VPN_gateway_restore.bat" containing:

@set GATEWAY=192.168.1.254
route delete 0.0.0.0 mask 192.0.0.0 %GATEWAY%
route delete 64.0.0.0 mask 192.0.0.0 %GATEWAY%
route delete 128.0.0.0 mask 192.0.0.0 %GATEWAY%
route delete 192.0.0.0 mask 192.0.0.0 %GATEWAY%
@pause

I put my files into the folder "C:\bat\VPN". The route commands to add and delete entries require administrator privilege. So to run the .bat files directly you have to right mouse-click on them and select "Run as administrator". As a convenience, I create short cuts to these .bat files and set "Run as administrator" in their "Advanced Properties":

To be sure these scripts and short cuts are working for you, use the "route print" command in a Windows Command Prompt window.
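The routing-table reasoning in the guide (the two /1 entries OpenVPN adds, the "route delete 0.0.0.0" trick, and the four /2 entries in VPN_gateway_suspend.bat) as an added worked example; this is my code, not the guide's and not part of OpenVPN or Windows. It parses the IPv4 "Active Routes" rows from the guide's own "route print" sample (the loopback, multicast and broadcast rows are left out for brevity), applies Windows' longest-prefix-match rule with the metric as tie-breaker, and then simulates each of the three changes. cover_routes() generalizes the "see the pattern?" remark: 2**n entries of prefix length n cover the whole address space, which is also where the eight entries with net mask 224.0.0.0 used later in this thread come from. The destination 203.0.113.10 is a documentation address chosen for the test.

```python
"""Longest-prefix-match walk-through of the routing tables in this guide (added example)."""
import ipaddress
import re

# IPv4 "Active Routes" from the guide's sample "route print" output, VPN up, before any .bat file.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.67     10
          0.0.0.0        128.0.0.0      10.4.50.141      10.4.50.142     30
         10.4.0.1  255.255.255.255      10.4.50.141      10.4.50.142     30
      10.4.50.140  255.255.255.252         On-link       10.4.50.142    286
     95.211.169.3  255.255.255.255    192.168.1.254     192.168.1.67     10
        128.0.0.0        128.0.0.0      10.4.50.141      10.4.50.142     30
      192.168.1.0    255.255.255.0         On-link      192.168.1.67    266
"""

# One data row: destination, netmask, gateway (or "On-link"), interface address, metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def parse_route_print(text):
    """Turn the 'Active Routes' block of 'route print' into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "net": ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "iface": iface,
            "metric": int(metric),
        })
    return routes

def lookup(routes, dst):
    """Interface address Windows would send to `dst` from: longest prefix wins, lowest metric on a tie."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None  # no route at all: the packet cannot leave the machine
    best = max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))
    return best["iface"]

def cover_routes(prefix_len):
    """The 2**prefix_len networks of that length; together they cover every IPv4 address.
    prefix_len=1 gives OpenVPN's two 128.0.0.0 entries, 2 gives the guide's four 192.0.0.0 entries."""
    return [str(n) for n in ipaddress.IPv4Network("0.0.0.0/0").subnets(new_prefix=prefix_len)]

def with_native_override(routes, gateway="192.168.1.254", iface="192.168.1.67", prefix_len=2):
    """What VPN_gateway_suspend.bat does: one route per cover network, via the native gateway."""
    added = [{"net": ipaddress.IPv4Network(n), "gateway": gateway, "iface": iface, "metric": 10}
             for n in cover_routes(prefix_len)]
    return routes + added

def without_default(routes):
    """What 'route delete 0.0.0.0 192.168.1.254' does: drop the prefix-length-0 entry."""
    return [r for r in routes if r["net"].prefixlen != 0]

def with_vpn_down(routes, vpn_iface="10.4.50.142"):
    """When OpenVPN exits it removes the routes it added, i.e. everything via the TAP adapter."""
    return [r for r in routes if r["iface"] != vpn_iface]

if __name__ == "__main__":
    base = parse_route_print(ROUTE_PRINT)
    dst = "203.0.113.10"
    print("VPN up, unchanged table       ->", lookup(base, dst))
    print("after VPN_gateway_suspend.bat ->", lookup(with_native_override(base), dst))
    print("VPN gateway itself, after bat ->", lookup(with_native_override(base), "10.4.50.141"))
    print("default deleted, VPN still up ->", lookup(without_default(base), dst))
    print("default deleted, VPN down     ->", lookup(with_vpn_down(without_default(base)), dst))
```

The last two lines are the fail-closed property the "Routing Table Change to Block Outgoing Native Traffic" section relies on: with the 0.0.0.0 entry gone, ordinary traffic still leaves through the /1 entries while the tunnel is up, and has no route at all once OpenVPN has removed them. The /30 and /32 entries for the tunnel itself are untouched by the /2 overrides, which is why the torrent clients keep working after VPN_gateway_suspend.bat.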
Staff 10013 Posted ...

Hello!

Impressively detailed guide, rich in information on related topics, thank you!

You might also like to include an alternative solution in part 2, much quicker, specific to Vuze (uTorrent lacks the bind to an interface option):

- insert the "route-nopull" directive in the .ovpn configuration file (insert the line anywhere before the certificates and key)
- bind Vuze to the tun/tap adapter (menu "Tools"->"Options"->"Mode"->"Advanced"->"Connection"->"Advanced connection settings" as shown in your screenshot)

route-nopull tells the OpenVPN client to reject the routing table pushed by the OpenVPN server, while preserving the DHCP-push for the TUN/TAP adapter, making it ready to be "used" by applications bound to it.

This solution has the advantage of taking just a few seconds once and for all, and it does not require scripts and firewall rules, but it has the disadvantage that it is applicable only with Vuze and that it can't currently be achieved with the Air client for Windows. You'll need to use OpenVPN GUI or OpenVPN directly to connect to a VPN server with the "route-nopull" directive. The Configuration Generator has the ability to generate such configuration files.

Kind regards
NaDre 157 Posted ...

> bind Vuze to the tun/tap adapter (menu "Tools"->"Options"->"Mode"->"Advanced"->"Connection"->"Advanced connection settings" as shown in your screenshot)

This is what I do. And I thought I indicated this in the guide. Is it not clear? I will try to emphasize this when I next look at it.

> insert the "route-nopull" directive in the .ovpn configuration file (insert the line anywhere before the certificates and key)
>
> route-nopull tells the OpenVPN client to reject the routing table pushed by the OpenVPN server, while preserving the DHCP-push for the TUN/TAP adapter, making it ready to be "used" by applications bound to it.
>
> This solution has the advantage of taking just a few seconds once and for all, and it does not require scripts and firewall rules, but it has the disadvantage that it is applicable only with Vuze and that it can't currently be achieved with the Air client for Windows. You'll need to use OpenVPN GUI or OpenVPN directly to connect to a VPN server with the "route-nopull" directive. The Configuration Generator has the ability to generate such configuration files.

This is what I do now. The guide is already a bit out of date. I was not sure if adding this might not make it too complicated for newbies (if it is not already). These are the extra lines I add:

route-nopull
redirect-gateway def1
route 0.0.0.0 192.0.0.0 net_gateway
route 64.0.0.0 192.0.0.0 net_gateway
route 128.0.0.0 192.0.0.0 net_gateway
route 192.0.0.0 192.0.0.0 net_gateway
route 10.4.0.1

Well actually, I do not add "route 10.4.0.1". This is because that line is for routability to AirVPN's DNS servers, which I do not use. I have BIND installed on my PC as a recursive DNS server instead. Having DNS queries sent to 10.4.0.1 when I am using my native interface as the default gateway might be a concern? But to get the same effect as you get without "route-nopull", that line would be needed.
===

UPDATE: If anyone wants to know how I installed BIND on my PC as a "recursive DNS server", see this post: https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?do=findComment&comment=9978

Update to UPDATE: I should have made it clear here that I did this in order to avoid having a "DNS leak".

UPDATE 2: I thought I should also pass this on here. I have a second AirVPN account which I use to stream video from one country while at the same time running my torrent clients over the account I use for P2P, via some other country. In order to do this I need to configure the routing table so as to not conflict with the entries made by the first connection, while making the gateway for the second connection the default gateway. To do this I add these OpenVPN directives to the configuration files for that account:

route-nopull
redirect-private def1
route 0.0.0.0 224.0.0.0
route 32.0.0.0 224.0.0.0
route 64.0.0.0 224.0.0.0
route 96.0.0.0 224.0.0.0
route 128.0.0.0 224.0.0.0
route 160.0.0.0 224.0.0.0
route 192.0.0.0 224.0.0.0
route 224.0.0.0 224.0.0.0
route 10.4.0.1

I leave the "route 10.4.0.1" line out of the directives for my torrenting account so that it will not conflict with that same line when it is applied for my second/browsing account.

For reference, the documentation for OpenVPN configuration directives is here: https://community.op...penvpn23ManPage

UPDATE 3: I should also have pointed out that you need a second "TAP-Windows Adapter" interface in order to have a second connection at the same time. You can install an additional adapter by running (as "Administrator" - right mouse-click on the script to see the option to do this) this script: "C:\Program Files\TAP-Windows\bin\addtap.bat"

UPDATE to UPDATE 3: In the Windows "Start Menu" the "addtap.bat" can also be found as "TAP-Windows/Utilities/Add a new TAP virtual ethernet adapter". You still need to run it as "Administrator" by right mouse-clicking.
Staff 10013 Posted ...

> > bind Vuze to the tun/tap adapter (menu "Tools"->"Options"->"Mode"->"Advanced"->"Connection"->"Advanced connection settings" as shown in your screenshot)
>
> This is what I do. And I thought I indicated this in the guide. Is it not clear? I will try to emphasize this when I next look at it.

Hi, no problems, it's very clear! It was just re-stressed to suggest (not that it must be a good suggestion, it's just brainstorming) that maybe an ultra-quick solution (for Vuze inexperienced users only) that does not imply firewall settings and scripts could be welcome by someone who wishes to split traffic and secure the tunnel exclusively on a "torrent and non-torrent traffic" basis. However, the issue of tracker names resolution via DNS was overlooked, it was silently assumed that Vuze would work with DHT[+PEX], in a "trackerless mode".

> Well actually, I do not add "route 10.4.0.1". This is because that line is for routability to AirVPN's DNS servers, which I do not use. I have BIND installed on my PC as a recursive DNS server instead. Having DNS queries sent to 10.4.0.1 when I am using my native interface as the default gateway might be a concern? But to get the same effect as you get without "route-nopull", that line would be needed.

At a first glance and according to this writer, it is not a privacy/security concern. It is anyway to be considered, under a general point of view, that not using Air DNS servers will prevent usage of our anti-geo-location block system (for example to access Hulu from non-USA servers), which might be an inconvenience for those who rely on that, so it is good that the issue, for any possible case in which Air DNS servers are not used, is explicitly cited.

Kind regards
NaDre 157 Posted ...

> no problems, it's very clear! It was just re-stressed to suggest (not that it must be a good suggestion, it's just brainstorming) that maybe an ultra-quick solution (for Vuze inexperienced users only) that does not imply firewall settings and scripts could be welcome by someone who wishes to split traffic and secure the tunnel exclusively on a "torrent and non-torrent traffic" basis. However, the issue of tracker names resolution via DNS was overlooked, it was silently assumed that Vuze would work with DHT[+PEX], in a "trackerless mode".

I had misunderstood your first post. Sorry.

One issue I see with just relying on Vuze is that the firewall entry for incoming connections that Windows would make when Vuze first attempted to listen for connections would be done so as to allow connections from any "public" interface, since the VPN interface is considered public. But wireless connections are also considered public by Windows. So this could be a bad thing. And if I recall correctly, if Vuze was previously used with the native (private) IP interface, there may be an incoming rule entry that blocks incoming connections on public interfaces (if the user accepted the defaults). I think you would want to modify the firewall rules for Vuze to restrict to only the AirVPN interface.

In general, I wonder if people shouldn't try to understand how their firewall is configured, and check what sorts of firewall rules get added by Windows when programs first try to receive incoming connections. Similarly, I think it may be important that people understand that their router probably supports UPnP and has it enabled by default, and so programs that want to receive incoming connections may create forwarding rules for incoming connections in their router.
Staff 10013 Posted ...

> One issue I see with just relying on Vuze is that the firewall entry for incoming connections that Windows would make when Vuze first attempted to listen for connections would be done so as to allow connections from any "public" interface, since the VPN interface is considered public. But wireless connections are also considered public by Windows. So this could be a bad thing. And if I recall correctly, if Vuze was previously used with the native (private) IP interface, there may be an incoming rule entry that blocks incoming connections on public interfaces (if the user accepted the defaults). I think you would want to modify the firewall rules for Vuze to restrict to only the AirVPN interface.

Hello!

That's totally correct. Yes, you're right, setting anyway the rules for Vuze is a much better suggestion.

Kind regards
NaDre 157 Posted ...

Since I wrote this, I have found a way to get the effect of a static IP address, so that I do not have to change the configuration of my bittorrent clients when I change servers. See this post: https://airvpn.org/topic/9518-faking-static-local-vpn-addess-using-client-nat-ifconfig/?do=findComment&comment=10449
NaDre 157 Posted ...

> NaDre, I've read the thread you posted, https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/ I had a few questions. When you set this up, were your intentions to do something like the following... Connect to a server (OpenVPN) > launch torrent client > download whatever > utilize your web browser with a different (your ISP's IP address?) while the torrent client is running, of course. If not, is that a possibility? Thanks, -???????

Correct. Is that not clear from the introduction? Let me try to be more clear. My torrent clients run continually. But I use my normal IP interface for everything else at the same time, except when I briefly make AirVPN my default gateway in order to stream media subject to geo-location restrictions. I find using the VPN continually to be very problematic, and it is really not something I require.

I have (after removing your user name) posted this reply in the forum too, where it may benefit others too, or stimulate similar questions.
computermantom 0 Posted ...

What no love for the Mac? I did not see a similar setup guide for a Mac. If I missed it could someone please link me to it. I am a new member. Thanks
NaDre 157 Posted ...

> What no love for the Mac? I did not see a similar setup guide for a Mac. If I missed it could someone please link me to it. I am a new member. Thanks

As I wrote the guide I was actually doing the set up from scratch on Windows virtual machines under VMWare Player, so that I could be sure that what I was writing was not just theory, but actually worked. Often Windows does not work as one would expect (or as it probably should).

I do not use Mac. So I cannot write such a guide. But I would think that a similar approach could be adapted to a Linux-based or BSD-based (like Mac I believe?) OS, which generally behave much more as they "should". I am very familiar with Linux, and could probably write a Linux version. But I wonder if Linux users may not generally be technical enough to adapt the approach without a detailed guide. I don't want to spend a lot of time if very few people will benefit from it.

===

EDIT: Perhaps I should hasten to add that I am not staff here, although staff did try out the details in my guide and decided that it did work, and then posted it in their "How-To" area. I cannot speak for the staff here. But I think the main focus of AirVPN is on addressing the needs of folks who have a need for a much more complete anonymity solution, rather than just on those of us who just don't want to get nasty letters from our ISPs. And I applaud them for that. By comparison, my use of AirVPN could probably be seen as being a bit frivolous. But I suspect a lot of people signing up here want pretty much just what I want. But we may have to band together and help each other to a great extent.

EDIT 2: I should have mentioned that the firewall set up would have to be addressed quite differently for Linux since IPTABLES does not allow the program instance making the connection to be specified in a rule (unless some dramatic changes have occurred since I last did this sort of thing on Linux).
So you would have to block incoming connections to the ports on which your clients are listening instead. To do the blocking for outgoing connections, you would want to configure the clients (possible for Vuze and uTorrent) to use a fixed port for outgoing traffic, and then block outgoing traffic for those ports.

EDIT 3: If you are using Linux, see these posts:

https://airvpn.org/topic/14634-problems-using-air-vpn-as-non-default-route/
https://airvpn.org/topic/14158-question-run-airvpn-as-non-primary-network-adapter/?p=27398
quim 0 Posted ...

I followed these instructions, it worked great for a couple of minutes. Right now no matter what server I connect to, the airvpn website sees my status as "Not Connected", with my IP being unchanged. When I run the two .bat files, I get results like these.

C:\bat\VPN>route delete 0.0.0.0 mask 192.0.0.0 192.168.1.254
The route deletion failed: Element not found.

C:\bat\VPN>route delete 64.0.0.0 mask 192.0.0.0 192.168.1.254
The route deletion failed: Element not found.

C:\bat\VPN>route delete 128.0.0.0 mask 192.0.0.0 192.168.1.254
The route deletion failed: Element not found.

C:\bat\VPN>route delete 192.0.0.0 mask 192.0.0.0 192.168.1.254
The route deletion failed: Element not found.

Press any key to continue . . .

And

C:\bat\VPN>route add 0.0.0.0 mask 192.0.0.0 192.168.1.254
The route addition failed: The object already exists.

C:\bat\VPN>route add 64.0.0.0 mask 192.0.0.0 192.168.1.254
The route addition failed: The object already exists.

C:\bat\VPN>route add 128.0.0.0 mask 192.0.0.0 192.168.1.254
The route addition failed: The object already exists.

C:\bat\VPN>route add 192.0.0.0 mask 192.0.0.0 192.168.1.254
The route addition failed: The object already exists.

Press any key to continue . . .

So in essence, being connected to any vpn server appears to be about the same as not being connected to one at all. Perhaps I have somehow messed up the routing table? What can I do to fix this?

Edit: This issue only appears when running the OpenVPN GUI - the AirVPN client still works fine.

Edit 4/12/2014: Everything has been fine a while now, move along, nothing to see here
NaDre 157 Posted ...

> I followed these instructions, it worked great for a couple of minutes. Right now no matter what server I connect to, the airvpn website sees my status as "Not Connected", with my IP being unchanged. When I run the two .bat files, I get results like these....

When you have the set up working and connect to the web site, because the web site does not see you as coming from an AirVPN exit IP address, it says "Not Connected" at the bottom of the page. But if you go to the "Client Area" page it will say what server your user ID is connected to. And if you are running torrent clients, you will see that you are using bandwidth via the VPN.

As far as the error messages, I do not see how the entries can be "not found" when you delete them, but then already be there when you try to add them. Certainly I have no such problems.
haiki 0 Posted ...

Hey do we need to disable upnp on the router side, and also I am getting DNS leaks on the dns leak test... Please advise
NaDre 157 Posted ...

> Hey do we need to disable upnp on the router side, ...

I do. But it would probably be enough to ensure the torrent client is set up not to use it. I believe there may be some programs (Games? I am not a gamer.), that will not work without UPnP support in the router.

> ... and also I am getting DNS leaks on the dns leak test... Please advise

I can offer two options:

1) by running a DNS server on your PC

This is what I do: https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?do=findComment&comment=9978

I mentioned this in a post above. But that would be easy to miss. As explained in the post, I run a DNS server (BIND) on my PC.

The usual method of using the AirVPN DNS server could be problematic when you use the normal non-VPN gateway for browsing. A site might check for DNS leaks and decide that you are not where you really are. Also, I believe that content delivery networks (widely used now) may provide different IP addresses for a DNS query depending on where the query came from, in the interest of optimizing access speed. So you get a sort of geo-location going on by default. Note that if your ISP has direct links into some CDN such as Netflix, then when using that service you may want to turn the DNS server into a "forwarder" to your ISP, as explained in the post above. About Netflix see: https://signup.netflix.com/openconnect

UPDATE: I just realized that the post above talks about how to forward to AirVPN, not to your ISP. But the difference is just that you need to provide the IP address of your ISP's DNS server(s), or instead your router's DNS server (routers normally provide a DNS server that forwards to your ISP), which is probably the same as the non-VPN gateway address provided by your router. You can check this though. If you are connected to a router, then your native (i.e. non-VPN/original) IP interface is probably "Local Area Connection". If you are using wifi it may be something like "Wireless Network Connection".
You will be able to see what the name of your interface is if you use this command:

ipconfig /all

Assuming that the interface name is "Local Area Connection", you can see what the original DNS for "Local Area Connection" is set to by using this command:

netsh interface ip show dns "Local Area Connection"

Or you can just pick out the correct information after you see the DNS for all interfaces using this command:

netsh interface ip show dns

2) By switching the DNS server settings for your IP interfaces

I explained a bit more about this in another post here: https://airvpn.org/topic/9289-dns-leaks-and-how-to-fix-them/?do=findComment&comment=11603

You could also adapt the technique described in that post to avoid having to run a DNS server on your PC. Please read that post before reading the rest of this post. The problem with this approach is that the changes made with the netsh command are permanent, and so will persist after a reboot.

Assuming again that you are using a router and that your native (i.e. non-VPN/original) IP interface is "Local Area Connection", that your router provides a DNS server at the same address as it provides a gateway and that this address is 192.168.1.254, that your VPN IP interface is "Local Area Connection 2", and that the appropriate AirVPN DNS server is 10.4.0.1, then in the same .bat file where you restore the non-VPN gateway as the default (by adding the routing table entries with the 192.0.0.0 mask) you can add these commands:

netsh interface ip set dns "Local Area Connection" dhcp
netsh interface ip set dns "Local Area Connection 2" static 192.168.1.254

So both the original non-VPN IP interface and the OpenVPN IP interface are set to your router's/ISP's DNS server.
If you want to add additional DNS servers for "Local Area Connection 2" in order to recreate the full list that "Local Area Connection" has, you can add additional "add" commands like this:

netsh interface ip add dns "Local Area Connection 2" 77.174.234.1

The address used there is just some nonsense for illustration.

And in the same .bat file where you remove the non-VPN gateway as the default (by removing the routing table entries with the 192.0.0.0 mask) you can add these commands:

netsh interface ip set dns "Local Area Connection" static 10.4.0.1
netsh interface ip set dns "Local Area Connection 2" dhcp

So both the original non-VPN IP interface and the OpenVPN IP interface are set to AirVPN's DNS server.

Again, the problem with this approach is that the changes made with the netsh command are permanent, and so will persist after a reboot. So you may (depending upon the sequence of events) need to run the script that adds the routing table entries with the 192.0.0.0 mask after a reboot in order to have access to a DNS server. This is why I prefer to run BIND as my DNS server on my PC and set it as a forwarder to either my ISP or AirVPN when I need this. But as long as you are aware that this might happen, I think this approach would work OK. And many people might prefer it over running BIND.

===

I have not tried here to explain all of this as methodically as in my guide. If anything in this post is not clear, please ask again for guidance here. I have wondered if I should expand the original guide to address DNS issues. But I think a lot of people already find that guide lengthy, and maybe intimidating. Perhaps I will though, once I see how you get on with this. Good luck.
panicmode 0 Posted ... NaDre, thanks for this guide, it was most helpful and well written. One nuance that might be of interest to others that I experienced when I first set it up: upon entering the firewall rule for uTorrent, I navigated to the uTorrent executable, which happens to reside in my appdata folder (weird), and when I selected it and hit OK, Windows automatically applied this path: %appdata%/utorrent/utorrent.exe. I found that with this path configured for the firewall rule, the UDP traffic would often 'escape' out the regular NIC (as I discovered to my horror that my torrents were still uploading when the VPN was off). To resolve this I had to put in the full path, c:\users\username\appdata\utorrent\utorrent.exe, and that seems to have resolved that particular leak.
amnesty 18 Posted ... Hi @panicmode. Welcome. I don't do much torrenting, but did you by any chance mean C:\Users\username\AppData\Roaming\uTorrent\uTorrent.exe? I agree running an executable from an end-user's appdata directory is 'weird'. I actually whitelist and do not allow executables to run from these directories (for my login account with user privileges). I don't log in as an administrator. You have to add an exception for members of the users group for applications that run out of these directories.
panicmode 0 Posted ... @amnesty, yes you are correct, C:\Users\username\AppData\Roaming\uTorrent\uTorrent.exe is the correct path. That's a good idea, I'll have to consider that.
NaDre 157 Posted ... Cross posted from another thread: https://airvpn.org/topic/12562-last-step-w-splitting-my-internet-torrents-w-vpn/

Hi, So I just got into AirVPN & into splitting my internet: I want my torrents to deal with the VPN data and I want everything but torrents to deal with my "real" internet. So I followed the tutorial from A to Z but the last step got me in trouble... I'm kinda not good when it comes to computer things and I just can't get the "Routing Table Changes to Restore Native Gateway" part... I created the bat + VPN folders and put my 2 bat files in but... What should I do with those 2 bat files and their short cuts? Do I have to open them every time VPN's up? VPN's down...? Or do I have to let them in the folders and that's it...? If someone could just explain that part the easiest way haha... It would be really nice! Cuz I don't know what I should do with these 2 bat files... haha! Thanks for your help!

I will assume you have used the same names as in the guide.

After you start the VPN, you must run the one called "VPN_gateway_suspend.bat" after you start the VPN, in order to get back to using the "real" interface for everything besides torrents.

If at some point you want to use the VPN for browsing for a while, then run "VPN_gateway_restore.bat". When you want to go back to using the real interface again run "VPN_gateway_suspend.bat".

After you stop the VPN, you can run "VPN_gateway_restore.bat" to remove the double definition of the real gateway from the routing table, to get back to how things were before you started. You could also run "VPN_gateway_restore.bat" just before you stop the VPN instead. Or in fact you could just leave the double definition of the real gateway in the routing table.
It should do no harm.

Update:

If you do not want to have to run the "VPN_gateway_restore.bat" script by hand after you start the VPN, then assuming that the script is in "C:\bat\VPN\VPN_gateway_restore.bat" (as in the guide) you could add some lines to your OpenVPN config files by ticking "Advanced Mode" and entering the lines under "Custom directives:" on the AirVPN "Configuration Generator" page. The lines to enter are:

script-security 2
up 'C:\\bat\\VPN\\VPN_gateway_suspend.bat'

This will just leave the double definition of the gateway in place when you stop the VPN, which as I said above should do no harm. If you want the double definition removed then the lines you add should be:

script-security 2
up 'C:\\bat\\VPN\\VPN_gateway_suspend.bat'
down 'C:\\bat\\VPN\\VPN_gateway_restore.bat'

Update 2:

It turns out that the AirVPN Configuration Generator does not handle the "\" characters correctly when they are used in "Custom directives:". So instead you will have to add these lines:

script-security 2
up 'VPN_gateway_suspend.bat'
down 'VPN_gateway_restore.bat'

And then copy the scripts you created in with the "*.ovpn" files. I had not realized this because I have my own methods for customizing configuration files.
Mikester 8 Posted ... Not having too much luck here. My NAS was running WHS v1 for over 4 years and I had it set so that everything went through the VPN, which was overkill. I upgraded it to Windows Server 2012 R2 last weekend, and would like to use the VPN only for torrenting on it (I do my browsing, emailing etc on an iMac). First thing I noticed is that checking the status in the Forwarded ports section here gives me a greyish/black dot saying it's unreachable. Connection timed out. Process Explorer was showing a lot of other addresses, instead of just the VPN one, which is odd. I think I need to start the process from scratch, but I'm kind of at a loss about the forwarded port not working. That was working fine before I upgraded, so it's an OS setup thing and most likely a PEBKAC issue, but if anyone has a suggestion, I'm all ears (or, well, eyes... ) Thanks!
panicmode 0 Posted ... So I just started using this setup again and I've run into an issue with uTorrent 3.4.2 (build 37754) and DHT. Basically uTorrent won't connect to DHT using the configuration in the guide. If I remove the routing entries (so that all my PC's traffic goes through the VPN) and remove the net_bind_ip and net_outgoing_ip settings, DHT starts working. I believe this is because uTorrent is ignoring the net_bind_ip settings and attempting to make connections on the native interface. I plan to try a few things including: capturing my network traffic to see if I can spot the DHT packets attempting to exit the native port; trying Vuze instead (or maybe in addition, since I only use DHT for a few things); posting on the uTorrent forums. Just thought I would post here in case anyone had experienced this or had any other good ideas. I'll post back when I have had some time to go through these options.
kon0 4 Posted ... I followed these instructions, it worked great for a couple of minutes. Right now no matter what server I connect to, the airvpn website sees my status as "Not Connected", with my IP being unchanged. When I run the two .bat files, I get results like these....

When you have the setup working and connect to the web site, because the web site does not see you as coming from an Air VPN exit IP address, it says "Not Connected" at the bottom of the page. But if you go to the "Client Area" page it will say what server your user ID is connected to. And if you are running torrent clients, you will see that you are using bandwidth via the VPN. As far as the error messages, I do not see how the entries can be "not found" when you delete them, but then already be there when you try to add them. Certainly I have no such problems.

Hey do we need to disable upnp on the router side, and also I am getting DNS leaks on the dns leak test... Please advise
NaDre 157 Posted ... ... Hey do we need to disable upnp on the router side, and also I am getting DNS leaks on the dns leak test... Please advise

Your post seems to be identical to the one by hakrins earlier in this thread. And I responded to it in an earlier post in this thread: https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?do=findComment&comment=12757

Besides discussing DNS, I made a brief comment about UPnP there too. I disable it. I am not aware of any programs I use that actually try to use router functionality to discover the real IP address, but apparently this is possible in principle not only by using UPnP but also "SIP ALG": https://airvpn.org/topic/13466-webrtc-used-to-reveal-real-ip-address/?do=findComment&comment=24629

So I have now disabled that in my router too, while it is "top of mind". I am expecting someone to ask here about suppressing the possibility of a WebRTC leak within this scheme. But until then ...

UPDATE: If you are concerned about the WebRTC leak, see this post: https://airvpn.org/topic/13519-webrtc-vulnerability/?p=24977

Note that while using the real gateway to browse, WebRTC can discover your VPN address. Sites in your own country could conceivably use this as a reason to block you.
kon0 4 Posted ... ...Hey do we need to disable upnp on the router side, and also I am getting DNS leaks on the dns leak test... Please advise

Your post seems to be identical to the one by hakrins earlier in this thread. And I responded to it in an earlier post in this thread: https://airvpn.org/topic/9491-guide-to-setting-up-vpn-just-for-torrenting-on-windows/?do=findComment&comment=12757 Besides discussing DNS, I made a brief comment about UPnP there too. I disable it. I am not aware of any programs I use that actually try to use router functionality to discover the real IP address, but apparently this is possible in principle not only by using UPnP but also "SIP ALG": https://airvpn.org/topic/13466-webrtc-used-to-reveal-real-ip-address/?do=findComment&comment=24629 So I have now disabled that in my router too, while it is "top of mind". I am expecting someone to ask here about suppressing the possibility of a WebRTC leak within this scheme. But until then ...

:up:
m0rpeth 0 Posted ... So I followed this guide and I don't really understand what is going on. All it has done is make it so my uTorrent only works when connected to a specific AirVPN server. All of my web browsing and such still goes through the VPN though. If I disconnect from AirVPN my torrents stop. I reconnect and they start again, but now Whatsmyip.org shows that I'm connected to the VPN.
NaDre 157 Posted ... So I followed this guide and I don't really understand what is going on. All it has done is make it so my uTorrent only works when connected to a specific AirVPN server. All of my web browsing and such still goes through the VPN though. If I disconnect from AirVPN my torrents stop. I reconnect and they start again, but now Whatsmyip.org shows that I'm connected to the VPN.

You have to do the final step where you add the routing table entries with a "Netmask" of 192.0.0.0.

@set GATEWAY=192.168.1.254
route add 0.0.0.0 mask 192.0.0.0 %GATEWAY%
route add 64.0.0.0 mask 192.0.0.0 %GATEWAY%
route add 128.0.0.0 mask 192.0.0.0 %GATEWAY%
route add 192.0.0.0 mask 192.0.0.0 %GATEWAY%

Except instead of 192.168.1.254 it should be whatever your default gateway is. You either missed this step out, or made some error. Do "route print" in a command window. There must be routing table entries with a "Netmask" of "192.0.0.0" that match the original routing table entry with a mask of "0.0.0.0" (i.e. same "Gateway").
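The check described in the reply above (route print must show four entries with netmask 192.0.0.0 using the same gateway as the 0.0.0.0 entry), written up as an added Python example that is not part of the guide or the thread. The route print text is constructed, and the VPN's 0.0.0.0/1 and 128.0.0.0/1 routes via 10.4.0.1 are an assumption about how the VPN client takes over the default route; the lookup function shows why those four /2 routes win the longest-prefix match and send ordinary traffic back to the native gateway.

```python
"""Check a Windows routing table for the guide's four 'mask 192.0.0.0' routes.

Added example, not from the original guide: parses the IPv4 "Active Routes"
lines of `route print` and does a longest-prefix lookup, showing why the /2
routes win over the VPN's /1 routes while 0.0.0.0/0 still points natively.
"""
import ipaddress
import re

# Constructed `route print` sample with the VPN up. The 0.0.0.0/1 and
# 128.0.0.0/1 entries via 10.4.0.1 are the usual way an OpenVPN client takes
# over the default route (assumption, not stated in the thread); the four
# 192.0.0.0-mask entries are those VPN_gateway_suspend.bat adds.
SAMPLE_ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254    192.168.1.10     20
          0.0.0.0        128.0.0.0         10.4.0.1       10.4.0.22     30
          0.0.0.0        192.0.0.0    192.168.1.254    192.168.1.10     21
         64.0.0.0        192.0.0.0    192.168.1.254    192.168.1.10     21
        128.0.0.0        128.0.0.0         10.4.0.1       10.4.0.22     30
        128.0.0.0        192.0.0.0    192.168.1.254    192.168.1.10     21
        192.0.0.0        192.0.0.0    192.168.1.254    192.168.1.10     21
      192.168.1.0    255.255.255.0          On-link    192.168.1.10    276
"""

# destination, netmask, gateway, interface, metric
ROUTE_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\S+\s+\d+\s*$")
QUAD = {"0.0.0.0", "64.0.0.0", "128.0.0.0", "192.0.0.0"}

def parse_routes(text):
    """Return (IPv4Network, gateway) pairs for every route line in text."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw = m.group(1), m.group(2), m.group(3)
            routes.append((ipaddress.IPv4Network((dest, mask), strict=False), gw))
    return routes

def lookup(routes, ip):
    """Gateway chosen by longest-prefix match (metric only breaks ties)."""
    addr = ipaddress.IPv4Address(ip)
    matches = [(net, gw) for net, gw in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None

def quad_routes_cover_default(routes):
    """True when all four /2 routes exist and use the 0.0.0.0/0 gateway."""
    default_gw = next((gw for net, gw in routes if net.prefixlen == 0), None)
    quad = {str(net.network_address) for net, gw in routes
            if net.prefixlen == 2 and gw == default_gw}
    return default_gw is not None and quad == QUAD
```

Feed it the real output of `route print` instead of the sample and `quad_routes_cover_default` tells you whether VPN_gateway_suspend.bat did its job; dropping the /2 entries from the parsed list shows the same lookup landing on the VPN gateway.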