It doesn’t matter which VPN provider you select – one time or another, you are going to run into technical difficulties. Though this may sound bleak and pessimistic, the honest truth is that there are a multitude of factors that could cause your VPN tunnel to crash. Perhaps your ISP had a network outage, perhaps a VPN server is overloaded, or perhaps your local computer has performance problems on its network interface that interfere with your VPN service.
Whatever the case may be, users need to protect themselves in the event of a VPN outage. This is especially crucial for Bit Torrent users who turn to VPN services to protect their anonymity and the integrity of their downloads, but it is also important for other users as well. When your VPN tunnel goes down, you need to be sure you have safeguards in place to prevent traffic from being sent without VPN protection.
The whole point of using a VPN tunnel is to protect your data with encryption and to obfuscate your IP address to protect your privacy. If you were in the middle of an online activity – especially Bit Torrent downloads – while your VPN tunnel lost its connection, all hell would break use. Not only would your data be easy prey for hackers and governmental institutions like the NSA, but even your ISP would be able to see the data you are transmitting. In the US or UK, this could be inconsequential. It all depends on the data you happen to be transmitting at the time.
But also consider that if you’re outside these countries, downloads or other types of online activity could land you in boatloads of trouble with the local government. In addition, Bit Torrent users would be letting all of the peers in the P2P cloud see their real IP address. To put it bluntly, this is a gaping security hole. For an extra layer of protection, users should take advantage of a VPN kill-switch that automatically stops traffic (including downloads) from continuing in the event of an outage.
And to be fair, there are a reasonable number of providers who understand how important a kill-switch is, and thus include this feature in their software. Unfortunately, a kill-switch isn’t a standard feature on VPN tunnels, and there are many providers that lack this critical feature. If your VPN provider doesn’t have a kill-switch option, then you need to configure one yourself, or suffer the consequences.
In addition, users may want also want to create a rule within their custom VPN kill-switch that helps block DNS leaks. What’s a DNS leak, you ask? Well, a DNS leak is an extremely large problem that allows ISPs, and by extension third parties such as governments, to see what websites you visit.
For the sake of brevity, we will only lightly explain DNS. Basically, DNS is a protocol that translates cryptic IP addresses into human-readable characters that describe a website’s address. For example, DNS makes the IP address of 18.104.22.168 to appear as www.facebook.com in a user’s browser. Without DNS, humans would need to remember IP addresses, which aren’t easily remembered or understood by people.
Every time you visit a website, DNS translates the URL into an IP address. But I have bad news for you. The majority of users unknowingly use their ISP’s DNS servers to translate domain names to IP addresses – every single time they visit a website. And your ISP keeps DNS records that create a ‘paper trail’ of domain name resolutions. That is to say that other people – namely ISPs and governmental agencies – can see what websites you visit when you use their DNS server.
Ideally, when you use a VPN service, your computer uses the VPN service provider’s DNS servers. And because all of the good VPN service providers don’t keep usage logs, the websites you visit remain completely anonymous. Unfortunately, sometimes there is an error in computing code that causes a computer to use the local ISP’s DNS servers instead of the VPN service provider’s DNS servers – even while the VPN tunnel is up and running.
And the result isn’t pretty. When a DNS leak occurs, the anonymity and privacy benefits of a VPN tunnel are negated. Average users can’t typically spot a DNS leak, and even though they think they are browsing the Internet securely because they are connected to a VPN server, the reality is that ISPs, hackers, and governments can see each and every website address they visit.
Wake up folks, this isn’t acceptable! If you really want to get technical and lock down your Internet connection, you can create a DNS rule for your VPN connection in your kill-switch to negate the chance of DNS leaks from occurring in the first place. To be honest, a fair few providers have mechanisms in their VPN software that prevent DNS leaks – but not all providers have this feature. So, we’ll take a closer look at how to configure a firewall rule that prevents DNS leaks if your VPN service lacks this feature. But first, let’s talk about firewall software.
As you might imagine, users who want to create a kill-switch are free to use any software under the sun that they deem fit – as long as it works. Ultimately, users need a versatile software firewall to create a VPN kill-switch. However, I would recommend that Windows users abstain from using Windows Firewall. It just has too many issues. Instead, I would recommend using Comodo Firewall. However, users need to make sure that they completely disable Windows Firewall before using this software, or they could run into configuration anomalies that cause painful headaches.
The first step that needs to be completed is determining the physical (sometimes referred to as a MAC address) address of your VPN adapter. To find this key piece of information, start by connecting to a VPN server. Next, open the Windows Command Prompt by pressing either the start or Windows key, typing in cmd, and then pressing the enter key. A black box with a blinking text cursor should appear.
Now, run the following command by typing ipconfig /all. The output might look a little intimidating, but find the section labeled TAP-Win32. Keep this information handy, as we’ll need it later in the configuration.
Now it’s time to run your firewall software (Comodo in this example). After this software is installed on your computer and Windows Firewall has been disabled, click on the Advanced Settings button located in the top-left and navigate to Firewall, and then Network Zones.
Create a new zone and give it a name (such as “home network,” etc.). Click the OK button, and then click on your newly created network zone. You will see a field that allows you to assign an address to your network zone. Select MAC Address and enter the physical address found from the ipconfig /all output in step 1.
Now we want to configure a ruleset. The ruleset is what determines which services are killed in the event that your VPN tunnel drops. There are a variety of options, protocols, and types of software to configure such as FTP, your web browser, email, etc.
Give your ruleset a name and click the add button. To configure the ruleset, simply select either allow or block, the type of protocol, the direction of the traffic (to or from your computer), and even the source and destination addresses. If you want to create a rule for all IP addresses, you can enter any.
In this demonstration, we are going to create two different rules. Firstly, create a rule with the following parameters:
For the second ruleset, we want to filter incoming traffic. Create a rule like the previous rule, but make the following changes:
The order of these rules are critical, since the order they appear in the list is the order the firewall’s logic runs through when determining filtering decisions. Now we can proceed by applying rules to various services and programs.
Next, browse to Firewall and click on Application Rules. You should already see a prepopulated list of programs and service that you may very well want to send through the VPN tunnel, and halt them if the tunnel drops. If you want to add a program or service that isn’t on the list, simply click the add button and browse to the program on your computer, and finally hit the Use Ruleset button. After this final step, the only thing left to do is test your newly created VPN kill-switch.
But before you do, I wanted to make a note on best practices. If you want to block any type of traffic, it is typically best to mirror the configuration in both directions, meaning you should have identical rules for ‘in’ as well as ‘out.’ Consider what would happen in a P2P Bit Torrent scenario if you only blocked data coming ‘in.’ After the VPN tunnel dropped, your download would halt, but you’d still be uploading information to other Torrent users!
This is one of the most important steps, one the frequently gets overlooked. So, fire up your VPN tunnel and start using some of the services you want to automatically kill if the VPN tunnel goes down. Then, disconnect your VPN tunnel. If you choose to add your web browser to the kill-switch list, you shouldn’t be able to pull up any web pages. If things don’t work immediately, you may have to reboot your computer. In addition, verify that the rules are in the correct order.