How To Make VPNs Even More Secure-TorrentFreak
April 23, 2012
TorrentFreak: April 15, 2012
From being a niche product used by the few, in the past few years VPN services have hit the big time. These days more and more Internet users see running a privacy enhancing service as a requirement rather than just a luxury. Today we take a look at a few tips and tricks that can enhance the security of any VPN.
While simple to set up and use out of the box, it may comes as a surprise that the security of VPN anonymity services can be improved. Of course, when things run absolutely to plan there’s little to worry about, but there are occasions where there may be a hiccup or where an extra level of security is needed.
Securing your privacy when your VPN fails
Ok, so you’ve purchased your VPN subscription, enabled the service, and you’re enjoying your new found levels of privacy. Then – disaster strikes. While you were away from your machine somehow and for some unknown reason your VPN disconnected and now snoopers have a clear view of your IP address.
Fortunately, there are solutions.
“To protect against the event of VPN failure/disconnection, disable any internet access that does not tunnel through your VPN service provider,” Andrew from PrivateInternetAccess told TorrentFreak. “This can be achieved using specific Firewall rules (Ubuntu) or by changing TCP/IP routes.
But of course, not everyone wants to spend time with these manual configurations that could potentially cause problems if they’re not done properly. So, TorrentFreak spoke with the creators of two free pieces of software that do the job more easily.
“VPNetMon continuously watches the IP addresses of your PC. If the IP address of your VPN is not detected anymore, VPNetMon closes specified programs instantly. The program reacts so quickly that a new connection through your real IP will not be established by these applications,” creator Felix told TorrentFreak.
VPNetMon (Windows) can be downloaded here.
“VPNCheck helps you to feel safe if your VPN connection breaks, this is done by shutting down your main network connection or programs of your choice and showing a notification box,” Jonathan from Guavi.com told TorrentFreak. “Basically it constantly looks for a change in your VPN network adapter. You can connect to either PPTP or L2TP with VPNCheck.”
VPNCheck (Windows/Linux) can be downloaded here.
Stop DNS Leaks
When using a VPN service one might expect that all of the user’s traffic will go through the privacy network, but on rare occasions a phenomenon known as “DNS leakage” might occur. This means that rather than using the DNS servers provided by the VPN operator, it’s possible that the user’s default DNS servers will be used instead or otherwise become visible.
“A DNS leak may happen whenever a DNS query ‘bypasses’ the routing table and gateway pushed by the OpenVPN server. The trigger on Windows systems may be as simple as a slight delay in the answer from the VPN DNS, or the VPN DNS unable to resolve some name,” explains Paolo from AirVPN.
A tool for checking for leaks can be found at DNSLeakTest.com and a solution for fixing any problems can be found here. Alternatively, anyone using the pro version of VPNCheck will have this feature built in.
Double up your security for extra sensitive data transfers
What if you don’t have 100% trust in your VPN provider and worry that even they might snoop on your communications? Admittedly it’s a very unusual hypothetical situation, but one with an interesting solution.
“If you don’t trust your VPN provider 100%, use two VPNs,” explains Felix from VPNetMon. “This way you are tunneling your already encrypted connection through another tunnel.”
In Windows this is easily achieved. First, simply set up at least two VPN accounts as normal (if you’d like an extra one for testing purposes you can get a free limited account from VPNReactor). Then connect to one VPN, and when complete connect to another without disconnecting the first. Like magic, a tunnel through a tunnel.
Its also possible to VPN over TOR, but please please don’t use TOR for file-sharing traffic, it’s not designed for it.
“VPN over TOR gives several security advantages, for a performance price, above all partition of trust,” explains Paolo from AirVPN. “In case of betrayal of trust by one party, the anonymity layer is not compromised in any way.
Fix the PPTP / IPv6 security flaw
As revealed here on TorrentFreak in 2010, people using a PPTP VPN and IPv6 are vulnerable to a nasty security flaw which means that Windows and Ubuntu users could leak their real IP addresses. The following fix comes from Jonathan at VPNCheck.
For Windows Vista and above:
Open cmd prompt and type:
netsh interface teredo set state disabled.
For Ubuntu 10+:
Copy and paste all four lines into a terminal:
echo “#disable ipv6″ | sudo tee -a /etc/sysctl.conf
echo “net.ipv6.conf.all.disable_ipv6 = 1″ | sudo tee -a /etc/sysctl.conf
echo “net.ipv6.conf.default.disable_ipv6 = 1″ | sudo tee -a /etc/sysctl.conf
echo “net.ipv6.conf.lo.disable_ipv6 = 1″ | sudo tee -a /etc/sysctl.conf
Pay for your VPN with untrackable currency.
“When anonymity is a factor, pay with an un-trackable currency,” explains Andrew from PrivateInternetAccess.
“For example, signup for an anonymous e-mail account using Tor and use a Bitcoin Mixer to send Bitcoins to a newly generated address in your local wallet. Alternatively, use the Bitcoin-OTC to purchase Bitcoins ‘over the counter’ from a person, rather than an exchange.
“Then, use a patched Bitcoin client, such as coderrr’s anonymity patch to avoid linking the newly generated address to any of your pre-existing Bitcoin addresses.”
Only use VPN providers that take your privacy seriously
We’ve said this before but it’s worth repeating. VPN providers who heavily log are useful if all you’re concerned about is securely communicating with the Internet through an open public WiFi connection, but not beyond that. For a run down of providers who do not log any data which would enable a 3rd party to identify a user, see our previous article here.
Do you have a helpful security tip for VPN users? If so, feel free to add it to the comments below.