Wednesday, 5 October 2011

Keep your IP address hidden if VPN disconnects


Update 12 July 2013:

There's a thread by spaced on the GT forum that gives a free alternative to VPN:

How to run GT via proxy and SSH Tunnel + secure HTTP connection to BF

Original Post:

If you are using a VPN it does a good job of hiding your real IP address and country, but what happens when the VPN disconnects...?

Normally your network traffic will just keep on going and get routed through your ISP and in doing so reveal your ISP IP address and location...

This wouldn't be good if for example you are on holiday in France and using Betfair...

There are programs that will monitor the VPN connection and, in the case of a disconnect, shut down applications to try to prevent this (assuming they can do it fast enough).

But a safer (and easier) solution is to edit your PC's routing table so that it will not send data other than via the VPN.

And thanks to Pulsar on The Geeks Toy forum for helping me work this out!

First you need to remove the entry for 0.0.0.0 to your Gateway from your routing table as this is the default route for ALL network traffic.

Step 1: Open a command prompt (run as admin if using Vista) and type:

route print

This produces the following output, and in my case you can see that the 0.0.0.0 entry uses Gateway 192.168.1.1.



So we need to delete this route from the routing table, but then what happens after the VPN drops and you need to reconnect?

Unless you can access the internet you can't log back into the VPN, so having removed the default route you need to add a new route table entry just for your VPN server, so that traffic to it can still go via your gateway.

Step 2: Use ping to find out the IP address of your VPN server:



Step 3: Make sure your VPN connection is set up to use the IP address rather than the host name (and if the IP address ever changes you'll need to do this again).



Step 4: Delete the default routing

At the command prompt type:

route delete 0.0.0.0 192.168.1.1



Step 5: Then add a route for your VPN server IP address (e.g. 83.170.76.128) to your gateway (e.g. 192.168.1.1)

At the command prompt type:

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1



And that's it... All network traffic goes via the VPN and if the VPN disconnects nothing gets out until it is reconnected...
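A check you can run after steps 4 and 5, added here as an example (it is not part of the original post): it parses the IPv4 "Active Routes" rows of route print and reports any route that still leaves via your ISP gateway, or a missing host route to the VPN server. The sample output and the function names are constructed for illustration; the addresses are the post's examples.

```python
import re

# Constructed `route print` rows (Vista/7 column layout); addresses are the post's examples.
DEFAULT_ROW = "          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25"
VPN_ROW = "    83.170.76.128  255.255.255.255      192.168.1.1    192.168.1.50      1"
TABLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
{row}
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
Persistent Routes:
  None
"""
BEFORE = TABLE.format(row=DEFAULT_ROW)  # untouched table: default route via the ISP gateway
AFTER = TABLE.format(row=VPN_ROW)       # after steps 4 and 5 of the post

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+({IP}|On-link)\s+({IP})\s+(\d+)\s*$")

def parse_ipv4_routes(text):
    """Return active IPv4 routes as (destination, netmask, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # only 5-column active-route rows match; headers and persistent rows do not
            routes.append(m.groups()[:4] + (int(m.group(5)),))
    return routes

def audit_kill_switch(text, lan_gateway, vpn_server):
    """Return findings; an empty list means only the VPN server is reachable via the LAN gateway."""
    findings, has_vpn_host_route = [], False
    for dest, mask, gateway, _iface, _metric in parse_ipv4_routes(text):
        if gateway != lan_gateway:
            continue  # on-link routes and routes via the VPN adapter do not use the ISP gateway
        if dest == vpn_server and mask == "255.255.255.255":
            has_vpn_host_route = True
        else:
            findings.append(f"LEAK: {dest} mask {mask} is routed via {lan_gateway}")
    if not has_vpn_host_route:
        findings.append(f"NO-RECONNECT: no host route to {vpn_server} via {lan_gateway}")
    return findings

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_kill_switch(sample, "192.168.1.1", "83.170.76.128") or "OK")
```

On a real machine, feed it the text of route print and re-run it after a reboot or a wake from sleep, since commenters below report the default route coming back. It looks at the IPv4 table only.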

Summary

To force all traffic to use VPN:

route delete 0.0.0.0 192.168.1.1

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1


To unforce (i.e. allow traffic to use your ISP again) put the default routing back:

route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1

You can optionally use the -p (permanent) option so that your VPN IP route stays in the table without having to be re-added after every reboot; it will not cause any problem to have it there when the default route is enabled.

route add -p 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1

If you do this with .bat files remember to run them as administrator if you are using Vista.

And in case you need more routes...



40 comments:

  1. Great! Just a note about metrics: it seems it's used to prioritize route entries of equal network destination. (For the same network destination, the lower-metric route is preferred.)

    1. Will the LAN connection still work!?
      I guess not.

  2. Did you have to do the above steps every time you reboot the computer (including the -p command)?

  3. Each reboot you need to do step 4 and step 5.

    If you use the -p command then you will only need step 4 every reboot.

  4. Great post. I am glad to know that if our VPN disconnects then our IP can remain hidden; I was not aware of this info earlier. Thanks for this great post.


  5. hi...the method described above didn't work.

  6. smart frog, which bit didn't work?
    Did you substitute your own gateway and VPN IP values?

  7. I followed all the steps described above and no, it also didn't work for me.

  8. definitely didn't work, this is just bad information.

  9. This has worked perfectly for me and on different computers thank you (I'm the Aug 3 poster). However, with my 2nd computer, when it goes to sleep, it acts like it's been rebooted and therefore I need to perform step 4 again even though I didn't restart/reboot the computer... any ideas on how to maintain the step 4 action? Many thanks.

  10. Thanks, was hoping someone else would confirm it does work, as it worked fine for me when I was in France for 6 months :)

    I have two .bat files (one to force VPN and the other to unforce VPN) so you could put step 4/5 in a .bat file and then just create a desktop shortcut that you can double click to turn the blocking back on after waking up from sleep mode.

    Obviously a solution to the sleep problem itself would be better. Not sure why it would change the routing table after sleeping, if I find anything I'll let you know.

  11. Wow, thanks for getting back to me so quickly (I sometimes get 2 week turnaround times from services I actually pay for!!!). You give me too much credit for knowing a lot about computers but I will look into the .bat file solution and keep you posted. Again, thanks for the quick reply.

  12. forcevpn.bat contains:

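    @echo off
    rem Run as administrator. Use your own default gateway and VPN server IP.

    echo Delete default route
    route delete 0.0.0.0 192.168.1.1

    echo Add route to VPN Host(s)
    route add 83.170.113.252 mask 255.255.255.255 192.168.1.1 metric 1

    echo Done...

    rem Keep the window open until a key is pressed
    pause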

  13. releasevpn.bat contains:

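    @echo off
    rem Run as administrator. Use your own default gateway address.

    echo add the default 0.0.0.0 route back to route table
    route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1

    echo Done...

    rem Keep the window open until a key is pressed
    pause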

  14. obviously use your own default gateway and VPN IP addresses...

  15. Nice Article! Thanks for sharing with us.
  16. Okay got it working on Windows 7, you have to specify the interface on the route.
    to get the id of your net type

    netsh interface ipv4 show interface

    then
    route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 if "interfaceid"

    you may or may not need this command also to change default route

    netsh interface ipv4 set interface [ID] ignoredefaultroutes=enabled

  17. Thanks for the update! :)

    Useful to know that for Win 7 users (and possibly now win 8 users) as I only used with Vista.

  18. does this apply to open vpn?

  19. Also, TorGuard has this posted in their FAQ...

  20. I got this to work yesterday on my Windows 7 machine but this morning when I started up my PC again it was back to normal.

    How do I get this to stick even if I restart?

  21. Hi TheMan,

    You need to put the commands in a .bat file, then add the .bat file to the startup programs.

    http://answers.oreilly.com/topic/1656-how-to-manage-windows-7-startup-programs/

  22. Is there a similar method for Mac?
    Thanks,
    George

  23. No idea, but I also have a mac so I'll take a look see if I can find out...

  24. Thanks a lot Cran. I am sure other people will benefit too when you find out, since Mac is becoming increasingly popular.
    George

  25. So I can get my bat file on startup but it still does not delete the route. I can right click on my bat file and run as administrator and it works fine but when it runs on startup it does not do anything.

    Is there something special I need to do to get the bat file to run as administrator on startup?

  26. Yes, I forgot about the admin not working on bat files at startup...

    I just used a shortcut on the desktop and ran it myself by 'right clicking - run as admin' after I logged in.

    Googling 'run startup bat as admin' might help...

  27. This is a great tutorial! Thanks!

    But there is still a problem. How can I fix the dns leak in combination with your tutorial to keep my IP address hidden if VPN disconnects?

  28. See steps 1 and 4 above: Removing the default route 0.0.0.0 from the routing table means that if the VPN disconnects then there is no connection so your real IP address won't get used, you'll just have no connection at all until you reconnect the VPN.

    e.g. if your default route uses gateway 192.168.1.1 then you would remove it with:

    route delete 0.0.0.0 192.168.1.1

  29. yes, your tutorial is working great, but there is another issue. If I connect to a vpn, then the dns of my provider leaks.

    If I go to whoer.net/extended then the dns from my browser or flash is the same with and without vpn. May be you find a way to fix it.

    I want to use your tutorial and the tutorial from dnsleaktest.com (solution b), but I think it is in conflict with each other?

    Do you have another solution to fix the dns leak?

  30. Which vpn are you using?

  31. I'm using perfect-privacy.com, PPTP, Win7.

  32. Ok, there's a post about win 7 above in the comments. I haven't tried it but anon says you need to do this:

    you have to specify the interface on the route.
    to get the id of your net type

    netsh interface ipv4 show interface

    then
    route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 if "interfaceid"

    you may or may not need this command also to change default route

    netsh interface ipv4 set interface [ID] ignoredefaultroutes=enabled

  33. As far as DNS Leak....this link worked for me.

    http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

  34. Not any of the other guys. - - I have a DD-WRT router that uses OpenVPN to connect when it boots. My understanding is then ALL traffic automatically goes here all the time. Should I be concerned about disconnects? Doesn't a disconnect here mean no traffic anyway? BTW I used your info above successfully on Win7 before I flashed my old router with DD-WRT. Now do I need it or not?

  35. Doesn't work for me after multiple attempts, the route add *.*.*.* mask 255.255.255.255 192.168.1.* metric 1 command makes my internet function normally even when not connected to the VPN. I'm using OpenVPN and running the dnsleak .bat files as well, so maybe that has something to do with it.

  36. How can I use that when my VPN server requires a username and password? Please let me know, cheers!

  37. Password makes no difference, you'll have the password saved in the vpn connection properties or you type it in when you connect.

    For anyone who can't get this working with VPN, perhaps just get a VPS instead and run your stuff with remote desktop, they are only about £15-£20 a month.

    1. But is a VPS as secure as a VPN?
