Wednesday, 5 October 2011

Keep your IP address hidden if VPN disconnects

If you are using a VPN it does a good job of hiding your real IP address and country, but what happens when the VPN disconnects...?

Normally your network traffic will just keep on going and get routed through your ISP and in doing so reveal your ISP IP address and location...

This wouldn't be good if for example you are on holiday in France and using Betfair...

There are programs that monitor the VPN connection and, in the case of a disconnect, shut down applications to try to prevent this (assuming they can do it fast enough).

But a safer (and easier) solution is to edit your PC's routing table so that it will not send data other than via the VPN.

And thanks to Pulsar on The Geeks Toy forum for helping me work this out!

First you need to remove the entry for 0.0.0.0 to your Gateway from your routing table as this is the default route for ALL network traffic.

Step 1: Open a command prompt (run as admin if using Vista) and type:

route print

This produces the following output, and in my case you can see that the 0.0.0.0 entry uses Gateway 192.168.1.1



So we need to delete this route from the routing table, but then what happens after the VPN drops and you need to reconnect?

Unless you can access the internet you can't log back into the VPN, so having removed the default route you need to add a new route table entry just for your VPN server, so that traffic to it can still get to your gateway.

Step 2: Use ping to find out the IP address of your VPN server:



Step 3: Make sure your VPN connection is set up to use the IP address rather than host name (and if the IP address ever changes you'll need to do this again)



Step 4: Delete the default routing

At the command prompt type:

route delete 0.0.0.0 192.168.1.1



Step 5: Then add a route for your VPN server IP address (e.g. 83.170.76.128) to your gateway (e.g. 192.168.1.1)

At the command prompt type:

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1



And that's it... All network traffic goes via the VPN and if the VPN disconnects nothing gets out until it is reconnected...
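To check that steps 4 and 5 took effect (and that the default route has not come back, e.g. after a reboot), the script below parses `route print` output and lists every route that still points at your gateway other than the VPN server's host route. It is an added example, not part of the original post: the sample tables and the 10.8.0.6 VPN interface address are constructed, and the names parse_active_routes and audit are made up for this example.

```python
import ipaddress
from collections import namedtuple

# gateway is an IPv4 address, or "On-link" for directly attached networks
Route = namedtuple("Route", "dest mask gateway interface metric")

def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def parse_active_routes(text):
    """Return the IPv4 'Active Routes' rows of Windows `route print` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Active rows have 5 columns; headers, persistent rows and IPv6 rows are skipped.
        if len(f) == 5 and all(map(_is_ipv4, (f[0], f[1], f[3]))) and f[4].isdigit():
            routes.append(Route(f[0], f[1], f[2], f[3], int(f[4])))
    return routes

def audit(text, lan_gateway, vpn_server):
    """Return (routes that bypass the VPN, True if the VPN host route exists)."""
    routes = parse_active_routes(text)
    host = [r for r in routes if r.gateway == lan_gateway
            and r.dest == vpn_server and r.mask == "255.255.255.255"]
    # Anything else sent to the LAN gateway leaves via the ISP when the VPN drops.
    bypass = [r for r in routes if r.gateway == lan_gateway and r not in host]
    return bypass, bool(host)

# Constructed samples: before the change, and after steps 4 and 5 with the VPN up.
BEFORE = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     25
      192.168.1.0    255.255.255.0         On-link    192.168.1.100    276"""
AFTER = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link         10.8.0.6     21
    83.170.76.128  255.255.255.255      192.168.1.1    192.168.1.100      1
      192.168.1.0    255.255.255.0         On-link    192.168.1.100    276
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    83.170.76.128  255.255.255.255      192.168.1.1       1"""

if __name__ == "__main__":
    print(audit(BEFORE, "192.168.1.1", "83.170.76.128"))
    print(audit(AFTER, "192.168.1.1", "83.170.76.128"))
```

To run it against your own machine, save the output of route print to a file and pass the file's text to audit() with your own gateway and VPN server addresses.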

Summary

To force all traffic to use VPN:

route delete 0.0.0.0 192.168.1.1

route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1


To unforce (i.e. allow traffic to use your ISP again) put the default routing back:

route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1

You can optionally use the -p (permanent) option so that your VPN IP route stays in the table without having to be re-added every reboot; it does not cause any problem having it there when the default route is enabled.

route add -p 83.170.76.128 mask 255.255.255.255 192.168.1.1 metric 1

If you do this with .bat files remember to run them as administrator if you are using Vista.

And in case you need more routes...



33 comments:

  1. Great! Just a note about metrics: it seems it's used to prioritize route entries of equal network destination (for the same network destination, the lower metric route is preferred).

  2. Did you have to do the above steps every time you reboot the computer (including the -p command)?

  3. Each reboot you need to do step 4 and step 5.

    If you use the -p command then you will only need step 4 every reboot.

  4. Great post, I am glad to know that if our VPN disconnects then our IP can remain hidden. I was not aware of this info earlier. Thanks for this great post.


    Top VPN Providers

  5. hi...the method described above didn't work.

  6. smart frog, which bit didn't work?
    Did you substitute your own gateway and VPN IP values?

  7. I followed all the steps described above and no, it also didn't work for me.

  8. Definitely didn't work, this is just bad information.

  9. This has worked perfectly for me and on different computers thank you (I'm the Aug 3 poster). However, with my 2nd computer, when it goes to sleep, it acts like it's been rebooted and therefore I need to perform step 4 again even though I didn't restart/reboot the computer... any ideas on how to maintain the step 4 action? Many thanks.

  10. Thanks, was hoping someone else would confirm it does work, as it worked fine for me when I was in France for 6 months :)

    I have two .bat files (one to force VPN and the other to unforce VPN) so you could put step 4/5 in a .bat file and then just create a desktop shortcut that you can double click to turn the blocking back on after waking up from sleep mode.

    Obviously a solution to the sleep problem itself would be better. Not sure why it would change the routing table after sleeping, if I find anything I'll let you know.

  11. Wow, thanks for getting back to me so quickly (I sometimes get 2 week turnaround times from services I actually pay for!!!). You give me too much credit for knowing a lot about computers but I will look into the .bat file solution and keep you posted. Again, thanks for the quick reply.

  12. forcevpn.bat contains:

    @echo off

    echo Delete default route

    route delete 0.0.0.0 192.168.1.1

    echo Add route to VPN Host(s)

    route add 83.170.113.252 mask 255.255.255.255 192.168.1.1 metric 1

    echo Done...

    :wait

    goto :wait

  13. releasevpn.bat contains:

    @echo off

    echo add the default 0.0.0.0 route back to route table

    route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 metric 1

    echo Done...

    :wait

    goto :wait

  14. obviously use your own default gateway and VPN IP addresses...

  15. Nice Article! Thanks for sharing with us.
    IP Routing

  16. Okay, got it working on Windows 7; you have to specify the interface on the route.
    To get the ID of your net, type:

    netsh interface ipv4 show interface

    then
    route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 if "interfaceid"

    you may or may not need this command also to change default route

    netsh interface ipv4 set interface [ID] ignoredefaultroutes=enabled

  17. Thanks for the update! :)

    Useful to know that for Win 7 users (and possibly now win 8 users) as I only used with Vista.

  18. I got this to work yesterday on my Windows 7 machine but this morning when I started up my PC again it was back to normal.

    How do I get this to stick even if I restart?

  19. Hi TheMan,

    You need to put the commands in a .bat file, then add the .bat file to the startup programs.

    http://answers.oreilly.com/topic/1656-how-to-manage-windows-7-startup-programs/

  20. Is there a similar method for Mac?
    Thanks,
    George

  21. No idea, but I also have a mac so I'll take a look see if I can find out...

  22. So I can get my bat file on startup but it still does not delete the route. I can right click on my bat file and run as administrator and it works fine but when it runs on startup it does not do anything.

    Is there something special I need to do to get the bat file to run as administrator on startup?

  23. Yes, I forgot about the admin not working on bat files at startup...

    I just used a shortcut on the desktop and ran it myself by 'right clicking - run as admin' after I logged in.

    Googling 'run startup bat as admin' might help...

  24. This is a great tutorial! Thanks!

    But there is still a problem. How can I fix the dns leak in combination with your tutorial to keep my IP address hidden if VPN disconnects?

  25. See steps 1 and 4 above: Removing the default route 0.0.0.0 from the routing table means that if the VPN disconnects then there is no connection so your real IP address won't get used, you'll just have no connection at all until you reconnect the VPN.

    e.g. if your default route uses gateway 192.168.1.1 then you would remove it with:

    route delete 0.0.0.0 192.168.1.1

  26. yes, your tutorial is working great, but there is another issue. If I connect to a vpn, then the dns of my provider leaks.

    If I go to whoer.net/extended then the DNS from my browser or Flash is the same with and without VPN. Maybe you can find a way to fix it.

    I want to use your tutorial and the tutorial from dnsleaktest.com (solution b), but I think it is in conflict with each other?

    Do you have another solution to fix the dns leak?

  27. Which vpn are you using?

  28. I'm using perfect-privacy.com, PPTP, Win7.

  29. Ok, there's a post about win 7 above in the comments. I haven't tried it but anon says you need to do this:

    You have to specify the interface on the route.
    To get the ID of your net, type:

    netsh interface ipv4 show interface

    then
    route add 83.170.76.128 mask 255.255.255.255 192.168.1.1 if "interfaceid"

    you may or may not need this command also to change default route

    netsh interface ipv4 set interface [ID] ignoredefaultroutes=enabled

  30. As far as DNS Leak....this link worked for me.

    http://www.dnsleaktest.com/how-to-fix-a-dns-leak.php

  31. Not any of the other guys. - - I have a DD-WRT router that uses OpenVPN to connect when it boots. My understanding is then ALL traffic automatically goes here all the time. Should I be concerned about disconnects? Doesn't a disconnect here mean no traffic anyway? BTW I used your info above successfully on Win7 before I flashed my old router with DD-WRT. Now do I need it or not?

  32. Doesn't work for me after multiple attempts; the route add *.*.*.* mask 255.255.255.255 192.168.1.* metric 1 command makes my internet function normally even when not connected to the VPN. I'm using OpenVPN and running the dnsleak .bat files as well, so maybe that has something to do with it.
