Tuesday 14 July 2015

Hardening your VPN

Hardening your VPN

When it comes to network security, using a VPNs service is a very good start. But it’s not perfect.

VPNs by default provide excellent security and anonymity, but that doesn’t mean they’re uncrackable. If you want to be truly secure, there’s more you can do.


CHANGING THE VPN PROTOCOL


There isn’t just one type of VPN. There are actually a variety of different VPN protocols in common use, and many VPN providers actually give you a choice. Sometimes that choice is available in the connection app; sometimes it’s simply a configuration option for third-party VPN tools.

Most commonly, your options are PPTP (point to point tunnelling protocol), L2TP/IPSec (layer 2 tunnelling protocol) and OpenVPN.

Especially if you’re setting it up yourself on a mobile device or ashed VPN router, PPTP and L2TP can seem like the better option, since they’re much easier to con figure. In many cases, you only really need a server name, username and password.

It’s absolutely worth using OpenVPN, however. PPTP has essentially been cracked — it uses weak 128-bit encryption and the initial connection and authentication process can be intercepted and cracked. On the upside, it’s actually the fastest of the protocols because it has lowest encryption overhead.

L2TP is more secure. But it also adds a lot of overhead, and is the slowest of the protocols.

OpenVPN is the best of both worlds: it’s fast, recovers quickly from lost connections and is completely secure as far as we know. If you have the option, it’s the way to go.

THE KILL SWITCH


One of the issues with a VPN connection is that if the VPN connection fails — if the VPN server goes down or the connection is lost — your computer will immediately drop back to your regular internet address, potentially making you vulnerable. You probably won’t even know it has happened.

That’s where the kill switch comes in. It ensures that if you lose the VPN then either your internet connection is shut down or the apps that use it are. Essentially, if you’re not connecting over the VPN, you’re not connecting at all. Some VPN connection apps actually have it built in. If you want to use it, you just switch it on.

An alternative is VPNetMon (vpnetmon.webs.com), a great little app for Windows that can be configured to instantly close selected apps if the VPN dies and restart them if it goes up again.

To set it up, follow these steps:

01 Connect to your VPN.

02 Start the app and click on Opt.

03 On the left , it should show two IP addresses: your local IP address (on top), and your VPN IP address (second). In the fleld where it says VPN IP Start, enter the first number of your VPN IP address; for example, if it’s 10.1.1.68, then type in 10. This is how it detects if you’re connected.

04 Next to A1, click Browse and find an app you’d like it to control, eg. utorrent.exe. If you check the Control box it will automatically shut it down if your VPN goes offline. If you check Auto, it will restart it when the VPN comes back on.

DNS LEAKS


DNS, if you remember, is that service that your computer uses to translate URLs like techradar.com into IP addresses.

When you’re connected to a VPN, you should automatically be using the secure DNS server provided by the VPN service. Except sometimes you don’t; sometimes your computer might use its regular DNS connection, bypassing the VPN. That’s called a DNS leak, and it could be monitored by outside forces.

Some VPN clients have DNS leak protection built in, but if it doesn’t you can run a test at www.dnsleaktest.com. The location it tells you should be your ‘apparent’ VPN location, not your actual one. If it fails, then there’s a quick app you can download from the site that provides a fix.

IPV6 LEAKS


For most internet activity, we use the good old version 4 of the internet protocol; you know, the one with the four-number IP addresses. The thing is, there’s actually a version 6 of the protocol as well, which is designed to provide a lot more internet addresses than IPv4. Now, nobody actually uses IPv6 outside of academia, but your PC still supports it.

IPv6 operates outside of the VPN, and an attacker might use it to figure out who you are. It’s not something that’s done o en, but it is possible, and the only real fix is to disable IPv6. Some VPN clients have the ability built in, but if you want to do it manually, there’s a quick guide at tweaks.com/windows/40099/how-to-properly-disable-ipv6/. There’s also an official Microso ft guide (with apps) at support.microsoft.com/en-us/kb/929852.

If you just want to check if your system is leaking, you can also head to ipv6leak.com and run a test while you’re connect to the VPN.