Hacker News new | ask | show | jobs
by tacon 3150 days ago
My VPN activities run on a old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.

I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.
1 comments
mirimir 3150 days ago
It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.
link
j_s 3149 days ago
Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

link
mirimir 3149 days ago
No, sorry. I used to know a URL, but ... And most of your search hits will feature application-level blocking, which seems silly to me. Also, I don't use Windows much anymore. And I've forgotten the specifics.

But. It's basically what I described. For public VPN network, just use the default (all output, only established input). For private LAN, deny all output and input, and allow output to selected IP addresses (VPN and DNS servers).

link
j_s 3149 days ago
Thanks for taking the time to reply. It seems like this would be worth a write-up!

Perhaps something like this can be scripted; if it becomes polished enough it could be recommended as a part of every VPN setup.

link
tacon 3149 days ago
Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.
link
mirimir 3149 days ago
Well, the AirVPN client in Windows has its own firewall, which I didn't manage to make leak.
link