Kill switch at boot

edited December 2016 in Windows VPN Setup Posts: 11
The kill switch used to work at boot, as if firewalled shut while waiting for login. PIA will autostart in the Admin Account but my ISP is open while waiting for PIA to start. So there is always a period of time without vpn in Admin Account and with the Regular Account, maybe a long time if forgetting to start PIA.

Once started, the kill switch works until reboot.

v65, win 10.

Anyone get this to work like it used to with Internet disabled until PIA start?

Comments

  • Posts: 1
    Hey Fireblues

    Had the same problem. Even though support tried to help me, we ended up agreeing that it is the OS causing the problem.
    So I went on and created a workaround which seems to work for now.

    1. Create two .bat files (by creating a standard .txt file, copy-pasting the lines below and then renaming it to .bat. Place them somewhere you can find them again)
    a) enable network.bat
    timeout 30
    netsh interface set interface "Local Area Connection" ENABLED
    netsh interface set interface "Ethernet" DISABLED
    netsh interface set interface "Ethernet" ENABLED
    b) disable network.bat
    netsh interface set interface "Local Area Connection" DISABLED

    Replace the "Local Area Connection" with your standard network adapter name. The "Ethernet" has to be replaced with the name of the TAP adapter created by PIA.
    The "timeout 30" defines how many seconds the system waits until the network adapter is enabled. Therefore the PIA tray agent has to have finished starting BEFORE the timeout runs out. This might vary depending on your system. To find out, just log on to your user profile and count down the seconds until you get the notification that PIA is connecting, and enter that value instead of the "30".

    2. Search for Edit Group Policy (using windows search) --> user configuration --> windows settings --> scripts (logon/logoff)
    --> logon --> add: enable network.bat
    --> logoff --> add: disable network.bat

    That's it, you should now have a complete kill switch in place.

    cheers
    Rakor

    ps. I know this is not the best solution, but hey, it seems to work and stops any data leaking before the PIA kill switch has started up.
  • fireblues said:
    The kill switch used to work at boot, as if firewalled shut while waiting for login. PIA will autostart in the Admin Account but my ISP is open while waiting for PIA to start. So there is always a period of time without vpn in Admin Account and with the Regular Account, maybe a long time if forgetting to start PIA.

    Once started, the kill switch works until reboot.

    v65, win 10.

    Anyone get this to work like it used to with Internet disabled until PIA start?

    I have this question too. I'm running it on Windows 10. I did an uninstall / reinstall but that did not fix it.
  • Posts: 475
    The stark reality of it is, you cannot start the PIA process of connecting to a tunnel until you have negotiated a link with your ISP. So during that transition time, your ISP can do whatever they want. Yes, the process is fast, but it only takes milliseconds if not microseconds of connection time for the ISP to do its thing.

    Is this kill process at startup really worth it? It might be for you but really, is it doing what you think it is doing? The same process works if you turn off your modem while staying connected to your router. You can start the PIA process but nothing will happen until you have a path to PIA. That path will only start when the modem is turned on and the modem and ISP have negotiated the link.

    I am not saying this to upset you. Just trying to get a logical process understood that it does not take long for a few bytes of data to transfer even before the PIA process starts.
  • edited December 3 Posts: 4
    I figured it out. I really only had to make one change. Here is my setup:
    • Configure Windows to automatically login with non-admin account on bootup.
    • Set a static IP and static DNS for the physical adapter. Leave the default gateway value empty. 
    • Set PIA to start on login 
    • Set PIA to automatically connect on startup
    • Enable PIA kill switch
    Works perfectly. 
    • When Windows boots up, it automatically logs in. I also have any apps that I want to run in the Windows 10 startup folder.
    • The network adapter has local network access (same subnet) on boot up, but it doesn't have a way to route traffic to the Internet since the gateway is blank.
    • You can access computers on your local network, but there is no Internet access
    • PIA Starts
    • PIA reconfigures the physical network adapter to access the Internet on its own.
    • PIA connects to the VPN gateway
    • The system now has local and Internet access. 
    • PIA Kill switch blocks Internet access when VPN disconnects. 

    I rebooted the test system 5 times, verifying that there was no Internet access before PIA started, and none after the VPN connection is terminated. Also made sure that no settings were lost during reboots.

    Testing was done with
    • Windows 10 Professional installed on a VMware guest on an ESXi 6.5 host.
    • PIA for Windows. I don't see a version number anywhere in the app, but I installed it in the last month, so probably 7.5.

    I want to note that in this test configuration, your local DNS still works if you have one. In that case a DNS leak is possible. For example I have Pi-hole and Unbound DNS running on my local network. So I can still resolve Internet sites like "www.amd.com" to an IP address even though I cannot connect to them directly.

    What you can do is not use your ISP's DNS servers, use public DNS (Google 8.8.4.4, 8.8.8.8) instead. Your ISP would have to be sniffing your network packets for DNS requests to spy on what sites you are interested in.

    I could not test for DNS leaks since the test system did not have access to Internet leak test sites and the LOE to do it otherwise was out of scope (i.e. I'm too lazy to do it :) ).

    I hope that this helps someone. Feel free to do further testing and add your experience / insights to this thread. 
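
A check for the setup described in the post above, meant to be run after logon and before PIA connects. It is an added example, not part of the original post or of PIA's software; the adapter name 'Ethernet' is an assumption, and www.amd.com and 8.8.8.8 are the host and public resolver the post mentions.

```powershell
# Added example: audit the pre-VPN state of the "static IP, no default gateway" setup.
# Run after logon but before PIA connects. 'Ethernet' is an assumed adapter name;
# use the name Get-NetAdapter shows for your physical NIC.
param([string]$PhysicalAlias = 'Ethernet')

function Get-PreVpnLeakFinding {
    param([Parameter(Mandatory)][string]$Alias)
    $findings = @()

    # 1. Any default route (IPv4 or IPv6) present before the tunnel is up is a way out.
    $routes = Get-NetRoute -DestinationPrefix '0.0.0.0/0', '::/0' -ErrorAction SilentlyContinue
    foreach ($r in $routes) {
        $findings += "Default route $($r.DestinationPrefix) via $($r.NextHop) on '$($r.InterfaceAlias)'"
    }

    # 2. With DHCP enabled, the lease would hand the gateway back on renewal.
    $ipIf = Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4
    if ($ipIf.Dhcp -eq 'Enabled') {
        $findings += "DHCP is enabled on '$Alias'; the static no-gateway setting is not in effect"
    }

    # 3. A resolver on the local subnet still answers without a gateway
    #    (the DNS caveat raised in the post).
    $dns = (Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4).ServerAddresses
    $answer = Resolve-DnsName -Name 'www.amd.com' -DnsOnly -ErrorAction SilentlyContinue
    if ($answer) {
        $findings += "DNS still resolves via [$($dns -join ', ')]; lookups can leave the LAN through that resolver"
    }

    # 4. Direct reachability test against the public resolver named in the post.
    $reachable = Test-NetConnection -ComputerName '8.8.8.8' -Port 53 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($reachable) {
        $findings += 'TCP 8.8.8.8:53 is reachable without the VPN'
    }
    return $findings
}

$result = Get-PreVpnLeakFinding -Alias $PhysicalAlias
if ($result) { $result | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "No Internet path found on '$PhysicalAlias' before VPN start."
```

A DNS finding on its own matches the behaviour the post describes with a local resolver; a default-route or reachability finding means the machine can reach the Internet before the VPN is up.
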
  • My problem is that not only does the kill switch not work before the PIA client has started, but if the PIA crashes or is closed manually, the kill switch stops working and I'm connected directly through my ISP. So if I have, say, a torrent client seeding and PIA crashes, my IP is exposed until I discover it has crashed and restart it.

    This didn't seem to be a problem with older versions. So what changed? And can these new versions be changed back? This problem makes this service practically unusable for me now.
  • Use clients that allow a "kill switch" in themselves, like qBittorrent or Vuze. You can set up there the only network interface through which it should work.