Making the PIA Kill Switch more Secure (cf "PIA Kill Switch not working!", this forum, Feb 15, 2018)

Could someone give advice on kill switches and PIA? I'm reacting, in part, to a lot of general reading on kill switches and their problems, and to a post that appeared on this forum back in February (referenced below).

I plan to use PIA as the VPN and Deluge as the downloader with a PIA Socks5 proxy. My settings are unexceptional and have worked on test torrents, so I won’t list them, unless someone asks for them.

I understand I should use a kill switch and that PIA has such a switch. However, I gather that kill switches are not foolproof, including the PIA one e.g. PIA Kill Switch not working! PIA Client Disconnected, BUT FOUND WINDOWS BEING ONLINE (https://www.privateinternetaccess.com/forum/discussion/30340/pia-kill-switch-not-working-pia-client-disconnected-but-found-windows-being-online)

What I took away from this post was that I should run Comodo Firewall (with global rules governing PIA connection status) in place of Bitdefender (my current and paid-for security package) if I want to kill/suspend Deluge downloads whenever PIA disconnects. My thoughts on this are:

1.      Has anyone tried adding global rules to Bitdefender to govern internet traffic contingent upon PIA connection status?

2.      A better idea (for me?) for firewall kill switches would be to use Bitdefender firewall (or whatever you use) normally – I always use PIA for privacy and just accept that sometimes it will disconnect for a moment – but use Comodo firewall when you need a failsafe kill switch. This means you will never need to re-edit your preferred security suite (seems to me Bitdefender is the best security suite). I would assume that I could still use Bitdefender Anti-Virus to check what Deluge is downloading (surely always a concern for torrents?)?

Regarding firewall rules, I found an interesting (to a network ignoramus like me) instructional for Torguard, uTorrent, a VPN and the Windows 7 Firewall. You can read it here: https://web.archive.org/web/20140702110739/http://torguard.net/blog/download-torrents-anonymously-let-us-show-you-how/ I have also appended it to this post. Unfortunately, I don’t have the expertise to adapt this to my particular circumstances (Windows 10, Bitdefender, PIA and Deluge). Anyone game for generalizing this instructional?

Options not discussed in the PIA Kill Switch not working! post include both paid and free third-party software and do-it-yourself techniques for kill switches that are independent of a VPN (see: https://www.raymond.cc/blog/automatic-vpn-kill-switch/ and https://www.techradar.com/news/6-of-the-best-vpn-kill-switches-2017). The best third-party software option appears, to me, to be VPN Check Pro for $20 (https://sites.fastspring.com/guavi/instant/vpncheck_pro?referrer=). Of course, you have to hope that whatever external software you use is reliable, will not conflict with whatever else you have loaded on your computer etc. This strikes me as being rather unrealistic. Let me know what you think.

Here are the two do-it-yourself suggestions. Firstly:

" . . . remove the network adapter’s default gateway IP address after connecting to the VPN. Do take note that it is not possible to do it the other way round which is removing the default gateway IP first because that will prevent you from even connecting to the VPN server." (for more details see 4. Simple VPN Kill Switch Batch Script. at: https://www.raymond.cc/blog/automatic-vpn-kill-switch/) You can download a batch file that will do this here: https://www.raymond.cc/blog/download/did/3746/

Secondly,

"Instead of providing another complicated method that requires messing with the Windows Firewall or Comodo Firewall rules, an easier way is by using the Task Scheduler that is built into Windows. This method doesn’t involve installing any third party software and uses the native event checking feature in Windows which is more stable and barely uses any noticeable CPU or memory usage. All you need to do is create a new task that will automatically close your BitTorrent client software when the OS detects a termination on your VPN connection." (for more details, see, 5. Using Windows Task Scheduler at https://www.raymond.cc/blog/automatic-vpn-kill-switch/)

I’d be grateful for whatever suggestions anyone has about the efficacy and reliability of the above two do-it-yourself approaches compared to just using the PIA kill switch. Questions that occur to me are:

1.      Can you use one of the above in conjunction with the PIA kill switch as a failsafe switch?

2.      Could you test them by disconnecting PIA and seeing if you lose your Internet connection? Would this be a conclusive test?

3.      Are these preferable to the PIA kill switch?

4.      Are they just as good or are they riskier because you never know if there are circumstances in which they might fail?

5.      They look like they would close the download and require a manual restart. If you suffer from momentary, but frequent disconnections, these methods seem impractical.

Attachment

Download Torrents Anonymously – Let Us Show You How (https://web.archive.org/web/20140702110739/http://torguard.net/blog/download-torrents-anonymously-let-us-show-you-how/)

FOR SUPER ADVANCED TORRENT USERS
Also, advanced users can force in their firewall for uTorrent to use only local IP that is given to you by connecting to VPN in the first place.
This is 10.8.*.* or maybe 10.9.*.* IP address.
When you connect to our Virtual Private Network, you get a local IP address inside our VPN, for example = 10.8.12.33.

You can now instruct your firewall to allow communication for uTorrent.exe only on this IP address, and create another instruction to block each and every other address.

Basically, uTorrent is now allowed only to communicate towards and from 10.8.12.33 . Everything else is dropped.
We’ll tell you in a minute how to do that exactly in Windows 7.
Even if you don’t use proxy service, if something happens, and your VPN disconnects, uTorrent won’t publicize your real IP address, as Windows 7’s firewall will continue to force connection for uTorrent towards 10.8.12.33. Everything else is blocked.

WINDOWS 7 FIREWALL CONFIGURATION FOR SUPER ADVANCED USERS
In 2 entries that uTorrent puts in Inbound rules, enter the 10.8.12.33 as allowed addresses under scope. Do this for both entries.
Enter uTorrent’s path under Programs and services, where uTorrent.exe is located.
Select PUBLIC NETWORK, under Advanced tab, for both of these entries.

After that,

Create 2 rules for utorrent.exe, 1 inside inbound and 1 inside outbound rules, where you’ll block EVERYTHING, on both Local and  Domain, under Advanced tab. 
Leave Public Network unchecked, under Advanced tab.
Scope is left default (any ip).
Do this for both inbound and outbound (1 rule for inbound, 1 rule for outbound).
Enter path where utorrent.exe is located, under Programs and services.

Also, you can now create another inbound and another outbound rule, where you will block EVERY IP except the one mentioned above.
You create entry under scope to block everything from
0.0.0.0-10.8.12.32
10.8.12.34-255.255.255.255
As you see, we intentionally left a hole unprotected, where only our IP address ( 10.8.12.33 ) can pass through.
Also, you  need to select under Advanced tab “PUBLIC NETWORK”.
Only public network needs to be checked.
You create a rule like this both inside inbound rules and inside outbound rules.
Enter path where utorrent.exe is located, under Programs and services.

(Your VPN network upon connecting should be labeled Public network by default)

/// allowing rule for inbound uTorrent TCP and UDP entries only on PUBLIC network

—————————————-
First, you’ve added our IP to scope for allowed addresses, under two inbound entries for uTorrent, that were created by installation.

And you’ve allowed only connection towards Public Networks.
—————————-

/// blocking rule, both inside inbound and outbound rules, that blocks everything both on local and on domain
————-
After that, you’ve told firewall to block utorrent.exe on everything both the local and domain, both for inbound and outbound.
————–

/// blocking rule, both inside inbound rules and outbound rules, selected only public network, and under scope, whole range of IP’s covered, except our local VPN IP that we inherited from TorGuard
———-
After that, you’ve told firewall to block everything for both inbound and outbound for PUBLIC NETWORK for utorrent.exe, except the small gap where only our IP can pass through.
This way, you are now blocking everything except the mentioned local VPN IP (10.8.12.33) address that you received from our server (on the public network).
———-

Let’s recap what you should have in your Windows 7 firewall:

INBOUND RULES
µTorrent (TCP-In) Allow rule – (under programs point to utorrent.exe, ADVANCED Tab – only public selected, SCOPE Tab: 10.8.12.33)
µTorrent (UDP-In) Allow rule -  ( under programs point to utorrent.exe, ADVANCED Tab – only public selected, SCOPE Tab: 10.8.12.33)
uTorrent incoming – VPN Force BLOCK RULE – ( under programs point to utorrent.exe, ADVANCED Tab – Domain and Private selected, SCOPE Tab: any IP address)
uTorrent incoming TorGuard IP Range BLOCK RULE ( under programs point to utorrent.exe, ADVANCED Tab – Public selected, under SCOPE Tab you should have: 
0.0.0.0-10.8.12.32
10.8.12.34-255.255.255.255

OUTBOUND RULES
uTorrent outgoing – VPN Force BLOCK RULE – under programs point to utorrent.exe, under ADVANCED Tab select Domain and Private; SCOPE Tab: Any IP
uTorrent outgoing TorGuard IP Range BLOCK RULE – under programs point to utorrent.exe, ADVANCED Tab: Public selected; SCOPE TAB:
0.0.0.0-10.8.12.32
10.8.12.34-255.255.255.255

Now you have created a fail-safe mechanism, in case that you do not want to trust uTorrent with proxy settings, where you are ensuring yourself on another level, inside a firewall, that all your traffic must go inside of an encrypted tunnel, and that not even one packet can be leaked under no circumstances.
This is one of the most secure setups available.
Whatever method you select, you are safe, and you can rest assured knowingly that your torrent usage is anonymous and that you can stop Googling phrases like “torrent VPN”, as now you are a user of premium VPN service, that doesn’t log!
We are here for you to help you setup things, if you ran into trouble.
So, now you know how to force utorrent to use VPN in Windows 7.

Register for TorGuard VPN account today, and enjoy anonymous torrent usage and torrent VPN!

/the above setup has been tested and CHECKED with packet sniffer, while disconnecting VPN, during torrent download in uTorrent!
No packets were leaked
! Make sure you use this setup in order to force VPN connection in uTorrent using Windows 7 Firewall
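
The firewall rules from the attached guide, written as a PowerShell script for Windows 10 (an added example, not part of the original post or the TorGuard guide). The program path, adapter name and rule group name are hypothetical placeholders, and the guide's Scope entries are read here as the rule's local IP address field.

```powershell
# Added example (not from the TorGuard guide). Run from an elevated PowerShell prompt.
# Hypothetical values, adjust to your system:
$Program   = 'C:\Program Files\Deluge\deluge.exe'  # torrent client executable
$VpnAlias  = 'VPN Adapter'                         # name of the VPN's network interface
$RuleGroup = 'Torrent VPN bind'                    # tag used to find and replace these rules

# Return the IPv4 address numerically next to $Ip ($Delta is -1 or +1).
function Get-Neighbor([string]$Ip, [int]$Delta) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                           # network order -> little-endian
    $n = [BitConverter]::ToUInt32($b, 0) + $Delta
    $o = [BitConverter]::GetBytes([uint32]$n)
    [Array]::Reverse($o)
    $o -join '.'
}

# Address the VPN assigned for this session. Stops here if the adapter has none,
# leaving any rules from a previous run in place.
$vpnIp = (Get-NetIPAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4 -ErrorAction Stop |
    Select-Object -First 1).IPAddress

# Every address except the VPN one (the guide's two Scope ranges around the "hole").
$blocked = @(
    "0.0.0.0-$(Get-Neighbor -Ip $vpnIp -Delta (-1))",
    "$(Get-Neighbor -Ip $vpnIp -Delta 1)-255.255.255.255"
)

# Replace rules left by a previous run.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$base = @{ Program = $Program; Group = $RuleGroup }
# Inbound allow on the Public profile, scoped to the VPN address
# (one rule for all protocols instead of the guide's separate TCP and UDP entries).
New-NetFirewallRule @base -DisplayName 'Torrent in: allow on VPN IP' -Direction Inbound `
    -Action Allow -Profile Public -LocalAddress $vpnIp
foreach ($dir in 'Inbound', 'Outbound') {
    # Block on the Domain and Private profiles, any address.
    New-NetFirewallRule @base -DisplayName "Torrent ${dir}: block Domain/Private" `
        -Direction $dir -Action Block -Profile Domain, Private
    # Block on the Public profile for every local address except the VPN one.
    New-NetFirewallRule @base -DisplayName "Torrent ${dir}: block non-VPN addresses" `
        -Direction $dir -Action Block -Profile Public -LocalAddress $blocked
}
```

If the VPN assigns a different address on the next connection, re-run the script so the rules follow it. As in the guide, this relies on the VPN network being classified as Public and the physical network as Private or Domain.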
