Solving the Leaky VPN Problem
6/28/2009
Most VPN users use a VPN to reach internal resources. Many, however, use a VPN to protect both internal and Internet traffic. Because Windows (and most other operating systems) implement a VPN tunnel as a preferred route (a lower route metric), when the VPN disconnects abnormally the routes fall away and traffic silently falls back to the primary Internet connection. This is usually undesirable and is often called the "leaky VPN problem". Solving it is generally not easy, but I have found a simple solution.
Existing Solutions
The common advice is to install an advanced firewall on each client. It cannot be a basic one such as Windows Firewall, because it must be able to filter by interface and not just by TCP port. A few products, such as Kerio, support this, but maintaining such a configuration on every client is a complicated process.
iptables rules and routing tables can also be modified, but this again suffers from maintenance issues and causes many undesired side effects.
Simple Solution: DNS
Using DNS you can solve the leaky VPN problem. Follow these steps:
- Configure your VPN connection to connect by IP address, or make a HOSTS entry for your VPN server, so the client can reach the server without DNS.
- Edit the adapters used for your Internet connection. For IPv4, disable DNS by DHCP and specify a DNS server of 1.1.1.1. If you leave the field blank, Windows (at least Vista does this; I do not remember XP doing so) resets it back to DHCP for DNS, so we give it an invalid IP for DNS instead.
- In Services, stop and disable the DNS Client service. The name is misleading: it is really a DNS caching service, and disabling it does not disable DNS resolution. This step matters because otherwise cached entries could still be used over the main connection while the VPN is down.
- Connect your VPN and make sure the VPN adapter has DNS servers specified.
With this setup, DNS resolution only works while the VPN is connected, which effectively solves the leaky VPN problem.
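The steps above, scripted for an elevated PowerShell prompt, as an added example that is not part of the original post. The adapter name "Ethernet", the VPN host vpn.example.com and the address 203.0.113.10 are placeholders. One change from the post is deliberate and labelled in the code: 1.1.1.1 has been a live public resolver (Cloudflare) since 2018, so using it today would make DNS work over the plain Internet connection and bring the leak back; the example uses an RFC 5737 documentation address that is never routable instead, and also covers the IPv6 DNS setting, which the post does not mention.

```powershell
# Added example, not code from the original post. Run elevated.
# Placeholders (not values from the post): adapter "Ethernet",
# VPN server vpn.example.com at 203.0.113.10 (RFC 5737 TEST-NET-3).

$Adapter  = 'Ethernet'
$VpnHost  = 'vpn.example.com'
$VpnIp    = '203.0.113.10'
$DeadDns4 = '192.0.2.1'      # RFC 5737 TEST-NET-1: never routable, so lookups time out.
                             # The post used 1.1.1.1, which has been a live public
                             # resolver since 2018 and would let DNS leak again.
$DeadDns6 = '2001:db8::1'    # RFC 3849 documentation prefix; the post covers IPv4 only.

# Step 1: HOSTS entry so the VPN client can find its server without working DNS.
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $HostsPath -Pattern "\b$([regex]::Escape($VpnHost))\b" -Quiet)) {
    Add-Content -Path $HostsPath -Value "$VpnIp`t$VpnHost"
}

# Step 2: replace DHCP-assigned DNS on the Internet adapter with the dead addresses.
# validate=no stops netsh from probing the server, which would fail by design.
netsh interface ipv4 set dnsservers name="$Adapter" source=static address=$DeadDns4 register=none validate=no
netsh interface ipv6 set dnsservers name="$Adapter" source=static address=$DeadDns6 register=none validate=no

# Step 3: stop and disable the DNS Client (cache) service so nothing is answered from cache.
Stop-Service -Name Dnscache -Force
Set-Service  -Name Dnscache -StartupType Disabled

# Step 4 (manual): connect the VPN and confirm the VPN adapter has DNS servers set.

# Check: with the VPN down a lookup must fail; with it up, it must succeed.
function Test-DnsWorks {
    param([string]$Name = 'www.example.com')
    try {
        [System.Net.Dns]::GetHostAddresses($Name) | Out-Null
        return $true      # resolved: either the VPN is up, or DNS is leaking
    } catch {
        return $false     # no resolution: the fail-closed state we want while disconnected
    }
}

if (Test-DnsWorks) {
    Write-Warning "DNS resolves while the VPN is down: re-check the adapter's DNS settings and the Dnscache service."
} else {
    Write-Host "DNS fails closed while the VPN is disconnected."
}
```

Run the check once with the VPN disconnected and once connected to confirm both halves of the behaviour. On Windows 8 and later the Dnscache service is protected and Set-Service will refuse to disable it; the start type has to be changed in the registry instead, which the post (written for XP and Vista) does not cover.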
Caveats
This method is not perfect; here are a few issues you should be aware of.
HOSTS
Entries in the HOSTS file will still resolve. This is both a problem and a feature, since it allows you to specify certain addresses that should work even when the VPN is disconnected.
IP Based Connections
Connections made directly to an IP address will still function when the VPN is disconnected. Most connections, however, rely on DNS resolution, so the solution is effective in most situations.
Skype
After additional testing, it appears Skype does not require DNS to connect. Using this method, Skype will still connect even if the VPN is down.