Split Tunneling


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Split Tunneling

Postby keoma » Wed Aug 06, 2014 11:49 am

While I am familiar with the concept of encryption and having spent a lot of time securing my electronic communications, some technicalities still escape me so forgive me for posting a seemingly ridiculous question.

Is there any way to split my data into two streams, one encrypted and one unencrypted? I am running some applications on my computer that generate quite a bit of traffic, but as the data is not sensitive I wouldn't mind keeping it unencrypted, while I would want everything else, e.g. browser traffic, to be encrypted. That way, I could reduce the load on the CS server a fair bit.

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Split Tunneling

Postby parityboy » Wed Aug 06, 2014 2:33 pm

@OP

Typically in a corporate "road warrior" situation, the default route is the local Internet router and the corporate network has explicit route(s) set to go over the VPN. In the case of a VPN provider like CS, the default route goes over the VPN. If you know the destination IPs or IP ranges for your non-sensitive applications you could set them up as explicit routes to go over your normal network interface. What are these applications, just out of interest?
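An added example (not part of parityboy's reply, and not cryptostorm code) of the rule that makes the "explicit route over the normal interface" approach work: a route lookup is longest-prefix match, so a /32 host route via the LAN gateway wins over the VPN's default route regardless of the order the routes were added. The Python below parses a constructed `ip route show` listing, as it looks on a Linux client while OpenVPN's `redirect-gateway def1` is active (it installs 0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead of replacing the default), and answers which interface a given destination would leave on. Interface names, the 10.8.0.0/24 tunnel subnet and the excluded hosts are made up for the example.

```python
import ipaddress

# Constructed sample output of `ip route show` (not captured from a real box):
# an OpenVPN session with "redirect-gateway def1" is up on tun0, and two hosts
# have been excluded by pointing them at the LAN gateway 192.168.1.1.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
188.113.88.193 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Turn `ip route show` lines into (network, gateway, device) tuples.

    A bare host ("188.113.88.193") becomes a /32 network; "default" is 0.0.0.0/0.
    Metrics are ignored: with identical prefix lengths the first entry wins here,
    which is good enough to reason about split tunnelling.
    """
    table = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        table.append((net, gw, dev))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return best


def egress_dev(table, dst):
    """Name of the interface a packet to dst would leave on, or None."""
    route = lookup(table, dst)
    return route[2] if route else None


def check_split(table, excluded, vpn_dev="tun0", probe="1.1.1.1"):
    """True only if every excluded host bypasses the VPN device AND an arbitrary
    public probe address still goes through it. Either half failing means the
    table is not the split you think it is (leak or accidental bypass)."""
    bypass_ok = all(egress_dev(table, h) not in (None, vpn_dev) for h in excluded)
    vpn_ok = egress_dev(table, probe) == vpn_dev
    return bypass_ok and vpn_ok


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    for host in ("1.1.1.1", "188.113.88.193", "188.113.88.194", "192.168.1.20"):
        print(host, "->", egress_dev(routes, host))
    print("split correct:", check_split(routes, ["188.113.88.193", "203.0.113.10"]))
```

Note that 188.113.88.194, one address past the excluded host, still goes out through tun0: a /32 exclusion covers exactly one address, which is what you want. Run the same check against the real output of `ip route show` (or `route print` on Windows) before trusting a split tunnel.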


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Re: Split Tunneling

Postby keoma » Wed Aug 06, 2014 4:52 pm

Thanks a bunch! I trade currencies for a living and the broker software, charting applications and news feeds do generate traffic that doesn't need to be encrypted. I do have the IP addresses of the non-sensitive applications, so how do I set them up as explicit routes to go over my normal network interface? I presume this has been done before, so where would I start looking for instructions?

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Split Tunneling

Postby Tealc » Wed Aug 06, 2014 6:25 pm

Hi there. So this is actually a very good topic, since I've been searching for this "split tunneling" thing for some time now.
Let me tell you what I did.

I have a WDR3600 with "OpenWrt Attitude Adjustment 12.09" and since this router does 2 different wifi networks and frequencies I thought I'd make wlan1, for example, go to the VPN and wlan0 go directly to my cable provider. With this, if I wanted to connect to the VPN I'd just change wifi network; it's that easy, at least in theory LOL

I did manage to get the openvpn client to connect to CS and after some iptables configuration everything connected fine and all computers connected to the router were also connected to CS.
The next logical step was to make the split tunneling, like this:

- all eth0 to eth5 ports are to connect directly to wan0
- wlan0 is to connect directly to wan0
- wlan1 is to connect directly to tun0 to access CS
- all communication coming from tun0 is to go to wlan1
- tun0 is connected to wan0

After consulting several sites all over the "dark net" and some tor files about networking, I found that it all depends on the configuration of iptables, and that was when the "shit hit the vents": I couldn't get it working and I actually had to reset my router several times :wtf:

So with all of this, does anyone have some pointers on getting this to work?
Or better, is there an iptables guru here in the forum? ;)


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: Split Tunneling

Postby tlsbreak » Wed Aug 06, 2014 11:01 pm

Let's say you wanted to set up your dd-wrt to connect to only 1 IP address/subnet or CIDR or whatever. What would that iptables rule look like?

It seems to me you need a rule like that for each non-vpn connection.


Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Split Tunneling

Postby Tealc » Thu Aug 07, 2014 2:13 am

tlsbreak wrote:....
It seems to me you need a rule like that for each non-vpn connection.


Actually that's not true, since you can make the iptables rule for the specific interface (wan, wlan, eth, br-lan, tun, tap) and then assign the non-VPN connection to one of them. In theory I know that works, since a former colleague of mine did that exact same thing for our VPN work office in his home.

He no longer works there and I've lost all contact with him; I have to say that he taught me a lot of what I know now.

parityboy wrote:@keoma

Which platform is this for: Linux, OS X or Windows?


Yeah, he actually didn't say; nevertheless the easiest way to go is with dd-wrt or openwrt, since they are Linux based with several interfaces attached and already programmed. I believe that with any Linux distro with iptables we can create several virtual LANs and then put my theory to work.

So IPTABLES GURU anyone?


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Re: Split Tunneling

Postby keoma » Thu Aug 07, 2014 6:27 am

parityboy wrote:@keoma

Which platform is this for: Linux, OS X or Windows?


Right, I should have mentioned it: Am running on WIN 8 64 bit


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: Split Tunneling

Postby tlsbreak » Thu Aug 07, 2014 7:38 am

Tealc wrote:
tlsbreak wrote:....
It seems to me you need a rule like that for each non-vpn connection.


Actually that's not true, since you can make the iptables rule for the specific interface (wan, wlan, eth, br-lan, tun, tap) and then assign the non-VPN connection to one of them. In theory I know that works, since a former colleague of mine did that exact same thing for our VPN work office in his home.


So you connect to dd-wrt and your iptables tell it to send this packet to wan, this one to tun? I'm trying to visualize how the iptables rules would look. I use pfSense and have similar needs as the OP. I set up a rule to pass traffic going to a non-VPN IP address through the gateway I want. I have to create a rule for each address though (at least I think I do :mrgreen: ).

I've been told that dd-wrt is more secure than pfSense, so I'd kind of like to switch, but this iptables stuff makes my head explode. :crazy:

keoma wrote: Am running on WIN 8 64 bit


I didn't think this was possible on Windows?

I'll stop cluttering the thread now, sorry. I'm not really helping. :mrgreen:


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Re: Split Tunneling

Postby keoma » Thu Aug 07, 2014 9:58 am

tlsbreak wrote:
keoma wrote: Am running on WIN 8 64 bit

I didn't think this was possible on Windows?


I presume it is. PureVPN offers this as a feature, although I am unable to tell whether and how much this compromises security or whether this features works as advertised. They say this on their website:

"When it comes to offering rare and valuable features, nobody comes even close to PureVPN. Case in point: The Split-Tunneling feature. Every PureVPN account comes loaded with all possible options and features, including split-tunneling. Just open the VPN dialer on your device (and there are customized dialers for all devices) and access the built-in split-tunneling feature. Our split-tunneling feature easily allows you to ‘Split’ your data traffic and choose which traffic stream to ‘Tunnel’ while not tunneling the other. This way, you can conduct important activities with VPN protection while simultaneously enjoy unsecured but fast internet speed for unimportant tasks, like streaming. The best of both worlds, right?"

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Split Tunneling

Postby Tealc » Thu Aug 07, 2014 3:18 pm

tlsbreak wrote:So you connect to dd-wrt and your iptables tell it to send this packet to wan, this one to tun? I'm trying to visualize how the iptables rules would look. I use pfSense and have similar needs as the OP. I set up a rule to pass traffic going to a non-VPN IP address through the gateway I want. I have to create a rule for each address though (at least I think I do :mrgreen: ).

I've been told that dd-wrt is more secure than pfSense, so I'd kind of like to switch, but this iptables stuff makes my head explode. :crazy:


So I must not have explained it very well: I'm running an OpenWrt router, which is a Linux-based system with a lot of normal Linux apps and everything, and that includes iptables.
So in OpenWrt, iptables comes installed from the start, and normally, if you don't want to make a lot of changes to normal user connectivity, a lot of it is automatic configuration and you don't have to touch a thing. But since I'm running in a very special building network I actually need a lot of tweaking to get this to work.

You do have to create a specific rule for a specific address if you're running several on the same hardware port of your router. For example, imagine that I have a network switch connected to port 1 of my router (eth0) and to that switch I connect 2 devices (dev1, dev2). Both devices have, as they normally should, different IP addresses, but the router port is the same; in that case you have to create a specific rule for each of the IP addresses and not a general rule to forward something from eth0 to wan0, for example.

Look here:
HTTP Server - IPv4-TCP - From any host in wan - Via any router IP at port 80 - IP 192.168.1.3, port 80 in lan

This means that anything that comes from wan at port 80 is to be directed to the LAN network IP 192.168.1.3 port 80; this is a specific rule for a specific port and IP address destination inside the LAN. But imagine that you have only ONE IP running on eth0; that way you could direct anything that comes from wan on port 80 to eth0.

When I'm not in the mood to do the iptables manually I just go on one of these sites:
http://easyfwgen.morizot.net/gen/index.php
http://www.perturb.org/content/iptables-rules.html

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Split Tunneling

Postby Tealc » Thu Aug 07, 2014 3:58 pm

SUCCESS!!

So.... this whole thing got me searching and searching and I've found it....

https://blog.ipredator.se/howto/openwrt/configuring-openvpn-on-openwrt.html

This blog from another VPN provider did the trick... I had to change a lot of the parameters but everything worked out ok.

I'm now running all my hardwired computers (eth0, eth1, eth2, eth3, eth4) in Germany with CS. This initial configuration from the other VPN provider makes all devices connected with wlan0 and wlan1 access the internet directly with my ISP, and all the hardwired ones with CS.

Here is the "Split Tunneling" that we wanted so much!!!

Next steps:

1) Remove eth0/eth4 from the CS connection
2) Remove wlan1 from directly connecting to my ISP
3) Add only wlan0 to connect to CS
4) Check the DNS leak test, since the wired computers are given my ISP's DNS, but they shouldn't be, since my main wan device has 5 CS DNS servers included and not the ISP's ones
5) Check this load average problem: Load Average 2.06, 1.10, 2.13 (normally in heavy duty connections like 20 torrents downloading and 10 uploading it doesn't go higher than: Load Average 0.35, 0.20, 0.65)
6) Check: when the connection drops I can't access the internet (and that's actually what we want) but the connection doesn't come back online
7) No internet connection when using wlan1; no changes made so far with the initial configuration
8) Make a tutorial of all the necessary changes and put it here for all the community
9) In the near future make an image with the necessary changes for the WDR3600 with OpenWrt

I really have to thank you guys that kept this topic alive; with that I got to do something that I've been wanting for some time now


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Re: Split Tunneling

Postby keoma » Fri Aug 08, 2014 1:31 pm

@tealc

Thanks Mate. Sounds very technical indeed and since I am not that technically inclined, it will take me quite a while to figure out what exactly you are doing. Nevertheless, I may give it a try.


tlsbreak
Posts: 17
Joined: Mon Jul 21, 2014 6:45 am

Re: Split Tunneling

Postby tlsbreak » Fri Aug 08, 2014 10:06 pm

Tealc wrote:So I must not have explained it very well: I'm running an OpenWrt router, which is a Linux-based system with a lot of normal Linux apps and everything, and that includes iptables.
..........
http://easyfwgen.morizot.net/gen/index.php
http://www.perturb.org/content/iptables-rules.html


I knew you were using openwrt but had dd-wrt in my mind. :lol: Thanks for the explanation and links they look great. :thumbup:

keoma wrote:
I presume it is. PureVPN offers this as a feature, although I am unable to tell whether and how much this compromises security or whether this features works as advertised. They say this on their website:

"When it comes to offering rare and valuable features, nobody comes even close to PureVPN. Case in point: The Split-Tunneling feature. Every PureVPN account comes loaded with all possible options and features, including split-tunneling. Just open the VPN dialer on your device (and there are customized dialers for all devices) and access the built-in split-tunneling feature


If it can be done in the dialer then you should be able to do it in the Openvpn config.
I stumbled across this.
https://forums.openvpn.net/topic8229.html

I haven't tried it myself and not sure how it works in Win8 (Win8, ewwww :sick: :lol: ). Maybe it will give some ideas.


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Re: Split Tunneling

Postby keoma » Sun Aug 10, 2014 8:49 am

Is there any chance that split tunnelling could be incorporated in the widget v. 1.10 with a simple option to specify 3 or 5 IP addresses that will bypass the VPN while all other traffic goes through the VPN? Judging by the above replies, it is technically possible and it would surely benefit everyone - users see a great improvement in performance while the CS servers will have a greatly reduced server load.

cryptostorm_support
ForumHelper
Posts: 296
Joined: Sat Jan 26, 2013 4:31 am

Re: Split Tunneling

Postby cryptostorm_support » Mon Aug 11, 2014 11:02 am

I'll talk to our devs about that, but I would have to wager that's a fairly non-trivial feature to implement to ensure security doesn't needlessly get compromised. I would expect that would be something for a major release, but I will defer to their boundless wisdom

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Split Tunneling

Postby parityboy » Mon Aug 11, 2014 11:24 pm

@thread

Split tunnelling in the widget will likely involve talking to the Windows firewall API (assuming such a thing exists) to set the relevant policies, while not meddling with any which are already set.

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Split Tunneling

Postby marzametal » Tue Aug 12, 2014 7:14 am

I don't see why it would benefit everyone, I have no use or purpose or inclination to allow an IP to bypass CS. I use Windows 7 Firewall with Advanced Security to block svchost.exe (provides inactive internet till widget kicks in)... hence I would suggest a spinoff widget to handle this split tunnelling stuff. I think this is a "security vs convenience" issue. I consider this a flaw, not a feature (just my opinion).

"Heyyy... install this widget so you can access the internet anonymously, don't know who you are, kickass encryption etc... But we got this cool feature implemented that allows the world to see what you are up to".

Just because some things you do on the internet are not sensitive, doesn't mean that the product supplied by the VPN provider should allow for it... If this is catered to, then you might as well cater for torrent ports as well, or anything else that the honeypot companies provide... I think it goes against the mission statement if it is implemented in the widget (again, just my opinion).

If the user wants it, then the user should set it up on his/her own, keep it away from product injection/feature-warez...

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Split Tunneling

Postby Tealc » Tue Aug 12, 2014 11:17 pm

I have to agree with @marzametal and @parityboy this is a potential security risk.

Nevertheless I do assume that this split tunneling thing for me is top notch. I have a seedbox running that I don't want to go into CS (I'm in one of the very few countries that allow P2P); also everything Facebook, Twitter, local country TV, Internet Radio I really want to go with my normal provider, but with my OpenNIC DNS servers (besides, it's a little complicated to tell my wife that she isn't in Iceland or Germany when she posts to Facebook, and that did happen :-D ).

Then there's all the "other things" that are restricted to my activity, both personal and professional, where I do want to be "invisible" and don't want some "sniffer" robot on my IP :-D
I don't have Facebook, I don't use GApps, I do own an Android phone but no Play Store (F-Droid is a must!), just recently I opened a Twitter account (for the sole purpose of talking to CS LOL), I do not use Windows or iOS devices (Ubuntu all the way).

So it's a little complicated to explain, but I do like this Split Tunneling thing, maybe in the kind of way I did it: with a dual band router, and then one wifi goes to home and the other goes to the world (we should use the AP Isolate mode; this way there is no communication between wifis or between devices on the same wifi). This way you always know what to use and where you want to use it. Yeah, I can easily install OpenVPN on all my devices and just run CS from there :-D but I'm a practical guy that sometimes forgets simple things

Hope this makes some sense, LOL

I'm not in the mood for writing today, it was a bad day at work.


Topic Author
keoma
Posts: 7
Joined: Wed Aug 06, 2014 9:14 am

Re: Split Tunneling

Postby keoma » Wed Aug 13, 2014 11:20 am

@marzametal

I don’t get your point – if you don’t trust a particular IP address or website, then you could just not bypass CS, or not? You may agree that it is every user’s own choice and responsibility how much “security over convenience” he wants. I am not surfing porn sites or am connecting to torrent networks but am generating a lot of traffic with servers that are surely not set up as honeypots.

Anyway, I didn’t intend to make this a major issue and I’ll surely find a work-around on my own so I rest my case.

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Split Tunneling

Postby parityboy » Wed Aug 13, 2014 4:28 pm

@thread

Split tunnelling is indeed useful. I use it in my VM: torrents and other communications go over the VPN, my NZB client uses SSL over the clearnet. My Usenet setup currently means there's no advantage to using it through a VPN (this will change soon though), therefore the additional CPU load from the dual encryption isn't worth it.

However, setting up routes and firewalls on Linux is easy. Windows I'm not so sure about.

Tealc
ForumHelper
Posts: 283
Joined: Tue Jan 28, 2014 12:38 am

Re: Split Tunneling

Postby Tealc » Thu Aug 14, 2014 12:43 am

parityboy wrote:@thread

Split tunnelling is indeed useful. I use it in my VM: torrents and other communications go over the VPN, my NZB client uses SSL over the clearnet. My Usenet setup currently means there's no advantage to using it through a VPN (this will change soon though), therefore the additional CPU load from the dual encryption isn't worth it.

However, setting up routes and firewalls on Linux is easy. Windows I'm not so sure about.


May I assume that you really know how to make good IPtables rules? If so, can I give you my network architecture and ask a little help setting some things up?


df
Site Admin
Posts: 283
Joined: Thu Jan 01, 1970 5:00 am

Re: Split Tunneling

Postby df » Wed Oct 11, 2017 12:34 am

Old thread, but I didn't see any actual commands here, so I thought I'd add some :-)

In this network setup, 192.168.1.1 is the gateway IP for your LAN.
As an IP to exclude from the VPN, I'll use http://ifconfig.co/'s IP, which is currently 188.113.88.193.
On Windows, after connecting to the VPN, visit http://ifconfig.co/ in your browser to verify that the VPN is on.
Then, start a command prompt as Administrator and run:

    route add 188.113.88.193 mask 255.255.255.255 192.168.1.1

That will tell Windows to use the gateway 192.168.1.1 for the IP 188.113.88.193, instead of the default gateway, which is currently the one set by OpenVPN.
If needed, you can also use subnet masks such as 188.113.88.0/24 to instead exclude an entire C class of IPs.

To verify that it's working, go to http://ifconfig.co/ again and you should see your real IP.
To verify that it's only excluding that website, you can use http://checkip.dyndns.org/ or https://cryptostorm.is/ip and you should get the VPN's IP.

Once the exclusion is no longer needed, you can remove that route with:

    route delete 188.113.88.193

On Linux, the command to add the route would be:

    route add -host 188.113.88.193 gw 192.168.1.1

and to delete:

    route del -host 188.113.88.193


Obviously, doing this presents a risk to your anonymity since the IP you're excluding will see your real IP.
If you're connecting to that IP using any plaintext protocol, it could be monitored or hijacked.

I have no plan to add this type of split tunneling feature to the widget, since most people don't need it.
The few that do can use the above commands.
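The commands in df's post, generalised as an added example (not code from the post, from cryptostorm, or from the widget): a Python helper that turns a list of hosts or CIDR ranges plus the LAN gateway into the equivalent Windows `route`, Linux `ip route` and OpenVPN `route ... net_gateway` lines. The non-obvious part is that Windows `route` takes a dotted netmask rather than a `/24` suffix, so the helper converts the prefix length; it also refuses exclusions that are not public addresses, that overlap the LAN, or that are wider than a /24, since every host in an excluded range sees the real source address. The `net_gateway` keyword is OpenVPN's name for the pre-VPN default gateway, so the same exclusion can live in the client .ovpn and be re-applied on every connect. The 192.168.1.1 gateway, the 192.168.1.0/24 LAN and the 188.113.88.193 example host are assumptions taken from the thread above.

```python
import ipaddress

# Added example, not the forum post's own commands. LAN gateway and prefix are
# assumptions taken from the examples in the thread.
LAN_GATEWAY = "192.168.1.1"
LAN_PREFIX = "192.168.1.0/24"


def to_network(target):
    """Accept '188.113.88.193' or '188.113.88.0/24'; a bare host becomes a /32."""
    net = ipaddress.ip_network(target, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only: %s" % target)
    return net


def check_exclusion(target, lan_prefix=LAN_PREFIX, max_width=24):
    """Return the reasons this exclusion is a bad idea (empty list == fine).

    Anything routed around the VPN reveals the real source address, so the
    list should be narrow and contain only public destinations.
    """
    net = to_network(target)
    issues = []
    if not net.is_global:
        issues.append("%s is not a public address range" % net)
    if net.overlaps(ipaddress.ip_network(lan_prefix)):
        issues.append("%s overlaps the LAN %s (already reached locally)" % (net, lan_prefix))
    if net.prefixlen < max_width:
        issues.append("%s is wider than /%d; every host in it bypasses the VPN" % (net, max_width))
    return issues


def windows_route_cmds(target, lan_gateway=LAN_GATEWAY):
    """Windows `route` wants a dotted netmask, not CIDR notation."""
    net = to_network(target)
    add = "route add %s mask %s %s" % (net.network_address, net.netmask, lan_gateway)
    delete = "route delete %s mask %s" % (net.network_address, net.netmask)
    return add, delete


def linux_route_cmds(target, lan_gateway=LAN_GATEWAY):
    """iproute2 equivalents of the net-tools `route add -host` in the post."""
    net = to_network(target)
    add = "ip route add %s via %s" % (net.with_prefixlen, lan_gateway)
    delete = "ip route del %s via %s" % (net.with_prefixlen, lan_gateway)
    return add, delete


def openvpn_directive(target):
    """Same exclusion as a client-config line; net_gateway = pre-VPN default gateway."""
    net = to_network(target)
    return "route %s %s net_gateway" % (net.network_address, net.netmask)


def build_plan(targets, lan_gateway=LAN_GATEWAY, lan_prefix=LAN_PREFIX):
    """Validate every exclusion first; one bad entry aborts the whole plan."""
    problems = {t: check_exclusion(t, lan_prefix) for t in targets}
    problems = {t: p for t, p in problems.items() if p}
    if problems:
        raise ValueError("refusing to generate routes: %s" % problems)
    return {
        "windows": [windows_route_cmds(t, lan_gateway) for t in targets],
        "linux": [linux_route_cmds(t, lan_gateway) for t in targets],
        "openvpn": [openvpn_directive(t) for t in targets],
    }


if __name__ == "__main__":
    plan = build_plan(["188.113.88.193"])
    for platform, lines in plan.items():
        print(platform)
        for entry in lines:
            print("  ", entry if isinstance(entry, str) else entry[0])
```

The OpenVPN form has one practical advantage over running `route add` by hand: the exclusion is torn down and re-created with the tunnel, so a reconnect to a different server cannot leave a stale host route behind.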

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Split Tunneling

Postby marzametal » Thu Oct 19, 2017 3:28 pm

Still, a good bit of info... thanks!

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Split Tunneling

Postby parityboy » Fri Oct 20, 2017 4:44 pm

@marzametal

Haven't seen you around in a little while, how's things? :D

marzametal
Posts: 504
Joined: Mon Aug 05, 2013 11:39 am

Re: Split Tunneling

Postby marzametal » Tue Oct 24, 2017 12:44 pm

parityboy wrote:@marzametal

Haven't seen you around in a little while, how's things? :D

Yeah, I've got a bit going on behind the scenes, which is keeping me away from the PC. Overall, still alive (I think)! How's your side treating you?

Hoping the CS Router will be out soon. Bit apprehensive about this :)

parityboy
Site Admin
Posts: 1096
Joined: Wed Feb 05, 2014 3:47 am

Re: Split Tunneling

Postby parityboy » Tue Oct 24, 2017 5:42 pm

marzametal wrote:
parityboy wrote:@marzametal

Haven't seen you around in a little while, how's things? :D

Yeah, I've got a bit going on behind the scenes, which is keeping me away from the PC. Overall, still alive (I think)! How's your side treating you?

Hoping the CS Router will be out soon. Bit apprehensive about this :)


Yeah, all's good here, still keeping my life glued together lol. :D Cheers for the link. :)

