[liberationtech] Forcing VPN on Mac OS X

elijah elijah at riseup.net
Mon Sep 2 23:44:57 PDT 2013


On 09/02/2013 09:54 PM, Mitar wrote:

> Is there some software which would prevent any outgoing networking on
> Mac OS X until a VPN to a trusted server is established? So on the
> system level? I am wary that between me connecting to an untrusted
> WiFi and establishing a VPN tunnel, there is some window where
> probably all possible services try to ping home, auto-update and so
> on.

You should be wary. Since Appelbaum has not mentioned it yet, I will
mention his paper for him:

"Virtual Pwned networks"
https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks

There are any number of common leaks, including DNS leakage, IPv6
leakage, failing open, and, as you mention, the time lag between when
the network comes up and when the default route is changed. You could
also add poor cipher negotiation, and badly set up VPN gateways that use
the same IP for both ingress and egress. At LEAP, we are trying to
prevent all these problems with our free software server platform and
autoconfiguring OpenVPN client application, but it is not easy or ready
for production use yet (https://leap.se).

This can be handy for testing DNS leaks (which are really easy to
accidentally cause on Mac): https://www.dnsleaktest.com/

-elijah
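
Added example, not part of elijah's message and not LEAP's code: a check for two of the leaks listed above (IPv6 leakage and failing open) that takes `netstat -rn` output and reports which probe addresses would leave on an interface other than the tunnel. The tunnel name `utun0`, the probe addresses and the sample routing table are assumptions constructed for illustration; interface-scoped routes and DNS settings are not considered.

```python
import ipaddress, re
# Constructed sample modeled on `netstat -rn` output on Mac OS X; not captured from a real host.
SAMPLE = """\
Internet:
Destination        Gateway            Flags   Refs   Use   Netif Expire
default            192.168.1.1        UGSc      50     0     en0
0/1                10.8.0.5           UGSc       3     0   utun0
128.0/1            10.8.0.5           UGSc       1     0   utun0
203.0.113.10/32    192.168.1.1        UGSc       1     0     en0

Internet6:
Destination        Gateway            Flags   Netif Expire
default            fe80::1%en0        UGc       en0
"""

def parse_dest(dest, v6):  # expand netstat's abbreviations (0/1, 128.0/1, 192.168.1)
    if dest == "default":
        return ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
    dest = re.sub(r"%[^/]*", "", dest)        # drop an IPv6 zone id such as %en0
    if v6:
        return ipaddress.ip_network(dest, strict=False)
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    plen = plen or str(8 * len(octets))       # "192.168.1" means /24, a full address /32
    return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + "/" + plen, strict=False)

def parse_routes(text):
    routes, v6, netif_col = [], False, None
    for line in text.splitlines():
        f = line.split() or [""]
        if f[0] in ("Internet:", "Internet6:"):
            v6 = f[0] == "Internet6:"
        elif f[0] == "Destination":
            netif_col = f.index("Netif")      # column position differs between the two tables
        elif netif_col is not None and len(f) > netif_col:
            try:
                routes.append((parse_dest(f[0], v6), f[netif_col]))
            except ValueError:
                pass                          # not a route line
    return routes

def egress(routes, ip):  # longest-prefix match: interface a packet to ip would leave on
    ip = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, ifc) for net, ifc in routes if net.version == ip.version and ip in net]
    return max(hits)[1] if hits else None

def leaks(text, tunnel="utun0", probes=("8.8.8.8", "192.0.2.1", "2001:db8::1")):
    routes = parse_routes(text)               # probes are only looked up, never contacted
    return {p: i for p in probes if (i := egress(routes, p)) not in (tunnel, None)}
```

On the sample, IPv4 is covered by the two /1 routes through the tunnel, while the IPv6 default route still points at en0.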


