[liberationtech] Forcing VPN on Mac OS X

Ali-Reza Anghaie ali at packetknife.com
Tue Sep 3 00:01:45 PDT 2013


Ah yes - thanks for reminding me.

DNSCrypt has worked well for our end-users and when configured not to
fail over - does the necessary trick on OS X:
http://opendns.github.io/dnscrypt-osx-client/ ..

And something that didn't work well at all (in the context of my last
message) was Radio Silence (http://radiosilenceapp.com/).

Again, this is the "regular end-user" response given the initial query.

If you really want to mitigate against OS wonkiness then your own
router / hw isolation via a Grugq Portal
(https://github.com/grugq/portal) or using pfSense
(http://www.pfsense.org/) or DD-WRT
(http://www.dd-wrt.com/site/index).

Honestly if you're not trying to support it for someone else, then go
straight to the last option moving forward. -Ali


On Tue, Sep 3, 2013 at 2:44 AM, elijah <elijah at riseup.net> wrote:
> On 09/02/2013 09:54 PM, Mitar wrote:
>
>> Is there some software which would prevent any outgoing networking on
>> Mac OS X until a VPN to a trusted server is established? So on the
>> system level? I am wary that between me connecting to an untrusted
>> WiFi and establishing a VPN tunnel, there is some window where
>> probably all possible services try to ping home, auto-update and so
>> on.
>
> You should be wary. Since Appelbaum has not mentioned it yet, I will
> mention his paper for him:
>
> "Virtual Pwned networks"
> https://www.usenix.org/conference/foci12/vpwns-virtual-pwned-networks
>
> There are any number of common leaks, including DNS leakage, IPv6
> leakage, failing open, and, as you mention, the time lag between when
> the network comes up and when the default route is changed. You could
> also add poor cipher negotiation, and badly set up VPN gateways that use
> the same IP for both ingress and egress. At LEAP, we are trying to
> prevent all these problems with our free software server platform and
> autoconfiguring OpenVPN client application, but it is not easy or ready
> for production use yet (https://leap.se).
>
> This can be handy for testing DNS leaks (which are really easy to
> accidentally cause on Mac): https://www.dnsleaktest.com/
>
> -elijah
> --
> Liberationtech is a public list whose archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
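The thread asks for a system-level block that stops all egress until the tunnel is up, and elijah's reply lists the usual leak classes (DNS, IPv6, failing open, the window before the default route changes). The pf ruleset below is an added example for this thread, not something from the original posts or from any of the tools mentioned; it is a minimal "kill switch" for the pf firewall that ships with OS X. The interface names (en0 for the physical link, utun0 for the tunnel), the VPN server address 203.0.113.10 and the UDP port 1194 are assumed illustration values, and the helper functions around the generator are ours.

```shell
#!/bin/sh
# Added example: generate a pf ruleset for OS X that drops every outbound
# packet except the VPN handshake itself and traffic on the tunnel interface.
# Interface names, server address and port are assumptions for illustration.

gen_pf_rules() {
    # $1 = physical interface (e.g. en0), $2 = tunnel interface (e.g. utun0)
    # $3 = VPN server IPv4 address, $4 = VPN UDP port
    phys="$1"; tun="$2"; server="$3"; port="$4"
    cat <<EOF
# Generated VPN kill-switch ruleset (assumed values; adjust before loading)
set block-policy drop
set skip on lo0
# Default posture: nothing in or out. Later "quick" rules are the only exits.
block all
# Allow DHCP so the untrusted Wi-Fi can still hand out a lease
pass out quick on $phys proto udp from any port 68 to any port 67
pass in quick on $phys proto udp from any port 67 to any port 68
# The only egress permitted on the physical link: the VPN handshake itself
pass out quick on $phys proto udp from any to $server port $port keep state
# Everything else, DNS included, must traverse the tunnel interface
pass out quick on $tun all keep state
# Belt and braces for the IPv6 leak: nothing leaves over v6 on the physical link
block out quick on $phys inet6 all
EOF
}

# Sanity check: the ruleset starts from a deny-all posture
rules_block_default() {
    gen_pf_rules "$@" | grep -q '^block all$'
}

# Sanity check: count the outbound pass rules (DHCP, handshake, tunnel)
rules_count_pass_out() {
    gen_pf_rules "$@" | grep -c '^pass out'
}

# Usage (values are constructed for the example):
#   gen_pf_rules en0 utun0 203.0.113.10 1194 > /tmp/vpn-killswitch.conf
#   sudo pfctl -f /tmp/vpn-killswitch.conf && sudo pfctl -e
```

Because the physical interface only ever carries DHCP and the handshake to the VPN server, the lag between the network coming up and the default route changing cannot leak anything, and stub resolvers cannot reach the Wi-Fi's DNS server at all, which closes the DNS-leak case from the thread. Two caveats a deployer should check: pf rules loaded with pfctl do not persist across reboots unless a launchd job reloads them early in boot, and the interface names differ between machines (Wi-Fi is en1 on many older Macs), so confirm them with `ifconfig` before loading.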


