Since Hideaway causes terrible DNS leaks and doesn't have a kill switch to block all internet connection while not connecting to it,
I've decided to use Windows Defender Firewall to block all Internet traffic not through HideAway.
So, I blocked all outbound connections to the "Domain", "Private" and "Public" networks, disabled all the outbound settings including the default ones, and only allowed hideaway.exe and update.exe.
The rules seem to work fine once HideAway is connected, but it gets stuck on checking the update and license before it is connected.
The connection log says it has something to do with "DNS".
So, I enabled the default setting named "Core Networking - DNS (UDP-Out)", which allows the remote port 53 (I am no network expert at all).
The "DNS" rule passes Hideaway's update and license checks, but, this time, Hideaway causes DNS leaks once it is disconnected and reconnected.
I restricted the "DNS" rule to the "System" process or svchost.exe, but it didn't work.
So, what to do to prevent these DNS leaks?
Also, is it OK if it allows outbound "Public" connections if I set my default network connections to "Private"?
It seems fine so far...
How to prevent IP and DNS leaks using Windows Firewall?
- nick.bolton
- The Big Cheese
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Hi
To prevent DNS leaks, you need to have 'All Computer' redirected to a location, otherwise you will get DNS leaks as things like svchost.exe leak your DNS. It doesn't work with things like just your web browser redirected.
- tomor
- Mystified Moa
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Nick,
Thanks for the reply.
I have set Hideaway to "RE:My Computer".
I'm sorry but I don't think you got my question.
What I was trying to say was simply allowing hideaway.exe could not unblock Internet access.
So I configured the firewall to allow connections for port 53.
Then, when I disconnected Hideaway, all Internet access was blocked,
but then when I reconnected it, IPLEAK.net started to detect my real DNS numbers.
I think you can also see such DNS leaks if you allow connections for port 53.
Just remember you need to leave IPLEAK.net open while checking it, as it keeps testing a DNS leak throughout that time.
So, I want to know how to block all connections outside Hideaway (hideaway.exe) without losing Internet access, by not simply allowing connections for port 53.
Or, I want to know how to redirect svchost.exe to a Hideaway server, as you mention in FAQ something like this:
"If you didn't want to redirect port 53, then you could make a filter for the process 'svchost.exe' and redirect this to your chosen location."
Plus, I say this because you also mention in FAQ that Hideaway uses a protocol similar to "Wireguard" but,
I want to know how to route all Hideaway traffic through the "Public" network if possible.
This will make it much easier for the firewall to block all non-Hideaway connections, as, like I said last, I have set my default network connection to "Private".
Since Wireguard cannot delete the default gateway, I suppose most connection leakage protections, like "Kill Switch", for Wireguard use this method.
Anyway, sorry for the confusion!
- nick.bolton
- The Big Cheese
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Hi, thanks for this. You shouldn't be getting DNS leaks in the first place. Can I please ask you to take a video of your hideaway config and showing the DNS leak? Then we can come back to your other config.
1. connect hideaway with my computer
2. show DNS leak is protected
3. go to networking and disable your ethernet/wifi
4. re-enable your ethernet/wifi
5. refresh DNS leak to show it still protects
As long as hideaway is in connected mode, its kill-switch is active if you lose internet connection.
Latency becomes "-1ms" to show your internet is off. We're doing a re-design to show this more clearly.
Otherwise something must be interfering with your network.
Also, svchost.exe is not really reliable in your test, because chrome can make its own DNS requests via Port 53.
Here's mine https://25fc482ddf92aa413bac-f38e90dc86 ... _video.mp4
- tomor
- Mystified Moa
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Nick,
Thank you very much for the reply.
nick.bolton wrote: also, svchost.exe is not really reliable in your test, because chrome can make its own DNS requests via Port 53.
I am sorry but I don't think you get it.
I am not a native English speaker, nor am I a networking expert at all, so apparently I often have trouble describing things well.

I don't want to allow port 53 and svchost.exe to be accessed/connected online, if possible, as they seem to be a culprit for the DNS leaks, which I am not saying Hideaway causes.
I think ipleak.net can somehow detect my DNS even if I disconnect Hideaway and my PC gets offline (and then ipleak.net can show the DNS numbers when I reconnect Hideaway and my PC gets online), because I simply allow port 53 to connect to the Internet.
I want to configure my firewall to block all connectivity outside of Hideaway to ensure there is "ZERO" chance of any kind of leak, including IP leaks, DNS leaks, IPv6 leaks, WebRTC leaks, etc.
I want Internet access on my PC to be active only when Hideaway is connected.
Hideaway's built-in "Kill Switch" is not enough for me because I often go online without realizing I have forgotten to connect to Hideaway.
nick.bolton wrote: Can I please ask you to take a video of your hideaway config and showing the DNS leak?
Sure, but I'm not familiar with recording/screening a video on PC.
Can you recommend me any good free screen software for beginners?
I want to make a video like yours.
Also, I am not comfortable with posting a video on my PC on the Internet.
Can you tell me how to send the video via e-mail or DM?
- nick.bolton
- The Big Cheese
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Ok, got it. So if HideAway is not working, then you want your internet connection to be dead. We're making quite a few changes to the app at the moment, so we'll look at this. It could be a bit risky though, let's say someone has a problem with HideAway for some reason (eg software conflict) and can't get it to work and your PC then requires HideAway to be working for the internet to work, then that could be a problem.
I'm not sure how you would do this with Windows Firewall though, well it looks like you were halfway there.
svchost.exe is a process that DLL's etc use to access the internet, so if you block it, then some of your other apps won't work.
If you check the box 'Start HideAway when Windows starts', then it will start on startup.
I used Bandicam, and their free version has 10 minutes of free recording https://www.bandicam.com/faqs/free-full-version/
You can send to me at [email protected]
- tomor
- Mystified Moa
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Nick,
Thanks again for the reply.
nick.bolton wrote: It could be a bit risky though, let's say someone has a problem with HideAway for some reason (eg software conflict) and can't get it to work and your PC then requires HideAway to be working for the internet to work, then that could be a problem.
Then I'll turn the firewall off to fix it. Easy.

nick.bolton wrote: I'm not sure how you would do this with Windows Firewall though.
I've described it in my first comment.
Anyway, I'll show you how in the video.

nick.bolton wrote: well it looks like you were halfway there.
Yes, I am.
That's What I'm Saying.
As far as I am aware, I have blocked every leak except this.
That's Why I'm Asking.

nick.bolton wrote: svchost.exe is a process that DLL's etc use to access the internet, so if you block it, then some of your other apps won't work.
I'm NOT SAYING THIS.
I'm saying I want svchost.exe to access the Internet VIA HIDEAWAY ONLY!

nick.bolton wrote: I used Bandicam, and their free version has 10 minutes of free recording https://www.bandicam.com/faqs/free-full-version/ You can send to me at [email protected].
Thanks for this info.
Since I'm busy right now, I'll send it to you next month. Give me some time.
But, I'm sorry if it sounds rude but, are you really interested in helping me with this?
If not, I don't want to waste my time anymore.
- nick.bolton
- The Big Cheese
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Yes of course we want to help, when you get time send me the video as it should be working.
- tomor
- Mystified Moa
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
nick.bolton wrote: ... send me the video as it should be working.
I'm not saying my Hideaway is not working properly.
I want my internet connection to be dead while not connecting to Hideaway.
I want something like "(Inter)Net Lock", which AirVPN, the owner of ipleak.net, calls.
I think I've read them explaining it somewhere on their website, but I can't find it right now.
Anyway, if you are not willing to help me on this, I don't really want to make the video as it seems to take me quite some time.
Last edited by tomor on Fri May 23, 2025 12:45 am, edited 1 time in total.
- nick.bolton
- The Big Cheese
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
Hi,
I understand what you're trying to do. I looked up AirVPN's kill switch and it does the same thing as HideAway - if the VPN connection fails then your internet is not leaked.
But if you're wanting your internet for your entire computer to only run if HideAway is connected then I've done a bit of research but I haven't got it working quite yet. It uses the Windows Firewall as you've done, but essentially creating a rule to block all internet unless it's via HideAway. Will ask a programmer...
- tomor
- Mystified Moa
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
I want to make a quick comment.
Instead of enabling "Core Networking - DNS (UDP-Out)," which opens port 53 for all programs, I created a new rule that opens port 53 only for hideaway.exe, but the same leaks still occur.
Incidentally, with both Wireguard and OpenVPN clients, I can connect to the Internet without enabling "Core Networking DNS (UDP-Out)" and my "Internet Lock" rule works perfectly and the leaks don't occur.
- tomor
- Mystified Moa
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
I don't have time to make the video right now, but I post the following blog post, which inspired me to configure the "Internet Lock" rules more than 10 years ago, hoping you will get an idea what I'm talking about, FYI: https://practicalrambler.blogspot.com/2 ... s-use.html
As for my "Internet Lock" rule, I've blocked all connections including ones for the "Public Profile".
https://practicalrambler.blogspot.com/2 ... affic.html
In the blog's rule (step 7), he made all VPN connections "Public" and all the other connections "Private", and then block all "Private" connections.
However, since I don't see any network interface (like TAP or TUN adapters) to connect to HideAway, I don't think it is necessary, right?
I've also disabled all the "Allow" rules including the Windows Defender Firewall's default ones.
Then I've created and enabled two "Allow" rules to allow connections for hideaway.exe in app-x.xx.x (not one in HideAway) and update.exe in HideAway folders.
Since I cannot connect to HideAway, I "HAD TO" enable WDFW's default rule "Core Networking - DNS (UDP-Out)", which opens port 53 to all programs,
but now I've created the new "Allow" rule that opens port 53 to hideaway.exe only instead and "STILL HAVE TO" have it enabled, as I mentioned in my last comment. <-- Does it make sense? What I wanted to say is that I DON'T LIKE HAVING TO ENABLE THESE RULES because it is obvious that THEY are causing the leaks in question and neither OpenVPN nor WireGuard official client requires these rules for them to connect to the internet.
Now, please activate your WDFW with my "Internet Lock" rules, establish a connection to HideAway, and then go to ipleak.net.
With ipleak.net open, disconnect from Hideaway and go to a site like google.com and make sure your internet connection is dead.
Then, leaving ipleak.net STILL as it is, please connect to Hideaway again, and ipleak.net should show your DNSes as well as HideAway's DNSes.
Does this make sense? Do I still need to make the video?
BTW, I think you will see these DNS leaks without my "Internet Lock", too.
############################################ Additions #############################################
Nick,
I'm sorry to respond to your post below here, as I don't like the number there.

----------------------------------------------------------------------------------------------------
Nick,
Thanks for the update.
I think the MSDN post is a little bit too old,
because the blog post I showed above says "Unfortunately, this will not work with the built-in firewall in Windows XP or Vista".
Anyway, I don't use any "Block" rule.
I've blocked all connections "that do not match a rule"!
Please go to "Windows Defender Firewall with Advanced Security" and read what it has to say.
BTW, have you tried ipleak.net the way I mentioned above?
I don't think you have.
Please don't take this issue lightly, as it is not only my problem.
It can happen to anybody including those who don't need my configuration.
I told you that the leaks would occur in any configuration other than mine, didn't I?
I saw the leak happen when I switched to a different HideAway's server, too!
So, say, in the middle of listening to a streaming service or downloading something,
you find your HideAway's connection slow and so switch to a different HideAway's server.
Then, the company behind the service could get your real IP or DNS information if they are performing the same kind of detection as ipleak.net is doing, right?
----------------------------------------------------------------------------------------------------
Also, can you tell me why my new rule doesn't work?
Since I've allowed port 53 to be open to hideaway.exe only, all connections on my PC still go through HideAway only, right?
Can you get hideaway.exe to block port 53 while disconnected or not working?
----------------------------------------------------------------------------------------------------
Anyway, I don't want port 53 to be open on my PC.
I have seen many programs, including OpenVPN and the official WireGuard client, connect to the internet despite the WDFW blocking port 53.
Why can't Hideaway do that?
----------------------------------------------------------------------------------------------------
nick.bolton wrote: It's odd though that just a normal install for you is showing leaks. No one else is seeing this.
Again? .. sigh

Don't trivialize the issue.
Do me a favor and just try what I said!
Please connect to and disconnect from Hideaway one or several times (I mean, connect, disconnect and "RE-CONNECT"), making sure to keep ipleak.net open the entire time.
(Do not refresh it as you did in your video.)
You will see what I am talking about even without my setup.
----------------------------------------------------------------------------------------------------
nick.bolton wrote: I know it's a potential issue if HideAway will not start, then traffic blocking will still happen. The only solution I can think of is another application we would make which would monitor if HideAway is running. If HideAway is not running, then that application would block all traffic, until HideAway runs again.
That is why we need the "Internet Lock", which is the solution for this issue.
Don't you think so?

It's been a week since I sent you the video. Any update on this?

Anyway, I was wrong about this.
tomor wrote: Incidentally, with both Wireguard and OpenVPN clients, I can connect to the Internet without enabling "Core Networking DNS (UDP-Out)" and my "Internet Lock" rule works perfectly ...
As for Wireguard and OpenVPN clients, I allowed connections via the "public" interface, so DNS connections through it weren't blocked.
So I tried blocking DNS connections via the "public" interface.
Then, I was able to establish a connection with both Wireguard and OpenVPN clients, but I couldn't get them to connect to the web.
Looks like this SERIOUS problem would be difficult to solve with HideAway.

nick wrote: The only solution I can think of is another application we would make which would monitor if HideAway is running. If HideAway is not running, then that application would block all traffic, until HideAway runs again.
What a

This is what Windscribe calls "snake oil"!
https://windscribe.com/knowledge-base/a ... illswitch/
Also, check out this (https://windscribe.com/blog/how-to-actu ... 811b7088d/, in particular, "Firewall" section), which he wrote about 10 years ago!
At that time, not many providers seemed to realize it, but I believe most of them offer this feature these days as they support Wireguard, whose default gateway cannot be deleted as OpenVPN does.
----------------------------------------------------------------------------------------------------
Anyway, are you really working on this?
If so, I've been reading this thread (https://www.wilderssecurity.com/threads ... op.309955/) and think it might be helpful.
I also used to use Comodo FW with AirVPN's rules and it worked great!
I don't think the rules are specific to them.
In fact, I've never used AirVPN.
IMO, my rules are better because AirVPN's rules are very complicated.
However, I believe the complicity works great here.
Additionally, I remember seeing a post on AirVPN's forum about a script that can be used to set up your firewall to block non-VPN traffic.
I hope this will help.
Last edited by tomor on Thu Jun 05, 2025 3:29 pm, edited 15 times in total.
- nick.bolton
- The Big Cheese
Post
Re: How to prevent IP and DNS leaks using Windows Firewall?
I've done a bit more deep diving in to this and tried your idea.
I tried to block all traffic and only allow hideaway.exe but that didn't work because block rules in WF take precedence over allow rules (https://learn.microsoft.com/en-us/previ ... dfrom=MSDN). Unfortunately there's no way to give precedence over another rule. Maybe a different Firewall will allow this.
That's true we don't have TUN or TAP adaptor.
It's odd though that just a normal install for you is showing leaks. No one else is seeing this.
I know it's a potential issue if HideAway will not start, then traffic blocking will still happen. The only solution I can think of is another application we would make which would monitor if HideAway is running. If HideAway is not running, then that application would block all traffic, until HideAway runs again.
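The setup discussed in this thread (drop outbound traffic that matches no rule, then allow only hideaway.exe and update.exe) is sketched below in PowerShell as an added example; it is not code from the thread or from HideAway. The install paths, rule group name and backup folder are placeholders, and the audit function only reports which enabled Allow rules still admit remote port 53; it does not address the reconnect behaviour reported above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Paths and names below are placeholders.
$HideAwayExe = 'C:\Path\To\HideAway\app-x.xx.x\hideaway.exe'  # placeholder path
$UpdateExe   = 'C:\Path\To\HideAway\update.exe'               # placeholder path
$Group       = 'Internet Lock (example)'                      # hypothetical rule group
$BackupDir   = Join-Path $env:USERPROFILE 'wdfw-backup'       # hypothetical backup folder

function Backup-FirewallPolicy {
    # Export the whole policy so it can be restored with: netsh advfirewall import <file>
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $file = Join-Path $BackupDir ("policy-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
    netsh advfirewall export $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Policy export failed; nothing was changed.' }
    return $file
}

function Enable-InternetLock {
    # Refuse to lock the machine down if the allowed executables are missing.
    foreach ($exe in $HideAwayExe, $UpdateExe) {
        if (-not (Test-Path -LiteralPath $exe)) { throw "Not found: $exe" }
    }
    $backup = Backup-FirewallPolicy

    # Default action, not a Block rule: traffic matching no rule is dropped,
    # while an Allow rule still lets its program through.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultOutboundAction Block

    # Remove rules left by an earlier run, then disable every enabled outbound
    # Allow rule, built-in ones included ("Core Networking - DNS (UDP-Out)" too).
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow `
        -ErrorAction SilentlyContinue | Disable-NetFirewallRule

    # Per-program Allow rules on every profile.
    foreach ($exe in $HideAwayExe, $UpdateExe) {
        New-NetFirewallRule -DisplayName ('Allow ' + (Split-Path $exe -Leaf)) `
            -Group $Group -Direction Outbound -Program $exe -Action Allow `
            -Profile Any | Out-Null
    }
    return $backup
}

function Get-OutboundAllowForPort53 {
    # Report enabled outbound Allow rules whose port filter admits remote port 53,
    # with the program and service each rule is bound to ("Any" = every program).
    Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow `
        -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        if ($port.RemotePort -contains '53' -or $port.RemotePort -contains 'Any') {
            [pscustomobject]@{
                Rule       = $_.DisplayName
                Protocol   = $port.Protocol
                RemotePort = $port.RemotePort -join ','
                Program    = ($_ | Get-NetFirewallApplicationFilter).Program
                Service    = ($_ | Get-NetFirewallServiceFilter).Service
                Profile    = $_.Profile
            }
        }
    }
}

# Usage from an elevated session:
#   $backup = Enable-InternetLock
#   Get-OutboundAllowForPort53 | Format-Table -AutoSize
#   netsh advfirewall import $backup     # roll back to the exported policy
```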