How to avoid an insecure initial connection on public Wi-Fi networks before the VPN is enabled?

3

2

It’s a best practice to use a VPN when you connect to public Wi-Fi networks. However, in the scenarios I am aware of, you first connect to the network and only then—after connecting—switch to the VPN. In that case there is a time window when your traffic goes over an insecure connection and you are vulnerable.

My concern is many programs/services/processes running on a PC execute a housekeeping/update check/status check as soon as a network connection is available. And all those activities would be performed via an insecure connection if they are triggered before the switch to the VPN connection.

Is it possible to avoid this?

peterfoldi

Posted 2015-04-04T14:38:22.397

Reputation: 106

This is a non-issue because VPN connection will be encrypted from your client connection to the VPN anyway. Simply connecting to a public Wi-Fi network in and of itself won’t expose anything. – JakeGould – 2015-04-04T15:02:42.183

Yes it does: many programs/services/processes running on your PC execute a housekeeping/update check/status check as soon as a network connection is available. And all those activities will be performed on an insecure connection until you switch to the VPN. – peterfoldi – 2015-04-04T15:14:17.477

Very fair reason and concern. I just edited your question to add that info since it clarifies the whole concern in my mind. – JakeGould – 2015-04-04T15:19:54.363

@peterfoldi: You beat me by 75 seconds! – G-Man Says 'Reinstate Monica' – 2015-08-16T16:47:46.910

Use http://superuser.com/questions/262799/how-to-launch-a-command-on-network-connection-disconnection to remove the default route (route delete on 0.0.0.0) and add a route (route add) to the VPN network going through the default gateway, so you allow the VPN to establish. Let the VPN connection give you the default route to 0.0.0.0. – ssnobody – 2015-08-18T00:36:28.847

@ssnobody this sounds like a possible solution on Windows. And I guess something similar is possible on the other systems. The question is if this event is triggered soon enough after the connection status change. I have a Mac atm. I will try to "port" this to the Mac after the weekend. Do you want to make it an "answer" instead of a comment? – peterfoldi – 2015-08-25T08:32:17.840

I think my comment would have to be fleshed out to be an answer. The OS X version of the Windows part is over at http://superuser.com/questions/391799/how-can-you-automatically-run-a-script-after-connecting-to-a-vpn-on-os-x though, if you'd like to undertake the task. – ssnobody – 2015-08-25T14:54:31.300

Answers

1

How you do this specifically depends on what OS you use and what firewall you use. The general rule is to set your firewall to block connections by default so nothing can access the internet at all, then manually add the required rules for the VPN to work.

In Windows, for example, the built-in firewall rules can be changed to block outbound by default on a per-profile basis. If you do this on the Public profile, then nothing can access the internet. Then, create an allow rule for your VPN client software, so nothing can access the internet other than the VPN client. Finally, either assign the VPN to a private profile or add additional rules to allow outbound access through the VPN interface alone.

On Linux, for example, it is very similar: set the default outbound rule to 'DROP' in iptables, add a specific allow rule for your VPN server, and then add a specific allow rule for all outbound traffic via the VPN adapter.

qasdfdsaq

Posted 2015-04-04T14:38:22.397

Reputation: 5 762
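The Linux variant of this answer, written out as an added example (not the answerer's own script): an iptables kill switch that drops all outbound traffic by default, allows only the VPN handshake on the physical interface, and then allows everything via the tunnel. The server address, port, protocol and interface names are constructed placeholders, and DRY_RUN=1 prints the rules instead of applying them so the set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the answer: a Linux iptables "kill switch"
# following the scheme above (default-deny outbound, allow only the VPN
# handshake, then allow everything via the tunnel interface).
# Constructed values (assumptions, not from the page):
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # must be an IP, not a hostname: DNS is blocked
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_IF="${VPN_IF:-tun0}"                   # tunnel interface created by the VPN client
UPLINK_IF="${UPLINK_IF:-wlan0}"            # physical (untrusted) Wi-Fi interface

# With DRY_RUN=1 the rules are printed instead of applied, so the rule set
# can be reviewed (or tested) without root.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_killswitch() {
    run -F OUTPUT
    run -P OUTPUT DROP                              # nothing leaves unless allowed below
    run -A OUTPUT -o lo -j ACCEPT                   # local traffic
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DHCP, so the Wi-Fi association itself can complete on the uplink.
    run -A OUTPUT -o "$UPLINK_IF" -p udp --dport 67 -j ACCEPT
    # The only new connection allowed on the uplink: the VPN handshake itself.
    run -A OUTPUT -o "$UPLINK_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    # Everything else must go through the tunnel.
    run -A OUTPUT -o "$VPN_IF" -j ACCEPT
    # Log what would have leaked (visible with dmesg/journalctl), then drop it.
    run -A OUTPUT -j LOG --log-prefix "vpn-killswitch-drop: " --log-level 4
    run -A OUTPUT -j DROP
}

case "${1:-}" in
    apply) apply_killswitch ;;            # needs root
    show)  DRY_RUN=1 apply_killswitch ;;  # print the rule set only
esac
```

The same rules need to be mirrored in ip6tables on a dual-stack host, otherwise IPv6 traffic bypasses the kill switch entirely.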

0

It would take some time and effort on your part to do the setup, but if you are concerned enough about the security risk arising from automatic updates, then you can use your firewall to block application access.

This post gives you the details on how to do this for Windows 7, but most firewalls have a similar concept where you can control the inflow and outflow to your computer.

AMR

Posted 2015-04-04T14:38:22.397

Reputation: 490