[liberationtech] Forcing VPN on Mac OS X
ali at packetknife.com
Tue Sep 3 00:01:45 PDT 2013
Ah yes - thanks for reminding me.

DNSCrypt has worked well for our end-users and when configured not to
fail over - does the necessary trick on OS X:

And something that didn't work well at all (in the context of my last
message) was Radio Silence (http://radiosilenceapp.com/).

Again, this is the "regular end-user" response given the initial query.

If you really want to mitigate against OS wonkiness then your own
router / hw isolation via a Grugq Portal
(https://github.com/grugq/portal) or using pfSense
(http://www.pfsense.org/) or DD-WRT

Honestly if you're not trying to support it for someone else, then go
straight to the last option moving forward.

-Ali

On Tue, Sep 3, 2013 at 2:44 AM, elijah <elijah at riseup.net> wrote:
> On 09/02/2013 09:54 PM, Mitar wrote:
>> Is there some software which would prevent any outgoing networking on
>> Mac OS X until a VPN to a trusted server is established? So on the
>> system level? I am wary that between me connecting to an untrusted
>> WiFi and establishing a VPN tunnel, there is some window where
>> probably all possible services try to ping home, auto-update and so
> You should be wary. Since Appelbaum has not mentioned it yet, I will
> mention his paper for him:
> "Virtual Pwned networks"
> There are any number of common leaks, including DNS leakage, IPv6
> leakage, failing open, and, as you mention, the time lag between when
> the network comes up and when the default route is changed. You could
> also add poor cipher negotiation, and badly set up VPN gateways that use
> the same IP for both ingress and egress. At LEAP, we are trying to
> prevent all these problems with our free software server platform and
> autoconfiguring OpenVPN client application, but it is not easy or ready
> for production use yet (https://leap.se).
> This can be handy for testing DNS leaks (which are really easy to
> accidentally cause on Mac): https://www.dnsleaktest.com/
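
A routing-table audit for the leaks named in the quoted message (IPv6 leakage, failing open, traffic still following the pre-VPN default route), as an added example that is not from the thread or from LEAP. The sample table is constructed in the layout of `netstat -rn` on OS X; the tunnel interface prefixes and the `0/1` plus `128.0/1` override routes (OpenVPN `redirect-gateway def1`) are assumptions about the VPN client in use.

```python
TUNNEL_PREFIXES = ("utun", "tun", "tap", "ppp", "ipsec")  # assumed tunnel interface names
# Assumption: OpenVPN "redirect-gateway def1" overrides the IPv4 default with these two routes.
OVERRIDES = {"Internet": {"0/1", "128.0/1"}}

# Constructed sample in the layout of `netstat -rn` on OS X (not captured from a real host).
SAMPLE = """\
Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
0/1                10.8.0.5           UGSc         utun0
128.0/1            10.8.0.5           UGSc         utun0

Internet6:
Destination        Gateway            Flags        Netif Expire
default            fe80::1%en0        UGc            en0
"""

def parse_routes(text):
    """Return {family: [(destination, netif), ...]} from netstat -rn style text."""
    routes, family, netif_col = {}, None, None
    for cols in filter(None, map(str.split, text.splitlines())):
        if cols[0] in ("Internet:", "Internet6:"):
            family, netif_col = cols[0].rstrip(":"), None
            routes[family] = []
        elif cols[0] == "Destination" and "Netif" in cols:
            netif_col = cols.index("Netif")  # column position differs between OS releases
        elif family and netif_col is not None and len(cols) > netif_col:
            routes[family].append((cols[0], cols[netif_col]))
    return routes

def audit(text):
    """Return sorted (family, finding, netif) for catch-all routes on non-tunnel interfaces."""
    findings = set()
    for family, rows in parse_routes(text).items():
        defaults = {nif for dst, nif in rows if dst == "default"}
        want = OVERRIDES.get(family, set())
        halves = {nif for dst, nif in rows if dst in want}
        overridden = bool(want) and want <= {dst for dst, _ in rows}
        # Traffic follows the override routes when present, otherwise the default route.
        for nif in (halves if overridden else defaults):
            if not nif.startswith(TUNNEL_PREFIXES):
                findings.add((family, "leak", nif))
        # A physical default left underneath the overrides takes over if the tunnel drops.
        if overridden:
            findings.update((family, "fail-open", nif) for nif in defaults
                            if not nif.startswith(TUNNEL_PREFIXES))
    return sorted(findings)
```

On the sample, `audit(SAMPLE)` reports the IPv4 default on `en0` as fail-open and the IPv6 default on `en0` as a leak; feeding it the live output of `netstat -rn` before and after the VPN connects shows which of these a given client leaves behind.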