For the past couple of days I have been working on a simple but complicated project. Here is the back story…
I connect to a public VPN to keep my torrent traffic hidden and private. One day when I came home I found that the VPN tunnel was reset, probably a server reboot on the other end, and my torrent client defaulted to the direct internet connection on my PC. Well that scared me and I thought how often would that happen and if there was a way to force traffic though a certain path, simple right?
I created a Virtual Server that has Two NICS. One is on a private network, 192.168.0.1/24 and the other is on my normal network with direct internet access. This Virtual Server will connect to the VPN from now on.
On my desktop I have two NICS, one on the 192.168.0.1/24 network and the other on my normal network. I can ping the Virtual Server on both IPs.
The reason I used 192.168.0.1/24 is because I am going to use a cheap trick with ICS. I was trying to route like a real man by using a virtual router, pfsense, on a 10.0.20.0/16 network but if you go that route you will find that network traffic can leak over since your one of the hosts will have a default gateway that will reach the internet.
Incase you want to go this route here is a VBS script that will sever any ‘default’ connection if the VPN fails. It uses ping to access the status of the VPN. If you want to be a more than crappy script then use if states and write the damn thing in python, I for one just wrote something that ‘works’. Basically the script pings a server to see if its up. If the server address fails then an event is executed. You can set this up to send emails or even modify the PSU voltage so that your server will literally catch fire.
‘Monitor a Network Host, if down kill if
‘Tom Schaefer V1.0
Rem Runs Ping command, outputs results to text file.
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objShell = WScript.CreateObject("Wscript.Shell")
strComputer = "."
strCommand = "ping -n 1 -w 999 192.168.1.96"
while not InStr(1,StrResults,"Request timed out.")>0
‘while not InStr(1,StrResults,"Reply from 192.168.1.1: Destination host unreachable.")>0
wscript.sleep 30000 ‘ 30000=30seonds – when the script is first run, no ping for first thirty seconds
Set objExecObject = objShell.Exec(strCommand)
Do While Not objExecObject.StdOut.AtEndOfStream
strResults = objExecObject.StdOut.ReadAll()
strText = strText & strResults
Rem Event is called
Set objFile = objFSO.CreateTextFile("C:\Documents and Settings\Administrator\Desktop\PingFailed.txt")
Rem Shutdown the system or Send an Email!
Rem For Running executables – SrA Schaefer
Set WshShell = wscript.createobject("wscript.shell")
‘Set oExec = WshShell.Exec("calc.exe") ‘<- for teting
Set oExec = WshShell.Exec("netsh.exe interface set interface ""Local Area Connection"" DISABLED")
Rem Renames text file with time and date
Simple Script right.
So since that method wasn’t working is the most secure way I wanted, I decided to force traffic though the VPN.
On your remote VPN client, which is my Virtual Server, setup your VPN and go to properties. Under ICS enable ICS and choose the NIC that you assigned 192.168.0.1 to.
Now on a NIC on the end user client like your desktop assign it the address of 192.168.0.2/24. You may now connect to the VPN and 100% of traffic will be forced though that VPN, as long as you kill any other NICS on your clients. This is perfect because you can setup a DHCP server and hand out these addresses. This would be easily doable for a domain environment but I would not use this method for more than 50 clients.
For 50 or more clients you should route with a virtual router, like pfsense, and setup static routes to the VPN default gateway. Be careful the VPN default gateway can change.
For the readers wanting to do this Torrent traffic its really easy to do this with VUZE since you can bind to a specific if. No longer will I have to worry about the VPN failing because if it does then all torrent traffic, and all traffic on that network, dies.