VPN and DNS Nonsense

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

/dev/null

Unread post by GekkoP » Sat Jun 25, 2022 12:12 pm

gutterslob wrote:
Sat Jun 25, 2022 9:27 am
You'd have to be a big-ass profile target if someone really gave a fuck about that though. Even most criminal cases don't involve that. Anyhooz, if you multi-hop, say with the first hop being Mullvad's owned server in Sweden or Norway, then the Italy datacenter only sees encrypted traffic coming from those datacenter IPs.
Understood. I don't see myself doing anything that requires super-serious protection. However, Italian politics have been getting worse year after year since I was born and judging by how messy they are right now, it's better to expect even something worse around the corner.
gutterslob wrote:
Sat Jun 25, 2022 9:27 am
Sometimes ISP peering with other ISPs is poor (they have more customers than their infrastructure is meant for), or compromised for whatever reason (undersea cable faults, conflict zones, etc) so multi-hopping can, on those occasions, mitigate issues like high packet loss or high latency/jitter.
I've recently changed ISP provider to something finally offering decent fiber optic infrastructure, but since this is pretty much a new thing it's hard to trust them. Sure, my connection has never been so good, but they had breakage in Northern Italy twice in a week last month, and by now I've learnt pretty well how Italians care about their work. Not entirely their fault, I know, but still, having a backup for packet loss and latency cannot be bad.

Thank you as usual for the tips.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Sat Jun 25, 2022 6:19 pm

GekkoP wrote:
Sat Jun 25, 2022 12:12 pm
Understood. I don't see myself doing anything that requires super-serious protection. However, Italian politics have been getting worse year after year since I was born and judging by how messy they are right now, it's better to expect even something worse around the corner.
Same goes for almost anywhere else in the world, I reckon. What we do online that's legal today might be a crime tomorrow, so your mindset is a good one. I read somewhere that Italy recently banned the use of Google Analytics, though I don't know if that's only for official/government use or a blanket ban. So at least you guys have made a small step in the right direction (although I think Google Play Services is a bigger threat). That and you still have great food.

GekkoP wrote:
Sat Jun 25, 2022 12:12 pm
I've recently changed ISP provider to something finally offering decent fiber optic infrastructure, but since this is pretty much a new thing it's hard to trust them. Sure, my connection has never been so good, but they had breakage in Northern Italy twice in a week last month, and by now I've learnt pretty well how Italians care about their work. Not entirely their fault, I know, but still, having a backup for packet loss and latency cannot be bad.
Traceroutes help. Can't remember if MTR is installed by default on Ubuntu. I'll use that as an example...

To check for egress peering issues between you and your desired Mullvad server (using it7 as an example), while disconnected from VPN do:

    mtr --aslookup it7-wireguard.mullvad.net

or

    mtr -wz it7-wireguard.mullvad.net

To check for ingress peering issues do the same while connected to that specific Mullvad server, just using your home IP (meaning the address that appears on the second hop in the previous output, assuming the first value is the typical 192.168.x.x router IP) instead.

From those outputs, you can determine if there's any packet loss or high ping, and can cross reference the guilty ASN number on a site like www.peeringdb.com to determine what peering provider or internet exchange/escrow your ISP has a deal with and whether they're cheaping out (based on how much bandwidth the related port allows).

You can also test data flow between two Mullvad servers you intend to use multi-hop with. E.g., single-hop connect to an Italian server and do a traceroute to a Swedish server, then single-hop connect to that Swedish server and do a traceroute to the Italian server. Not really necessary though since most datacenter-to-datacenter paths are well optimized.

Mullvad's server page on their website can be made to show just their owned servers, so if you ever find the need to multi-hop, best to use one of those as the first hop.

Edit:
Holy crap that came out longer than I realized.
Meh, just think of it as me leaving a long note-to-self, because I'll certainly forget all this one day in the near future, just like how I've completely forgotten pacman or dnf syntax, or even what I had for lunch yesterday. Guess I'll blame Long Covid like everyone else.
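A small triage script for the mtr workflow in the post above, added here as an example and not code from the thread or from Mullvad. It reads mtr's report-mode output (the assumption is `mtr -rwz HOST`, i.e. the `-wz` invocation above plus `-r` so the result is printable text; the column layout below is the one I expect from that mode and may differ between mtr versions), finds the first hop from which packet loss or a latency jump persists all the way to the destination, and lists the ASN of that hop so it can be looked up on a peering database. The same parser serves the ingress check, since the report from the VPN-server side has the same shape. The two reports embedded in it are constructed for the example (documentation ranges and private ASNs, not real measurements); the second one shows the caveat a practitioner should know, namely that loss at an intermediate hop which the destination does not inherit is the router rate-limiting its own ICMP replies, not forwarding loss.

```python
"""Triage an mtr report (assumed format: ``mtr -rwz HOST``) to find where loss or a
latency jump begins and which ASN owns that hop.  Example code, not from the thread;
both sample reports below are constructed, not real captures."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: loss starts at the ISP's own hop 3 and persists to the end.
SAMPLE_REPORT = """\
Start: 2022-06-25T18:00:00+0200
HOST: homebox                         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS???    192.168.1.1              0.0%    10    0.4   0.5   0.3   0.9   0.2
  2. AS64500  100.64.0.1               0.0%    10    5.1   5.3   4.8   6.0   0.4
  3. AS64500  198.51.100.5            60.0%    10   25.3  40.1  20.1  95.2  22.5
  4. AS64501  203.0.113.10            20.0%    10   24.9  26.0  24.1  29.3   1.6
  5. AS64502  203.0.113.200           20.0%    10   27.5  28.2  26.9  31.0   1.2
"""

# Constructed sample: hop 3 drops half the probes but the destination is clean,
# the classic signature of a router rate-limiting ICMP rather than real loss.
SAMPLE_ICMP_RATELIMIT = """\
HOST: homebox                         Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. AS???    192.168.1.1              0.0%    10    0.4   0.5   0.3   0.9   0.2
  2. AS64500  100.64.0.1               0.0%    10    5.1   5.3   4.8   6.0   0.4
  3. AS64500  198.51.100.5            50.0%    10   12.0  12.4  11.0  14.0   0.9
  4. AS64502  203.0.113.200            0.0%    10   24.0  24.6  23.1  27.0   1.0
"""

LINE_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\s+(?P<asn>AS\S+)\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%\s+"
    r"(?P<snt>\d+)\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)\s+"
    r"(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)\s*$"
)


@dataclass
class Hop:
    index: int
    asn: str
    host: str
    loss: float   # percent of probes lost at this hop
    avg: float    # average RTT in ms
    wrst: float   # worst RTT in ms


def parse_report(text: str) -> List[Hop]:
    """Parse the per-hop lines of an mtr report; 'Start:' and header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hops.append(Hop(int(m["hop"]), m["asn"], m["host"],
                            float(m["loss"]), float(m["avg"]), float(m["wrst"])))
    return hops


def loss_origin(hops: List[Hop], threshold: float = 2.0) -> Optional[Hop]:
    """First hop from which loss persists all the way to the destination.

    Loss at an intermediate hop that later hops do not show is the router
    deprioritising its own ICMP replies, not dropping forwarded traffic, so it
    is deliberately ignored: only loss still visible at the last hop counts."""
    if not hops or hops[-1].loss < threshold:
        return None
    origin = None
    for hop in reversed(hops):
        if hop.loss < threshold:
            break
        origin = hop
    return origin


def latency_jump(hops: List[Hop], jump_ms: float = 15.0) -> Optional[Hop]:
    """First hop whose average RTT rises by more than jump_ms over the previous hop,
    provided the destination's RTT is raised by at least that much too (a spike the
    later hops do not inherit is, again, just slow ICMP handling at that router)."""
    for prev, hop in zip(hops, hops[1:]):
        if hop.avg - prev.avg > jump_ms and hops[-1].avg - prev.avg >= jump_ms:
            return hop
    return None


def triage(text: str) -> dict:
    """Summarise a report: where loss/latency starts and which ASNs to look up."""
    hops = parse_report(text)
    loss = loss_origin(hops)
    jump = latency_jump(hops)
    suspects = {h.asn for h in (loss, jump) if h is not None and h.asn != "AS???"}
    return {
        "hops": len(hops),
        "loss_origin": None if loss is None else (loss.index, loss.asn, loss.host),
        "latency_jump": None if jump is None else (jump.index, jump.asn, jump.host),
        "asns_to_check": sorted(suspects),
    }


if __name__ == "__main__":
    for name, report in (("ISP loss", SAMPLE_REPORT),
                         ("ICMP rate-limit", SAMPLE_ICMP_RATELIMIT)):
        print(name, triage(report))
```

On the first sample the script points at hop 3 in AS64500, the same ASN as hop 2, which is what an egress problem inside your own ISP looks like; on the second it reports nothing, because the 50% loss at hop 3 never reaches the destination. Feed it a saved report with something like `python3 mtr_triage.py < report.txt` after swapping the samples for `sys.stdin.read()`.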

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: /dev/null

Unread post by GekkoP » Sat Jun 25, 2022 9:56 pm

gutterslob wrote:
Sat Jun 25, 2022 6:19 pm
Same goes for almost anywhere else in the world, I reckon. What we do online that's legal today might be a crime tomorrow, so your mindset is a good one. I read somewhere that Italy recently banned the use of Google Analytics, though I don't know if that's only for official/government use or a blanket ban. So at least you guys have made a small step in the right direction (although I think Google Play Services is a bigger threat). That and you still have great food.
Yes, it's the right step to take, but as you said it's also a small one. So many things are being ignored on purpose I don't even know where to start. But you nailed it: it's basically the same everywhere in the world.
gutterslob wrote:
Sat Jun 25, 2022 6:19 pm
Traceroutes help. Can't remember if MTR is installed by default on Ubuntu. I'll use that as an example...
Great stuff. I checked following your instructions and I seem to have set it up just fine because I don't see any packet loss. I'll inspect further tomorrow, though. (It's getting late.)
gutterslob wrote:
Sat Jun 25, 2022 6:19 pm
Holy crap that came out longer than I realized.
Nah, don't you ever worry about it. ;)

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: /dev/null

Unread post by gutterslob » Tue Jun 28, 2022 4:18 pm

GekkoP wrote:
Sat Jun 25, 2022 9:56 pm
Great stuff. I checked following your instructions and I seem to have set it up just fine because I don't see any packet loss. I'll inspect further tomorrow, though. (It's getting late.)
It's mostly useful for those days your ISP is giving you problems (latency, download speeds, resolving problems, etc), or if you're trying to determine the most performant multi-hop route.

Then again, unlike me, you're based in Europe and are spoilt for choice with regards to servers/locations, so if you don't want the added latency of a multi-hop connection but still wish for added datacenter integrity, you can perform traceroutes to the closest "Owned by Mullvad" servers to see which one gives comparable single-hop performance to your local Milan node. I know your boot-shaped country is big, but wager your best bet would be Zurich (ch5 - ch9) based on distance.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: VPN and DNS Nonsense

Unread post by GekkoP » Tue Jun 28, 2022 6:50 pm

Indeed Zurich is the first choice. :)

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: VPN and DNS Nonsense

Unread post by GekkoP » Wed Jun 29, 2022 9:31 am

gutterslob wrote:
Tue Jun 28, 2022 3:59 pm
bind your torrent client to your VPN network interface.
Can we continue this here? :)

My setup for torrenting is fairly basic:

- my home server runs headless transmission
- the server is behind Mullvad (wireguard) + NextDNS on the router
- I set up ufw to restrict network activity, but transmission of course is allowed

Am I missing something?

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: VPN and DNS Nonsense

Unread post by gutterslob » Wed Jun 29, 2022 2:17 pm

^ If you're running a WireGuard interface on the router then I assume it's running some open source WRT firmware or pfSense? I must admit that I'm not that well versed in router setup in a general sense, because routers all run different firmware and interfaces. If you've successfully activated a kill-switch for the tunnel, then you should have nothing to worry about. No need to worry about binding your client to any interface as long as the kill-switch or ufw rule on the router is set to block all traffic when the VPN is down.

Edit:
Do these help? Assuming you can SSH into your router for a CLI interface (as opposed to a Web-GUI).
https://mullvad.net/en/help/wireguard-and-mullvad-vpn/
https://www.ivpn.net/knowledgebase/linu ... ll-switch/


If it's a Web-GUI then the settings for the kill-switch can be anywhere. It's simple on something like DD-WRT where you just go to Settings/Setup and search for the Tunnels tab where the option should reside.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: VPN and DNS Nonsense

Unread post by GekkoP » Wed Jun 29, 2022 3:07 pm

No, I explained myself in the wrong way, sorry.

The router just has NextDNS set up on it (it's a FritzBox, stock firmware), while Mullvad is on the server (the CLI app). I set up Mullvad to always require VPN, though (the "always-require-vpn" option, I mean).

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: VPN and DNS Nonsense

Unread post by gutterslob » Wed Jun 29, 2022 3:14 pm

^ Ah, okay. Means your client is on the server itself. You mentioned the "always-require-VPN" thing, meaning you're running the GUI version on that server? But you say it's headless. I'm a bit confused here.

Anyway, if the always require toggle is enabled (assuming it's in the Mullvad GUI app) then start a torrent (like a well seeded Ubuntu ISO) and try disconnecting (or killing the app) midway to see if the torrent stalls. If it does, you're good.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: VPN and DNS Nonsense

Unread post by GekkoP » Wed Jun 29, 2022 3:44 pm

^ This is what I did on my server, no GUI:

    $ mullvad always-require-vpn set on

You're right: I tried a torrent; after a while I did "mullvad disconnect" and it stalled. Even a basic "sudo apt update" does not work with the VPN disconnected. Once again, thanks for the tips.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: VPN and DNS Nonsense

Unread post by gutterslob » Wed Jun 29, 2022 4:27 pm

^ Ah, my bad. I was conflating your server setup with a manual WireGuard configuration. Somehow overlooked that you can have just Mullvad-CLI installed on a headless machine. You even mentioned Mullvad-CLI specifically before when you first signed up. Sorry, brain-fart on my part.

As for the whole "binding torrent client to openvpn/wireguard network interface" thing, it's mainly useful for Windows users, since you can have multiple 'tun' interfaces pointing to the same tunnel (eg: after updating the Mullvad app a couple of times) on that stupid operating system.

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: VPN and DNS Nonsense

Unread post by gutterslob » Wed Jun 29, 2022 4:41 pm

Oh, if you want some extra assurance, take note of your ISP-issued IP address (ipv4 format) and the time you download a certain torrent filename when on VPN, and check on https://iknowwhatyoudownload.com/ a couple hours later. If that same filename appears at the same time against your ISP-issued address, then there's some leakage somewhere.

That site's also useful to know what others sharing your VPN-issued IP have been up to. If you see a ton of sketchy stuff (like child porn) being downloaded on that IP, might be a good idea to change servers just to be safe (the "guilty by association" thing and all). Note that the site only tracks public torrents. Private trackers aren't represented.

ivanovnegro
Minister of Truth
Posts: 5448
Joined: Wed Oct 17, 2012 11:12 pm

Re: VPN and DNS Nonsense

Unread post by ivanovnegro » Wed Jun 29, 2022 8:00 pm

^ Wow. That site is, fuck...

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: VPN and DNS Nonsense

Unread post by GekkoP » Wed Jun 29, 2022 8:05 pm

^^ Super, thanks!

vic
Godot
Posts: 2109
Joined: Wed Oct 17, 2012 10:11 am
Location: /bin

Re: VPN and DNS Nonsense

Unread post by vic » Thu Jun 30, 2022 4:12 am

^^^ :O thanks!
Sorry guys, no signature for a while, too busy with life. :|

wuxmedia
Grasshopper
Posts: 6445
Joined: Wed Oct 17, 2012 11:32 am
Location: Back in Blighty

Re: VPN and DNS Nonsense

Unread post by wuxmedia » Mon Jul 04, 2022 11:36 am

I happen to have a VPS - so I use that with rtorrent - never had any DMCAs.
I d/l at ethernet speeds... then download back down from there to the home server to view on the TV. It does need a lot of maintenance though.
So yeah it's not perfect as anything would lead right back to me.
"Seek, and Ye shall find"
"Github | Chooons | Site"

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: VPN and DNS Nonsense

Unread post by gutterslob » Mon Jul 04, 2022 7:09 pm

^ There are dedicated 'SaaS' services (offcloud, bitport, seedr) that offer similar. They'll do the torrenting for you and then you download/stream using https. Whether that's cheaper or more expensive would depend on what kind of VPS instance you have running on your setup, although most accept some form of crypto payment these days, so you can have a certain level of privacy provided you're smart with mixing/tumbling. Then there are dedicated seedbox providers. I don't use any of these (hardly torrent), so can't really offer any opinion. You'd probably still want a VPN as a go-between, just to remove your ISP from the equation, so total cost goes up again.

I did roll a WireGuard tunnel on a VPS (either DigitalOcean or OVHcloud) for a while. Performance-wise they're unbeatable but the bandwidth caps can be an inconvenience, and there's a paper-trail as you stated. Still hoping to find time to learn how to deploy a v2ray+shadowsocks or TrojanGFW tunnel, just for the education. Never know when they'll come in handy, though I suspect my lazy-arse unmotivated self will just use Xeovo or similar service instead.

wuxmedia
Grasshopper
Posts: 6445
Joined: Wed Oct 17, 2012 11:32 am
Location: Back in Blighty

Re: VPN and DNS Nonsense

Unread post by wuxmedia » Wed Jul 06, 2022 11:40 am

Yeah I only d/l kids films anyway - then close the torrent once it's done. Hardly amazing security but not been hit in the 6 years or how long I've used it.

GekkoP
Emacs Sancho Panza
Posts: 5877
Joined: Tue Sep 03, 2013 7:05 am

Re: VPN and DNS Nonsense

Unread post by GekkoP » Mon Jul 11, 2022 9:52 am

This might be only me being a newbie at DNS and VPN settings, but the only way to make Mullvad work with NextDNS as its custom DNS is tweaking the Mullvad App under Settings > Advanced with the following:

- Enable IPv6
- Tunnel protocol > Set Wireguard
- Use custom DNS server > Use NextDNS IPv6 endpoints

Turn on the VPN and browse at https://test.nextdns.io

gutterslob
Resident Tranny
Posts: 1124
Joined: Thu Aug 08, 2013 7:13 pm

Re: VPN and DNS Nonsense

Unread post by gutterslob » Wed Jul 13, 2022 7:56 am

^ Ironically, it's more likely that non-newbies would overlook this, as they tend to skip reading documentation and will not realize that the two IPv6 addresses provided in the 'Endpoints' section in NextDNS's Setup tab contain the account ID at the end which is linked to their configuration. Also, with regards to Mullvad's app, many users (myself included) initially assumed that the Custom DNS field only supported IPv4 addresses back when Mullvad introduced the feature. I only found out after emailing them to request support for url strings in order to employ DNS-over-HTTPS/TLS servers, to which their support replied asking if the DNS provider had an IPv6 address, at which point I facepalmed to self for being such an ignorant buffoon. Still wish that they supported DoH/DoT though (they claimed they were considering it back in that email exchange) as it would allow for more DNS providers.
