
Does DHT Break VPN Security and Expose Your IP?


stevefoobar


I'm relatively new to P2P (I use uTorrent) and extremely new to VPN use.

I've been reading some old posts (maybe 2009) that seem to imply that DHT, which was relatively new for P2P sites back then, was leaking real IP addresses because it somehow doesn't use or bypasses VPNs.

This can't be true can it? Has this been corrected? Obviously there is no point in using a VPN if DHT leaks real IP addresses anyway. Also, DHT and PEX links are THE NEW STANDARD for P2P sites and all major sites have implemented them and are moving completely away from traditional torrents, so it isn't really an option to disable DHT and PEX in your client, although uTorrent does give you that option.

I would appreciate input from someone that is more knowledgeable and current on this topic. Please no responses if you aren't absolutely sure of what you are claiming as obviously this is a serious issue and would make VPN subscriptions pointless if true.

Thanks!


It's possible the posts I've been reading are just wrong or they are misinformed. It's also possible they are referring to using proxy servers but I'm not sure. I certainly would like to get more details on this to feel more secure.

It's amazing to me how little information is available on the net regarding proper use of VPN services when using P2P clients and what the potential risks are if any of using a VPN and I've done A LOT of searching and reading!


Protect Your IP From Being Disclosed if Your VPN Connection Fails

The following steps will help assure that you do not accidentally expose your real IP address if your VPN connection drops. Normally if this were to happen, your real IP address would be exposed since your normal networking connection is still in place if the VPN connection is lost. There is no firewall or P2P monitor application needed. You only need to make relatively simple changes to your Windows routing table using simple commands. Although this looks like a lot of information, it’s really quite simple. I’m just being very thorough and very detailed. After doing it a few times, it will become second-nature!

Steps

Because I disabled my Wi-Fi adapter, I plugged in a network cable from my laptop to my router. Since I have my laptop set to use DHCP, a local IP and DNS addresses got assigned to the Ethernet adapter in my laptop. In my case, that was 192.168.1.107 because I choose to start my IP addresses at 100, which is just a personal preference. I have my Linksys router’s IP set to 192.168.1.1 which is pretty common. Just substitute your router’s IP address for mine (192.168.1.1) and your computer’s assigned IP address for mine (192.168.1.107) in the examples below.

I then opened a Windows command shell (Start, Run, cmd) and from within it typed route print to view the routing table. The first entry is what is called a “default route” to which all traffic that does not otherwise have a specific destination routes to. You can see my laptop’s IP address (Interface) and my router’s IP address (Gateway) in the entry which looks like this:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.107      20

You don’t need to understand what the Netmask is or how to use network masks in general or what the Metric is, although you can certainly research these if you like.

Now start up your VPN client application. If it works like mine (http://PrivateInternetAccess.com, located in Michigan, USA), it will create another entry in the routing table based on the IP address it is using for the server you happen to connect to. Now type route print again to view the new routing table. The first two lines should look something like this:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0        128.0.0.0      10.140.1.17     10.140.1.18       1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.107      20

You will notice there are now two default routes—the original one for your network adapter and router as well as the new VPN route, which has its own Gateway and Interface IP addresses based on the server you connect to. Of course, your VPN service will have different IP addresses for these and may use a different Netmask as well. Since VPN is a protocol that rides on top of the normal networking protocol these table entries make sense. Once the VPN connection is established though and the correct routing table entry is made, the normal default route is not needed (second line). As a matter of fact, therein lies the problem. If the VPN connection drops (first line gets automatically deleted) the default route to your router (second line) remains and any connections in place via your P2P client or other connections will continue uninterrupted, which is what you don’t want when using a P2P client because that would expose your real IP address and DNS servers (more on DNS at the end of this tutorial).

To remedy this, you simply need to delete the default route to your router while the VPN connection is active. To do this, within the command shell window, simply type route delete 0.0.0.0 192.168.1.1 and then type route print again to verify that the “normal” default route has been deleted and only the VPN route remains (along with several other routes below the VPN route that should not affect what we are doing).

The final “feel good” test would be to now open up your P2P client and start downloading something legal and large enough to take a few minutes to test just in case you did something wrong and your real IP gets exposed briefly. I would not recommend downloading the latest Blu-Ray release of a big box office movie!

Once you start seeing the file downloading and possibly uploading, go to your VPN client application (usually in the system tray area) and disconnect from the VPN server. You should notice that all your downloads and uploads stop. If you use http://uTorrent.com, don’t be confused if the timers in the Peers column are still counting down or if the DHT and PEX entries still say “working”. I presume this is either a bug or just the way they designed uTorrent, since even if you physically unplug your network cable or turn off your Wi-Fi adapter, you will notice the counters still count down and the DHT and PEX entries still say “working”!

To get your VPN connection working again, you can’t just simply reconnect to your VPN because remember you deleted the default route to your router that the VPN needs initially to connect to its server. You will need to add the default route back to the routing table BUT FIRST SHUT DOWN YOUR P2P APPLICATION COMPLETELY! There are several easy ways to add the default route back:

* Disconnect and reconnect your network cable if you are connected that way or disable, then re-enable your Wi-Fi adapter if you are connected that way. Either should automatically recreate the default route to your router.

* Within a command window, type ipconfig /release then ipconfig /renew. This sometimes works and sometimes doesn’t in my experience.

* Within a command window, manually recreate the entry by typing route add 0.0.0.0 mask 0.0.0.0 192.168.1.1 [metric 1 if 2]. The parts in brackets are optional and shouldn’t be needed unless you want to change the metric (number of hops) for some reason or want to use a specific device (the number after the “if”) other than your normal network adapter. Windows will pick the best metric (usually 1) and the best network adapter automatically. If you want to see how your network adapters are numbered (in hex) then just look at the first few lines in the route print output which will look something like this:

Interface List
0x1 . . . . . . . . . . . . . . . . . . . . . . . . MS TCP Loopback interface
0x2 . . . 00 C3 D5 35 7B 24 . . . . . Sis 900-Based PCI Fast Ethernet Adapter – Packet Scheduler Miniport
0x3 . . . 00 78 FC A9 FE 38 . . . . . TAP-Win32 Adapter V9 – Packet Scheduler Miniport

In the above, my normal network device is device #2 (0x2). My VPN client application “device” is #3 (0x3).

Once you add the default route back, try reconnecting to your VPN server. If it doesn’t reconnect you may need to terminate then restart the VPN client application. Once you confirm it’s reconnected, go back and repeat the above steps starting with the step to delete the default route to your router.

Again, once you have a stable VPN connection working, you don’t want the default route still in the routing table. After you verify there is just the VPN route in the table (route print), it’s safe to restart your P2P application.

Final Notes

Creating Simple Batch Scripts

If you like, you can easily create tiny batch files so you don’t have to type these commands over and over. I created three batch scripts named rprint.bat, rdelete.bat, and radd.bat. To create each one, use the built-in shell editor (edit rprint.bat for example). The first script contains the line “route print”. The second script contains the lines “route delete 0.0.0.0 192.168.1.1” and “route print”. The third contains the lines “route add 0.0.0.0 mask 0.0.0.0 192.168.1.1” and “route print”. To run these batch script files from a command prompt window, type either rprint, rdelete, or radd. Note that if you are using a different command prompt window (like the PowerShell below for example) you may have to add a “.\” in front of each command when you want to run them (.\rprint for example).

Windows Command Shell

The built-in Windows XP (which is what I’m using) command shell window is very basic and sometimes difficult to read because of word wrapping. A much nicer Windows shell can be downloaded for free from Microsoft. I don’t know if this applies to Windows 7 and 8 or not. This search on the Microsoft Download Center page will produce versions you can look through http://search.microsoft.com/en-us/results.aspx?q=windows+powershell&x=14&y=6

DNS Leaks

In addition to the possibility of exposing one’s real IP address (i.e. the IP address your ISP assigns to you on a frequent basis) you need to be concerned with a phenomenon of VPN usage called DNS Leaking. There are some VPN services that claim they take steps to assure this doesn’t happen. Depending on how safe you want to feel, there are things you can do manually to make sure that even if your DNS servers get leaked, they won’t point back to you or even the area you are in.

The two steps I did were to first find the DNS server addresses that my VPN provider uses or prefers. Once I knew this, I manually typed them into the DNS fields of the TCP/IP VPN connection created in my Network Connections area by the VPN client application. I won’t go into the details of how to do that here but it’s very easy. In my case, http://PrivateInternetAccess.com uses 4.2.2.1 and 4.2.2.2 as their DNS servers. Next, to be absolutely sure my DNS wouldn’t get leaked by accident, I changed my preferred ISP DNS servers to generic ones within my router (which then of course, gets used by all computers on my network that have DHCP turned on), since I don’t want anyone to know what ISP I’m using. There are lots of choices for other DNS servers and two very popular ones are Google (8.8.8.8, 8.8.4.4) and OpenDNS (208.67.222.222, 208.67.220.220, 208.67.222.220, 208.67.220.222).

IMPORTANT: If your router has more than two entries for DNS servers make sure to fill them all up even if you have to duplicate the server numbers. If you leave any blank, your router may pick up your ISP DNS numbers for those blank entries and assign them as DNS3, DNS4, etc.

Final Caution

Obviously, this technique involves multiple steps every time you want to use your VPN service and as such is prone to “pilot error”. The most important thing you can do is always double check to make sure the normal route to your router has been deleted before you start up your P2P client and always make sure you shut down your P2P client after a VPN disconnection before starting everything back up again. Furthermore, keep in mind that Windows will recreate the default route automatically if you reboot the machine, unplug then re-plug your network connection, or disable then re-enable your Wi-Fi or other networking connection.

Disclaimer

Of course, I’m not encouraging illegal activity and I can’t guarantee that any of this information will work 100% of the time to keep you from being exposed.

Happy secure downloading!

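The routing-table "kill switch" in the post above is written for the Windows XP route command. As an added example (not part of the original post, and not code from uTorrent or Private Internet Access), here is the same procedure, plus the DNS-leak check from the DNS Leaks section, as one PowerShell script for current Windows. It assumes Windows 8 or later (the NetTCPIP and DnsClient cmdlets), an elevated prompt, the router address 192.168.1.1 and the DNS servers 4.2.2.1 / 4.2.2.2 from the post, and a VPN virtual adapter whose name starts with "TAP"; the adapter pattern, the router address and the P2P process name are assumptions you adjust via the parameters. It also encodes the post's two cautions as hard checks: it refuses to delete the LAN default route unless a default route via the VPN adapter exists, and it refuses to add the LAN route back while the P2P client is still running.

```powershell
<#
  Added example (not part of the original post): PowerShell version of the
  routing-table "kill switch" and DNS check described in the thread.
  Assumptions: Windows 8+ (NetTCPIP / DnsClient cmdlets), an elevated prompt,
  router 192.168.1.1 and DNS 4.2.2.1/4.2.2.2 as in the post, and a VPN virtual
  adapter named "TAP*". Adjust the parameters for your own setup.
#>
param(
    [ValidateSet('print', 'delete', 'add', 'dns')]
    [string]$Action = 'print',
    [string]$RouterIp = '192.168.1.1',            # LAN default gateway from the post
    [string]$VpnAdapterPattern = 'TAP*',          # assumed name of the VPN virtual adapter
    [string[]]$VpnDns = @('4.2.2.1', '4.2.2.2'),  # provider DNS servers named in the post
    [string]$P2pProcess = 'uTorrent'              # client that must be closed before re-adding the route
)

# Equivalent of "route print", restricted to what matters here: the LAN default
# route (0.0.0.0/0) and the two half-routes (0.0.0.0/1, 128.0.0.0/1) that
# OpenVPN-style clients install to take precedence over it.
function Get-DefaultRoutes {
    Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -in @('0.0.0.0/0', '0.0.0.0/1', '128.0.0.0/1') } |
        Select-Object DestinationPrefix, NextHop, InterfaceAlias, InterfaceIndex, RouteMetric
}

# True only when a full or half default route goes out of the VPN adapter.
function Test-VpnRoutePresent {
    $vpn = Get-NetAdapter | Where-Object { $_.Name -like $VpnAdapterPattern -and $_.Status -eq 'Up' }
    if (-not $vpn) { return $false }
    $idx = @($vpn | ForEach-Object { $_.ifIndex })
    return [bool](Get-DefaultRoutes | Where-Object { $_.InterfaceIndex -in $idx })
}

# Equivalent of "route delete 0.0.0.0 192.168.1.1", but only while the VPN
# route exists, so a mistake cannot leave the machine with no default route.
function Remove-LanDefaultRoute {
    if (-not (Test-VpnRoutePresent)) {
        throw "No default route via '$VpnAdapterPattern' found; connect the VPN first."
    }
    Remove-NetRoute -DestinationPrefix '0.0.0.0/0' -NextHop $RouterIp -Confirm:$false
    Get-DefaultRoutes
}

# Equivalent of "route add 0.0.0.0 mask 0.0.0.0 192.168.1.1" on the physical
# adapter; enforces the post's rule that the P2P client is closed first.
function Add-LanDefaultRoute {
    if (Get-Process -Name $P2pProcess -ErrorAction SilentlyContinue) {
        throw "$P2pProcess is still running; close it before restoring the LAN route."
    }
    $lan = Get-NetAdapter -Physical | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
    if (-not $lan) { throw 'No physical adapter is up.' }
    New-NetRoute -DestinationPrefix '0.0.0.0/0' -NextHop $RouterIp `
                 -InterfaceIndex $lan.ifIndex -RouteMetric 1 | Out-Null
    Get-DefaultRoutes
}

# DNS-leak check: lists the resolvers on every IPv4 interface and flags any
# that are not the VPN provider's, which is what the post's manual DNS step fixes.
function Test-DnsServers {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $foreign = $_.ServerAddresses | Where-Object { $_ -notin $VpnDns }
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Servers   = ($_.ServerAddresses -join ', ')
                LeakRisk  = [bool]$foreign
            }
        }
}

switch ($Action) {
    'print'  { Get-DefaultRoutes    | Format-Table -AutoSize }
    'delete' { Remove-LanDefaultRoute | Format-Table -AutoSize }
    'add'    { Add-LanDefaultRoute  | Format-Table -AutoSize }
    'dns'    { Test-DnsServers      | Format-Table -AutoSize }
}
```

Save it as, for instance, vpnroute.ps1 and run it from an elevated PowerShell window: .\vpnroute.ps1 -Action print mirrors the post's rprint.bat, -Action delete and -Action add mirror rdelete.bat and radd.bat, and -Action dns shows which interfaces still carry a resolver other than the provider's. The same caveat from the post's Final Caution applies unchanged: Windows recreates the LAN default route on reboot, cable re-plug or adapter re-enable, so run -Action print before starting the client every time.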
