Saturday, 6 August 2011

MacOS: Force torrents to use only your VPN connection

Using a VPN connection is a popular way to hide your IP address when downloading torrents. Unfortunately, you run the risk of exposing your real IP if your VPN connection drops since your torrent client will immediately reconnect using your default, insecure network connection. This seems to be the standard behaviour in Windows, MacOS, and Ubuntu, and is, in my opinion, a massive security flaw: Once a VPN connection has been enabled, the OS should NOT switch back to an insecure connection until the user has been notified. To my amazement, few people seem to share my opinion, and so I have to find ad-hoc solutions every now and again to make sure that my network activity remains secure when using a VPN.

Windows has a very powerful application-level firewall, which can be used to block any application from using an insecure connection. The process is described in this post. I've also solved the problem in Ubuntu, although I'd have to do some digging to find out how (leave a comment if you want to know).

The last couple of days I have tried to find a way to block torrent downloading over insecure connections for MacOS, and encountered a couple of challenges:
  • The application-level firewall of MacOS is a complete joke. (Found under System Preferences / Security & Firewall)
  • ipfw, the IP-based firewall that comes with a Mac, can only be used to block ALL non-VPN traffic.
  • There seem to be no free application-level firewalls for MacOS, although if you have the money to spare, Little Snitch seems to be a decent piece of software. (edit: I'm not sure if Little Snitch is powerful enough)
  • My torrent clients of choice, µTorrent and Transmission, are not very configurable.
After a lot of searching I finally found a solution using the highly configurable torrent client Vuze (formerly called Azureus).

Step-by-step guide to forcing your torrent downloads to only use VPN on MacOS:
  1. Download and install Vuze. Make sure you do not install the additional software they push on you during the installation process. 
  2. Connect to your VPN service
  3. Open Vuze
  4. Go to Vuze / Preferences / Mode and activate advanced mode. (See picture below.)
  5. In the preferences, go to Connection / Advanced Network Settings. Find the name of your VPN network interface in the text box (e.g., "ppp0"). Enter the name of the interface into the text box "Bind to local ip address or interface". (See picture below.)
  6. Tick the option "Enforce IP bindings ..."
  7. Click save and exit the configuration screen
  8. Try out whether it works: Start downloading some torrent for testing purposes in Vuze, e.g., an Ubuntu installer disk image. The download should only work if your VPN is enabled. If you disconnect the VPN, the connections should fail, and the download should cease.
  9. Success. You have now configured your torrent client to securely download over VPN.
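
To find the interface name for step 5 and to re-check it for step 8, the following added example (not part of the original post) filters `ifconfig` output for point-to-point interfaces that are up and hold an IPv4 address. The function names, sample outputs and addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data below are constructed.

# Print "name ipv4" for every interface that is UP, POINTOPOINT and has an
# IPv4 address. Reads ifconfig output on stdin.
vpn_candidates() {
    awk '
        /^[a-z0-9]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            p2p = ($0 ~ /POINTOPOINT/ && $0 ~ /[<,]UP[,>]/)
        }
        p2p && $1 == "inet" { print name, $2 }
    '
}

# Exit 0 only if the named interface is currently a usable VPN candidate.
vpn_is_up() {
    vpn_candidates | awk -v want="$1" '$1 == want { ok = 1 } END { exit !ok }'
}

# Constructed sample: PPTP tunnel connected.
sample_connected() { cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1444
    inet 10.8.0.6 --> 10.8.0.5 netmask 0xffffff00
EOF
}

# Constructed sample: tunnel down; a utun device exists but has no IPv4 address.
sample_disconnected() { cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
utun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1380
    inet6 fe80::1%utun0 prefixlen 64 scopeid 0x8
EOF
}

sample_connected | vpn_candidates
if sample_disconnected | vpn_is_up ppp0; then
    echo "ppp0 still up"
else
    echo "ppp0 gone: with enforced binding the client cannot connect"
fi
```

On a real Mac, run `ifconfig | vpn_candidates` with the VPN connected and again with it disconnected; the name that appears only while connected is the one to enter in Vuze.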




The above procedure is not ideal since it forces you to use Vuze, which is a big fat piece of bloatware, but it will at least make sure that you do not inadvertently expose your IP address when loading a torrent. If you know of a way to force µTorrent and Transmission to only use a VPN in MacOS, let me know.

As an aside, if you use a PPTP-based VPN, you should also consider disabling IPv6 to ensure security.

28 comments:

  1. Thanks for this guidance. One question based on one of the alternatives you suggest: If I were to use Little Snitch to try to limit traffic to my VPN in Mac OS, what type of rule or rules would I put in place? Little Snitch regulates outgoing traffic by destination, but my VPN is not the final destination for torrent traffic. Any help would be much appreciated -- the Little Snitch support page doesn't seem to have much to offer.

  2. Sorry, but I didn't actually try out Little Snitch. I just assumed it would offer this functionality... I'll edit the post to reflect this.

  3. Hi– Which version of Vuze did you use for your demonstration? In the latest version on the Vuze website they appear to have removed the "Enforce IP bindings" option. It's simply missing, while everything else looks identical. Any idea why that would be? Or whether they simply reconfigured this option somehow?

  4. Apologies, I was mistaken – ignore the last comment.

  5. I use an AppleScript placed in Preferences/Accounts/Login Items on the Mac to run Viscosity to log in to my VPN service and monitor for disconnection when starting up my Mac.
    The script will also turn Mac AirPort off, which I use for internet access, and if uTorrent is running close it or within 1/2 second.

    Viscosity allows for AppleScripts to be incorporated from within, but it can take up to 7 seconds to achieve the above.

    The only disadvantage I can see with this script is that, in case of a disconnection of the VPN service, to turn the AirPort back on again requires a manual Force Quit of the script; then, once VPN is restored, the script to be run, in this case from the Mac dashboard, again.

    Being very new to AppleScripting, I am sure others more enlightened would be able to modify the script accordingly to rectify the above paragraph. I have tested this quite rigorously and it works very well.

    Script as follows:
    ...............................................................
    -- Start Viscosity if it is not already running.
    tell application "Viscosity" to run
    -- Poll the VPN state; on disconnect, cut the wireless link and quit uTorrent.
    repeat
        tell application "Viscosity"
            if the state of the first connection is "Disconnected" then
                -- en1 is the AirPort interface used in this script.
                do shell script "networksetup -setairportpower en1 off"
                tell application "uTorrent" to quit
            end if
        end tell
        -- Pause between checks so the loop does not spin the CPU.
        delay 0.5
    end repeat
    ........................................

  6. Thanks this was very helpful.

  7. Thanks for the guide. I'd be interested in seeing the instructions to do the same thing in Ubuntu. Thanks.

  8. Great, very useful, thank you.

  9. I'd be very interested in finding out how you did this for ubuntu...

  10. Great post!
    Thanks a lot!

  11. Try waselpro VPN service for your Mac and you will feel the big difference; it's fast, secured, cheap and very easy to use.
    http://www.bestcheapvpnservice.com/download-mac-vpn/

  12. Find here best torrent VPN for ultimate level downloading.

  13. Thanks. Interesting post. Check this link.
    top10-bestvpn.com

  14. Thank you. Awesome post about VPN connection for Mac.
    It works cool. Great work.
    10webhostingservice

  15. I didn't see the "ppp0" interface; however, I saw a comment on another forum that said they had to use the "tun0" interface. I didn't see that either, but I did see a "utun0" interface. Not sure if it is safe to use that, but when I do turn my VPN off my torrent stops downloading, and turning it on starts downloading again. So I'm assuming it is.

  16. First of all, it is a service completely free! Yes, as you hear: you don't have to pay any fees in order to use the search engine and then later on the sites where you find the most interesting torrents. VPN for p2p downloading

  17. Here you can find the best vpn for mac for torrenting on mac os.

  18. I genuinely believed you would probably have something useful to say. All I hear is a bunch of whining about something that you can fix if you were not too busy looking for attention. After all, I know it was my choice to read.. uk best vpn

  19. I am unquestionably making the most of your site. You unquestionably have some extraordinary knowledge and incredible stories. debestevpn

  20. Awesome read, I would love to get your opinion on Ivacy VPN. I use it mostly to unblock streaming channels. Do you think it's safe to use?

  21. You can use the kill switch VPN feature, which would auto-disconnect the torrent client once the VPN gets disconnected; see which best VPN for torrenting app supports kill switch.

  22. I am very enjoyed for this blog. Its an informative topic. It help me very much to solve some problems. Its opportunity are so fantastic and working style so speedy. nord vpn free trial

  23. Hey! Folks always be alert when you're using public wifi, as its harm for our data, security & privacy and the best solution is try to use Fastest VPN to stay away from hackers

  24. Thank you for such a wonderful post.
    also check: vpn & antivirus

  25. Pretty great post. I simply stumbled upon your blog and wanted to mention that I have really loved surfing around your blog posts. Great set of tips from the master himself. Excellent ideas. Thanks for Awesome tips Keep it