Saturday, 6 August 2011

MacOS: Force torrents to use only your VPN connection

Using a VPN connection is a popular way to hide your IP address when downloading torrents. Unfortunately, you run the risk of exposing your real IP if your VPN connection drops since your torrent client will immediately reconnect using your default, insecure network connection. This seems to be the standard behaviour in Windows, MacOS, and Ubuntu, and is, in my opinion, a massive security flaw: Once a VPN connection has been enabled, the OS should NOT switch back to an insecure connection until the user has been notified. To my amazement, few people seem to share my opinion, and so I have to find ad-hoc solutions every now and again to make sure that my network activity remains secure when using a VPN.

Windows has a very powerful application-level firewall, which can be used to block any application from using an insecure connection. The process is described in this post. I've also solved the problem in Ubuntu, although I'd have to do some digging to find out how (leave a comment if you want to know).

The last couple of days I have tried to find a way to block torrent downloading over insecure connections for MacOS, and encountered a couple of challenges:
  • The application-level firewall of MacOS is a complete joke. (Found under System Preferences / Security & Firewall.)
  • ipfw, the IP-based firewall that comes with a Mac, can only be used to block ALL non-VPN traffic.
  • There seem to be no free application-level firewalls for MacOS, although if you have the money to spare Little Snitch seems to be a decent piece of software. (Edit: I'm not sure if Little Snitch is powerful enough.)
  • My torrent clients of choice, µTorrent and Transmission, are not very configurable.
After a lot of searching I finally found a solution using the highly configurable torrent client Vuze (formerly called Azureus).

Step-by-step guide to forcing your torrent downloads to only use VPN on MacOS:
  1. Download and install Vuze. Make sure you do not install the additional software they push on you during the installation process.
  2. Connect to your VPN service.
  3. Open Vuze.
  4. Go to Vuze / Preferences / Mode and activate advanced mode. (See picture below.)
  5. In the preferences, go to Connection / Advanced Network Settings. Find the name of your VPN network interface in the text box (e.g., "ppp0"). Enter the name of the interface into the text box "Bind to local ip address or interface". (See picture below.)
  6. Tick the option "Enforce IP bindings ...".
  7. Click save and exit the configuration screen.
  8. Try out whether it works: Start downloading some torrent for testing purposes in Vuze, e.g., an Ubuntu installer disk image. The download should only work if your VPN is enabled. If you disconnect the VPN, the connections should fail and the download should cease.
  9. Success. You have now configured your torrent client to securely download over VPN.
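The mechanism behind steps 5 and 6, as an added illustration that is not part of the original post: the client binds each socket to the VPN interface's address before connecting, so once the tunnel drops and that address disappears the bind fails and nothing is sent over the default route. The addresses are constructed stand-ins (127.0.0.1 for "VPN address present", 192.0.2.1 for "VPN gone") and the loopback listener plays the remote peer; Vuze itself resolves the interface name you enter (e.g. ppp0) to its address.

```python
import errno
import socket

# Constructed stand-ins (assumptions, not values from the post): 127.0.0.1
# plays "the VPN interface still has its address"; 192.0.2.1 (RFC 5737
# TEST-NET-1, never configured on a real host) plays "the VPN dropped".
VPN_UP_ADDR = "127.0.0.1"
VPN_DOWN_ADDR = "192.0.2.1"


def pinned_connect(local_ip, host, port, timeout=2.0):
    """TCP connect with the source address pinned to local_ip.

    Returns the connected socket, or None when local_ip is not configured
    on any interface. Bind happens BEFORE connect, so a vanished VPN
    address can never fall back to the default route: this is the
    guarantee behind Vuze's "Enforce IP bindings" option.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.bind((local_ip, 0))  # port 0: let the OS choose a source port
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRNOTAVAIL:
            return None  # kill switch: address missing, refuse to connect
        raise
    sock.connect((host, port))
    return sock


def connection_source(local_ip, host, port):
    """Local address a pinned connection used, or 'blocked' if refused."""
    sock = pinned_connect(local_ip, host, port)
    if sock is None:
        return "blocked"
    src = sock.getsockname()[0]
    sock.close()
    return src


def local_listener():
    """Constructed stand-in for a remote peer: a listener on loopback."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv
```

Start a listener with `local_listener()`, read its port from `getsockname()`, and call `connection_source()` once with each address: the first returns the pinned source address, the second returns "blocked" without ever connecting.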

The above procedure is not ideal since it forces you to use Vuze, which is a big fat piece of bloatware, but it will at least make sure that you do not inadvertently expose your IP address when loading a torrent. If you know of a way to force µTorrent and Transmission to only use a VPN in MacOS, let me know.

As an aside, if you use a PPTP-based VPN you should also consider disabling IPv6 to ensure security: PPTP only tunnels IPv4, so any IPv6 traffic goes around the tunnel over your regular connection.

19 comments:

  1. Thanks for this guidance. One question based on one of the alternatives you suggest: If I were to use Little Snitch to try to limit traffic to my VPN in Mac OS, what type of rule or rules would I put in place? Little Snitch regulates outgoing traffic by destination, but my VPN is not the final destination for torrent traffic. Any help would be much appreciated -- the Little Snitch support page doesn't seem to have much to offer.

  2. Sorry, but I didn't actually try out Little Snitch. I just assumed it would offer this functionality... I'll edit the post to reflect this.

  3. Hi, which version of Vuze did you use for your demonstration? In the latest version on the Vuze website they appear to have removed the "Enforce IP bindings" option. It's simply missing, while everything else looks identical. Any idea why that would be? Or whether they simply reconfigured this option somehow?

  4. Apologies, I was mistaken – ignore the last comment.

  5. I use an AppleScript placed in Preferences / Accounts / Login Items on the Mac to run Viscosity to log in to my VPN service and monitor for disconnection when starting up my Mac.
    The script will also turn Mac AirPort off, which I use for internet access, and if uTorrent is running close it within 1/2 second.

    Viscosity allows for AppleScripts to be incorporated from within it, but it can take up to 7 seconds to achieve the above.

    The only disadvantage I can see with this script is that in case of a disconnection of the VPN service, turning the AirPort back on again requires a manual Force Quit of the script; then, once VPN is restored, the script has to be run again, in this case from the Mac dashboard.

    Being very new to AppleScripting I am sure others more enlightened would be able to modify the script accordingly to rectify the above paragraph. I have tested this quite rigorously and it works very well.

    Script as follows:
    ...............................................................
    -- Launch Viscosity, which is set up to connect to the VPN service
    tell application "Viscosity" to run

    -- Poll the first VPN connection; once it drops, switch AirPort off
    -- (en1) and close uTorrent so nothing continues over the insecure link
    repeat
        tell application "Viscosity" to set vpnState to the state of the first connection
        if vpnState is "Disconnected" then
            do shell script "networksetup -setairportpower en1 off"
            -- only quit uTorrent if it is running (sending quit would otherwise launch it)
            if application "uTorrent" is running then
                tell application "uTorrent" to quit
            end if
        end if
        delay 1 -- poll once a second instead of spinning the CPU
    end repeat
    ........................................

  6. Thanks this was very helpful.

  7. Thanks for the guide. I'd be interested in seeing the instructions to do the same thing in Ubuntu. Thanks.

  8. Great, very useful, thank you.

  9. I'd be very interested in finding out how you did this for Ubuntu...

  10. Great post!
    Thanks a lot!

  11. Try waselpro VPN service for your Mac and you will feel the big difference; it's fast, secure, cheap and very easy to use.
    http://www.bestcheapvpnservice.com/download-mac-vpn/

  12. Find here best torrent VPN for ultimate level downloading.

  13. Thank you. Awesome post about VPN connection for Mac.
    It works cool. Great work.
    10webhostingservice

  14. I didn't see the "ppp0" interface; however, I saw a comment on another forum that said they had to use the "tun0" interface. I didn't see that either, but I did see a "utun0" interface. Not sure if it is safe to use that, but when I do turn my VPN off my torrent stops downloading, and turning it on starts downloading again. So I'm assuming it is.

  15. There are many VPNs you can use in Mac OS but the best one is Express VPN.

  16. First of all, it is a service completely free! Yes, as you hear: you don't have to pay any fees in order to use the search engine and then later on the sites where you find the most interesting torrents. VPN for p2p downloading
