Embed Size (px)
Citation preview
1 | P a g e
OpenVPN WatchDog V4.0 User Guide ABOUT OPENVPN WATCH DOG V4.0
OpenVPN Watch Dog is a windows based application to securely monitor for stable encryption of internet traffic, prevent exposure of real IP address, DNS leaks and guard against DNS hijacking or DNS changer malwares thereby offering the benefits of encrypted connection to the internet with IP address anonymity and complete secured OpenVPN tunneling. OpenVPN Watch Dog is a program designed to monitor your OpenVPN connection and ensures that you do not blow up your anonymity when you lose your OpenVPN connection.
When connected to an OpenVPN server and OpenVPN Watch Dog is enabled, you can be sure that all traffic leaving your computer is fully encrypted and void of DNS leaks and threats. When your OpenVPN crashes or is compromised, OpenVPN Watch Dog will automatically detect it, alert you of the danger and cut-off your internet access.
Warning!: OpenVPN is prone to IP and DNS leaks and threats particularly in Windows. It is essential that you are aware of this and should take adequate measures to safeguard your OpenVPN connection against such security issues!
OPENVPN WATCHDOG FUNCTIONS
• To prevent unencrypted traffic while connected to the VPN server and ensure that the traffic is routed across the VPN tunnel
• To prevent IP leaks thereby safeguarding the exposure of the real IP of the user while connected to the OpenVPN server
• To prevent DNS leaks thereby preventing the ability of your ISP or any third party entity to monitor or view the sites you visit while connected to the VPN server.
• To protect against all forms of DNS changer malwares aimed at changing your computer legitimate TCP/IP DNS IPs to rogue DNS servers in order to hijack your DNS queries for nefarious purposes such as phishing.
• To protect against DNS hosts file phishing attacks by monitoring the integrity and authenticity of the hosts file using secure hash algorithm (SHA 512)
2 | P a g e
HOW IT WORKS
Simply start the OpenVPN Watch Dog before initiating connection to your OpenVPN server. The program will automatically detect your real connection IP, OpenVPN server IP and your DNS IPs including the integrity of your windows Hosts file. Your real IP is stored internally when the program is started and then starts monitoring your connection IP every second after you start the OpenVPN session to make sure that your real IP is never exposed. The program ensures that all traffic leaving your computer is fully encrypted by monitoring and comparing the assigned private IP of the OpenVPN server and your local connection.
In addition, the program has the capability to lock down your OpenVPN connection and prevent DNS related threats such as DNS changer malware attacks and DNS hijacking via Hosts file. After locking down your OpenVPN connection, network traffic will only exit through your OpenVPN connection, and no other network interfaces thereby preventing DNS leaks and IP leaks through your VPN connection. In the event a security issue is detected, a barking dog sound is produced and an alert is given. In addition, the program will automatically deactivate all internet connections on your computer. To enable internet connection again, simply click the “Enable All Network Connections” button to restore the internet access.
SUPPORTED OPERATING SYSTEMS
Windows XP
Windows Vista
Windows 7
Windows 8
Windows Server 2003
Windows Server 2008
3 | P a g e
COMPUTER LAN SETTINGS PRE-REQUISITES
To ensure that all the features of Watchdog works correctly and reliably, there are certain pre-requisites that are necessary for your computer LAN (Local Area Network) settings. These are as follows:
1. You are required to know the names of your Network Internet Card (NIC) adapter responsible for your normal internet connection and OpenVPN connection. In most cases, the OpenVPN adapter will have the “TAP-Win 32 Adapter” description in your PC Network Connection settings. You can confirm the name of your LAN adapters in Windows 7 by going to Windows Control Panel then under "Network and Internet", select "View network status and tasks":
Click "Change adapter settings":
4 | P a g e
Then check the names of the Internet connection's icon as highlighted in the screenshot below. You can easily identify the active adapters by looking beneath the icons. Those will a red cross indicates that they are not active or in use. For example, as shown in the screenshot below, there are 2 active network adapters; the LAN adapter for your normal internet connection and the TAP adapter for your OpenVPN connection.
OpenVPN Watchdog starting from version 4 now allows you to select the appropriate NIC adapter when started as shown in the screenshot below:
5 | P a g e
2. Ensure that DHCP is disabled for your LAN network settings for the “Lock OpenVPN Connection” feature of the Watchdog to function. If your LAN adapter DHCP is enabled, the Lock Down OpenVPN connection feature will not work! Hence you must ensure that a valid IP, subnet mask, default gateway and DNS servers is configured for your LAN network settings for the “Lock OpenVPN Connection” feature of the Watchdog to function.
6 | P a g e
You can confirm your LAN adapter settings by Right-clicking on your Internet connection's icon and select "Properties":
7 | P a g e
Select the "Internet Protocol Version 4 (TCP/IPv4)" item, and click the "Properties" button:
8 | P a g e
It should be similar to the screenshot shown below:
9 | P a g e
To confirm if DHCP has been disabled, go to command prompt. This can be done by selecting Run from the Start Menu and entering cmd.exe or starting the command prompt application, typically located in the Accessories folder within Programs on your Start Menu, as shown below:
10 | P a g e
11 | P a g e
At the command prompt, enter: ipconfig /all Look for the entry that reads “DHCP Enabled……….” Under your normal Local Area Connection section and this should display “No”.
USAGE INSTRUCTIONS
To use the OpenVPN WatchDog simply follow these 7 steps:
1. Download and install the OpenVPN Watch Dog software from http://www.openvpnchecker.com/openvpnwatchdog.msi
2 . Start the OpenVPN Watch Dog program.
3. Select the appropriate NIC adapters for both your normal and OpenVPN connections
4. Lock Down your OpenVPN connection
5. Confirm the authenticity of the DNS servers and DNS Hosts file
6. Connect to your OpenVPN server
12 | P a g e
7. To disconnect your OpenVPN connection, close the watchdog program first before terminating the OpenVPN connection.
HOW TO INSTALL ON WINDOWS
This how to will help guide you through the installation process of the OpenVPN Watch Dog.
Step 1: Launching the application Launch the msi installer for the OpenVPN Watch Dog and click next:
Step 2: Installation settings
Leave the default location to install the program files for the program and click Next:
13 | P a g e
Step 3: Program Installation You are now ready to install the program, click Install to proceed:
14 | P a g e
Step 4: Installation Progress Please wait while the program Installs:
Step 5: Installation Completion The program is now installed; click Finish to complete the installation:
15 | P a g e
Step 6: Activating the program
After installing the program, a shortcut icon will be placed on your PC desktop as shown below. To start OpenVPN Watchdog simply double click on this icon and accept the User Access Control prompt when asked.
16 | P a g e
After clicking on ‘Yes”, the software activation window will now pop up as shown below:
Proceed to enter the license key which you received when you placed your order for the software and click on OK.
If you want to test run the application, you can get a free 1 month activation code by clicking on the “Get free license code” button.
Step 7: Selecting the appropriate NIC Adapters OpenVPN Watchdog (v4.0) now allows users to select the appropriate network adapter for both the normal internet and OpenVPN connections. In order for the program to function properly, the correct NIC adapters must be selected. You must determine the NIC adapters which are
17 | P a g e
responsible for your connections in the Network Connections settings in your PC. When started, the program displays an interface which allows the user to select the card as shown below:
If you wish to edit or change the NIC selections later, go to the “Options” menu in the program and click on “Select Adapters”. Then select the appropriate adapters and click on OK to save the settings as shown below:
18 | P a g e
19 | P a g e
Step 8: Enabling Program Auto Start at System Startup
OpenVPN Watch Dog has auto start feature and can be configured to automatically start at Windows startup to ensure that you do not forget to start the program before connecting to your OpenVPN server. To configure the program to start automatically on system startup, tick the “Automatically start OpenVPN Watch Dog on system startup” box under the “Options” tab.
20 | P a g e
Hence at system startup, the program automatically starts and you can access the program GUI and start monitoring your OpenVPN connection by double clicking on the desktop icon or start menu icon. The GUI shown below with “idle” status will appear indicating that OpenVPN Watch Dog is waiting for OpenVPN connection. The program automatically detects your real IP and the information is displayed on the GUI.
On the system tray applet, a yellow icon indicating an idle state for the program will appear in the lower-right corner of the screen as shown below:
21 | P a g e
Optionally, if you have a network connection that has dynamic IP and your real IP changes often, you can input the dynamic IP ranges under the “options” tab. If you do not know the dynamic IP ranges, you can request it from your ISP.
22 | P a g e
Step 9: Connection to OpenVPN Server Start your OpenVPN connection. As soon as a successful authentication is made to the OpenVPN server, the status of the OpenVPN Watch Dog changes to “Watching” and the yellow
23 | P a g e
icon changes to green. The program also detects the connection details of the OpenVPN server such as public and private IPs, host etc. and begins to monitor the OpenVPN connection.
The following details are automatically detected and displayed on the GUI:
• OpenVPN Connection Name: This is the OpenVPN adapter name
• OpenVPN Connection Private IP: This is the private IP which is automatically pushed to the client upon connection to the VPN server.
• OpenVPN Connection External/Public IP: This is the public IP of the VPN server which should replace your real IP when connected to the VPN server
• OpenVPN Connection Host: This is the hostname of the VPN server IP
• OpenVPN Connection Country: This is the VPN server IP location
• Real Connection External/Public IP: This is your real IP as assigned to you by your ISP
• Real Connection Host: This is the hostname of your real IP
• Real Connection Country: This is your real IP location
24 | P a g e
Step 10: Confirm the integrity of the Windows DNS Hosts File OpenVPN Watchdog is able to verify and monitor the integrity and authenticity of the DNS hosts file which can be used to hard code domain name translations. This hosts file is usually located at: C:\Windows\System32\drivers\etc\hosts and in most cases, it is never used. However, cybercriminals are able to edit this host file and assign the domain names of well-known companies to IP addresses of phishing websites thereby controlling what sites the user connects
25 | P a g e
to on the internet. Note that when a user enters a website URL in the browser address bar, it checks the local DNS information, such as the hosts file, before sending a DNS query to the Internet. That means if you type the web address for a website that’s been re-assigned using the hosts file, you’ll be directed to the phishing website instead of the legitimate one and tricked into divulging confidential personal information such as credit card numbers, account usernames and passwords, social security numbers, etc. To guard against these kind of attacks, OpenVPN Watchdog employs a method known as “Secure Hash Algorithm” to verify the authenticity and integrity of the hosts file against a reference SHA 512 value in real-time while connected to the VPN server. However, in order for the hosts file integrity checks to work, you are required to use the default windows hosts file with the same reference SHA 512 value. If you are using a custom or modified hosts file, then you must contact us to compile a custom version of the watchdog program for you.
Step 11: Confirm the authenticity of the DNS Servers After starting the Watchdog program, the program will automatically read and display your computer Local Area Connection (Local) and OpenVPN adapter DNS IPs in the program GUI. Before connecting to the VPN server, you must check these displayed IPs and ensure that they are authentic as configured by you or your VPN service provider. If the OpenVPN DNS servers IP are not displayed, you will have to initially connect to the VPN server first and then restart the watchdog program. Once you have determined that the DNS IPs are authentic, you must check the “DNS is authentic” checkbox to allow the program to save the IPs and watch over them in order to detect any changes while watching over your OpenVPN connection.
26 | P a g e
Step 12: Locking Down OpenVPN Connection & Clearing DNS Resolver Cache OpenVPN Watchdog has a unique feature to lock down your OpenVPN connection after connecting to the server. After locking down your OpenVPN connection, network traffic will only exit through your OpenVPN connection, and no other network interfaces thereby preventing DNS leaks and IP leaks through your VPN connection. This is particularly useful in preventing all forms of DNS leaks including Transparent DNS proxies which allow ISPs to intercept all DNS lookup requests and transparently proxy the results thereby effectively forcing you to use their DNS service for all DNS lookups. Even if you have changed your DNS settings to an open DNS service such as Google, Comodo or OpenDNS, some ISPs are still able to intercept your DNS queries using this technology (Transparent DNS proxy) In addition to preventing DNS leaks, the OpenVPN Connection Lock Down feature also effectively fixes DNS cache poisoning which is a filtering method commonly used by ISPs to block access to certain sites. Note that in order to help speed up Web browsing, Windows comes with a local cache containing any DNS addresses that have been looked up recently. Once an URL has been resolved by an Internet name server into a numerical IP, the information is stored locally. Anytime your browser requests an URL, Windows first looks in the local cache to see if it is there before querying the external name server used by your ISP. If it finds the resolved URL locally it uses that IP. However, this DNS cache can be poisoned by ISPs for sites such as Youtube, Facebook, Twitter etc when you attempt to visit these restricted sites before connecting to the VPN. Sometimes even after connecting to the OpenVPN server, you will still be unable to access these sites for at least 5 minutes which is the default time for retaining a negative DNS query response in the DNS resolver cache. In other words, once a negative response is received you will not be able to connect to the site for at least five more minutes. Thus in order to avoid this 5 minutes delay nuisance, you can use the Watchdog OpenVPN Connection Lock button to effectively clear the DNS resolver cache to remove any corrupted or poisoned DNS entries in your existing resolver cache before connecting to the VPN.
27 | P a g e
To lock down your OpenVPN connection, simply click on the “Lock OpenVPN Connection” button as shown above. Important: Make sure you click on the “Lock OpenVPN Connection” button before connecting to the OpenVPN server. Otherwise, the program will cut off your internet access. After pressing the button, your internet will be automatically disconnected and connected again. This brief internet disconnection and re-connection indicates that the OpenVPN connection has been locked.
28 | P a g e
DNS Hosts File Integrity and Authenticity Checks
With OpenVPN Watchdog version 4.0, a secure hash algorithm (SHA 512) based hosts file integrity checks is performed to prevent against phishing attacks or DNS hijacking attacks. The HOSTS file is a fast look up IP-address to domain name translation stored on your computer usually at: C:\Windows\System32\drivers\etc\hosts so your browser can find the web page you want faster without a query to a DNS server.
For example, if you try to visit paypal.com your computer sends the request to a DNS server which lets your computer know what the IP address of that domain name is so that your request can then be forwarded to the right server. The Hosts file supercedes DNS so by adding an entry in the Hosts file with the domain name “paypal.com” and a different IP address your computer can be redirected. Rather than being sent to the true paypal.com server your request will go to the address specified in the Hosts file.
However, some advanced malwares and Trojans are now capable of modifying the hosts file in order to redirect you to their fake websites for phishing purposes. Please note that although this windows hosts file can be deleted from your system, this does not address the risks. This is because if your computer is already infected with a Trojan or malware, the hosts file will keep reappearing or will be prevented from being deleted. If the hosts file keeps changing or cannot be deleted, there is a good chance you have a Trojan on your computer. Hence you must take the first step to remove the malware by using a good anti-malware or antivirus software such as Malwarebytes.
To perform the verification, the SHA 512 hash value or checksum of the hosts file on the user PC must be compared in real-time with the reference hash value which is hard coded into the program.
29 | P a g e
30 | P a g e
31 | P a g e
When the hosts file matches, the program reports the Hosts file as “Valid” and if there is a mismatch, the program automatically shut down the user internet connection and reports the Hosts file as “Invalid”. The program uses the official Windows default hosts file for Windows 7/Vista/8 with the SHA 512 checksum below:
37bc4eed67ad0c5c81f90240670a5c453959c24a563164ad101e0cdb65fa72f392886effb7f19cff0ab13256e2b56339c1336a172f9c5317d0821b87747d9ba0
This checksum is securely hardcoded into the program and cannot be changed!
32 | P a g e
If your hosts file SHA 512 hash value do not match the reference hash value in the program, take one of the following methods to correct this:
Method 1
1. Go to : C:\Windows\System32\drivers\etc\ directory in your system
2. In the folder that opens, you would find the “hosts” file. Rename it to hosts.bak.
3. Download the default hosts file to your computer. It contains the default Windows reference hosts file required for the Watchdog program and copy it to : C:\Windows\System32\drivers\etc\ directory
33 | P a g e
Method 2
1. Visit the Microsoft Fixit webpage at http://support.microsoft.com/kb/972034. 2. Click on the Fix It button to download the Microsoft Fix It tool.
3. Check the Agree checkbox to agree with the Microsoft license terms and then click Next.
34 | P a g e
4. After the Fix It tool has applied the changes to your system click the Close button to close the wizard.
5. It will ask you to restart the Windows for the changes to have effect. Click on the Yes button to restart Windows.
Method 3
If you are using a modified or custom hosts file, then you must contact us to compile a custom version of the Watchdog executable for you. We will need the SHA 512 checksum of your custom hosts file to build the executable. First compilation is free. A small compilation fee will be charged for subsequent compilation requests.
Automatic Monitoring for DNS Leaks
OpenVPN Watchdog offers the capability to monitor your DNS information in real time. Your DNS information configured on your network adapters are automatically read and displayed in the program GUI. Both your Local Area Connection (Real Connection) IP settings and OpenVPN adapter DNS IPs are automatically detected and displayed in the program GUI. In addition, the program will automatically detect and display the real time active DNS which is used in resolving websites. Using this information displayed, users can easily see the DNS server which is being used at any point in time and easily know if the DNS is leaking is or not when connected to the VPN server.
Note: When connected to the VPN server, the “Active DNS in Use” IP as displayed by the program must never be equal to the Local DNS IP. If this is so, then you have DNS leaks and the program will automatically detect this and shut down your internet connection.
35 | P a g e
The following DNS details are automatically detected and displayed in the program GUI: • Local DNS: This corresponds to the DNS settings that has been configured on your Local
Area Connection or Wireless Area Connection in your computer network adapter
• OpenVPN DNS: This corresponds to the DNS server that was automatically pushed to you by the OpenVPN server. The OpenVPN DNS can be a private DNS or a public DNS such as OpenDNS, Google DNS, Comodo etc. You can confirm the OpenVPN DNS IPs from your VPN service provider.
36 | P a g e
• Active DNS in Use: This is the real-time DNS which is used in resolving websites at any
point in time. Before connecting to the OpenVPN server, the Active DNS IP in Use will tally with one of your Local DNS IPs as displayed on the program GUI. When connected to the OpenVPN server, the Active DNS IP in Use should tally with one of your OpenVPN DNS IPs as displayed on the program GUI. If this is not so, then you have DNS Leaks. The Active DNS in Use data is automatically refreshed once every 10 seconds.
Automatic Internet Connection Shut-down
During your OpenVPN connection session, in the event that a problem is detected by the program a barking dog alert and visual alerts are produced. The alerts are triggered when either the program detects that unencrypted traffic is leaving your computer, your real IP is being exposed or your DNS is leaking or being hijacked. As a security measure, your internet access is automatically disabled when such alerts are triggered and you need to re-enable the internet access by clicking on the “Re-enable All Network Connections” button. At this point, you should be aware that your OpenVPN connection is no longer secure and appropriate steps should be taken to fix the issue. The following screenshots shows the different alerts that are available in the program:
37 | P a g e
On the system tray applet, a red icon indicating an alert state for the program will appear in the lower-right corner of the screen as shown below:
When alerts are triggered, it is important that you click on the “Re-enable All Network Connections” button to restore your internet access before closing the program. However, should you close the program in panic before clicking this button; you can still do this by starting the program again and clicking the “Re-enable All Network Connections” button.
38 | P a g e
Troubleshooting and Contacting Support:
The OpenVPN Watch Dog uses private GeoIP servers to determine your real and OpenVPN IP information. If the program is unable to determine the IP parameters, it might be due to server issues. Should you experience this, you can submit a trouble ticket using the contact button as shown below:
Things to Keep in Mind:
1. OpenVPN Watchdog is secure and will not breach your security. It does not transfer any data from your system nor log any information from your computer.
2. OpenVPN Watchdog is designed to automatically cut-off your internet when it detects that
your OpenVPN connection is no longer secure such as when your IP or DNS is leaking. To re-enable your internet, simply re-start the watchdog program and click on “Re-enable All Network Connections”
3. OpenVPN Watchdog will make an outbound secure connection to our secure GeoIP server
which is used in determining the location of your OpenVPN server IP and real connection IP
39 | P a g e
4. OpenVPN Watchdog uses GeoIP (IP to Location) database which may not be 100% accurate. Thus you may see a different country being reported for the actual country to which the IP belongs while using the program. Due to the nature of geo-location technology and other factors beyond our control, we cannot guarantee any specific future accuracy level.
5. When detecting your active DNS in use, the program may sometimes display the DNS info
with this error message “DNS Request Timed Out”. This error does not impact the functionality of the program. This error message is triggered when the remote DNS server fails to respond on time during the query.
6. OpenVPN Watchdog will perform best when you have a very stable internet connection. If your ISP internet connection is very shaky or unstable, you will get constant disconnections and Dog barkings which might be annoying.
For more details, please visit our website. If you have any issues or questions regarding the application, you can send us a support ticket at our support center:
https://www.anonyproz.com/supportsuite/
Anonyproz.com|Openvpnchecker.com
