Knowledgebase: Securing VPN & DNS
How to prevent an IP leak on Mac OS with Little Snitch
Posted by Max Biggavelli on 03 April 2016 15:19

This article describes how to prevent exposing your real IP in case of an unplanned VPN disconnection, or similar events, by using the Little Snitch firewall for Mac OS.

Little Snitch is a firewall that allows you to control connections from your computer to the internet. One of its greatest features, introduced in version 3, is "Automatic Profile Switching": the ability to automatically apply different rules depending on which network you are connected to.

We are going to use exactly this feature to provide unrestricted access to the internet when connected to the VPN, but otherwise automatically cut off all internet access!

What we will achieve with "Little Snitch" is this sort of segregation, but only as an either-or solution, as further described in this article: either you access the internet through the VPN, or all traffic is blocked. (You could adjust this pattern to your preference later on; this article describes only the complete traffic block when not connected to the VPN.)

1). Go ahead, download and install Little Snitch (I have paid for the license; I'm not sure whether the free version would work as well).

2). Stop the Network Filter and set Silent Mode to Deny

Little Snitch has a tendency to be a bit verbose and will pester you with questions as soon as any application attempts a connection, which could eventually get annoying.

Fortunately for us, there is a "Silent Mode" which will automatically allow/deny any connection and offer us some peace while we work on the configuration. So:

  • Stop the Network Filter
  • Set "Silent Mode" to "Deny connection attempts"
https://nvpn.net/images/silent_mode_deny.jpg

3). Delete all default Rules

Little Snitch comes with a couple of default rules. They are mostly harmless, but if you are worried about privacy, it never hurts to be cautious. So let’s start off from an empty environment.

Open the "Rules" screen and delete (or disable) all the rules. You may get a few warnings, but just go ahead and do it anyway (you can always restore the factory defaults later).

4). Now, click on the "+" sign located in the bottom left corner and create two different profiles: one for the VPN, name it "nVpn", and another one for the insecure traffic, name it "Unprotected"!

5). Let's go ahead and check the needed rules for each Profile:

Effective in all profiles: only keep two main rules for a restrictive start.

  • ICMP ping
  • Outgoing & Incoming connections to local network

When you are done, your rules should look like this:

https://nvpn.net/images/effective_in_all_profiles.jpg

nVpn Profile: in my case...

  • I had to allow com.avast.proxy as well, since I'm using Avast antivirus; in your case this most likely won't be needed.
  • Furthermore, allow UDP/1194 traffic for OpenVPN (if the mode you use is TCP/443 then allow that instead, or simply allow all traffic for OpenVPN!)
  • mDNSResponder is needed for DNS resolution.

https://nvpn.net/images/nVpn_profile.jpg

Unprotected Profile: as explained at the beginning, in the Unprotected profile all traffic is blocked; the only things allowed are ICMP (ping), the local network, DNS resolution and OpenVPN.

  • Any Process
  • mDNSResponder - is needed for DNS resolution, so if you use our hostname "uXXXXxX.nvpn.so" you need DNS resolving, otherwise no connection can be made to OpenVPN. On the other hand, if you use our VPN IP directly, then DNS resolution can be disallowed in the Unprotected profile as well.
  • openvpn - allows connections to be made using the OpenVPN protocol.

https://nvpn.net/images/unprotected_profile.jpg


6). Finally, restart the network filter now: click on "Stop Network Filter" and then "Start Network Filter". Next, make sure to turn your WiFi (WLAN) off and on!

Because Little Snitch now notices the network change (during WiFi off/on), it prompts you to choose a profile; choose the "Unprotected" profile! Since the default rules do not explicitly allow any connection and we have additionally set "Silent Mode" to "Deny", we have basically lost all internet access:

https://nvpn.net/images/unprotected_profile_all_tra.jpg


7). Good, that's what we wanted for a start. Now connect to OpenVPN (we use Viscosity for Mac OS in this article, instead of Tunnelblick):

https://nvpn.net/images/connect_to_nvpn_now2_small.jpg

https://nvpn.net/images/connect_to_nvpn_now3_small.jpg

After the VPN connection gets established, you will be again prompted to choose a Profile and this time choose the "nVpn" Profile:

Move ahead and verify whether browsing works: visit www.whoer.net or http://check.nvpn.net:

https://nvpn.net/images/openvpn_connected_small.jpg

If browsing is possible on the VPN then it's a good start, but compare once more against the summary of the most important settings below:

Silent Mode: Denies all connection attempts by default

https://nvpn.net/images/little_snitch_general_set2.jpg

Automatic profile switching is enabled, and the "Unprotected" profile is always chosen as the default:

https://nvpn.net/images/little_snitch_aps_set2.jpg

Advanced:

https://nvpn.net/images/little_snitch_advanced_set2.jpg


8). Disconnect from OpenVPN now and test whether internet access is instantly blocked again. After disconnecting from the OpenVPN network, Little Snitch will fall back to the "Unprotected" profile, where all internet access is blocked:

https://nvpn.net/images/openvpn_disconnect_it_small.jpg

https://nvpn.net/images/openvpn_disconnected_now_sm.jpg

https://nvpn.net/images/all_stopped_by_default_smal.jpg

Since no VPN connection is active anymore at this point, verify that the "Unprotected" profile is chosen, because the active profile should be "Unprotected" whenever no VPN connection is active:

https://nvpn.net/images/unprotected_profile_as_defa.jpg


That's basically it: if no browsing is possible in the "Unprotected" profile, but connecting to OpenVPN succeeds and browsing is possible on OpenVPN, then you are all set and the firewall is doing its job properly! :)
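A scripted version of the disconnect test from step 8, added here as an example (it is not part of the original article, nor nVPN's or Little Snitch's software): it reads the tunnel state from the routing table and compares it with whether an external fetch gets through, so a "Unprotected" profile that was not applied shows up as a LEAK verdict. It assumes the VPN client creates a utunN interface with redirect-gateway style routes; the sample routing tables are constructed, not real output.

```sh
#!/bin/sh
# Added example, not nVPN's or Little Snitch's code: leak test for the
# profile setup above. Tunnel state is read from the routing table, since
# OpenVPN on Mac OS (Viscosity/Tunnelblick) routes through a utunN
# interface when redirect-gateway is in effect (routes 0/1 and 128.0/1,
# or a default route via utunN). That interface name is an assumption.

# Return 0 when `netstat -rn` text ($1) shows an internet route via utunN.
vpn_up_from_routes() {
  printf '%s\n' "$1" | awk '
    ($1 == "default" || $1 == "0/1" || $1 == "128.0/1") && /utun[0-9]/ { up = 1 }
    END { exit up ? 0 : 1 }'
}

# Map tunnel state ($1: up/down) and external-fetch result ($2: ok/fail)
# to a verdict. "down:ok" is the leak the "Unprotected" profile must stop.
verdict() {
  case "$1:$2" in
    up:ok)     echo "OK: tunnel up and traffic flows through the VPN" ;;
    up:fail)   echo "BLOCKED: tunnel up but no internet, check the nVpn profile rules" ;;
    down:ok)   echo "LEAK: no tunnel but traffic reached the internet, Unprotected profile is not active" ;;
    down:fail) echo "OK: no tunnel and traffic is blocked as intended" ;;
    *)         echo "UNKNOWN: bad arguments" ;;
  esac
}

# Live check, only run with --live: needs netstat and curl, and fetches
# http://check.nvpn.net (from the article) with a short timeout so a
# blocked connection is reported as "fail" instead of hanging.
live_check() {
  if vpn_up_from_routes "$(netstat -rn 2>/dev/null)"; then state=up; else state=down; fi
  if curl -s -m 5 -o /dev/null http://check.nvpn.net; then fetch=ok; else fetch=fail; fi
  verdict "$state" "$fetch"
}

# Constructed sample routing tables for offline use (not real output).
ROUTES_VPN_UP='Destination        Gateway            Flags        Netif Expire
0/1                10.8.0.5           UGSc         utun1
default            192.168.1.1        UGSc         en0
128.0/1            10.8.0.5           UGSc         utun1
192.168.1/24       link#5             UCS          en0'
ROUTES_VPN_DOWN='Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc         en0
192.168.1/24       link#5             UCS          en0'

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` once while connected and once right after disconnecting; the second run must report "OK: no tunnel and traffic is blocked as intended".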

Now, every time you connect to a new network, Little Snitch will ask you to choose a profile, and you can either choose the safe one ("nVpn") or have all internet access blocked by choosing the "Unprotected" profile.
