Little Snitch to secure VPN

If you have used a VPN for any amount of time, you know that there is a time between connecting to a Wi-Fi network and connecting to the VPN. During this time, your computer will send traffic over the Wi-Fi network where attackers or other malicious users may have man-in-the-middle. This is worrisome since it is up to App developers to "validate" their TLS connection. A review of dozens of iOS Apps show developers fail to validate certificates. While this research was done for iOS Apps, there is no reason to believe that the same problem doesn't exist on MacOS. Also, modern OSes have become very chatty: upgrading Twitter in the background, sending analytics data, and other unnecessary things.

Imgur

A while back Tom Robinson posted the following on twitter:

Is there a Mac / iOS VPN client as good as Cloak but works with a standard VPN server?
— tom robinson (@tlrobinson) December 6, 2016

to which I responded:

@tlrobinson proxpn has vpn guard which prevents certain applications from talking to anyone if not on vpn. Or, https://t.co/SvQIHwESSl
— Joubin Jabbari (@joubinj) December 6, 2016

ProXPN does provide a means of preventing applications from talking over the network in case the VPN disconnects. However, some applications have daemon processes that run but aren't necessarily associated with the same application name. I don't think this is a complete solution.

Imgur

Tiny Hardware Firewall is an awesome little tool that connects to an access-point, then creates a VPN connection and proceeds to send data over the VPN. The problem? You have to use their VPN and have yet another thing to carry around.

After exploring these options, I started looking around for a better solution. Then I found out that Little Snitch offers Automatic Profile Switching.

From their blog post:

When you join a Wi-Fi network, plug in an Ethernet cable, or connect to a VPN, it basically does what it says on the box: it automatically switches to a certain profile.

So how do you use it?

Create Profiles

By default, Effective in all profiles exists. It will contain default rules that the creators of Little Snitch thought necessary for smooth operations of the operating system. I recommend leaving it there!

Imgur

or if you want to disable some of the times

In my case, I had to white list my applications as they came up. This is going to be specific for you, so don't worry about copying it.

Imgur

But most importantly, you have to create an environment where nothing can leave your machine except the bare minimum to establish a VPN connection. For me that looks like:

Imgur

I use Pritunl as my OpenVPN client. So I have added Pritunl and its related processes as the only applications allowed to communicate over "Untrusted" networks.

From there, every time you connect to a new network, you will be asked to select a profile for that network.

Imgur

Alternativly, you can default to Untrusted

Imgur

Assume the following:

For the first time connect to Starbucks Wifi and select Activate "Untrusted"
Then connect to VPN of choice and Activate "Trusted"

Now, if for some reason, Starbucks WiFi kicks you off-line causing the VPN to disconnect, upon reconnecting to Starbucks Wifi all of your traffic will not leave your computer. Pritunl attempts to reconnect after a connection failure which will cause Little Snitch to automatically switch profiles to trusted; thus allowing traffic to egress.

February 14 2017