MacOS Network Security VPN – Ensuring VPN Usage Without Compromise


As most experienced users will have heard, using a Mac on a public, untrusted Wi-Fi can be potentially harmful. A tool like Firesheep has made it very easy to intercept unencrypted communication.

Using a full tunnel VPN to encrypt all communication is often mentioned as a magical solution to eavesdropping, but of course it's not that easy:

  • Depending on the protocol and configuration of the VPN connection, the connection may drop more easily. (e.g. TLS vs UDP)
  • The VPN connection is not established instantly when you connect to a public network.

I think that the last two points matter a lot because whenever your network settings change the various applications immediately talk to their servers – I assume it's configd that informs them, right?

i.e. Before the VPN tunnel is established, most (running) processes that require internet will communicate.

I see two components to being a good VPN user:

  1. Making sure things don't get sent in the clear before it's established.
  2. Making sure things don't get sent in the clear later if the VPN fails.

How can I use VPN on a Mac in a public network to restrict unencrypted traffic before the VPN starts up?

Best Answer

Let's set aside any solution where you bring a second piece of networking gear to the problem. Let's also leave the problem of stopping traffic after the VPN fails to this related, but different question.

I look at this problem as a user centric solution and not something that's easily accomplished by modifying the OS X behavior.

Set up two accounts on your Mac (neither need be admin accounts, but if either is, you won't need a third account to change system settings).

  1. A shell account that exists to run nothing and only establish the VPN connection.
  2. A main account that will run the programs you wish to ensure only get access to the network once it has been properly secured with a VPN.

So, with fast user switching enabled, you can log out of the main account. This ensures that no programs or processes from that user will continue running in the background. Most OS X apps are well behaved, and suspend network access when they don't have an active window on-screen, but you'd have to monitor and test this forever to be sure nothing is happening - logging out is simpler to maintain.

Now, you could also replace "account" above with OS and run a virtualization system like Fusion (or Parallels or any other) and only start the guest OS once the host OS has secured everything on a VPN. Depending on the VM software you choose, you also may have control over the network and can turn on and off access even when the guest OS (or OSes) are running. This is basically simulating the extra hardware I initially said I wouldn't consider.

I hope this shows one way you could be more secure while traveling and using a network that you don't trust while minimizing the risk that this will always entail. If someone else owns the network - they own DNS, can log packets, can try man-in-the-middle (MITM) attacks as well as inspect all of your packets deeply to try to determine what is flowing inside the VPN tunnel.
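The question asks how to keep traffic off the untrusted network until the tunnel is up, and the accepted answer deliberately solves that with accounts rather than OS changes. As an added example that is not part of the original question or answer, the script below takes the OS-level route instead: it generates a pf (the packet filter built into macOS) ruleset that drops everything except the DHCP lease, the VPN handshake to the server's IP address, and traffic already inside the tunnel interface. The interface names (en0 for Wi-Fi, utun0 for the tunnel), the server address 203.0.113.10 and the protocol/port (UDP 1194) are assumptions to be adjusted for your own setup; the VPN server is addressed by IP so that no DNS lookup has to leave the Mac in the clear before the tunnel exists.

```shell
#!/bin/sh
# Added example (not from the original answer): generate a pf "VPN only"
# ruleset for macOS that drops everything except the DHCP lease, the
# handshake to the VPN server and traffic inside the tunnel interface.
# Assumptions (adjust for your setup): Wi-Fi is en0, the tunnel is utun0,
# the VPN server is reached by IP address on UDP port 1194.

# vpn_ruleset WIFI_IF VPN_IF SERVER_IP PROTO PORT -> prints a pf.conf body
vpn_ruleset() {
    wifi_if=$1; vpn_if=$2; server=$3; proto=$4; port=$5
    cat <<EOF
# constructed pf ruleset: allow only the VPN handshake and tunneled traffic
set block-policy drop
set skip on lo0
# drop everything not explicitly passed below, in both directions
block all
# DHCP, so the Mac can still obtain a lease on the untrusted Wi-Fi
pass out quick on $wifi_if proto udp from any port 68 to any port 67
pass in quick on $wifi_if proto udp from any port 67 to any port 68
# the VPN control/data channel, to the server's IP address only
pass out quick on $wifi_if proto $proto from any to $server port $port
# anything that already travels inside the tunnel
pass quick on $vpn_if all
EOF
}

# apply_ruleset FILE: load FILE as the active ruleset and enable pf.
# Needs root. Restore Apple's default afterwards with:
#   pfctl -f /etc/pf.conf && pfctl -d
apply_ruleset() {
    pfctl -f "$1" && pfctl -e
}

# Example run: write the ruleset for the assumed setup to a file. This does
# not touch pf itself; apply_ruleset must be invoked deliberately as root.
if [ "${1:-}" = "generate" ]; then
    vpn_ruleset en0 utun0 203.0.113.10 udp 1194 > /tmp/pf.vpnonly.conf
    echo "wrote /tmp/pf.vpnonly.conf"
fi
```

Run it as `sh vpnonly.sh generate`, inspect /tmp/pf.vpnonly.conf, then load it with `sudo pfctl -f /tmp/pf.vpnonly.conf && sudo pfctl -e` before joining the public network. Because `block all` applies to both directions and pf keeps state on the `pass out` rules, replies from the VPN server and from the DHCP server get back in, while every other process on the Mac is silenced until utun0 comes up. The same ruleset also covers the second half of the question: if the tunnel drops, utun0 disappears and nothing is passed in the clear. Loading it with `pfctl -f` replaces Apple's default ruleset, so restore /etc/pf.conf when you are back on a trusted network.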