Tech talk, social media, blogging, computing tips and tricks

Hotspot Shield Routing

January 27th, 2009 by David Bradley >> 17 Comments

In a Sciencetext post entitled Hide WiFi Behind a Hotspot Shield, I previously discussed how you can use that program to protect yourself from security threats while using public wireless access points in coffee shops, libraries and other public amenities. It also lets you hide traffic from your internet service provider, although that’s a different matter.

Richard Roma posted a follow-up comment asking: “Do you know of a way to utilize Hotspot Shield without it taking over the whole computer; restricting it to only work on a designated port?”

I didn’t, but IT professional Naveed Ahmad did and responded with a detailed approach to controlling which IPs are routed uniquely through Hotspot Shield. Here’s what he had to say.

Hotspot Shield is software to create a Virtual Private Network (VPN) on your computer that changes the route your internet traffic takes through the network. So, after connecting through Hotspot VPN, web browsing or any type of application’s traffic like MSN Messenger, Yahoo Messenger, BitTorrent traffic etc. is routed through the Hotspot Shield network, in encrypted format. It is not a matter of network ports. It’s all about how the route is changed.

The concept is this: you have to clear the following routes:

Network Destination Netmask Gateway Interface Metric
0.0.0.0 128.0.0.0 10.7.144.1 10.7.144.59 11
128.0.0.0 128.0.0.0 10.7.144.1 10.7.144.59 11

Note down the gateway IP “10.7.144.1”, which will be used again to add a persistent route.

Clear the routes with the following CLI commands:
prompt>route delete 0.0.0.0 mask 128.0.0.0 10.7.144.1
prompt>route delete 128.0.0.0 mask 128.0.0.0 10.7.144.1

Now all your internet traffic is routed through your normal network connection as it was before connecting to Hotspot Shield. To route a specific website or any application traffic through Hotspot, you then need to add a persistent route.

For example: for Pandora.com the IP address is 66.151.149.78

Add a persistent route using the gateway IP “10.7.144.1” that you noted previously.

prompt>route -p add 66.151.149.78 mask 255.255.255.255 10.7.144.1

That’s it, now all traffic for Pandora.com will be routed through Hotspot VPN.

You can verify this by running tracert (the trace route command, or an equivalent program) for Pandora.com from a command prompt under Windows:

C:\Users\naveed>tracert pandora.com
Tracing route to Pandora.com [66.151.149.78]
over a maximum of 30 hops:
1 3 ms 1 ms 1 ms [10.7.144.1]

If you hadn’t added this route after clearing the Hotspot VPN route, the tracert result would look like this:

C:\Users\naveed>tracert pandora.com
Tracing route to pandora.com [66.151.149.78]
over a maximum of 30 hops:
1 3 ms 1 ms 1 ms mygateway1.ar7 [192.168.1.1]

192.168.1.1 will be your normal local gateway IP address on your computer without the Hotspot VPN running. To verify how other network traffic is being carried, try this:

C:\Users\naveed>tracert yahoo.com
Tracing route to yahoo.com [68.180.206.184]
over a maximum of 30 hops:
1 326 ms 351 ms 292 ms 192.168.1.1

You can find the IP addresses for any domain using the command nslookup so that you can create a persistent route for them like this:

C:\Users\naveed>nslookup pandora.com
Server: mygateway1.ar7
Address: 192.168.1.1
Non-authoritative answer:
Name: pandora.com
Address: 66.151.149.78

C:\Users\naveed>nslookup blog.pandora.com
Server: UnKnown
Address: 10.7.144.1
Non-authoritative answer:
Name: blog.pandora.com
Address: 66.151.149.79

Ahmad has created a customized program (an exe file) to do all this automatically, so leave a comment if you wish to find out more or need any additional help, or email him at Hotmail username naveed004
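
As an added example (not Naveed Ahmad's utility and not part of the original post), the following Python code parses `route print` output, finds whichever gateway the current session's 0.0.0.0/128.0.0.0 and 128.0.0.0/128.0.0.0 routes use, and builds the route commands from it. The function names and the sample output are constructed, the IPv4 table layout is assumed to match the one shown above, and the code emits non-persistent `route add` commands, a deliberate departure from the `-p` used above, so that no route is left pointing at an earlier session's gateway.

```python
import ipaddress

# Constructed sample of Windows `route print -4` output, not captured from a real host.
SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.100     25
          0.0.0.0        128.0.0.0       10.31.64.1      10.31.64.30     11
        128.0.0.0        128.0.0.0       10.31.64.1      10.31.64.30     11
      192.168.1.0    255.255.255.0          On-link    192.168.1.100    281
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    66.151.149.78  255.255.255.255       10.7.144.1       1
"""

def parse_routes(text):
    """Return (active, persistent) lists of (destination, netmask, gateway)."""
    tables = {"Active Routes:": [], "Persistent Routes:": []}
    current = None
    for line in text.splitlines():
        if line.strip() in tables:
            current = tables[line.strip()]
            continue
        fields = line.split()
        if current is None or len(fields) < 3:
            continue
        try:  # data rows start with two dotted quads; headers and rules do not
            ipaddress.IPv4Address(fields[0])
            ipaddress.IPv4Address(fields[1])
        except ValueError:
            continue
        current.append(tuple(fields[:3]))
    return tables["Active Routes:"], tables["Persistent Routes:"]

def plan(text, hosts):
    """Return (vpn_gateway, stale_hosts, route commands) for split routing."""
    hosts = [str(ipaddress.IPv4Address(h)) for h in hosts]  # reject non-IP input
    active, persistent = parse_routes(text)
    halves = {dest: gw for dest, mask, gw in active if mask == "128.0.0.0"}
    gw = halves.get("0.0.0.0")
    if gw is None or gw != halves.get("128.0.0.0"):
        raise ValueError("VPN override routes not found; is the tunnel up?")
    # Persistent host routes that still point at a previous session's gateway.
    stale = [d for d, _, old in persistent if d in hosts and old != gw]
    cmds = [f"route delete {d}" for d in stale]
    cmds += [f"route delete {h} mask 128.0.0.0 {gw}" for h in ("0.0.0.0", "128.0.0.0")]
    cmds += [f"route add {h} mask 255.255.255.255 {gw}" for h in hosts]
    return gw, stale, cmds
```

Once the two override routes are deleted, every destination not passed in `hosts` leaves through the normal local gateway and no longer has the tunnel's encryption.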



  • Mike Blyth // Feb 19, 2009 at 9:29 pm

    Great tip. I’ve just heard about Hotspot Shield and wondered how it worked etc., and this helps clear it up. So, by creating these routes, the computer will automatically use the VPN tunnel only when routed through Hotspot Shield, and not for all other traffic?

  • Web Surf // Apr 24, 2009 at 7:42 am

    Does this mean that if I route via gateway IP “10.7.144.1” then the PC does not need to be running the HSS software?

    How can I get another PC on a network to use the VPN started by one PC ?

    Basically the idea is to get a WIFI phone to SKYPE via a HSS connection set up on one of the PCs on the network ( Direct access to SKYPE being banned in my country)

  • David Bradley // Apr 24, 2009 at 10:04 am

    Routing might be possible although I don’t think HSS creates a traditional VPN like you would have for a group of distributed company employees, for instance. It might be worth a try….let us know how you get on and if it works I’ll spread the word.

  • Naveed Ahmad // May 11, 2009 at 8:37 am

    I have just customized the Route Changer Utility ( created earlier) to support every one’s requirements. It will release the hotspot route control over the pc and will allow to add your own required destination routes (e.g. skype.com, actionvoip.com, orkut.com).

    The output of running program is shown below:
    ===============================

    Hotspot Route Changer Utility..Rev 7
    Hotspot Route 0.0.0.0 deleted: OK!
    Hotspot Route 128.0.0.0 deleted: OK!

    Hotspot Control Released!

    Press ‘Y’ to add route or just press Enter to re-instate hotspot and exit progra
    m: Y
    Please Enter Destination Address to add : skype.com
    OK!

    Press ‘Y’ to add another route or Just Press Enter to re-instate hotspot and exi
    t program: Y
    Please Enter Destination Address to add : actionvoip.com
    OK!

    Press ‘Y’ to add another route or Just Press Enter to re-instate hotspot and exi
    t program:

    ================================

    Any one, interested to use this, can send a request on my email id.

  • Bucks // May 11, 2009 at 4:31 pm

    Hi Naveed Ahmad

    Quote:
    “Any one, interested to use this, can send a request on my email id.”

    I am interested on your program.
    Could you, please send it to me ?

    Best regards.

  • Naveed Ahmad // May 14, 2009 at 11:32 pm

    How can i send u Mr. Bucks :) I need to know ur email id to send. So just send an email to me.

  • David Bradley // May 15, 2009 at 7:34 am

    Anyone wishing to make a donation to the Sciencetext site can use the donation button below:

  • Bill // Jul 18, 2009 at 5:00 pm

    I am trying to get hotspot to work with firefox and it just will not connect to the site upon start up but it connects using internet explorer. I am using win7 rc. Thanks Bill

  • Harsheeta Mittal // Jun 29, 2010 at 2:38 am

    Dear All, I am a System Administrator in my company. Company has its own policy to stop (banned) skype in our network but people who have personal laptop, they can connect to skype by using Hotspot Shield in our network. We are using bandwidth controller 1.21 and Kerio firewall 6.8XXX version as a firewall. Now the question is. How can I stop particular website or IP address or domain even they use hotspot shield.
    Thanks

  • David Bradley // Jun 29, 2010 at 8:36 am

    Block the appropriate ports at router?

  • David Bradley // Jun 29, 2010 at 8:37 am

    Block Hotspot Shield?

  • FeloP@s // Nov 16, 2010 at 4:33 pm

    Hello,
    I noticed that each time I connect to hotspotshield I’m routed through a different gateway!!

    Trying now to automate the route change with a script … Is there any command line to retrieve
    the VPN gateway on a variable so I can use it on route command ?

    Thanks.

  • Rocketero // Feb 8, 2011 at 10:11 am

    Hello Naveed Ahmad,
    Can you send me the utility you created to change the H.S S routes, I need to make my other computer in the local LAN to be able to use ICS from the main computer. thanks.

  • Rocketero // Feb 8, 2011 at 12:17 pm

    I also want to add up, that the approach you posted (Naveed Ahmad), does not work as HotSpot Shield constantly changes the Virtual Network Interface’s IP address in the Range 10.31.X.X with subnet mask 255.255.248.0 in other words for instance I started with the IP 10.31.40.20 and 30 minutes later I checked and it was changed to 10.31.64.30

    So if you make a Route add statement with one IP’s interface, it won’t work later on as the interface’s IP has already changed.

  • Naveed Ahmad // Feb 12, 2011 at 8:57 pm

    @Rocketero: IP Address uses to change when Hotspot shield is disconnecting and connecting again. It does not change in the mean time.
    It is true that it is hard to change routes manually. That is why I have created a program to do it for you automatically.

  • Naveed Ahmad // Feb 12, 2011 at 9:01 pm

    @FeloPas: You can do it with PERL Script. I have already developed a program through PERL Script for this purpose.

  • Naveed Ahmad // Feb 12, 2011 at 9:04 pm

    @FeloPas: Up to some extent you can also do it on command line Interface with “Route” command. To find out more about Route command, Just type “Route Help”.