
Blocking Windows 10 Telemetry at the Router using OpenWRT

Posted on: 2016-07-28

There's plenty on the web about Windows 10 telemetry. Additionally, Microsoft is actually backporting some of these 'features' to Windows 8.1 and 7.

There's a constant tick of Microsoft locking things down and giving you less control, with forced updates. In effect, you aren't in control of your own machine. As a recent example, Windows 10 Anniversary takes back control.

On Windows 10 there are several guides online on how to turn off the majority of it. You cannot turn it all off - they do not let you. Moreover, it is incredibly dull to have to make all these changes and check them on multiple machines, even where you can fix it within the operating system.

So I've been looking for a way to block unwanted connections at the router. I have in the past flashed my router with OpenWRT. OpenWRT allows you to create, install, and update software that runs on your router; your router effectively just becomes a Linux box. I've installed software on it to perform dynamic DNS, as well as track overall network usage. It works pretty well. Installing it is not very hard, but it's not for the nontechnical/faint of heart, and it only works on a limited set of router hardware.

https://www.openwrt.org/ https://wiki.openwrt.org/doc/start

Once you have that on your router, you can set up the firewall and DNS to block Windows telemetry. I came across this GitHub project...

https://github.com/crazy-max/WindowsSpyBlocker

It has a variety of solutions, and there may be one there that is more appropriate for your situation. Luckily for me it has the config files for OpenWRT.

https://github.com/crazy-max/WindowsSpyBlocker/tree/master/data/openwrt/win10/spy

Installing is fairly straightforward if you are used to using a Linux terminal. I logged into my OpenWRT router using PuTTY (http://www.putty.org/). Typically your router is at the IP address 192.168.1.1, but that depends on how you set up OpenWRT. Log in as root, with the password you set up on OpenWRT. Once logged in...

% cd /etc

Backup the old files...

% cp dnsmasq.conf dnsmasq.conf.old
% cp firewall.user firewall.user.old
% vi dnsmasq.conf

Press the i key (to put vi in insert mode). Copy the contents of the dnsmasq.conf file you downloaded from GitHub by selecting the contents and pressing CTRL-C. Click on the PuTTY window with the left mouse button and then press the right mouse button; the contents of the clipboard should appear. Press return. Press CTRL and '[' (to leave insert mode). Type :wq and press return to write the file (or just :q! if you messed up).

% vi firewall.user

Do the same as above with the firewall.user file.

If the vi/PuTTY steps seem a little obtuse, you could also just upload the files using SCP. Just connect to 192.168.1.1, give root and the password, and set where you want the files to upload to (WinSCP is a reasonable free Windows SCP client).

Now reboot the router from the OpenWRT web interface: point your browser to http://192.168.1.1 and you should get a login page. Log in, then click the 'System' tab, then 'Reboot', and finally click 'Perform Reboot'.

After rebooting you can test by pinging the domains from the dnsmasq.conf list (say aidps.atdmt.com). You typically don't get a reply, but ping will show an IP address if it can resolve the name; if the change worked, ping will fail to resolve the name to an IP address. To test the firewall you can use traceroute 207.68.166.254 (one I just selected from the firewall.user list). It should not be able to reach past the router.
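As an added example (not code from the post or from the WindowsSpyBlocker project), the shell script below generates the two kinds of entry the post pastes by hand from a plain list of domains and IPv4 addresses, installs them with the same .old backups, and syntax-checks dnsmasq.conf before you reboot. The list contents are constructed; the `address=/domain/0.0.0.0` and `iptables -I FORWARD -d ip -j DROP` forms are standard dnsmasq and iptables syntax.

```shell
#!/bin/sh
# Added example (not from the post or WindowsSpyBlocker): turn a plain blocklist
# of domains and IPv4 addresses into the two OpenWRT files the post edits by
# hand, keeping the same .old backups. The list below is CONSTRUCTED sample data.
SAMPLE_LIST='# constructed sample entries
aidps.atdmt.com
207.68.166.254'

# Drop comment and blank lines from the list passed in $1.
entries() {
  printf '%s\n' "$1" | grep -v '^#' | grep -v '^[[:space:]]*$'
}

# dnsmasq sinkhole: every listed domain resolves to 0.0.0.0, so a client never
# learns the real address (ping "fails to resolve", as the post describes).
dnsmasq_lines() {
  entries "$1" | while read -r e; do
    case "$e" in
      *[a-zA-Z]*) printf 'address=/%s/0.0.0.0\n' "$e" ;;
    esac
  done
}

# firewall.user: drop forwarded packets to listed IPv4 addresses, covering
# programs that skip DNS and use hardcoded IPs; traceroute stops at the router.
firewall_lines() {
  entries "$1" | while read -r e; do
    case "$e" in
      *[a-zA-Z]*) ;;                          # domain: handled by dnsmasq
      *) printf 'iptables -I FORWARD -d %s -j DROP\n' "$e" ;;
    esac
  done
}

# Append generated lines to dnsmasq.conf and firewall.user under $1 (normally
# /etc), backing up existing copies first, then syntax-check dnsmasq.conf.
install_lists() {
  dir=$1; list=$2
  for f in dnsmasq.conf firewall.user; do
    if [ -f "$dir/$f" ]; then cp "$dir/$f" "$dir/$f.old"; fi
  done
  dnsmasq_lines "$list" >> "$dir/dnsmasq.conf"
  firewall_lines "$list" >> "$dir/firewall.user"
  # Catch typos before the reboot when dnsmasq is installed (it is on OpenWRT).
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test -C "$dir/dnsmasq.conf" || return 1
  fi
}
```

Run it on the router as `install_lists /etc "$(cat blocklist.txt)"`, then reboot as described above; the classification is letters-versus-digits, so it is for IPv4 lists only.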

Comments

Connor on March 28, 2017 at 6:51 pm said:

This blocking list is now also available within the adblock addon for openwrt.

Unfortunately, blocking of DNS resolution is not enough, as Microsoft now hardcodes the IPs into their programs.

Are you running a practical solution for this?

Of course one could create a blocking entry for all those IPs, but that is tiresome, and I found already some of the DNS names resolve to different IPs than they did a year ago.

Jonathan on March 31, 2017 at 11:40 am said:

I had a quick look at adblock on openwrt – looks pretty handy. I think for something that changes so often as much as adblocking that it’s preferable to have something installed in the browser – like ublock origin. Since you may want to turn it off. Because the router is something that you want to touch rarely.

You could apply the same argument to Win10 telemetry blocking – but it’s a much smaller and more defined problem. The lack of control of what’s going on under the hood pushed me to that place. With ad blocking – it’s more transparent what’s going on, I can see that the ads are blocked. With telemetry – I’ve got no idea what ms is doing, when and why. It’s all invisible and therefore I’m forced to take a more extreme position. I also install the Win10 blocking utilities on win10 machines too – such as spybot antibeacon.

The tables do block IP addresses without IP lookup through the firewall.user file, I believe.

It’s interesting that you have seen those ip uses change.

Philippe on June 16, 2017 at 7:52 am said:

I have employed a slightly different method on my OpenWRT router. It is derived from this one: https://www.snbforums.com/threads/how-to-disable-windows-10-tracking-using-ipset-entware.26615/

It basically allows resolving the DNS but routes any traffic directed to the resolved IPs into a proverbial black hole. That way I only have to keep track of some hardcoded IPs, as my Win10 machine(s) thinks it can connect but does not get any response. Once a month I search online, look through the network traffic and update the block list of IPs and DNS entries.

Jonathan on September 10, 2017 at 3:39 pm said:

Hi Philippe,

thanks for the link and the information. This does look like a good approach, and I will look into it some more.

My current fight for privacy has meant using a VPN on a router flashed with TomatoAdvanced. Unfortunately that has broken some of my windows 10 telemetry blocking, as the VPN tunnels past all the protection on my OpenWRT router.

This problem might be a push to try something new.

Thanks,

Jonathan

Comments closed