2016-05-05



Many people use Virtual Private Networks (VPNs) to mask their identity, encrypt their communications, or browse the web from a different location. All those goals can fall apart if your real information is leaking through a security hole, which is more common than you’d think. Let’s look at how to identify and patch those leaks.

How VPN Leaks Occur

The basics of VPN usage are pretty straightforward: You install a software package on your computer, device, or router (or use its built-in VPN software). This software captures all your network traffic and redirects it, through an encrypted tunnel, to a remote exit point. To the outside world, all your traffic appears to be coming from that remote point rather than your real location.

This is great for privacy (if you’re in an oppressive country whose government is spying on you), it’s great for virtual border hopping (like watching U.S. streaming services in Australia), and it’s an overall excellent way to cloak your identity online.

However, computer security and privacy are perpetually a game of cat and mouse. No system is perfect, and over time vulnerabilities are uncovered that can compromise your security–and VPN systems are no exception. Here are the three major ways your VPN can leak your personal information.

Flawed Protocols And Bugs

In 2014, the well-publicized Heartbleed bug was shown to leak the identities of VPN users. In early 2015, a web browser vulnerability was discovered that allows a third party to issue a request to a web browser that reveals the real IP address of the user (circumventing the obfuscation the VPN service provides).



This vulnerability, part of the WebRTC communication protocol, has still not been completely patched, and it’s still possible for the web sites you connect to, even when behind the VPN, to poll your browser and get your real address. In late 2015 a less widespread (but still problematic) vulnerability was uncovered wherein users on the same VPN service could unmask other users.

These kinds of vulnerabilities are the worst because they are impossible to predict, companies are slow to patch them, and you need to be an informed consumer to ensure your VPN provider is dealing with known and new threats appropriately. Nonetheless, once they are discovered you can take steps to protect yourself (as we’ll highlight in a moment).

DNS Leaks

Even without outright bugs and security flaws, however, there’s always the matter of DNS leaking (which can arise from poor operating system default configuration choices, user error, or VPN provider error). DNS servers resolve those human-friendly addresses you use (like www.facebook.com) into machine-friendly addresses (like 173.252.89.132). If your computer uses a different DNS server than your VPN’s location, it can give away information about you.

DNS leaks are not as bad as IP leaks, but they can still give away your location. If your DNS leak shows that your DNS servers belong to a small ISP, for example, then it greatly narrows down your identity and can quickly geographically locate you.

Any system can be vulnerable to a DNS leak, but Windows has historically been one of the worst offenders, due to the way the OS handles DNS requests and resolution. In fact, Windows 10’s DNS handling with a VPN is so bad that the computer security arm of the Department of Homeland Security, the United States Computer Emergency Readiness Team, actually issued a briefing about controlling DNS requests in August of 2015.

IPv6 Leaks

Finally, the IPv6 protocol can cause leaks that can give away your location and allow third parties to track your movement across the Internet. If you’re not familiar with IPv6, check out our explainer here–it’s essentially the next generation of IP addresses, and the solution to the world running out of IP addresses as the number of people (and their internet connected products) skyrockets.

While IPv6 is great for solving that problem, it’s not so great at the moment for people worried about privacy.

Long story short: some VPN providers only handle IPv4 requests and ignore IPv6 requests. If your particular network configuration and ISP are upgraded to support IPv6 but your VPN doesn’t deal with IPv6 requests, you can find yourself in a situation where a third party can make IPv6 requests that reveal your true identity (because the VPN just blindly passes them along to your local network/computer, which answers the request honestly).

Right now, IPv6 leaks are the least threatening source of leaked data. The world has been so slow to adopt IPv6 that, in most cases, your ISP dragging their feet even supporting it is actually protecting you against the problem. Nonetheless, you should be aware of the potential problem and proactively protect against it.

How to Check for Leaks

So where does all this leave you, the end user, when it comes to security? It leaves you in a position where you need to be actively vigilant about your VPN connection and frequently testing your own connection to ensure it isn’t leaking. Don’t panic, though: we’re going to walk you through the whole process of testing for and patching known vulnerabilities.

Checking for leaks is a pretty straightforward affair–though patching them up, as you’ll see in the next section, is a bit trickier. The internet is full of security-conscious folks and there is no shortage of resources available online to assist you in checking for connection vulnerabilities.

Note: While you can use these leak tests to check if your proxied web browser is leaking information, proxies are a completely different beast than VPNs and should not be considered a secure privacy tool.

Step One: Find Your Local IP

First, determine what the actual IP address of your local internet connection is. If you’re using your home connection, this would be the IP address supplied to you by your Internet Service Provider (ISP). If you’re using the Wi-Fi at an airport or hotel, for example, it would be the IP address of their ISP. Regardless, we need to figure out what a naked connection from your current location to the greater internet looks like.



You can find your real IP address by temporarily disabling your VPN. Alternatively, you can grab a device on the same network that isn’t connected to a VPN. Then, simply visit a website like WhatIsMyIP.com to see your public IP address.

Make note of this address, as this is the address you do not want to see pop up in the VPN test we’ll conduct shortly.

Step Two: Run the Baseline Leak Test

Next, disconnect your VPN and run the following leak test on your machine. That’s right, we don’t want the VPN running just yet–we need to get some baseline data first.

For our purposes, we’re going to use IPLeak.net, since it simultaneously tests for your IP address, if your IP address is leaking via WebRTC, and what DNS servers your connection is using.

In the above screenshot, our IP address and our WebRTC-leaked address are identical (even though we’ve blurred them out)–both are the IP address supplied by our local ISP per the check we performed in the first step of this section.

Further, all the DNS entries in the “DNS Address Detection” along the bottom match up with the DNS settings on our machine (we have our computer set to connect to Google’s DNS servers). So for our initial leak test, everything checks out, since we are not connected to our VPN.

As a final test, you can also check to see if your machine is leaking IPv6 addresses with IPv6Leak.com. As we mentioned earlier, while this is still a rare issue, it never hurts to be proactive.

Now it’s time to turn on the VPN and run more tests.

Step Three: Connect To Your VPN and Run the Leak Test Again

Now it’s time to connect to your VPN. Whatever routine your VPN requires to establish a connection, now is the time to run through it–start the VPN’s program, enable the VPN in your system settings, or whatever it is you normally do to connect.

Once it’s connected, it’s time to run the leak test again. This time, we should (hopefully) see totally different results. If everything is running perfectly, we’ll have a new IP address, no WebRTC leaks, and a new DNS entry. Again, we’ll use IPLeak.net:

In the above screenshot, you can see that our VPN is active (since our IP address shows we’re connected from the Netherlands instead of the United States), and both our detected IP address and the WebRTC address are the same (which means we’re not leaking our true IP address via the WebRTC vulnerability).

However, the DNS results at the bottom show the same addresses as before, coming from the United States–which means our VPN is leaking our DNS addresses.

This isn’t the end of the world from a privacy standpoint, in this particular case, since we’re using Google’s DNS servers instead of our ISP’s DNS servers. But it still identifies that we’re from the U.S. and it still indicates that our VPN is leaking DNS requests, which is not good.

NOTE: If your IP address hasn’t changed at all, then it probably isn’t a “leak”. Instead, either 1) your VPN is configured incorrectly, and isn’t connecting at all, or 2) your VPN provider has totally dropped the ball somehow, and you need to contact their support line and/or find a new VPN provider.

Also, if you ran the IPv6 test in the previous section and found that your connection responded to IPv6 requests, you should also re-run the IPv6 test again now to see how your VPN is handling the requests.
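The before-and-after comparison in steps two and three can also be done from the machine itself. The following PowerShell script is an added example, not code from the original article: it snapshots the public IP address, the DNS servers configured on every adapter (the list Windows may query in parallel) and any globally routable IPv6 address, and then compares a snapshot taken with the VPN off against one taken with the VPN on, applying the same reading as the text above (unchanged public IP means the tunnel is simply not up, pre-VPN resolvers still present mean a DNS leak, a global IPv6 address means IPv6 requests can leave the machine). The public-IP lookup URL (api.ipify.org) is our own choice and is the one assumption; any service that returns your address as plain text will do. WebRTC exposure is a browser property and still needs the IPLeak.net test.

```powershell
# Added example (not from the original article). Run Get-LeakSnapshot once with
# the VPN off and once with it on, then compare the two.
# Assumption: the public-IP service below is our choice, swap in any plain-text one.

function Get-LeakSnapshot {
    param([string]$PublicIpUrl = 'https://api.ipify.org')

    # Public IPv4 address as seen from the internet (needs network access).
    $publicIp = ([string](Invoke-RestMethod -Uri $PublicIpUrl)).Trim()

    # DNS servers configured on every adapter. Windows 8+ may query any of
    # these in parallel, which is exactly how a DNS leak happens.
    $dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object { $_.ServerAddresses } |
        Sort-Object -Unique

    # Any IPv6 address other than link-local or loopback is globally reachable,
    # so IPv6 requests could bypass an IPv4-only VPN.
    $ipv6 = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike 'fe80*' -and $_.IPAddress -ne '::1' } |
        ForEach-Object { $_.IPAddress }

    [pscustomobject]@{
        Taken      = Get-Date
        PublicIp   = $publicIp
        DnsServers = @($dns)
        GlobalIpv6 = @($ipv6)
    }
}

function Compare-LeakSnapshot {
    param(
        [Parameter(Mandatory)]$Baseline,   # snapshot taken with the VPN off
        [Parameter(Mandatory)]$Vpn         # snapshot taken with the VPN on
    )
    $findings = @()

    # Same public IP as before is not a leak; the tunnel is simply not up.
    if ($Vpn.PublicIp -eq $Baseline.PublicIp) {
        $findings += "VPN NOT CONNECTED: public IP $($Vpn.PublicIp) is unchanged"
    }

    # Any pre-VPN resolver still configured while the VPN is up can be queried
    # directly by Windows, which is the DNS leak shown in the screenshot above.
    $leaked = @($Vpn.DnsServers | Where-Object { $Baseline.DnsServers -contains $_ })
    if ($leaked.Count -gt 0) {
        $findings += "DNS LEAK: pre-VPN resolvers still configured: $($leaked -join ', ')"
    }

    if ($Vpn.GlobalIpv6.Count -gt 0) {
        $findings += "IPv6 LEAK RISK: global IPv6 address(es) present: $($Vpn.GlobalIpv6 -join ', ')"
    }

    if ($findings.Count -eq 0) {
        'No IP, DNS or IPv6 leak detected (WebRTC still needs the browser test)'
    } else {
        $findings
    }
}

# Usage: first line with the VPN off, remaining lines with the VPN on.
# Get-LeakSnapshot | ConvertTo-Json | Set-Content baseline.json
# $baseline = Get-Content baseline.json | ConvertFrom-Json
# Compare-LeakSnapshot -Baseline $baseline -Vpn (Get-LeakSnapshot)
```

If your VPN happens to push the same public resolvers you already use (Google’s, in the walkthrough above), the DNS check will flag them even though nothing changed; in that case the IPLeak.net result, which shows which resolver actually reached the authoritative server, is the one to trust.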

So what happens if you detect a leak? Let’s talk about how to deal with them.

How to Prevent Leaks

While it’s impossible to predict and prevent every possible security vulnerability that comes along, we can easily prevent WebRTC vulnerabilities, DNS leaks, and other issues. Here’s how to protect yourself.

Use a Reputable VPN Provider

First and foremost, you should use a reputable VPN provider that keeps its users abreast of what is going on in the security world (they’ll do the homework so you don’t have to), and acts on that information to proactively plug holes (and notify you when you need to make changes).

To that end, we highly recommend Private Internet Access–a great VPN provider that we’ve not only recommended before but use ourselves.

Want a quick and dirty test to see whether or not your VPN provider is remotely reputable? Run a search for their name and keywords like “WebRTC”, “leaking ports”, and “IPv6 leaks”. If your provider has no public blog posts or support documentation discussing these issues, you probably don’t want to use that VPN provider as they’re failing to address and inform their customers.

Disable WebRTC Requests

If you’re using Chrome, Firefox, or Opera as your web browser, you can disable WebRTC requests to close the WebRTC leak. Chrome users can download and install one of two Chrome extensions: WebRTC Block or ScriptSafe. Both will block WebRTC requests, but ScriptSafe has the added bonus of blocking malicious JavaScript, Java, and Flash files.

Opera users can, with a minor tweak, install Chrome extensions and use the very same extensions to protect their browsers. Firefox users can disable the WebRTC functionality from the about:config menu. Just type about:config into the Firefox address bar, click the “I’ll be careful” button, and then scroll down until you see the media.peerconnection.enabled entry. Double click on the entry to toggle it to “false”.

After applying any of the above fixes, clear the cache of your web browser and restart it.

Plug DNS and IPv6 Leaks

Plugging DNS and IPv6 leaks can either be a huge annoyance or trivially easy to fix, depending on the VPN provider you use. Best case scenario, you can simply tell your VPN provider, via the settings of your VPN, to plug the DNS and IPv6 holes, and the VPN software will handle all the heavy lifting for you.

With Private Internet Access, this option is trivial to enable. Simply open up the settings of the VPN management application and check “DNS Leak protection” and “IPv6 Leak Protection”. The software will automatically make changes to the network configuration of your device to plug the DNS leaks and IPv6 leaks.

If your VPN software doesn’t provide this option, you’ll need to manually set your DNS provider and disable IPv6 at the device level. Even if you have helpful VPN software that will do the heavy lifting for you, however, we recommend you read over the following instructions on how to manually change things, so you can double-check that your VPN software makes the correct changes.

We’ll demonstrate how to do so on a computer running Windows 10, both because Windows is a very widely used operating system and because it’s also astoundingly leaky in this regard (compared to other operating systems). The reason Windows 8 and 10 are so leaky is because of a change in how Windows handled DNS server selection.

In Windows 7 and below, Windows would simply use the DNS servers you specified in the order you specified them (or, if you didn’t, it would just use the ones specified at the router or ISP level). Starting with Windows 8, Microsoft introduced a new feature known as “Smart Multi-Homed Name Resolution”. This new feature changed the way Windows handled DNS servers.

To be fair, it actually speeds up DNS resolution for most users, if the primary DNS servers are slow or unresponsive. For VPN users, however, it can cause DNS leakage, as Windows can fall back on DNS servers other than the VPN-assigned ones.

The most foolproof way to fix that in Windows 8, 8.1, and 10 (both Home and Pro editions), is to simply set the DNS servers manually for all interfaces.

To that end, open up the “Network Connections” via Control Panel > Network and Internet > Network Connections, and right click on each existing entry to change the settings for that network adapter.

For each network adapter, uncheck “Internet Protocol Version 6”, to protect against IPv6 leaking. Then select “Internet Protocol Version 4” and click the “Properties” button.

In the properties menu, select “Use the following DNS server addresses”.

In the “Preferred” and “Alternate” DNS boxes enter the DNS servers you wish to use. The best case scenario is that you use DNS servers specifically provided by your VPN service. Private Internet Access users can, for example, use their private DNS servers 209.222.18.222 and 209.222.18.218.

If your VPN doesn’t have DNS servers for you to use, you can instead use public DNS servers not associated with your geographic location or ISP, like OpenDNS’ servers, 208.67.222.222 and 208.67.220.220.

Repeat this process of specifying the DNS addresses for every adapter on your VPN-enabled computer in order to ensure Windows can never fall back on the wrong DNS address.

Windows 10 Pro users can also disable the entire Smart Multi-Homed Name Resolution feature via the Group Policy Editor, but we recommend also performing the above steps (if a future update re-enables the feature, your computer will otherwise start leaking DNS data again).

To do so, press Windows+R to pull up the run dialog box, enter “gpedit.msc” to launch the Local Group Policy Editor and, as seen below, navigate to Administrative Templates > Network > DNS-Client. Look for the entry “Turn off smart multi-homed name resolution”.

Double click on the entry and select “Disable” and then press the “OK” button. Again, for emphasis, we recommend manually editing all your DNS entries so even if this policy change fails or is altered in the future you are still protected.
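The per-adapter clicking above can be scripted, which also gives you a repeatable audit to re-run after Windows updates. The following PowerShell is an added example, not code from the original article or from Private Internet Access: from an elevated prompt, Set-VpnDnsHardening unbinds IPv6 from every adapter and sets the IPv4 DNS servers statically (defaulting to the two Private Internet Access addresses quoted above; pass your own VPN’s resolvers with -DnsServers), and Test-VpnDnsHardening reports any adapter that still has IPv6 bound or a DNS server outside the allowed list. It assumes the DisableSmartNameResolution value under the DNSClient policy key, a standard Windows registry setting not mentioned in the article, is what the Group Policy entry “Turn off smart multi-homed name resolution” writes.

```powershell
# Added example (not from the original article). Run as Administrator.
# Assumption: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DisableSmartNameResolution
# is the registry value behind the Group Policy entry discussed above.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

function Set-VpnDnsHardening {
    param(
        [string[]]$DnsServers = @('209.222.18.222', '209.222.18.218'),  # PIA resolvers from the article
        [switch]$DisableIpv6
    )
    foreach ($adapter in Get-NetAdapter) {
        if ($DisableIpv6) {
            # Same effect as unticking "Internet Protocol Version 6" in the adapter properties.
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
        }
        # Same effect as "Use the following DNS server addresses" for IPv4.
        Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServers
    }

    # Policy-backed switch for smart multi-homed name resolution (see assumption above).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name DisableSmartNameResolution -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-VpnDnsHardening {
    param([string[]]$AllowedDnsServers = @('209.222.18.222', '209.222.18.218'))
    $problems = @()

    foreach ($adapter in Get-NetAdapter) {
        $ipv6 = Get-NetAdapterBinding -Name $adapter.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
        if ($ipv6 -and $ipv6.Enabled) {
            $problems += "$($adapter.Name): IPv6 still bound"
        }

        $dns = (Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4).ServerAddresses
        $stray = @($dns | Where-Object { $AllowedDnsServers -notcontains $_ })
        if ($stray.Count -gt 0) {
            $problems += "$($adapter.Name): unexpected DNS server(s) $($stray -join ', ')"
        }
    }

    $policy = Get-ItemProperty -Path $PolicyKey -Name DisableSmartNameResolution -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.DisableSmartNameResolution -ne 1) {
        $problems += 'Smart multi-homed name resolution is not turned off by policy'
    }

    if ($problems.Count -eq 0) {
        'OK: every adapter uses only the allowed DNS servers, IPv6 is unbound, policy is set'
    } else {
        $problems
    }
}

# Usage (elevated prompt):
# Set-VpnDnsHardening -DisableIpv6
# Test-VpnDnsHardening
```

Re-run Test-VpnDnsHardening after major Windows updates and after installing new VPN or virtualisation software, since both tend to add adapters that come up with DHCP-assigned DNS servers and IPv6 bound, which puts you right back in the leaky state the article describes.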

So with all these changes enacted, how does our leak test look now?

Clean as a whistle–our IP address, our WebRTC leak test, and our DNS address all come back as belonging to our VPN exit node in the Netherlands. As far as the rest of the internet is concerned, we’re from the Lowlands.

Playing the Private Investigator game on your own connection isn’t exactly a thrilling way to spend an evening, but it’s a necessary step to ensure your VPN connection isn’t compromised and leaking your personal information. Thankfully with the help of the right tools and a good VPN, the process is painless and your IP and DNS information is kept private.
