How to perform a VPN leak test




OK, so you’ve set up your VPN client. It runs, and there are no error messages. You can reach the internet. But how can you ensure that all of your traffic is routed through the VPN tunnel? And even if everything seems OK now, what will happen if the machine sleeps, and then resumes? What if there’s an interruption in network connectivity? Or what if you’re using Wi-Fi, and switch to a new access point and network? Or if you connect to a network that’s fully IPv6 capable? This guide demonstrates how you can conduct a comprehensive VPN leak test.

First, verify that your computer has configured a VPN tunnel. In Windows, open a command prompt, and run . You’ll see an ethernet adapter section with the Description “WireGuard Tunnel” or “TAP-Windows Adapter V9”. The IPv4 Address will be something like or . In macOS and Linux, open a terminal, and run . The VPN tunnel adapter is in macOS, and or in Linux.

Risks from Browser Fingerprinting and IPv6 Leaks

The only way to know whether all traffic is using the VPN tunnel is through testing. But there is some risk in testing for VPN leaks. Browsers can be fingerprinted in various ways. And so sites that you use in testing may see the same browser fingerprint from both your ISP-assigned IP address and your VPN exit IP address. Any adversary that learns your browser’s fingerprint could later identify you, even if you were connecting through a VPN and/or Tor, as long as you were using the same browser. A recent W3C draft guidance states: “elimination of the capability of browser fingerprinting by a determined adversary through solely technical means that are widely deployed is implausible”.

WebGL fingerprinting and IPv6 leaks are far worse. WebGL uses the GPU via the OS graphics driver. On a given system, it appears that all browsers with WebGL enabled will have the same WebGL fingerprint. When using VPN services, I recommend blocking WebGL. In Firefox, for example, open “about:config” and toggle “webgl.disabled” to “true”. In NoScript options, check “Forbid WebGL” in the “Embeddings” tab.

It appears that systems using a given graphics driver can have the same WebGL fingerprint on hardware with a given GPU. So reinstalling a given OS, or even switching to another OS that uses the same graphics driver, won’t change the WebGL fingerprint. This is clearly the case for VirtualBox VMs using the default virtual GPU. For example, browsers on Debian and Lubuntu VMs have the same WebGL fingerprint. But browsers on other OS (unrelated Linux distros, FreeBSD, Windows and macOS) have different WebGL fingerprints. However, the host and VMs use different GPUs (real vs virtual) so there is no overlap in WebGL fingerprints.

It’s not uncommon for VPN clients to leak IPv6 traffic. That’s serious, because IPv6 addresses are typically device-specific. And so it’s prudent to disable IPv6 in both your OS and your LAN router. It’s also prudent to use VPN clients that block IPv6 traffic, or block IPv6 in your firewall. And whenever you first connect through a new LAN or Wi-Fi network, check IPv6 connectivity.

By the way, WebGL fingerprinting is a crucial issue when compartmentalizing across multiple VMs. It’s true that you can easily block WebGL fingerprinting in browsers. But it’s also prudent to compartmentalize across VMs with different WebGL fingerprints. Whonix instances are another good option, because Tor browser has been hardened to fully block WebGL fingerprinting.

VPN Leak Test

While doing your VPN leak test, you can use tcpdump to check for traffic that’s not using the VPN tunnel. In Windows, you’ll need Wireshark and wintee. Just put a copy in your user folder. Now list network interface numbers:

Windows :


macOS :


Linux:


You want the physical network interface. It’s typically “1”. So to start capturing:

Windows :


macOS :


Linux:


Host a.b.c.d is the VPN server that you’re using. Keep the command/terminal window open while you do the following tests, and look for packets with addresses outside your local LAN and/or Wi-Fi networks.

Start by checking your IP address. It’s safe to use your VPN provider’s website. If they don’t report IP addresses, the next safest bet is arguably check.torproject.org. If you intend to test for VPN leaks using other sites, I recommend using Tor browser, because it’s been hardened to block WebGL fingerprinting, and to otherwise report the same fingerprint for all users. But for now, it’s OK to use your default browser. Anyway, you should see your VPN exit IP address.

You also want an ongoing source of network traffic. In a second command/terminal window:

Windows :


macOS :


Linux:


If you want pinging with timestamps in Windows or macOS, hacks (more or less ugly) are required:

Windows :


macOS :


Linux:


Custom clients of some VPN providers block pings to their servers through their VPN tunnels. If you see no output, hit Ctrl-C and try pinging a.b.c.1 instead. If that also doesn’t work, try 38.229.82.25 (torproject.org). In the traffic capture window, you should see no packets with addresses outside your local LAN and/or Wi-Fi networks (i.e., no non-local traffic captures).

Now disconnect the machine from the network. That will prevent pings from completing. In Windows, you will see “Request timed out.” In macOS and Linux, ping output will just stop. Then reconnect the machine to the network. If all goes well, ping replies should start appearing again. Refresh the IP-check site in your browser. You should still see your VPN exit address. In the traffic capture window, you should still see no non-local captures. In Windows, you may see lots of local traffic. To check more thoroughly, you can view tcpdump.log in a text editor.
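Reading tcpdump.log by eye works for a short test, but a small parser makes the “no non-local captures” check repeatable. The following is an added example, not code from the original guide: it classifies lines of plain-text tcpdump output (captured on the physical interface, with addresses left numeric) into VPN transport, local chatter and leaks. The LAN prefixes, the VPN server address 203.0.113.5 standing in for “a.b.c.d”, and the sample log lines are all constructed for the example. It goes slightly beyond the guide’s “outside your LAN” criterion in one way: DNS on the physical interface is flagged even when it goes to the LAN router, because such requests bypass the tunnel regardless of where the resolver sits.

```python
import ipaddress
import re

# Assumed test setup (constructed for this example): LAN prefixes and the VPN
# server "a.b.c.d" from the guide, here given the documentation address 203.0.113.5.
LAN_NETS = ("192.168.1.0/24", "2001:db8::/64")
VPN_SERVER = "203.0.113.5"

# Constructed sample of tcpdump text output captured on the *physical*
# interface while the tunnel is up. Lines 1-2 are the VPN transport itself,
# line 3 is ARP noise, and lines 4-7 are the kinds of packets that escape.
SAMPLE_TCPDUMP_LOG = """\
12:00:01.000001 IP 192.168.1.10.51234 > 203.0.113.5.1194: UDP, length 96
12:00:01.000002 IP 203.0.113.5.1194 > 192.168.1.10.51234: UDP, length 96
12:00:01.000003 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:02.000004 IP 192.168.1.10.40001 > 192.168.1.1.53: 1234+ A? example.com. (29)
12:00:02.000005 IP 192.168.1.10.40002 > 198.51.100.9.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000006 IP 192.168.1.10 > 38.229.82.25: ICMP echo request, id 1, seq 5, length 64
12:00:03.000007 IP6 2001:db8::10.40003 > 2001:db8:ffff::1.443: Flags [S], seq 1, win 64240, length 0
"""

# "<timestamp> IP|IP6 <src> > <dst>:" -- ARP and other non-IP lines do not match.
LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+?):? ")


def split_host_port(field):
    """tcpdump writes 'addr.port' for TCP/UDP and a bare address for ICMP."""
    try:
        return ipaddress.ip_address(field), None
    except ValueError:
        host, _, port = field.rpartition(".")
        return ipaddress.ip_address(host), port


def is_local(addr, lan_nets):
    """Inside one of the LAN prefixes, or a loopback/link-local/multicast address."""
    return (any(addr in ipaddress.ip_network(n) for n in lan_nets)
            or addr.is_loopback or addr.is_link_local or addr.is_multicast)


def classify(line, lan_nets=LAN_NETS, vpn_server=VPN_SERVER):
    """None for non-IP lines; otherwise 'tunnel', 'local', 'dns-leak', 'ipv6-leak' or 'leak'."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport = split_host_port(m.group(1))
    dst, dport = split_host_port(m.group(2))
    remote = dst if is_local(src, lan_nets) else src   # the far end of the conversation
    if remote == ipaddress.ip_address(vpn_server):
        return "tunnel"        # encrypted VPN transport: expected
    if "53" in (sport, dport):
        return "dns-leak"      # DNS on the physical interface bypasses the tunnel, even via the LAN router
    if is_local(remote, lan_nets):
        return "local"         # LAN chatter the guide tells you to ignore
    if remote.version == 6:
        return "ipv6-leak"
    return "leak"              # plain non-local traffic, e.g. a ping that beat the tunnel


def find_leaks(log_text, lan_nets=LAN_NETS, vpn_server=VPN_SERVER):
    """Every (kind, line) pair in the capture that escaped the tunnel."""
    out = []
    for line in log_text.splitlines():
        kind = classify(line, lan_nets, vpn_server)
        if kind is not None and kind.endswith("leak"):
            out.append((kind, line))
    return out


if __name__ == "__main__":
    for kind, line in find_leaks(SAMPLE_TCPDUMP_LOG):
        print(f"{kind:10s} {line}")
```

Pass the contents of your own tcpdump.log to `find_leaks` with your LAN prefixes and VPN server address; an empty result is the outcome the test above expects, and a single returned line is already a failed test, since one leaked packet reveals your ISP-assigned address.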

Failure Modes and Options

Failure shows up in a few main ways. Most blatantly, the openvpn process (not just the VPN connection) may die after loss of network connectivity. So after network connectivity is restored, the IP-check site will report your ISP-assigned IP address. And you will see numerous non-local traffic captures. Network Manager in Linux is prone to this failure mode, by the way, and should be avoided.

Less blatantly, but more insidiously, the VPN client may reconnect after network connectivity is restored, and the IP-check site will still report your VPN exit IP address. You might not notice any interruption. But you will see non-local traffic captures, generated by pings that succeeded before the VPN tunnel came back up. Just one leaked packet is enough to reveal your ISP-assigned IP address.

Plain vanilla OpenVPN tends to fail in a way that’s somewhat easier to manage, but still dangerous. If a network interruption lasts long enough to kill the VPN connection, OpenVPN can’t reestablish the connection. As long as OpenVPN is running, all traffic is routed through the VPN gateway, which is dead. And so there’s no network connectivity. Pings will fail, and you will see no traffic captures. Default routing isn’t restored until the openvpn process is killed. So one could close apps accessing sensitive network resources, kill the openvpn process, and then reconnect the VPN. Or one could just reboot. But those are tedious hacks, and prone to error.

You can use the same approach to see how your VPN client responds to other perturbations. Sleep and resume. Change Wi-Fi access points. Use a network with full IPv6 connectivity. Whatever. Inspection of tcpdump.log and ping.log should reveal any leaks.

If you find that your VPN client leaks, one option is to try another VPN provider, and test their client. However, blocking leaks in Linux is easy with adrelanos’ vpn-firewall. I recommend using it with the built-in openvpn service, not Network Manager. Basically, it allows all apps to use the VPN tunnel, and blocks everything on the physical interface except for connections to the VPN server. You can use the same firewall logic in Windows and macOS. In Windows, you can just use Windows Firewall. In macOS, you can use IceFloor, which is a GUI front end for OpenBSD’s PF firewall.
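The firewall logic just described is simple enough to state precisely. The following is an added example, not vpn-firewall’s own code nor anything from the original guide: a small Python model of the egress decision (loopback allowed, everything allowed on the tunnel interface, the physical interface restricted to the VPN transport, IPv6 dropped), plus the same policy rendered as an nftables ruleset. The interface names eth0 and tun0, the VPN server 203.0.113.5 on UDP 1194, and the packets tested are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """Assumed names (constructed): physical interface, tunnel interface, VPN endpoint."""
    phys_if: str = "eth0"
    tun_if: str = "tun0"
    vpn_server: str = "203.0.113.5"
    vpn_proto: str = "udp"
    vpn_port: int = 1194


@dataclass(frozen=True)
class Packet:
    """One outbound packet as the egress filter sees it."""
    oif: str                 # interface it would leave on
    dst: str                 # destination address, IPv4 or IPv6
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def decide(pkt: Packet, pol: Policy) -> str:
    """Egress decision: apps may use the tunnel; the physical interface
    carries only the encrypted transport to the VPN server."""
    if pkt.oif == "lo":
        return "ACCEPT"                  # loopback is always fine
    if ipaddress.ip_address(pkt.dst).version == 6:
        return "DROP"                    # block IPv6 outright, as the guide advises
    if pkt.oif == pol.tun_if:
        return "ACCEPT"                  # inside the tunnel
    if (pkt.oif == pol.phys_if and pkt.dst == pol.vpn_server
            and pkt.proto == pol.vpn_proto and pkt.dport == pol.vpn_port):
        return "ACCEPT"                  # the VPN transport itself
    return "DROP"                        # anything else on the physical interface would be a leak


def nft_ruleset(pol: Policy) -> str:
    """The same policy as an nftables ruleset (assumed names; load with 'nft -f')."""
    return f"""\
table inet vpnfw {{
  chain output {{
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    meta nfproto ipv6 drop
    oifname "{pol.tun_if}" accept
    oifname "{pol.phys_if}" ip daddr {pol.vpn_server} {pol.vpn_proto} dport {pol.vpn_port} accept
  }}
  chain input {{
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    iifname "{pol.tun_if}" accept
    iifname "{pol.phys_if}" ip saddr {pol.vpn_server} {pol.vpn_proto} sport {pol.vpn_port} accept
  }}
}}
"""


if __name__ == "__main__":
    pol = Policy()
    for pkt in (Packet("tun0", "198.51.100.9", "tcp", 443),
                Packet("eth0", "203.0.113.5", "udp", 1194),
                Packet("eth0", "198.51.100.9", "tcp", 443),   # a leak: blocked
                Packet("eth0", "192.168.1.1", "udp", 53)):    # DNS around the tunnel: blocked
        print(decide(pkt, pol), pkt)
    print(nft_ruleset(pol))
```

The ruleset is deliberately minimal: a DHCP client on the physical interface would need an extra allowance for UDP ports 67/68, and any per-LAN access you want has to be added explicitly, which is the whole point of a default-drop policy on that interface.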

Other Kinds of Leaks

Even if all traffic is being routed through your VPN, it’s possible that DNS requests are going to a DNS server that’s operated by, or associated with, your ISP. Even though your requests are coming from the VPN exit, an adversary observing both the DNS server and your ISP traffic could correlate activity. If the VPN server uses the same IP address for access and exit, correlation becomes trivial. Now the adversary knows what sites you are accessing.

The HTML5 Geolocation API enables a potentially serious leak. It caches and reports available location data. Perhaps you’ve provided your location, in order to get local weather information. If you use Wi-Fi, your location can be triangulated from accessible access points. If you’re using a smartphone, the ID of the base station locates you approximately. And maybe you have GPS turned on. But there’s no problem as long as only IP address information is available. The simplest option is to disable geolocation, as explained in the IVPN knowledge base.

WebRTC is another indiscreet HTML5 feature. If enabled in the browser, it reports local IP address. And if IPv6 is functional, it reports local IPv6 address, which is typically device-specific. So it’s prudent to prevent WebRTC leaks by installing the “WebRTC Control” browser addon. Also, as noted above, it’s prudent to disable IPv6 in the OS, and to block all IPv6 traffic in the firewall.

Sites that you visit can also estimate the number of intervening routers by inspecting received SYN packets. The default initial time to live (TTL) for SYN packets varies by OS. The browser User-Agent string identifies the OS. And the TTL value is decreased each time the packet passes through a router. The difference between expected and observed TTL provides an estimate for the number of intervening routers.
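To make the TTL estimate concrete, here is an added example (not from the original guide) of the inference a site can perform: read the TTL from a `tcpdump -v` line, pick the nearest common initial TTL at or above it, and compare that with the OS the User-Agent string claims. The initial-TTL table (64 for Linux, macOS and Android, 128 for Windows, 255 for a few other stacks) is common knowledge about those network stacks; the tcpdump line and User-Agent strings are constructed for the example.

```python
import re

# Initial TTL (hop limit) values that common OS network stacks set on outgoing
# packets. Linux, macOS and the BSDs start at 64, Windows at 128, a few at 255.
COMMON_INITIAL_TTLS = (64, 128, 255)
EXPECTED_INITIAL_TTL = {"Windows": 128, "macOS": 64, "Linux": 64, "Android": 64}

TTL_RE = re.compile(r"\bttl (\d+)\b")


def ttl_from_tcpdump_line(line):
    """Extract the TTL that 'tcpdump -v' prints, e.g. 'IP (tos 0x0, ttl 52, id 7, ...)'."""
    m = TTL_RE.search(line)
    if m is None:
        raise ValueError("no ttl field in line")
    return int(m.group(1))


def infer_initial_ttl(observed):
    """Smallest common initial TTL at or above the observed value: the sender's likely start."""
    for initial in COMMON_INITIAL_TTLS:
        if observed <= initial:
            return initial
    raise ValueError("TTL cannot exceed 255")


def os_from_user_agent(ua):
    """Coarse OS guess from the User-Agent string (Android is checked before Linux)."""
    ua = ua.lower()
    if "windows" in ua:
        return "Windows"
    if "android" in ua:
        return "Android"
    if "macintosh" in ua or "mac os x" in ua:
        return "macOS"
    if "linux" in ua:
        return "Linux"
    return "unknown"


def estimate_hops(observed_ttl, user_agent):
    """Hop estimate, plus whether the TTL agrees with the OS the browser claims."""
    inferred = infer_initial_ttl(observed_ttl)
    os_name = os_from_user_agent(user_agent)
    expected = EXPECTED_INITIAL_TTL.get(os_name)
    return {
        "os": os_name,
        "initial_ttl": inferred,
        "hops": inferred - observed_ttl,
        "ttl_matches_os": expected is None or expected == inferred,
    }


if __name__ == "__main__":
    # Constructed 'tcpdump -v' line and User-Agent string.
    syn_line = ("12:00:05.000001 IP (tos 0x0, ttl 52, id 7, offset 0, flags [DF], "
                "proto TCP (6), length 60) 198.51.100.23.40004 > 203.0.113.80.443: Flags [S], seq 1")
    ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
    print(estimate_hops(ttl_from_tcpdump_line(syn_line), ua))
```

A mismatch between the TTL-inferred stack and the User-Agent’s OS (a Windows browser whose packets look like they started at 64, say) is exactly the kind of inconsistency a site can notice, which is one more reason the guide recommends a browser that reports the same fingerprint for everyone.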

If you intend to test for leaks using other third-party sites, I recommend using Tor browser, because it’s been hardened to block WebGL fingerprinting, and otherwise to report the same fingerprints for all users. But you obviously don’t want to use Tor while testing your VPN. First, download Tor browser for your OS. Do that with your VPN connected, so your ISP doesn’t see. After extracting, start Tor browser. You can probably accept all defaults. Go to advanced network settings, and select “No proxy”. Browse about:config, and toggle both “extensions.torlauncher.start_tor” and “network.proxy.socks_remote_dns” to “false”. Then browse check.torproject.org. You should see “Sorry. You are not using Tor.” and your VPN exit IP address.

It’s true that you can’t investigate WebGL and other fingerprinting using Tor browser. If you choose to test using other browsers, you should be very careful. As noted above, all WebGL-capable browsers on a given system will have the same WebGL fingerprint. So you should avoid using the same system with and without a VPN connected. You should also avoid using different VPN services, unless you don’t care that the system will be associated with both. Furthermore, if you use VMs, you should not use related operating systems with and without a VPN, or with different VPN services.

Summary

Bottom line, here are the key tests, and the results that you should get: