Mind the gap: watch out for VPN leaks

You can only be sure about your online privacy 24/7 when the VPN is properly configured. Otherwise, there is no guarantee your IP address is actually hidden: at some point, advertisers may get access to your browsing data, or you may be repeatedly denied access to a location-specific website despite connecting via the VPN. Both situations are telltale signs of the security breach known as a VPN leak.

How VPN gaps arise

The first significant source of leaks is the web browser, or, to be more precise, the Web Real-Time Communication protocol (WebRTC) built into such popular browsers as Chrome, Opera and Mozilla Firefox. The protocol provides end-to-end communication between browser clients located in different networks, in the form of file sharing, voice and video calls, etc. Unfortunately, WebRTC can disclose your real IP address even when the VPN is on.

Another web-based leak source is browser plugins known to leak user IP addresses, namely Java and Flash Player.

Naturally, VPN leaks may also arise on the service-provider side, where users have no control over the situation. Take a DNS provider, which you inevitably connect to whether you use a VPN or not: if DNS privacy fails, your real IP address, as well as your ISP, are left completely ‘naked’. VPN providers also fail from time to time: the root causes range from buggy code to fraudulent reselling of user information.

At the end of 2015, Perfect-Privacy.com also disclosed the so-called ‘port fail’ vulnerability, which occurs when a VPN provider offers port forwarding as part of its service. An attacker who is a user of the same VPN server, with port forwarding enabled, lures the victim into following a web link that points at a port the attacker controls. The link automatically redirects the victim’s traffic to that controlled port (a click-bait scheme), which results in a VPN leak: your real IP address is successfully tracked. Many VPN providers have fixed the issue since then, including Perfect Privacy itself and other big companies like Private Internet Access. However, port fail leaks still occur.

Speaking of bugs, some of you will probably remember Heartbleed, a security flaw in OpenSSL, the library that implements the TLS protocol: the vulnerable code was introduced in 2012 and the bug was publicly revealed in 2014. Both users and service providers suffered from Heartbleed.

You’d better check for VPN leaks

There is no need to stress how important it is to choose a reliable VPN provider from the start. But even if you think you have made the right choice, do not relax; trust, but verify:

  1. Go to IPleak.net and check your IP address prior to running the VPN (you can use any similar online tool for this).
  2. Connect to the VPN.
  3. Clear the browser cache and check your current IP address again: it should have changed by now. Open another browser and double-check.
  4. Run a WebRTC leak test: the public IP address it shows must be the same as the IP provided to you by the VPN.
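As an added example (not code from the original post or from any tool it names), here is the core of a WebRTC leak test like the one in step 4, written so it can be pasted into a browser console: it gathers ICE candidates, extracts the addresses the browser discloses, and reports any public address that is not the VPN-assigned IP. The STUN server URL and the function names are my assumptions; where WebRTC is disabled, the browser part resolves to an empty list.

```javascript
// Added example, not from the original post: a WebRTC leak self-check. It
// gathers ICE candidates like a WebRTC test page does, extracts the addresses
// the browser discloses, and flags any public one that is not the VPN IP.
const STUN_SERVER = "stun:stun.l.google.com:19302"; // assumption: any reachable STUN server

// Private/link-local ranges disclose a LAN address, not your ISP-facing one.
function isPrivateAddress(addr) {
  if (addr.includes(":")) {
    const a = addr.toLowerCase();
    return a === "::1" || a.startsWith("fe80:") || /^f[cd]/.test(a);
  }
  const [a, b] = addr.split(".").map(Number);
  return a === 10 || a === 127 || (a === 169 && b === 254) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Parse one ICE candidate line (RFC 5245 syntax); mDNS ".local" host
// candidates disclose nothing and are skipped.
function parseCandidate(line) {
  const m = /candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\w+)/.exec(line);
  if (!m || m[1].endsWith(".local")) return null;
  return { address: m[1], type: m[2] };
}

// Every distinct public address that differs from the VPN IP is a leak.
function assessCandidates(lines, vpnIp) {
  const seen = new Set(), leaked = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue;
    seen.add(c.address);
    if (!isPrivateAddress(c.address) && c.address !== vpnIp) leaked.push(c.address);
  }
  return { disclosed: [...seen], leaked, ok: leaked.length === 0 };
}

// Browser side: start ICE gathering and collect the raw candidate lines.
// Resolves to [] where WebRTC is disabled or unavailable (e.g. under Node).
function gatherCandidates(timeoutMs = 3000) {
  if (typeof RTCPeerConnection === "undefined") return Promise.resolve([]);
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: STUN_SERVER }] });
    const lines = [], done = () => { pc.close(); resolve(lines); };
    pc.onicecandidate = (e) => (e.candidate ? lines.push(e.candidate.candidate) : done());
    pc.createDataChannel("leaktest"); // a channel is needed to start gathering
    pc.createOffer().then((o) => pc.setLocalDescription(o));
    setTimeout(done, timeoutMs); // harmless if gathering already finished
  });
}
// Browser console, VPN up: gatherCandidates().then((l) => console.log(assessCandidates(l, "<vpn ip>")));
```

A result with `ok: false` lists every public address WebRTC exposed that is not your VPN IP; private addresses (192.168.x.x and the like) only reveal your LAN address and are reported under `disclosed`.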

Some advice on how to prevent or tackle the VPN leak

  • Unfortunately, not all VPN services provide a DNS leak protection feature. What can you do? Pick a reliable DNS server yourself; you do not have to use the one provided by your ISP. There are several well-known third-party DNS providers: Google Public DNS, Level3 DNS, OpenDNS, Norton ConnectSafe DNS, Comodo Secure DNS, etc. In return, you will get higher connection speeds and additional protection features.
  • To patch the WebRTC vulnerability, you can install a dedicated browser extension such as WebRTC Leak Prevent for Chrome, but make sure that your VPN supports WebRTC browser extensions first! FYI, Chrome, Opera and Firefox run WebRTC by default, while IE and Safari do not (if you saw your actual IP address during the WebRTC test, it is enabled). Alternatively, you can disable WebRTC entirely. This may affect some web apps that use the computer’s camera or microphone; if that happens, you can temporarily enable WebRTC again. If you actively use Mozilla Firefox, WebRTC can be disabled directly by opening a tab, entering “about:config” in the address bar and setting “media.peerconnection.enabled” to “false”. Certain browser extensions can also be installed to disable WebRTC:
    - Chrome, Opera: ScriptSafe (Chrome Web Store)
    - Mozilla Firefox: Disable WebRTC (Mozilla Add-ons)
  • Keep the kill-switch feature on; for that, make sure your VPN actually has one. A kill switch immediately terminates your online activity as soon as the VPN gets disconnected. Not all VPN providers implement a reliable kill switch within their protection technology, so take a close look at VPN service reviews.

And a few tips provided by Perfect Privacy for VPN providers who discover a likely leak spot in their technology:

  • make sure you have multiple IP addresses available
  • allow incoming client connections via ip1, route exit connections via ip2-ipx, and perform port forwarding on ip2-ipx
  • monitor the client connection side: make sure the server firewall blocks a client’s real IP address from accessing port forwards that belong to another user.