It’s generally regarded that if you’re using a VPN, you’re safe and anonymous. That no one can see where you are located or trace requests back to you (assuming your provider doesn’t keep server logs). I’ve always kept in the back of my mind that during the course of casual browsing, with or without a VPN, you’re leaking a lot of information but I’ve never dived in to the particulars.
I’m on the road a lot, clocking up some 160,000 km last year. As such I need to use a static IP otherwise I’m constantly having to adjust whitelists, which isn’t always feasible. I also have to connect to unsecured networks in hotels and airports, so naturally VPNs are my best friend. Earlier today I decided to do a quick test to see just how anonymous a VPN keeps you. As it turns out, you can use a VPN and not actually benefit from it, with the exception of your ISP not being able to see what you’re up to.
I downloaded a Linux image with the intention of connecting to a free VPN service and seeing what information is leaked and what steps were required to lock everything down. The distro of choice was Kali Linux, YMMV with other flavours. Once the OS was up and running I followed these steps to get an OpenVPN tunnel running using Proxy and VPN Guard. Simple!
I connected to a Finnish VPN and started Googling for a site that would try and sniff out any leaks. I ended up at ipleak.net and despite being connected to a VPN which fooled a few other sites, ipleak.net was still able to determine that I was actually in Germany. Hmmm.
WebRTC is a set of communication protocols to enable peer-to-peer communication, e.g. video calling etc and is in the process of being standardised by the W3C. One of the methods available in the API allows a remote server to determine your true IP (internal and external!), regardless of any VPN tunnel you might be using. Ouch.
As this is a browser technology, it doesn’t impact all browsers so check ipleak.net or visit https://diafygi.github.io/webrtc-ips/ for each browser that you use to determine if you’re vulnerable. You can also check the WebRTC Wikipedia article to see which browsers have support.
If needs be, there are a number of options to disabling or blocking WebRTC outlined here.
The easiest way to tell if you are leaking your IPv6 address is to point your browser to ipleak.net whilst connected to your VPN. If you see your true IPv6 address showing up, you’re doomed. For Linux users, you can follow the steps listed in this blackmoreops.com article to disable IPv6 at the OS level, otherwise there are myriad extensions available for various browsers.
VPNs are not a silver bullet to online privacy. As clearly seen above, even with a security oriented Linux distro, there are a few simple hurdles that can render any VPN useless. If you’re a casual user who wants to make sure their privacy remains intact, make sure you check that you’re protected.
There are another two issues that you need to be aware off. The first is when your VPN connection disconnects without you noticing, followed by DNS leaks. To read more about these issues and possible solutions, read more at the VPN University website.