Hello, my name is Nicholas Cuts. I am an employee of SwitcherryVPN. The topic of my new article is VPN security. Today we’re going to talk about whether your VPN connection is truly 100% secure, as your VPN provider claims, or whether your VPN shield has “holes” and “cracks” that could potentially lead to sensitive information leaks.
Most VPN users mistakenly believe that any paid VPN service is guaranteed to provide anonymity and protect them from every online threat. In reality, many VPN services, even expensive ones marketed as “elite”, often fail to provide their customers with even a basic level of protection. This article explains which defects your VPN connection can have and how they can lead to a loss of privacy. You will also learn how to test your VPN connection for leaks and what solutions exist to eliminate the vulnerabilities you find. It is also worth reading an article about common mistakes when setting up and using a VPN.
Table of contents
- 1 Potential weaknesses of your VPN connection
- 2 Checking a VPN connection for leaks
- 3 How to manage your VPN’s vulnerabilities
- 4 SwitcherryVPN – Reliability, Security & Privacy
- 5 FAQ
Potential weaknesses of your VPN connection
In theory, a VPN tunnel is supposed to provide complete anonymity and confidentiality, but as some studies show, over 80% of VPN services are vulnerable to some form of threat that jeopardizes that connection’s security. Here is a list of privacy leaks:
- IP address leak;
- DNS leak;
- WebRTC leak;
- missing KillSwitch leak;
- Google Chrome browser VPN extension leak.
The user’s own IP address leak
As I’ve mentioned many times in my other articles, anyone who knows a user’s “native” IP address can identify that user’s actual geolocation, down to their home address. That is why IP address leaks are so dangerous. After all, the vast majority of VPN customers use VPNs to hide their real IP address. I wrote about IP address masking in detail here. The main cause of IP address leaks is the incompatibility of the new “wide” IPv6 addresses with most VPN protocols. The leak occurs because some ISPs give their users IP addresses in both the old IPv4 and the new IPv6 format, and requests originating from a “wide” IPv6 address bypass the VPN tunnel. A good VPN client must either support IPv6 addressing or block all IPv6 requests to prevent any such leak.
DNS leak
The domain name system is used to convert “human” site names into numeric ones. When data is exchanged online, only numeric IP addresses are used. For example, the google.com website has the following IP address: 22.214.171.124 (in reality, this is one of the IP addresses of Google’s numerous servers). When the user enters the “human” domain name (google.com) in the browser’s address bar and presses Enter, the request is sent to a server of that person’s Internet provider which, in order to identify google.com’s numeric address, in turn sends a request to the nearest DNS servers. DNS servers store a distributed database that translates “human” domain names into numeric IP addresses, in this case mapping google.com to 126.96.36.199.
A DNS leak occurs when a user’s computer, despite a running VPN client, accesses the DNS servers of its ISP. In this case, it is not the user’s own IP address that becomes visible, but the IP address of their Internet provider. In other words, a DNS leak immediately reveals the user’s country and region. In addition, by exploiting a DNS leak, hackers can carry out a so-called “DNS hijacking attack”. A DNS hijacking attack is carried out in the following way: a hacker breaks into a DNS server and spoofs certain IP addresses in it, for example, the IP address of your bank. Now, when you think you’re visiting your bank’s website, you are actually being sent to a hacked website that looks identical to the former. And, not noticing the change, you enter your login and password which the hacker immediately gets a hold of. To prevent DNS leaks, good VPN providers redirect all DNS queries to their own DNS servers.
WebRTC leak
The WebRTC (Web Real-Time Communication) technology enables users to communicate online by creating direct peer-to-peer connections between browsers. With the help of WebRTC, you can conduct audio/video chats and video conferencing in real time. WebRTC support is built into most modern browsers. A WebRTC leak occurs when the browser starts making requests that bypass the VPN tunnel. As a result, the user’s “native” IP address immediately becomes visible.
Leak due to lack of emergency shutdown tool
The VPN client, like any other program, can crash. Problems can also occur on the side of the VPN server. In case of any issue related to the VPN, a good VPN client should immediately block the Internet connection (have a built-in Kill Switch option). Otherwise, your Internet traffic will go past the VPN tunnel, revealing your real IP address and killing all the anonymity and privacy you enjoyed before the issue.
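The Kill Switch described above is easiest to understand as a firewall policy that does not depend on the VPN client process being alive. The following model is an added illustration, not code from the article or from any VPN product; the interface names, the VPN server address 198.51.100.7 and port 1194, and the destination 192.0.2.80 are constructed assumptions in documentation address ranges. It shows why a default-deny egress rule fails closed when the tunnel disappears, while a client with no such rule lets the same request leave on the physical interface.

```python
"""Model of the egress policy a VPN Kill Switch enforces.

Added illustration; interface names, addresses and ports are constructed
(RFC 5737 documentation ranges), not values from the article.
"""
from dataclasses import dataclass

VPN_SERVER = "198.51.100.7"   # constructed VPN server address
VPN_PORT = 1194               # constructed VPN server port (UDP)


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet leaves on: "lo", "eth0" (physical) or "tun0" (VPN)
    dst: str      # destination IPv4 address
    dport: int
    proto: str    # "tcp" or "udp"


@dataclass(frozen=True)
class KillSwitchPolicy:
    """Default-deny egress: only the tunnel itself and the VPN handshake may leave the host."""
    vpn_server: str
    vpn_port: int
    vpn_proto: str = "udp"
    tunnel_iface: str = "tun0"

    def allows(self, pkt: Packet) -> bool:
        if pkt.iface == "lo":
            return True                        # local traffic never touches the network
        if pkt.iface == self.tunnel_iface:
            return True                        # encrypted inside the tunnel
        if (pkt.dst, pkt.dport, pkt.proto) == (self.vpn_server, self.vpn_port, self.vpn_proto):
            return True                        # the client's own connection to the VPN server
        return False                           # anything else on the physical NIC is dropped


class NoKillSwitchPolicy:
    """What a client without a Kill Switch leaves behind: no egress rule at all."""

    def allows(self, pkt: Packet) -> bool:
        return True


def egress_iface(dst: str, tunnel_up: bool) -> str:
    """Host routing decision. The VPN server is pinned to the physical NIC; with the
    tunnel up the default route points at tun0, and when the client crashes and the
    tunnel interface vanishes, every other destination falls back to eth0."""
    if dst == VPN_SERVER:
        return "eth0"
    return "tun0" if tunnel_up else "eth0"


def web_request_leaves_host(policy, tunnel_up: bool, dst: str = "192.0.2.80") -> bool:
    """Would an HTTPS request to `dst` leave the host under this policy and tunnel state?"""
    pkt = Packet(egress_iface(dst, tunnel_up), dst, 443, "tcp")
    return policy.allows(pkt)


def reconnect_possible(policy, tunnel_up: bool = False) -> bool:
    """Can the VPN client still reach its server to re-establish the tunnel?"""
    pkt = Packet(egress_iface(VPN_SERVER, tunnel_up), VPN_SERVER, VPN_PORT, "udp")
    return policy.allows(pkt)


if __name__ == "__main__":
    for name, policy in (("kill switch", KillSwitchPolicy(VPN_SERVER, VPN_PORT)),
                         ("no kill switch", NoKillSwitchPolicy())):
        for up in (True, False):
            leaves = web_request_leaves_host(policy, up)
            print(f"{name:15s} tunnel {'up  ' if up else 'down'}: web request "
                  f"{'leaves host' if leaves else 'blocked'}; "
                  f"reconnect possible: {reconnect_possible(policy, up)}")
```

With the Kill Switch policy the web request is allowed only while it can travel over tun0, and the VPN handshake stays allowed so the client can reconnect; without the policy, the same request silently leaves over eth0 the moment the tunnel drops, which is exactly the leak the manual Kill Switch test later in the article looks for.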
Google Chrome browser VPN extension leak
VPN extensions for the Google Chrome browser are insanely popular. However, recent research has shown that many Chrome VPN extensions are susceptible to the DNS leak we described above. The leak occurs due to the built-in DNS Prefetching option, which allows you to access websites faster by reducing the delay caused by accessing DNS servers. If the DNS Prefetching option is enabled, then the browser turns to pre-selected servers to speed up page loading time. Despite the VPN extension working, these requests go past the VPN tunnel, which leads to a leak.
Checking a VPN connection for leaks
Experienced users may prefer dedicated traffic-analysis tools such as Wireshark. Everyone else can use the free online services listed below.
IP address leak test
It’s very easy to do:
- find out and write down your real IP address. To do this, with the VPN turned off, go to any online service that shows you your IP, or simply type the phrase “what is my IP” into the browser search bar;
- launch your VPN client and connect to the VPN;
- go to ipleak.net;
- make sure your IP address matches the IP address of your VPN server and that there is no IPv6 leak (like in the screenshot below).
DNS leak test
To start testing, click on the Extended test button. If there is no DNS leak, then all DNS servers should have the same geolocation as your new IP address:
For example, if your real location is Great Britain, and you have connected to an American VPN server and have a visible American IP address, then all provided DNS servers must also be American. The presence of at least one UK DNS server on the list indicates a DNS leak.
WebRTC leak test
- Before the test, find out your real IP address;
- Enable the VPN and open the WebRTC Leak Test page in your browser. If your visible IP address matches the IP address of your VPN server, it means you’ve successfully passed the test:
But if you see your real IP address, then your VPN connection is susceptible to a WebRTC leak.
Lack of emergency killswitch leak test
- first, find out your real IP address;
- enable your VPN and, in your browser, open ipleak.net in several tabs at once and write down your current IP address;
- with a working VPN connection, disconnect from the Internet;
- reconnect and quickly refresh the browser tabs. If the IP addresses on the tabs do not change, then your VPN connection is reliable. If you see your real IP address on even one of the tabs, then you have a leak on your hands caused by the absence of a Kill Switch in your VPN client.
Google Chrome browser VPN extension leak test
- launch your VPN extension in Google Chrome and connect to the VPN server;
- go to the extended settings page chrome://net-internals/#dns and click “Clear host cache”;
- go to DnsLeakTest or ipleak.net and check your VPN connection for a DNS leak as described in the DNS leak test above.
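The IP, IPv6, DNS and WebRTC tests above all come down to comparing what the test page shows with what the VPN should show. The script below is an added example, not part of the article and not code from ipleak.net or any VPN client; it encodes those comparison rules so a report can be evaluated consistently. The `LeakReport` fields and the two sample reports are constructed assumptions using documentation address ranges; on a real system you would copy the values from the test page while connected.

```python
"""Evaluate a VPN leak-test result using the rules from the tests above.

Added example. The report structure and sample values are constructed
(RFC 5737 / RFC 3849 documentation ranges), not output of any real service.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LeakReport:
    real_ipv4: str                   # your address with the VPN off
    vpn_ipv4: str                    # address the VPN server should show
    vpn_country: str                 # ISO country code of that server
    visible_ipv4: str                # what the test page shows with the VPN on
    visible_ipv6: Optional[str]      # IPv6 shown by the page, if any
    vpn_ipv6: Optional[str] = None   # IPv6 assigned by the VPN, if it supports IPv6
    dns_servers: List[Tuple[str, str]] = field(default_factory=list)  # (resolver, country)
    webrtc_candidates: List[str] = field(default_factory=list)        # ICE candidate addresses


def find_leaks(r: LeakReport) -> List[str]:
    """Return one message per leak found; an empty list means every check passed."""
    leaks: List[str] = []
    real = ipaddress.ip_address(r.real_ipv4)
    vpn4 = ipaddress.ip_address(r.vpn_ipv4)

    # IP address leak: the page must show the VPN server, never your own address.
    visible = ipaddress.ip_address(r.visible_ipv4)
    if visible == real:
        leaks.append("ip: real IPv4 address is visible; traffic is not going through the tunnel")
    elif visible != vpn4:
        leaks.append(f"ip: visible address {visible} is not the expected VPN address {vpn4}")

    # IPv6 leak: an IPv6 address the VPN did not assign reached the site outside the tunnel.
    if r.visible_ipv6 is not None:
        v6 = ipaddress.ip_address(r.visible_ipv6)
        expected6 = ipaddress.ip_address(r.vpn_ipv6) if r.vpn_ipv6 else None
        if expected6 is None or v6 != expected6:
            leaks.append(f"ipv6: address {v6} is visible outside the tunnel; "
                         "block IPv6 or use a VPN that supports it")

    # DNS leak: every resolver must sit in the same country as the VPN server.
    for resolver, country in r.dns_servers:
        if country.upper() != r.vpn_country.upper():
            leaks.append(f"dns: resolver {resolver} is in {country.upper()}, "
                         f"not {r.vpn_country.upper()}")

    # WebRTC leak: ICE candidates can expose your real public address.
    for cand in r.webrtc_candidates:
        addr = ipaddress.ip_address(cand)
        if addr == real:
            leaks.append(f"webrtc: real address {cand} exposed as an ICE candidate")
        elif addr.is_private or addr.is_link_local:
            continue  # LAN address only: reveals local network layout, not the public IP
        elif addr != vpn4:
            leaks.append(f"webrtc: unexpected public candidate {cand}")
    return leaks


# Constructed sample reports (documentation ranges, not real hosts).
CLEAN = LeakReport(
    real_ipv4="203.0.113.10", vpn_ipv4="198.51.100.7", vpn_country="US",
    visible_ipv4="198.51.100.7", visible_ipv6=None,
    dns_servers=[("198.51.100.53", "US")],
    webrtc_candidates=["192.168.1.23", "198.51.100.7"],
)
LEAKY = LeakReport(
    real_ipv4="203.0.113.10", vpn_ipv4="198.51.100.7", vpn_country="US",
    visible_ipv4="198.51.100.7", visible_ipv6="2001:db8:1::10",
    dns_servers=[("198.51.100.53", "US"), ("192.0.2.53", "GB")],
    webrtc_candidates=["192.168.1.23", "203.0.113.10"],
)

if __name__ == "__main__":
    for name, report in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, find_leaks(report) or "no leaks")
```

The "leaky" sample reproduces the three conditions the article warns about in one report: a global IPv6 address visible outside the tunnel, a UK resolver while connected to a US server, and the real address showing up as a WebRTC candidate. A private 192.168.x.x candidate is deliberately not counted as a leak, since it exposes only the local network, not the public address the VPN is hiding.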
How to manage your VPN’s vulnerabilities
The actions described below should be remembered and should always be performed at the slightest suspicion.
IP address leak
Choose only VPNs that support IPv6 or simply block IPv6 requests. If your VPN client can leak an IP address because it’s incompatible with “wide” IPv6 addresses, or you just don’t want to change your VPN provider for whatever other reason, you can still fix the leak manually by blocking IPv6 requests in your OS.
Blocking IPv6 in Windows 10
Open Network and Sharing Center by right-clicking the Network or Wi-Fi icon and choosing “Open Network and Sharing Center” from the menu that pops up:
In the Network and Sharing Center window that opens, choose the Change adapter settings on the right panel:
In the window that opens, you will see a complete list of your available network connections (network adapters), something like this:
Right-click the active network connection and in the menu that opens pick Properties:
In the Properties window on the Networking tab, find the “Internet Protocol Version 6 (TCP/IPv6)” option and tick the flag:
For the changes to apply, reboot your computer.
Blocking IPv6 on macOS
- open the System Preferences window and click Network;
- in the Network window, click Advanced…;
- go to the TCP/IP section;
- for the Configure IPv6 option, select Off (see image):
After that click OK to close the window and for the changes to apply, reboot your computer.
If your version of macOS does not allow you to change the network settings in the Network window, then use the Terminal app and disable IPv6 using the necessary commands:
- launch Terminal.app;
- enter the networksetup -listallnetworkservices command; it will show you all available connections, such as Ethernet and Wi-Fi;
- enter the networksetup -setv6off Wi-Fi command if the Wi-Fi is your active connection or the networksetup -setv6off Ethernet command if you’re using Ethernet;
- also you can disable IPv6 for all connections, both Wi-Fi and Ethernet with a single command: networksetup -setv6off Ethernet && networksetup -setv6off Wi-Fi;
- If you later need to re-enable IPv6, enter the following command in the Terminal window: networksetup -setv6automatic Wi-Fi && networksetup -setv6automatic Ethernet.
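To run the networksetup commands above against every enabled service instead of naming Wi-Fi and Ethernet by hand, the helper below is an added example, not part of the article. It parses the output format of `networksetup -listallnetworkservices` (a note line followed by one service per line, with disabled services marked by a leading asterisk) and builds one `-setv6off` or `-setv6automatic` call per enabled service. The sample listing is constructed; the `--apply` flag and the dry-run default are this script's own conventions.

```python
"""Disable (or re-enable) IPv6 on every enabled macOS network service via networksetup.

Added helper, not from the article. SAMPLE_LISTING is constructed in the
format networksetup -listallnetworkservices prints.
"""
import subprocess
import sys
from typing import List


def parse_services(listing: str) -> List[str]:
    """Return the enabled services from `networksetup -listallnetworkservices` output."""
    services = []
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("An asterisk"):
            continue                  # header line explaining the asterisk convention
        if line.startswith("*"):
            continue                  # disabled service; it cannot carry traffic
        services.append(line)
    return services


def ipv6_commands(services: List[str], enable: bool = False) -> List[List[str]]:
    """Build one networksetup invocation per service. Each service name is passed as a
    single argv element, so names with spaces ("Thunderbolt Bridge") need no quoting."""
    verb = "-setv6automatic" if enable else "-setv6off"
    return [["networksetup", verb, name] for name in services]


def apply(enable: bool = False, dry_run: bool = True) -> List[List[str]]:
    """List services on the live system and run (or, by default, only print) the commands.
    Changing the setting may require administrator rights; use sudo when dry_run is False."""
    listing = subprocess.run(["networksetup", "-listallnetworkservices"],
                             check=True, capture_output=True, text=True).stdout
    cmds = ipv6_commands(parse_services(listing), enable)
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return cmds


# Constructed sample output, in the format networksetup prints.
SAMPLE_LISTING = """\
An asterisk (*) denotes that a network service is disabled.
Wi-Fi
Ethernet
*Bluetooth PAN
Thunderbolt Bridge
"""

if __name__ == "__main__":
    if "--apply" in sys.argv:          # touch the live system (macOS only)
        apply(enable="--enable" in sys.argv, dry_run=False)
    else:                              # offline demonstration on the sample listing
        for cmd in ipv6_commands(parse_services(SAMPLE_LISTING), enable="--enable" in sys.argv):
            print(" ".join(cmd))
```

Run without arguments it only prints the commands it would issue for the sample listing; `--apply` runs them on the current machine, and `--apply --enable` restores the automatic IPv6 configuration, matching the re-enable command in the last step above.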
Blocking IPv6 on a router
If you have a VPN on your router, then in order to protect all devices connected to it from IP address leaks, all you need to do is disable IPv6 support on the router itself. There are countless router models with different operating systems, with each specific one potentially having their own way to disable IPv6 support. Refer to your router’s datasheet for how to disable IPv6 on this particular device. For example, for most routers with DD-WRT firmware, IPv6 support is disabled like this:
- go to your router’s control panel (I talked about how to do that in a previous article);
- go to the Administration tab and then to Management;
- in the IPv6 Support section, select Disable for the IPv6 option and after click Save and Apply Settings.
The only way to fix a DNS leak is to choose a new VPN provider.
If your VPN connection is prone to a WebRTC leak, just block the WebRTC function on all the browsers you use. Keep reading to learn how to do this.
Blocking WebRTC in Google Chrome
There is no built-in way to disable WebRTC in Google Chrome. To do this, you will have to download and install an extension that blocks WebRTC. There are many such extensions, the most popular of which are WebRTC Leak Prevent, Easy WebRTC Block and WebRTC Control. To install any of these, go to the Chrome Web Store. Find the page of the selected application, click Add to Chrome and confirm the installation by clicking Add extension in the dialog box. After downloading and installing it, activate the extension – now WebRTC will be blocked and the leak will be fixed.
Blocking WebRTC in Mozilla Firefox
There is no need to install any third-party extensions to block WebRTC in Firefox. You can disable WebRTC in the browser settings:
- in the address bar, enter about:config and press Enter;
- click “I accept the risk!” on the warning page;
- in the address bar, enter media.peerconnection.enabled;
- change the option value from true to false.
Blocking WebRTC in Opera
Opera, like Google Chrome, needs an add-on to block WebRTC. There are also several similar add-ons, for example: WebRTC Leak Prevent, Easy WebRTC Block, WebRTC Control. To install the selected add-on, follow these steps:
- go to the Opera Add-ons website and find the page of the add-on you selected;
- click Add to Opera;
- activate the add-on to block WebRTC.
Blocking WebRTC in Microsoft Edge
There is no way to disable the WebRTC feature in Microsoft Edge, but you can make changes to your browser settings that will completely fix the WebRTC leak.
- enter about:flags in the address bar and press Enter;
- tick the Hide my local IP over WebRTC connections checkbox;
- reboot your browser.
Blocking WebRTC in Safari
In Safari, WebRTC can easily be blocked in the settings:
- click Safari on the top bar of the browser and select Preferences from the drop-down menu;
- go to the Advanced section and tick the Show Develop menu in menu bar checkbox;
- click Develop on the top bar of the browser and in the drop-down menu, hover over WebRTC;
- in the menu that opens, uncheck the Enable Legacy WebRTC API checkbox.
Lack of emergency killswitch leak
Unfortunately, the only way to fix this leak is to change your VPN provider.
Google Chrome browser VPN extension leak
The easiest way to fix your VPN extension leak in Google Chrome is to disable the DNS Prefetching option. Here’s what you need to do:
- go to the browser settings (to do this, enter chrome://settings/ in the browser’s address bar);
- go to Advanced settings and then to Privacy and security;
- disable the “Use a prediction service to help complete searches and URLs typed in the address bar” and “Use a prediction service to load pages more quickly” options (see image).
SwitcherryVPN – Reliability, Security & Privacy
Choosing a good VPN provider isn’t easy. Hundreds of VPN providers around the world offer VPN services to users, and each of them claims that their service is the best – the most reliable, the fastest and most secure. However, independent research shows that more than 80% of VPN services are susceptible to some form of leaks that threaten users’ anonymity and privacy. Naturally, no VPN provider would openly admit that their service is flawed. The only way to know if your VPN connection is actually secure is to run a full check for all types of leaks yourself. However, not all VPN providers offer the opportunity to try their service for free. SwitcherryVPN is a welcome exception. You can thoroughly test our VPN service even on a free plan and make sure that we provide VPN services of pristine quality.
FAQ
1. I installed and launched the VPN client, but I cannot connect to the VPN server. What’s the problem?
The VPN client can fail to connect to the VPN server for the following reasons:
- the VPN server you selected may be malfunctioning. Try changing your geolocation and connecting to a different VPN server;
- if you are using a free VPN, then most likely the VPN server is simply not responding to the VPN client’s requests due to an overwhelming number of requests. Wait a while and try again;
- there’s a chance that viruses and other malware are interfering with the VPN. Update your antivirus and run a scan on your computer;
- in countries like China, Iran, Saudi Arabia and some others, ISPs are required to block access to independent VPN services. In other words, it’s quite possible that in these states the entire lineup of your VPN provider’s IP addresses is blocked. The only way around this situation is to change your VPN provider. Good VPN providers constantly update and expand their VPN server arsenal to bypass all kinds of blocks and bans.