When something leaks, it's usually bad news. A leaking pipe in the kitchen or a leaking radiator. The same principle applies to your VPN. When a poorly designed VPN fails and leaks your data, that's the start of a bad day.
Unfortunately, there is no visible indication that your VPN is leaking. Obviously, well-designed VPN services do not leak, my favourites being:
When looking for VPN leaks, we typically evaluate these angles:
- DNS leaks
- IP address leaks (IPv4 & IPv6)
- WebRTC leaks
Below are basic instructions on how to quickly identify VPN leaking. If you are more paranoid or highly technical and demand to use your magical IT skills, you can also inspect the packets using tcpdump or WinDump while running the below tests.
It's time to start testing
- ipleak.net (tests IPv4, IPv6, WebRTC & DNS)
- dnsleak.com (tests DNS)
- perfect privacy ip checker (tests IPv4 & IPv6)
- perfect privacy WebRTC check (test WebRTC)
- testipv6.com (tests IPv6)
- dnsleaktest (use extended - tests DNS)
- browserleaks WebRTC (tests WebRTC)
- browserleaks IP (tests IPv4 & IPv6)
- ipx.ax (tests IPv4, IPv6, WebRTC, DNS)
What am I looking for?
Obviously, you connect to your VPN service first, then visit all of these sites. The hope is that none of the information shown should actually be associated with your "real" computer (IP address, DNS server and WebRTC).
The most significant failure I see with most VPNs is DNS and WebRTC leakage.
If your VPN service provider offers multiple servers, then you should run the tests with the various servers.
If your VPN service provider offers multiple protocols, then you should run the test with each of the protocols.
I have found some VPN providers where it did not leak on one server but leaked on another. Where it did not leak via one protocol but leaked with another. Testing the various combinations is time-consuming but critically important.
The above test shows that the VPN is protecting my IP and DNS information but in this case was leaking my private 10.x test lab internal IP address (which is obviously bad). When I switched to a new server from the same provider, the leak stopped.
Mobile phone VPN leaks
An August 2016 research paper highlighted the issue of IP leakage on Android smartphones. They discovered that 84% of Android VPN apps leaked the user's "real" IP address.
What is WebRTC and why does it leak?
WebRTC is an API standard that allows voice and video chat without needing to install any plug-ins. It is a cross-platform web browser standard.
If vulnerable, you will see your internal IP Address in the WebRTC response.
What is DNS and why does it leak?
The domain name system (DNS) is a special global directory that converts URLs into numeric addresses that the internet can route. If you enter kiledjian.com into your browser from New York, your DNS server will return the numeric routable IP address for my website 220.127.116.11.
DNS services are typically provided by your internet service provider or company. Anytime you try to access a webpage; you ask that DNS server for the numeric routable IP address of the site and thus your provide (or school or company) have a running list of every website you tried to access. When using a good VPN service, all DNS requests should be routed to their anonymous DNS service thus protecting your browsing information. When your browser sends the request to your ISP DNS anyway, that is called a DNS leak because your privacy is "broken".