Using Firewall rules (a global fix)
One of the primary reasons to use a VPN is to hide your true IP address. When using a VPN, all your internet traffic is encrypted and sent to a VPN server run by your VPN provider, before exiting to the internet.
This means that outside observers can only see the IP address of the VPN server, and not your true IP address. The only way for them to discover your true IP address, therefore, is to convince your VPN provider to hand it over to them (and good providers use robust measures, such as using shared IPs and keeping no logs, to make this as difficult as possible.)
At least this is the theory…
Unfortunately, and for various reasons discussed below, it is sometimes possible for websites to detect your true IP address, even when using a VPN.
I have discussed all the issues listed here at length before on BestVPN (and will link to relevant articles where appropriate), but it is time to bring together all known causes that may answer the questions: Why is my IP leaking even though I am connected to a VPN? And how do I fix it?
To determine if you are suffering an IP leak, visit ipleak.net. If you are connected to a VPN and you can see your true IP address (or even just your ISP’s name) anywhere on this page then you have an IP leak. Note that ipleak.net now detects IPv6 DNS leaks.
The Domain Name System (DNS) is used to translate the easy-to-understand and remember web addresses that we are familiar with, to their “true” numerical IP addresses: for example translating the domain name www.bestvpn.com to its IP address of 184.108.40.206.
Every internet connected device, and every internet connection, has a unique IP address that is used to identify it (although these can change), including your computer and smart phone, etc. We call this your “real IP” (as opposed to the “fake IP” provided by your VPN server.)
This DNS translation process is usually performed by your ISP, but when using a VPN all DNS requests should be sent through your encrypted VPN tunnel, to be handled by your VPN provider instead.
Using the right scripts, a website can determine which server resolved a DNS request directed to it. This will not allow it to pinpoint your exact real IP address, but will foil attempts to geo-spoof your location, and allows police etc. to demand that your ISP hand over your real IP address (ISPs keep records of these things, while good VPN providers do not.)
Most VPN providers run their own dedicated DNS servers in order to perform this DNS translation task themselves, but some make use of public DNS services such as Google DNS instead. Although not ideal, this is not the privacy nightmare it might at first seem, as the DNS requests appear to come from your VPN provider, not your real IP.
IPv4 DNS leaks
Until recently, the entire internet used the Internet Protocol version 4 (IPv4) standard to define IP addresses. Unfortunately, thanks to the unprecedented rise in internet use over the last few years, IPv4 addresses are running out (in fact technically speaking they have already done so), as IPv4 only supports a maximum 32-bit internet address. This translates to 2^32 IP addresses available for assignment (about 4.29 billion total). For now, however, the vast majority of internet addresses still use the IPv4 standard.
When using a VPN, your Operating System (OS) can sometimes get confused, sending IPv4 requests through to the DNS server specified in its default settings (usually run by your ISP), instead of through the VPN tunnel (as it’s supposed to.) This can occur with any OS, but Windows is notably guilty in this respect.
- Use a VPN client with built-in “DNS leak protection”. This is basically just a firewall that ensures no internet traffic can leave your computer unless it goes through the VPN. Many good providers offer this feature in their custom VPN clients (sometimes called something else), but it is not available in the generic open source OpenVPN client.
- Use VPNCheck Pro (Windows). Although primarily an “internet kill switch”, the Pro version of this tool also includes a DNS leak fix.
IPv6 DNS leaks
While various mitigating strategies have been deployed to extend the shelf-life of IPv4, the real solution comes in the form of a new standard – IPv6. This utilizes 128-bit web addresses, thus expanding the maximum available number web addresses to 2^128, which should keep us supplied with IP addresses for the foreseeable future.
Adoption of IPv6, however, has been slow – mainly due to upgrade costs, backward capability concerns, and sheer laziness. Consequently, although all modern Operating Systems support IPv6, the vast majority of websites do not yet bother.
This has led websites that support IPv6 to adopt to a dual-tiered approach. When connected to from an address that only supports IPv4, they will serve up an IPv4 address, but when connected from an address that supports IPv6, they will serve up an IPv6 address.
Unfortunately, most VPN software fails to direct IPv6 traffic through the VPN tunnel, so when you connect to an IPv6 enabled website, your browser will make an IPv6 DNS request outside the VPN, which is therefore handled by your ISP.
VPN providers that offer “DNS leak protection” in their clients’ usually side-step the problem by simply disabling IPv6 in the OS. This is effective at preventing IPv6 leaks, but is hardly forward looking, and we would like to see providers offer true IPv6 support in their products (Mullvad is the only provider that claims to properly route IPv6 calls. We have not tested this yet, but if true then Mullvad is very much to be commended.).
Here we can see a clear IPv6 leak. You tell the address is IPv6 because it is much longer than the IPv4 address above it (which shows no leak)
This is an interesting case. IPv6 has been blocked (not reachable), but is nevertheless leaking via WebRTC (see below). Note that IPv4 WebRTC leaks have been properly blocked here
iOS is supposedly (.pdf) immune to IPv6 leakage.
This result shows that IPv6 has been disabled, so IPv6 leaks are not possible. In a perfect world it should be possible to enable IPv6, while only detecting your VPN provider’s IP address (you can check who an address belongs to by entering “whois [ip address] into a search engine.)
- Use a VPN client with built-in “DNS leak protection”. This disables IPv6.
- Disable IPv6 manually. Instructions for doing so are available for Windows, OSX Mac, and Linux. The more paranoid out there may prefer to do this even if using a VPN client with “DNS leak protection”.
- The OpenVPN for Android app has the option to properly route all IPv6 traffic over the VPN. To ensure this is enabled:
Go to the specific server connection settings, then navigate to Routing
Ensure that IPv6 -> “Use default Route” is checked. Note also the IPv4 leak protection
Smart Multi-Homed Name Resolution (mainly a Windows 10 problem)
A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.
Under Windows 7 all DNS requests were made in simple order of DNS server preference, but this changed in Windows 8 when Microsoft added “‘Smart Multi-Homed Name Resolution” by default. This sends out DNS requests to all available interfaces, but only uses non-preferred servers if the main DNS server failed to respond.
This makes Windows 8.x systems somewhat liable to DNS leaks, but Windows 10 makes the situation much worse as it simply chooses whichever DNS request responds quickest. In addition to being major security risk, there are also reports of Windows 10 users suffering slow page loading and timeouts due to this issue
- There is now an OpenVPN plugin to fix this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them.)
- Anecdotally, I have never suffered DNS leaks in Windows 8.1 due to this issue, but nevertheless advise all Windows 8, Windows 8.1, and especially Windows 10 users to disable Smart Multi-Homed Name Resolution if possible*. Avast has published some great instructions on how to do this.
*Unfortunately, the Group Policy Editor is not available in Windows Home Editions. Luckily, the OpenVPN plugin mentioned above should fix the problem for most users’ anyway. Whew!
The WebRTC “bug”
Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.
A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on, or configure any new settings.
Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.
Given that WebRTC is potentially useful, it is something of a shame that the only way to prevent it from leaking your true IP address is to disable WebRTC in your bowser completely (although the Statutory add-on does allow you whitelist individual websites.)
The WebRTC issue only affects the Firefox, Chrome, and Opera browsers (not Internet Explorer or Safari etc., as these do not include WebRTC functionality.) Update: newer versions of the stock Android browser appear to implement WebRTC, and so should be avoided.
1. Type ‘about:config’ into the URL bar to enter Firefox’s advanced settings, and then change the ‘media.peerconnection.enabled’ value to false.
For more information on the WebRTC “bug”, full instructions on how to disable WebRTC in Firefox, plus a more detailed look at the various browser plug-in solutions available (various browsers,) please check out my article on The WebRTC VPN “Bug” and How to Fix It.
Update: WebRTC leaks can now be blocked at both the VPN client and VPN server levels. In fact, the latest version of OpenVPN GUI includes WebRTC leak protection. We therefore now expect VPN software to include WebRTC protection. This is not always the case however (especially with IPv6 protection), so we strongly recommend that you continue to manually disable WebRTC in your browser. Just to be sure.
VPN dropouts (or why you need a “kill switch”)
Sometimes VPN connections fail. With a good VPN provider this should not happen very often, but it occasionally happens even to the best. If your computer continues to remain connected to the internet while after this happens, then your real IP will be exposed.
Although not technically an “IP leak”, as the problem occurs exactly because you don’t have a VPN connection, the effect is the same – you think that you are protected by VPN, when in fact the whole world can see your IP address.
This is particularly a problem for P2P downloaders who leave BitTorrent clients running while they are away from their computers (often for long periods of time). If the VPN connection drops, their true IP is therefore exposed to any copyright enforcers tracking a torrent they are downloading.
- Use a “VPN kill switch” (also called, somewhat more accurately, an “internet kill switch”.) These either monitor your internet connection and shut it down when they detect a VPN dropout, or use firewall rules to prevent any internet traffic leaving your computer outside of your VPN connection.
Many providers’ custom VPN clients include a built-in kill switch (sometimes called something else, such as “network lock”,) or you can use third-party solutions such as VPNetMon, VPN Check, or VPN Watcher. The Viscosity OpenVPN client even supports per app kill switches (you can specify which individual apps can only access the internet using VPN.)
Interestingly, the OpenVPN for Android app can be setup to work as a kill switch. The app will automatically attempt to reconnect to your VPN in the event of a VPN dropout (which is good, as this will occur whenever you move between WiFi routers, or WiFi and a mobile connection!).
To configure the app as a kill switch, edit the specific VPN connection (see IPv6 above), and navigate to “Advanced”.
Check “Persistent Tun” and set “Connection retries” to Unlimited. Ta-da! You now have an OpenVPN kill switch for Android.
- Create your own kill switch using Firewall rules (see below.)
- Configure the Vuze BitTorrent client to only download over VPN. This is not a true solution to the problem, but can be very effective for those whose primary concern is VPN dropouts while downloading via P2P. Detailed instructions how to setup Vuze to do this are available here (where I also discuss how to configure VPNetMon and VPN Check as kill switches.)
Using Firewall Rules ( a global fix)
A unified solution to all of the above issues is to use a firewall, configuring it so that only connections to the VPN server are permitted through the firewall. Details differ by OS and firewall program, but the basic principles are:
1. Add a rule that blocks all outgoing and incoming traffic on your Local Ethernet Device.
2. Add an exception for your favorite DNS Server (to resolve the hostname of your VPN provider)
3. Add an exception for your VPN provider’s IP addresses
4. Add an Rule for your tun/tap or any other VPN Device to allow all outgoing Traffic for the VPN Tunnel.*
I have a detailed guide for doing this using Comodo Firewall (Windows), and guides are also available using the Windows 7 (not 8+) built-in firewall, and Little Snitch (Mac OSX). Those familiar with iptables should have no problem doing something similar in OSX and Linux. * My thanks to reader x22 for concisely formulating these principles.
If using a good VPN client that features “DNS leak protection” and a kill switch, you should have little to worry about when it comes to accidentally exposing your real IP address when using VPN (although Windows 10 users should watch out for the Smart Multi-Homed Name Resolution issue.)
OpenVPN for Android users should be particularly chuffed that DNS leak protection and kill switch functionality are built into the generic OpenVPN app (just make sure that they are enabled.)
If your VPN software does not include these features, never fear, as there are plenty of third party solutions to fill the gaps.