How to fully leakproof your VPN

Other platforms, generic questions.
Post Reply
LilTroy
Member
Member
Posts: 35
Joined: Fri Apr 19, 2024 12:32 am

How to fully leakproof your VPN

Post by LilTroy »

Unfortunately most VPN clients either already have or eventually will leak at some point. It's just a question of when & how often. Even the most reputable ones do at times and it can happen for a variety of reasons. The usual culprits are IPv6, DNS & WebRTC protocols. DNS leaks are by far the most prevalent. All it takes is for a single packet of your internet traffic to be sent outside the tunnel and your identity and/or data can be exposed (ieg., to a snooping 3rd party). For the average end-user this might not be a big deal but for torrent users that touch copyright protected material, whistleblowers, dissidents, and investigative journalists it can be absolutely critical not to leak anything. Especially if you live in a nation-state that has a repressive regime like China or Russia. Consider your threat model.

Leak Testing 💧

The majority of leak tests out there that most people use on the web will only detect the occasional leak. They're largely passive and typically require little or no user interaction other than visiting a site. You should still use them but you can't solely rely on them. The more thorough type of leak testing is active. It can't be fully automated since it requires actual user interaction in an attempt to trigger a leak within various transitional states. This might include manually switching VPN servers while connected, pulling an ethernet cable & plugging it back in, manually disconnecting from Wi-Fi & reconnecting, enabling airplane mode & disabling it, putting your device to sleep & waking it, etc. For checking qBittorrent specifically, or any other torrent client, you can add a unique magnet link to detect leakage. It can be left in your torrents list while its corresponding tracker site continually logs your public IP address alongside a timestamp. There are also leak testing tools out there that you can download and run on your device. ExpressVPN offers a whole suite of them on Github and they're all open source. Below are some useful sites that I'd recommend.
Airtight VPN Setups 💨☔

If possible always run your VPN client directly on your router when you're at home. This will inherently prevent ALL leaks outside the tunnel provided that there are no bugs in the client itself or elsewhere in the router's firmware that could cause traffic to escape. By running it on a separate intermediary node upstream it's positioned to catch any leaks that otherwise might not be caught if the VPN were to be running on the same host. Some routers also have built-in packet capture which makes it convenient to monitor all egress WAN traffic in order to verify that there are no leaks. Does your router not have a built-in VPN client? If it doesn't you can flash it with 3rd party firmware such as DD-WRT, OpenWRT, or Tomato assuming it's compatible. Worst case scenario you can buy a VPN router that's been pre-flashed or is already pre-configured for your provider.
Don't want to replace your firmware or buy a new router? There's a workaround. Instead you can simply tether to another device on your LAN/WLAN that's running your VPN client and share the VPN connection. It will serve as a virtual router and become your gateway. If the VPN interface ever goes down, or it's disconnected for any reason, then you won't have any internet connectivity until it's back up. Windows makes this setup easy. All it takes is a couple clicks to configure. Afterwards you can just run Wireshark or another packet sniffer on it to verify that it isn't leaking. This setup is especially useful if you're often away from home and don't own a travel router/gateway with a VPN client installed.
However, if you insist on running it on the same host then you should invest in a VPN with a persistent (permanent) kill switch. Select clients, such as ProtonVPN, have this advanced feature and it works by cutting off all internet access unless you're connected to the VPN. Usually you need to manually enable it first. If your client lacks persistence then you can firewall it yourself by explicitly denying all internet traffic from leaving your other network interface(s) and only allow it out via your VPN network adapter. If your client is closed, crashes, or you manually disconnect then you won't be able to access the internet until it's reconnected to the VPN server. This will also protect you, for example, against any start-up apps that might load before the VPN does and prevent your device from leaking any traffic when it shuts down. Unfortunately almost all VPN clients default to a standard kill switch. This mode is automatic but fails to protect your internet traffic in all instances because it only works when you're connected/(re)connecting to the VPN server. It doesn't remain engaged at all times—a persistent kill switch does.

qBittorrent Configuration 🛠️

If you're running your VPN client on the same host make sure that you explicitly bind qBittorrent to your VPN interface. This will ensure that no torrent traffic leaks. Unfortunately many other torrent clients don't have this handy feature. If you do occasionally use any of them then you can configure it to connect through a SOCKS5 proxy server (use a private one that requires auth). You could also configure it system-wide but then it'd slow everything down. The proxy will provide an additional layer of protection in the event that any torrent traffic does leak outside the tunnel. Just remember to always force protocol encryption since SOCKS itself doesn't have native support. Side note: qBittorrent's I2P integration looks promising but it's still considered experimental.

WebRTC Leaks 🔓

If you're running your VPN client on the same host you'll want to disable or at least filter WebRTC as a precaution. Even if your VPN provider claims their client protects you against this class of leak. Go into your browser's settings and configure it appropriately or install one of the various browser extensions, such as uBlock Origin, that will block/filter it at the application layer. Some VPN providers also offer their own browser extensions that protect against WebRTC leaks. You'll have to do this for every browser you use. Some web-based torrent clients such as WebTorrent rely on WebRTC. Libtorrent, which qBittorrent is based on, also has support for WebTorrent. However, I've never heard that leaks were an issue with its implementation. The apps primarily affected tend to be web browsers and some mobile apps that use WebRTC for real-time P2P connectivity.
IPv4/IPv6 Leaks 🚿

If you have frequent IPv4 leaks then you should change your provider. Approximately 60% of the web still uses it. The other ~40% is IPv6 according to Google's latest IPv6 adoption statistics. Most VPN providers still don't support IPv6 but that's changing. There are now several that claim to. Providers that only offer partial support are the main reason why we have IPv6 leaks. They need to either support it fully or block it entirely. You're safer to disable it on your system's network adapters. Unbind IPv6 protocol from your device's respective adapter(s) and reboot. You should also disable IPv6 on your router. If you don't want to do this, or you require IPv6, then Windows users should at least disable Teredo. It's a defunct tunneling migration method that's still occasionally used by the Xbox for NAT traversal. Use this command to disable it →

Code: Select all

netsh int teredo set state disabled
DNS Leaks 💦

This usually means that your DNS queries were inadvertently sent to your ISP outside the tunnel. Alternatively, if you've manually set 3rd party public DNS servers (ieg., Cloudflare, Google Public DNS, OpenDNS…), it means that your DNS traffic was sent outside the tunnel and ‘in the clear’ (unencrypted) to their recursive resolvers. In either case your origin IP is exposed, which reveals your identity & approximate location, along with your data. If using public DNS make sure that your queries are always encrypted (ieg., via DoH, DoT, DoQ, DNSCrypt…) and manually configure it with global scope if possible depending on your platform. By encrypting your public DNS queries it will protect them in transit on the back segment after they've left the tunnel. Additionally, if your DNS traffic were to leak outside the tunnel, then your ISP or government wouldn't be able to intercept or hijack it via a transparent proxy or DPI appliance. Ideally your DNS provider should also deploy DNSSEC to protect the resource records themselves. Another thing you should do is ensure that your setup doesn't fall back to insecure DNS if encrypted DNS resolution fails. Lastly, avoid setting DNS at the application level (ieg., inside your web browser). It was never intended to be used there and is easy to forget about.

Recently it was discovered that Android's persistent system-wide kill switch—“Always-On VPN” & “Block connections without VPN”—is buggy and under certain conditions can leak DNS traffic. ☹️ Mullvad reported it to Google a few months ago. They've published the details here. A couple years prior to this privacy flaw it was also discovered that Android leaks connectivity check traffic. So, I would be careful about running your VPN client on your phone/tablet if you're an Android user until this has been patched.

It's also come to my attention that the iOS VPN framework has multiple vulnerabilities. One of which is a DNS leak that appears Apple has yet to fix. Reportedly it's still unpatched in iOS 16 and below. Is iOS 17 also affected? Possibly. ProtonVPN has been tracking these issues over the last several years. Apple also refuses to give regular end-users a persistent system-wide kill switch. Apparently you have to be an enterprise user enrolled in a Mobile Device Management (MDM) solution to access such functionality. ☹️

If you do have a confirmed DNS leak then immediately flush your DNS cache and manually configure your device's DNS settings. The command to do this on Windows is →

Code: Select all

ipconfig /flushdns
3rd Party VPN Monitoring Utilities 👮🏻‍♂️

These types of apps exist, both freeware & commercial, and may be able to assist if you have a VPN that either lacks a kill switch or has one that's leaky. Personally, I think that you're much better off investing in a VPN with a proper kill switch and reinforcing it by manually firewalling your device but not everyone has the knowledge to manage it. Fortunately some of these apps will do it for you. I've never used any but here's an incomplete list of them: OpenVPN Watchdog, VPN Watcher, VPNCheck & VPNNetMon. It'd be interesting to hear if any of you actually use one of these tools.

Things To Avoid ⚠️

Split tunnel VPN configs are quite convenient but also problematic in general. You're asking for trouble if you use them since many leaks over the years have been attributed to their use. ExpressVPN just suffered a DNS leak related to it. They should really be a last resort. Don't use so-called “VPN” browser extensions. They work similarly to HTTPS proxies and only tunnel web traffic within your browser. Actual VPNs work at Layer 2 (TAP) or Layer 3 (TUN) and encrypt & tunnel all of your device's internet traffic unless using the aforementioned split tunnel config. Also avoid installing other VPN clients on your device. They can potentially conflict with your primary VPN as can some AV/anti-malware apps. Uninstall any other VPN apps and be careful with any endpoint security software solutions that you install. The latter, for instance, may hijack your DNS for web filtering which has historically led to leaks. Finally, avoid using app-specific kill switches. As mentioned previously it's safer to utilize a persistent system-wide kill switch or a manually firewalled setup. Otherwise you're just choosing convenience over privacy & security which is precisely what you're doing by configuring your VPN to operate in split tunnel mode.
Last edited by LilTroy on Fri Aug 30, 2024 12:31 am, edited 3 times in total.
bob2306
Veteran
Veteran
Posts: 91
Joined: Mon Jun 12, 2023 8:56 pm

Re: How to fully leakproof your VPN

Post by bob2306 »

In order to send a threatening letter demanding money, they need to establish that copyrighted material was transferred, and then link that to an identity. Most VPNs have many users on each public IP address, so a leaked IP address isn't a problem, unless it can be closely linked to that data transfer. Even if you paid extra for a fixed IP address, it's probably going to be difficult for anyone to determine that. I think it's unlikely that leaked DNS is much of a problem. Leaked IPv6 torrent connections going directly to a peer could be.

Unless I'm missing something, the case against WebRTC is being exaggerated. A lot of people writing on the subject just advise turning it off, without explanation, or give an implausible explanation - usually involving STUN. As I understand it, WebRTC clients share enough information to enable two peers on the same LAN to connect directly. Modern client implementations share randomized local host names that can be resolved locally with mDNS. This means that a torrent peer could be identified if the torrent surveillance is being conducted from the same LAN. The other possibility is that an older, or botched, implementation might share a public IP address configured on the LAN interface. Most people can easily rule out both cases. Also, for torrents, it would have to be a WebRTC tracker, unrelated WebRTC activity in a browser would be mitigated by the shared IP address.
LilTroy
Member
Member
Posts: 35
Joined: Fri Apr 19, 2024 12:32 am

Re: How to fully leakproof your VPN

Post by LilTroy »

bob2306 wrote: Sat Aug 24, 2024 2:19 am In order to send a threatening letter demanding money, they need to establish that copyrighted material was transferred, and then link that to an identity. Most VPNs have many users on each public IP address, so a leaked IP address isn't a problem, unless it can be closely linked to that data transfer. Even if you paid extra for a fixed IP address, it's probably going to be difficult for anyone to determine that. I think it's unlikely that leaked DNS is much of a problem. Leaked IPv6 torrent connections going directly to a peer could be.

Unless I'm missing something, the case against WebRTC is being exaggerated. A lot of people writing on the subject just advise turning it off, without explanation, or give an implausible explanation - usually involving STUN. As I understand it, WebRTC clients share enough information to enable two peers on the same LAN to connect directly. Modern client implementations share randomized local host names that can be resolved locally with mDNS. This means that a torrent peer could be identified if the torrent surveillance is being conducted from the same LAN. The other possibility is that an older, or botched, implementation might share a public IP address configured on the LAN interface. Most people can easily rule out both cases. Also, for torrents, it would have to be a WebRTC tracker, unrelated WebRTC activity in a browser would be mitigated by the shared IP address.
P2P file sharers around the world receive copyright infringement notices every day. They either go through the authorities, or are governmental entities themselves, so ISPs are generally more than happy to comply in mapping an IP address to its corresponding user. In the US it's filed under the DMCA but other countries have their own equivalents. Internationally there's WIPO. The MPAA & RIAA in the US have been going after pirates for decades. They mostly target seeders but downloaders/leechers have also been busted. In some cases they've been 80 year old grandmothers. By even requesting such material that's often enough to prove intent. The aforementioned organizations will offer fake files called spoofs and P2P users will unknowingly connect to their honeypots or they'll simply join swarms to passively monitor them. Even if a user is behind a verified no-log VPN with shared address space their torrent traffic can still leak which may lead to them being caught. More concerningly certain users have their torrent clients set up to be fully automated via the use of “broadcatching” (RSS feeds + torrenting). Their client is instructed to automatically grab the latest content fed to it which can include copyright protected material. A large number of VPN & proxy users access it daily.

When a VPN leaks your traffic it isn't encrypted or authenticated to the VPN server. It bypasses it entirely. The packets are sent directly from your device to their actual destination, that is outside the tunnel, like how your normal internet traffic is routed when the VPN is off (or in a split tunnel configuration). A VPN provider that uses shared IP addresses is irrelevant when leaks occur because it's your real (origin) IP address that is exposed to the destination endpoint as well as to any 3rd parties that can monitor the path. If any leaked packets contain a payload and that data wasn't separately encrypted by other means (ieg., TLS/HTTPS/SSH/etc) then not only is your real identity exposed to on-path observers but the data itself is also associated with it. Worse yet, even when using a separate layer of encryption on your traffic there's almost always some form of metadata visible which can still expose your activities whenever there's a leak. The whole point of a consumer VPN is to hide the user's real identity and online activities. More specifically to break the link between your identity and your data. By default the only thing that your ISP should ever see is that you're connected to the VPN server.

WebRTC is just the latest protocol known to cause leaks. The requests themselves can be made over IPv4 or IPv6. It's an invasive NAT traversal protocol that Google developed in the early 2010s. What it does is enumerates your device's network interfaces, pulls the IP addresses, and transmits them as ICE candidates. Local addresses are sent in this manner but reportedly there have been cases where they were public IP addresses. STUN is used to discover your NAT type, external public IP address, and the source port you're communicating on. The STUN server then exchanges this information with both hosts wishing to communicate so that they can establish a P2P connection through hole punching (or a TURN relay if hole punching fails). WebRTC doesn't ask the user for permission to enumerate their device's network interfaces. It does it automatically behind-the-scenes when the Javascript library loads on a website or within a mobile app. There's also no way to completely disable it system-wide on any popular platform that I'm aware of. You have to go into each app's respective settings to block/filter it or install an extension that will do this. Local IP addresses transmitted over WebRTC are obfuscated nowadays in many apps but it's not always on by default. It depends on the app. One of the biggest concerns with local IP addresses being leaked unobfuscated is that sites can use them to track visitors. The New York Times was caught using this sneaky fingerprinting method years back. Replacing them with mDNS addresses will only mask a user's local IP address to hosts outside the network. If you're both on the same subnet, for example, you can still resolve the “.local” mDNS addresses to the user's local IP. The main concern here for VPN users is their external public IPv4/IPv6 address(es) being leaked.

The corporate security world also shuns WebRTC because it can bypass their policy. You could visit a website right now and be downloading/seeding illict material over WebTorrent, which depends on WebRTC, without even knowing it. Nothing was installed by the user, no browser permission was granted, no prompt was given, it all happens automatically behind-the-scenes. WebRTC could also enable a shady site to hijack your browser for use as a Tor snowflake proxy (as long as the page's tab/window stays open). It's entirely up to them whether or not to explicitly ask the user for permission on the page that makes peer connections. They don't have to. This technology also enables resilient browser-based botnets to be built. Lastly, aside from its glaring privacy issues, WebRTC doesn't have a good security track record in general. If the Signal project couldn't even get it right then just imagine how flawed some of these other implementations are. They've had multiple security vulnerabilities related to it and some of them were even critical.
LilTroy
Member
Member
Posts: 35
Joined: Fri Apr 19, 2024 12:32 am

Re: How to fully leakproof your VPN

Post by LilTroy »

Here's a leak that recently affected ProtonVPN's client on Windows 10.
Image
“However, leaks were reported by the pcWRT router when the computer went to sleep and woke up, when the VPN was trying to reconnect. This happened with and without turning on the kill switch.”
The article concludes by mentioning a couple important things—both of which I've already recommended in the OP.
“With the permanent kill switch turned on, no VPN leak was reported by the pcWRT router when the computer went to sleep and woke up again.”
“In general, it is safer to run the VPN client on a router to avoid VPN leaks of this kind.”
They'll also protect you against severe or even critical targeted attacks like TunnelVision, which was made public only a few months ago, and TunnelCrack which was published just last year. Virtually all VPNs are/were affected by at least one of these clever exploits to some extent or another. Check and see if your VPN provider has formally addressed these recently discovered vulnerabilities. Mine already has. Transparency is nice and provides customer reassurance. A typical end-user can potentially do a lot with just a leaked IP address alone. I reminded my friend of this only weeks ago. 😂

If you suspect that your VPN may be occasionally leaking traffic then it's worth investigating. It isn't difficult to verify yourself. Just start a live packet capture session on your device and monitor your physical NIC for your Ethernet/Wi-Fi internet connection. If you plan to keep it on then you'll either want the sniffer running as a background app/service or in the form of a lightweight console app (ieg., TShark, tcpdump, …). Configure your capture filters appropriately for all of the different types of traffic present on your network. Contrary to popular belief Windows provides built-in packet capture. There are at least 4 different ways to do it (pktmon, netsh trace, netmon which still works but was discontinued, and a mixture of PowerShell Net Events cmdlets). That said, I prefer using flexible 3rd party tools like Wireshark/TShark for capture & display. It has a tremendous number of protocol dissectors for traffic classification & inspection. My capture filter looks like this. It will only catch leaked traffic 99.99% of the time. Not bad for such a simple expression.

Code: Select all

!(arp || broadcast || igmp || multicast) && host !45.39.207.61
As you can see, I've had no leaks today. 8)
VPN_Leak_Capture_Window.png
VPN_Leak_Capture_Window.png (25.26 KiB) Viewed 929 times

If any traffic ever did somehow manage to leak then I'd not only be aware of it I'd also know which apps' traffic bypassed the tunnel. Some packet sniffers can map network communication to process identifiers (PID). It can certainly come in handy. For example, the netsh trace & pktmon commands on Windows have it built-in. If your sniffer doesn't support this functionality then you could simply start a live capture with either of the aforementioned commands and then use a separate app like Wireshark to actually display the packets. Once you have the socket owner's respective PID you can simply open taskmgr and under the Details column it'll list them for every process. Alternatively you can spawn an elevated command prompt and run netstat -aboqv or similar as long as the -b & -o switches are included.
PID.png
PID.png (15.91 KiB) Viewed 839 times
PID_Lookup.png
PID_Lookup.png (2.52 KiB) Viewed 839 times

Wireshark can also be used to do lots of other cool stuff. Notice that not only am I sniffing my VPN's virtual interface (some VPN users cannot do this) I'm also decrypting my browser's SSL/TLS traffic in real-time. Network visibility is essential. In the example below it's my active HTTPS session on this site which is being protected by the latest version of TLS 1.3.
TLS_1.3_Decryption.png
TLS_1.3_Decryption.png (97.46 KiB) Viewed 929 times

Hope this was helpful to some of you guys! Cheers.

Note: My tunnel IP address is part of the 100.64.0.0/10 block which was allocated for Carrier Grade NAT (CGN/LSN) deployments. It isn't publicly routable address space. Lots of VPN providers & ISPs are using it these days.
bob2306
Veteran
Veteran
Posts: 91
Joined: Mon Jun 12, 2023 8:56 pm

Re: How to fully leakproof your VPN

Post by bob2306 »

Some leaks are evidence of torrenting, but most are only evidence that you share a VPN address with a someone torrenting. The latter are not really relevant IMO, and include most leaks from browsers.

Here's an example that's more extreme than a VPN leak: I'm seeding Amazon Prime torrents, and I go to Amazon and buy something. They have have my name and address and can match my VPN IP address with the seeder's IP address, but they still have no real evidence, just a 1 in N chance that I'm the seeder, without even knowing what N is. Over the course of a month they may find numerous candidates for the seeder. It's similar with VPN leaks, most of them provide no way of connecting the leak with a torrent data transfer - provided that the torrent data itself goes through the VPN.

With the ProtonVPN leak, and similar leaks, the important thing is whether or not a bittorrent client bound to the VPN interface would have be able to connect to other clients before the VPN established a connection - I would hope not.

I don't use kill switches, I don't think you can really trust them, I simply block any traffic going around the VPN without good reason. It seems a better solution than running a VPN on a router.

Whether or not an IP address is usable in a court depends on local law and precedent. My understanding is that in the US (where the situation gets more media attention) an IP address is no longer considered adequate in a copyright prosecution. The early prosecutions started in an era when internet accounts were associated with a single computer - eventually the law caught up with WiFi. In this case the VPN is really just about losing your ISP account.
LilTroy
Member
Member
Posts: 35
Joined: Fri Apr 19, 2024 12:32 am

Re: How to fully leakproof your VPN

Post by LilTroy »

bob2306 wrote: Mon Sep 02, 2024 11:05 pm Some leaks are evidence of torrenting, but most are only evidence that you share a VPN address with a someone torrenting. The latter are not really relevant IMO, and include most leaks from browsers.

Here's an example that's more extreme than a VPN leak: I'm seeding Amazon Prime torrents, and I go to Amazon and buy something. They have have my name and address and can match my VPN IP address with the seeder's IP address, but they still have no real evidence, just a 1 in N chance that I'm the seeder, without even knowing what N is. Over the course of a month they may find numerous candidates for the seeder. It's similar with VPN leaks, most of them provide no way of connecting the leak with a torrent data transfer - provided that the torrent data itself goes through the VPN.

With the ProtonVPN leak, and similar leaks, the important thing is whether or not a bittorrent client bound to the VPN interface would have be able to connect to other clients before the VPN established a connection - I would hope not.

I don't use kill switches, I don't think you can really trust them, I simply block any traffic going around the VPN without good reason. It seems a better solution than running a VPN on a router.

Whether or not an IP address is usable in a court depends on local law and precedent. My understanding is that in the US (where the situation gets more media attention) an IP address is no longer considered adequate in a copyright prosecution. The early prosecutions started in an era when internet accounts were associated with a single computer - eventually the law caught up with WiFi. In this case the VPN is really just about losing your ISP account.
As I said before your VPN provider's shared IP address pool won't protect users from losing their privacy when their traffic leaks. Maybe they're lucky and none of the leaked packets contain anything too sensitive or incriminating but, at the very least, their real identity is always exposed to the destination and anyone else monitoring the path between their device and the destination. All leaks reveal your real ISP-assigned public IP address and often user data with it. You might as well have a direct connection to the internet when this happens. When your VPN client is working properly all of your traffic is routed through the VPN server by default (full tunnel mode) so there's no leak. That's when your VPN provider using a shared IP addressing scheme can significantly improve a user's privacy.

It only takes a single packet of data to expose your real identity & your activity. This also applies to leaked torrent traffic. It's also possible for an observer to use traffic analysis to perform end-to-end correlation and 'deanonymize' a VPN (or Tor) user even if there is no leak. This is why some VPN providers offer multi-hop mode to try and make it more difficult and to offer stronger censorship circumvention. A global passive adversary like the US government, for example, can do it quite easily and this is without any leak or active interference whatsoever. In fact, you don't even need to have global network visibility, just the ability to observe both ends of the VPN tunnel. There are multiple side channel attacks that such an observer could use by looking at timing, packet sizes, traffic characteristics and flow statistics to correlate the packet flows entering & exiting the VPN tunnel. Single-hop VPNs, which is what most people use, are especially vulnerable to this (see studies by Murdoch, Danezis, Woo, et al). On a properly implemented mix network, however, these passive attacks would be much more difficult to perform.

Yes, laws vary by jurisdiction. Some repressive governments like China have jailed people on the mainland just for using a VPN that wasn't authorized. Or they were caught simply visiting a site that stood in opposition to their government. It doesn't take much to get into legal trouble in many places around the world particularly in strict countries with dictatorships (China, Russia, Iran, Tunisia, etc). I've already covered the safest ways to use a VPN client. Running it on a router is considered the safest of them all and I explained why that is. It just isn't that convenient for most people and switching VPN servers isn't as accessible to them. VPN providers like TorGuard also recommend it for increased privacy & security. It's only appropriate considering that VPN clients themselves are routing-based. They all reconfigure your local routing table and add firewall rules to intercept and redirect internet traffic. Running the client on your router also only counts as a single concurrent connection usually. Most VPN providers limit your concurrent connections to some low number. My provider only allows 8 (devices) but it used to only be 5.
“Perhaps the best way to be protected from WebRTC and similar vulnerabilities is to run the VPN tunnel directly on the router. This allows the user to be connected to a VPN directly via Wi-Fi, leaving no possibility of a rogue script bypassing a software VPN tunnel and finding one’s real IP,” Van der Pelt says.

“During our testing Windows users who were connected by way of a VPN router were not vulnerable to WebRTC IP leaks even without any browser fixes,” he adds.
Huge Security Flaw Leaks VPN Users’ Real IP-Addresses

Speaking of the TorGuard service the person below was using their VPN client on the same device while torrenting copyright protected material and got nabbed. He's a qBittorrent user. Most leaks we hear about are software VPN leaks with the VPN client running on the same device as the rest of your apps. Had he been running TorGuard on his router then this wouldn't have happened. All of his outbound traffic would've been forcefully encapsulated, encrypted, and authenticated to the VPN server even if qBittorrent wasn't explicitly bound to his VPN's interface. It's nearly impossible for any traffic to ever sidestep it. The default setting in qBittorrent is to use any available network interface. Ultimately the blame is on TorGuard's VPN client. It obviously failed to protect his torrent traffic since it was able to bypass the tunnel.

Received a copyright violation while using TorGuard
Busted.png
Busted.png (61.07 KiB) Viewed 702 times
bob2306
Veteran
Veteran
Posts: 91
Joined: Mon Jun 12, 2023 8:56 pm

Re: How to fully leakproof your VPN

Post by bob2306 »

You are posting this in a qBittorrent forum, so there is an implication that it should have some relevance to BitTorrent, and much of it really doesn't. When packets leak, unless they are directly linked to the torrenting, they don't really matter. For most of us it's fine for general traffic to go directly to the internet.

Clearly if you setup a VPN for torrenting, you need to have the torrent client use it. If you don't know what you are doing, don't try to be selective about what goes through the VPN.

Regarding this link:

https://torrentfreak.com/huge-security- ... es-150130/

I've yet to see an explanation of how this can work (and I did follow the dead links via archive.org). It implies that Javascript is capable of sending STUN UDP packets both around the VPN and through it, but I've not seen any explanation anywhere about how this can happen. Perhaps it simply relies on the browser starting before the VPN (which is avoidable), but it's a very substantial omission either way. And it leaves open the possibility that disabling WebRTC is only a symptomatic fix for an underlying problem. Note that there are several issue around WebRTC, and when experts are quoted, it's not always clear what is being referred to.
LilTroy
Member
Member
Posts: 35
Joined: Fri Apr 19, 2024 12:32 am

Re: How to fully leakproof your VPN

Post by LilTroy »

bob2306 wrote: Sun Sep 08, 2024 10:34 pmYou are posting this in a qBittorrent forum, so there is an implication that it should have some relevance to BitTorrent, and much of it really doesn't.
I've made many torrent references throughout the thread. Given torrent client configuration settings, posted screens of users reporting that their torrent traffic had leaked from behind their VPN, and linked to leak testing resources that are torrent-specific. It just isn't the main theme. We're on the qBittorrent message board but this particular forum's name is Generic. That's why I created the thread here.
bob2306 wrote: Sun Sep 08, 2024 10:34 pmWhen packets leak, unless they are directly linked to the torrenting, they don't really matter. For most of us it's fine for general traffic to go directly to the internet.
Maybe to you but the majority of VPN users, who use it mainly to enhance privacy, would vehemently disagree. Leaks are a big concern in the industry and within the infosec community. Consumer VPN leaks literally defeat its fundamental purpose. When they occur their Virtual Private Network tunnel over the untrusted public internet is no longer truly private. It's an even bigger deal in the business world. The remote workforce typically relies on VPNs and they're also used for connecting different branch locations site-to-site. They originated in business and have been in use there since the late 90s. If a telecommuter establishes a secure tunnel to their workplace over the internet and it leaks sensitive data then their company's internal resources could be exposed. Though unlikely, the data leak may even lead to a full scale breach. Depending on your threat model, and how sensitive the traffic is that leaked, it could spell disaster. In the torrent world it usually means facing a copyright infringement case as mentioned before. You might be sued and lose your internet service. ISPs consider piracy an instant Terms of Service (TOS) violation. Some gamers also use VPNs to conceal their real IP from other gamers. Many have already been a target of DDoS attacks. The latter is common to see with online multiplayer games and most of these games, even for consoles, are P2P-based by design. A script kiddie can effortlessly pull another gamer's IP address and attack them with ready-made tools like LOIC & HOIC. It happens every day.
bob2306 wrote: Sun Sep 08, 2024 10:34 pmClearly if you setup a VPN for torrenting, you need to have the torrent client use it. If you don't know what you are doing, don't try to be selective about what goes through the VPN.

Regarding this link:

https://torrentfreak.com/huge-security- ... es-150130/

I've yet to see an explanation of how this can work (and I did follow the dead links via archive.org). It implies that Javascript is capable of sending STUN UDP packets both around the VPN and through it, but I've not seen any explanation anywhere about how this can happen. Perhaps it simply relies on the browser starting before the VPN (which is avoidable), but it's a very substantial omission either way. And it leaves open the possibility that disabling WebRTC is only a symptomatic fix for an underlying problem. Note that there are several issue around WebRTC, and when experts are quoted, it's not always clear what is being referred to.
I've already provided several sound reasons to disable or at least filter WebRTC particularly if you're a VPN user. It's invasive, not easy to implement securely, and has already been demonstrated to have a high potential for abuse particularly within the browser space. Generally your attack surface will increase significantly when it's enabled. A user might have the option to configure it more securely but not many will bother, or they won't know what they're doing, which is why so many VPN providers & cyber security experts just recommend disabling it altogether. Not all WebRTC-based apps even allow you to disable or configure it. Some require it just to function.

Yes, Javascript can call WebRTC's APIs to send STUN packets to the signaling server. UDP is preferred but in some cases TCP can also be used as a fallback mechanism. WebRTC can bypass the VPN *when it's running on the same host* because by default it enumerates all of your device's network adapters. Not only does it collect your IP addresses from the interfaces it can send packets from them (path probing, ICE candidate selection, etc). Most users today are running an OS with a dual stack configuration (both IPv4 & IPv6) so if your VPN doesn't fully support IPv6—or doesn't actively block it if they don't—then it can step around it. There are other scenarios where IP leakage can occur that doesn't involve IPv6, like when using virtualization, but they're less common. WebRTC is open source so you can always review the code yourself to see how it works. Implementations may differ but the core codebase remains the same.
If you run the VPN client on your router then there's simply no need to bind your torrent client to its respective interface. Additionally, you don't have to be concerned with blocking or filtering WebRTC in your browser and other apps. A quick Google search yielded the results below. This is only some of the results from the first page. It's safe to assume that these users were running their torrent client on the same host/device as their VPN client and didn't have it bound. But, not all torrent clients offer this option. In fact most don't. Even those that do wouldn't have it on by default anyway. They all default to using any available network interface unless the user has explicitly indicated otherwise. Ultimately it's the VPN client, assuming it was actually connected at the time, which should have prevented these leaks regardless of what triggered them.
DMCA.png
DMCA.png (69.82 KiB) Viewed 74 times
DMCA_2.png
DMCA_2.png (35.98 KiB) Viewed 74 times
DMCA_3.png
DMCA_3.png (33.07 KiB) Viewed 74 times
Post Reply