Leak Testing
Most of the leak tests people use on the web only detect the occasional leak. They're largely passive and typically require little or no user interaction beyond visiting a site. You should still use them, but you can't rely on them alone. The more thorough type of leak testing is active. It can't be fully automated because it requires real user interaction to try to trigger a leak during various transitional states: manually switching VPN servers while connected, pulling the ethernet cable and plugging it back in, disconnecting from Wi-Fi and reconnecting, toggling airplane mode on and off, putting the device to sleep and waking it, and so on. For checking qBittorrent specifically, or any other torrent client, you can add a unique magnet link to detect leakage. It can be left in your torrents list while its corresponding tracker site continually logs your public IP address alongside a timestamp; any entry showing your ISP-assigned address rather than the VPN's egress address is a leak. There are also leak testing tools that you can download and run on your device. ExpressVPN offers a whole suite of them on GitHub and they're all open source. Below are some useful sites that I'd recommend.
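As an added example (not from the original post) of how to record those transitional states instead of eyeballing them, here is a PowerShell monitor that samples which adapter currently wins the route to the internet and what public address the internet sees, and flags any sample that isn't going out via the tunnel. Assumed values: the VPN adapter alias, the api.ipify.org echo URL (a public service that returns the caller's IP as plain text; any equivalent works), the ISP address you record with the VPN off, and the log path.

```powershell
# Added example: polling leak monitor for active leak testing.
# Start it, then switch servers, pull the cable, sleep/wake, etc., and look
# for any sample where leak=True. Not part of the original post.
# ASSUMPTIONS (edit for your machine; list adapter aliases with Get-NetAdapter):
$VpnIf    = 'ProtonVPN'                 # alias of the VPN TUN/TAP adapter
$EchoUrl  = 'https://api.ipify.org'     # returns the caller's public IP as text
$IspIp    = '198.51.100.7'              # what $EchoUrl returns with the VPN off (RFC 5737 example)
$Probe    = '1.1.1.1'                   # any internet address, used only for the route lookup
$Log      = "$env:USERPROFILE\leaktest.log"
$Interval = 2                           # seconds between samples

function Get-LeakSample {
    # Ask the routing table which adapter would carry a packet to $Probe right now.
    # Find-NetRoute does a real lookup, so it also handles clients that install
    # 0.0.0.0/1 + 128.0.0.0/1 instead of replacing the default route.
    try   { $via = (Find-NetRoute -RemoteIPAddress $Probe -ErrorAction Stop | Select-Object -First 1).InterfaceAlias }
    catch { $via = '(none)' }

    # Ask the outside world who we are; short timeout so a dead link shows as (fail).
    try   { $ip = ([string](Invoke-RestMethod -Uri $EchoUrl -TimeoutSec 3)).Trim() }
    catch { $ip = '(fail)' }

    [pscustomobject]@{
        Time       = Get-Date -Format 'HH:mm:ss'
        DefaultVia = $via
        PublicIp   = $ip
        # A leak is any successful reply that was not routed out the tunnel,
        # or that carries the ISP-assigned address. A working persistent kill
        # switch should produce (fail) here instead, never the ISP address.
        Leak       = ($ip -ne '(fail)') -and (($via -ne $VpnIf) -or ($ip -eq $IspIp))
    }
}

while ($true) {
    $s = Get-LeakSample
    $line = '{0} via={1} ip={2} leak={3}' -f $s.Time, $s.DefaultVia, $s.PublicIp, $s.Leak
    Add-Content -Path $Log -Value $line
    if ($s.Leak) { Write-Host $line -ForegroundColor Red } else { Write-Host $line }
    Start-Sleep -Seconds $Interval
}
```

Run it in one window and do the cable-pull / server-switch / sleep-wake routine in the other; afterwards the log gives you a timestamped record to line up against the tracker's log from the magnet-link test. The sample is only as frequent as $Interval, so a sub-second leak during a reconnect can still slip between polls; a packet capture on the physical adapter catches those.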
Airtight VPN Setups
If possible always run your VPN client directly on your router when you're at home. This will inherently prevent ALL leaks outside the tunnel provided that there are no bugs in the client itself or elsewhere in the router's firmware that could cause traffic to escape. By running it on a separate intermediary node upstream it's positioned to catch any leaks that otherwise might not be caught if the VPN were to be running on the same host. Some routers also have built-in packet capture which makes it convenient to monitor all egress WAN traffic in order to verify that there are no leaks. Does your router not have a built-in VPN client? If it doesn't you can flash it with 3rd party firmware such as DD-WRT, OpenWRT, or Tomato assuming it's compatible. Worst case scenario you can buy a VPN router that's been pre-flashed or is already pre-configured for your provider.
Don't want to replace your firmware or buy a new router? There's a workaround. You can tether to another device on your LAN/WLAN that's running your VPN client and share its VPN connection. That device serves as a virtual router and becomes your gateway. Provided that it's the VPN adapter itself you share, and not the physical uplink, then if the VPN interface ever goes down, or is disconnected for any reason, you won't have any internet connectivity until it's back up. Windows makes this setup easy with Internet Connection Sharing or Mobile Hotspot; it takes only a couple of clicks to configure. Afterwards you can run Wireshark or another packet sniffer on the sharing host to verify that it isn't leaking. This setup is especially useful if you're often away from home and don't own a travel router/gateway with a VPN client installed.
However, if you insist on running it on the same host then you should invest in a VPN with a persistent (permanent) kill switch. Select clients, such as ProtonVPN, have this advanced feature; it works by cutting off all internet access unless you're connected to the VPN. Usually you need to enable it manually first. If your client lacks a persistent kill switch you can firewall it yourself: explicitly deny all internet traffic from leaving your other network interface(s) and only allow it out via the VPN adapter, with the one exception needed for the physical adapter to reach the VPN server itself. If your client is closed, crashes, or you manually disconnect, you won't be able to access the internet until it has reconnected to the VPN server. This also protects you, for example, against start-up apps that load before the VPN does, and stops your device leaking traffic while it shuts down. Unfortunately almost all VPN clients default to a standard kill switch. That mode is automatic but fails to protect your traffic in all instances because it's only active while you're connected to, or (re)connecting to, the VPN server. It doesn't remain engaged at all times; a persistent kill switch does.
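The "firewall it yourself" option above, as an added example for Windows (not from the original post or any VPN vendor's client): Windows Firewall's outbound default is Allow, so the trick is to flip it to Block on every profile and then punch exactly two kinds of holes through the physical adapters. Assumed values: the adapter aliases, the VPN server's IP/port/protocol (a WireGuard-style UDP endpoint on an RFC 5737 documentation address is shown), and the rule group name. Run from an elevated PowerShell.

```powershell
# Added example: persistent kill switch from Windows Firewall rules.
# ASSUMPTIONS (edit for your machine; list aliases with Get-NetAdapter):
$VpnIf     = 'ProtonVPN'             # alias of the VPN TUN/TAP adapter
$PhysIfs   = @('Ethernet', 'Wi-Fi')  # every physical adapter you have
$VpnServer = '203.0.113.10'          # VPN server IP (pin it by IP, not hostname)
$VpnPort   = 51820                   # its port and protocol
$VpnProto  = 'UDP'
$Group     = 'VPN Kill Switch'       # rule group, so the rules can be removed together

# 1. Default-deny outbound on every profile. This is what makes the switch
#    persistent: it holds while the client is closed, crashed, or not started yet,
#    and across shutdown. Rules are address-family agnostic, so IPv6 is covered too.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Drop any earlier copies so re-running the script is idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 3. Everything may leave via the tunnel adapter.
New-NetFirewallRule -DisplayName 'KS: allow out via VPN' -Group $Group `
    -Direction Outbound -Action Allow -InterfaceAlias $VpnIf | Out-Null

# 4. On each physical adapter allow only what is needed to bring the tunnel up.
foreach ($if in $PhysIfs) {
    # the handshake to the VPN server itself
    New-NetFirewallRule -DisplayName "KS: VPN handshake ($if)" -Group $Group `
        -Direction Outbound -Action Allow -InterfaceAlias $if `
        -Protocol $VpnProto -RemoteAddress $VpnServer -RemotePort $VpnPort | Out-Null
    # DHCP, so the adapter can still obtain and renew a lease
    New-NetFirewallRule -DisplayName "KS: DHCP ($if)" -Group $Group `
        -Direction Outbound -Action Allow -InterfaceAlias $if `
        -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
}

# 5. Check: Leak should be False whether the tunnel is up (reachable) or down (unreachable).
function Test-KillSwitch {
    $reach = Test-NetConnection -ComputerName 1.1.1.1 -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    $up    = (Get-NetAdapter -Name $VpnIf -ErrorAction SilentlyContinue).Status -eq 'Up'
    [pscustomobject]@{ TunnelUp = $up; InternetReachable = $reach; Leak = ($reach -and -not $up) }
}
Test-KillSwitch
```

Two caveats before trusting it. First, Windows ships with a stack of built-in outbound Allow rules (the "Core Networking" set and per-app rules) that still match after the default is flipped to Block; audit them with Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow and disable the ones you don't need, in particular the DNS one, or the system resolver can still talk to your ISP's servers over the physical adapter. Second, nothing on the LAN (printer, router admin page) is reachable any more; if you need that, add a rule on the physical adapters scoped to your RFC 1918 subnet only. To undo everything: Remove-NetFirewallRule -Group $Group and set -DefaultOutboundAction Allow again.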
qBittorrent Configuration
If you're running your VPN client on the same host, make sure that you explicitly bind qBittorrent to your VPN interface (Tools → Options → Advanced → Network interface). This ensures that no torrent traffic leaves any other interface, and if the tunnel goes down the client's connections simply fail rather than falling back to your ISP connection. Unfortunately many other torrent clients don't have this handy feature. If you occasionally use any of them, configure them to connect through a SOCKS5 proxy server (use a private one that requires authentication). You could also configure the proxy system-wide, but then it would slow everything down. The proxy provides an additional layer of protection in the event that any torrent traffic does leak outside the tunnel. Just remember to always force protocol encryption (require it rather than merely prefer it), since SOCKS5 only relays the connection and doesn't encrypt it. Side note: qBittorrent's I2P integration looks promising but it's still considered experimental.
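The binding and the encryption setting are also exposed through qBittorrent's WebUI API, which makes it possible to verify (or re-apply) them from a script instead of trusting that nobody touched the dialog. The following is an added example, not qBittorrent's own code or part of the original post. It assumes the WebUI is enabled on localhost:8080 with the credentials shown, and that $VpnIf holds whatever identifier the API reports for your VPN adapter in current_network_interface (on Windows that can be the adapter's GUID rather than its friendly name, so call Get-QbtPrefs once to see it). The preference keys and the encryption values (0 prefer, 1 force on, 2 force off) are from the documented WebUI API.

```powershell
# Added example: enforce and verify qBittorrent's interface binding and
# "require encryption" setting over the WebUI API. Not qBittorrent's own code.
# ASSUMPTIONS:
$Base  = 'http://127.0.0.1:8080'
$User  = 'admin'
$Pass  = 'changeme'
$VpnIf = 'ProtonVPN'   # what the API returns for your VPN adapter; read prefs once to confirm

# Log in; the SID cookie is kept in the web session object $s.
Invoke-RestMethod -Uri "$Base/api/v2/auth/login" -Method Post `
    -Headers @{ Referer = $Base } `
    -Body @{ username = $User; password = $Pass } -SessionVariable s | Out-Null

function Get-QbtPrefs {
    Invoke-RestMethod -Uri "$Base/api/v2/app/preferences" -WebSession $s
}

function Test-QbtBinding {
    $p = Get-QbtPrefs
    [pscustomobject]@{
        Interface        = $p.current_network_interface
        BoundToVpn       = ($p.current_network_interface -eq $VpnIf)
        EncryptionForced = ($p.encryption -eq 1)   # 1 = force encryption on
    }
}

$before = Test-QbtBinding
if (-not ($before.BoundToVpn -and $before.EncryptionForced)) {
    # setPreferences takes a form field named "json" holding a JSON object.
    # current_interface_address '' means "any address on that interface".
    $json = @{
        current_network_interface = $VpnIf
        current_interface_address = ''
        encryption                = 1
    } | ConvertTo-Json -Compress
    Invoke-RestMethod -Uri "$Base/api/v2/app/setPreferences" -Method Post `
        -Body @{ json = $json } -WebSession $s | Out-Null
}
Test-QbtBinding   # re-read from the client; both flags should now be True
```

This only makes sense with the WebUI bound to localhost (or reachable over the tunnel only); exposing it on the physical adapter would itself be a path around the VPN. Running the check on a schedule, or from your VPN client's "connected" hook, catches the case where a qBittorrent upgrade or a renamed adapter silently resets the binding to "Any interface".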
WebRTC Leaks
If you're running your VPN client on the same host you'll want to disable, or at least filter, WebRTC as a precaution, even if your VPN provider claims their client protects you against this class of leak. Go into your browser's settings and configure it appropriately, or install one of the various browser extensions, such as uBlock Origin (its "Prevent WebRTC from leaking local IP addresses" option), that block/filter it at the application layer. Some VPN providers also offer their own browser extensions that protect against WebRTC leaks. You'll have to do this for every browser you use. Some web-based torrent clients such as WebTorrent rely on WebRTC. Libtorrent, which qBittorrent is based on, also supports WebTorrent. However, I've never heard of leaks being an issue with its implementation. The apps primarily affected tend to be web browsers and some mobile apps that use WebRTC for real-time P2P connectivity.
IPv4/IPv6 Leaks
If you have frequent IPv4 leaks then you should change your provider. IPv4 still carries roughly 60% of traffic; the other ~40% is IPv6, according to Google's latest IPv6 adoption statistics (measured as the share of Google's users connecting over IPv6). Most VPN providers still don't support IPv6, but that's changing and several now claim to. Providers that only offer partial support are the main cause of IPv6 leaks: if the client tunnels IPv4 but neither tunnels nor blocks IPv6, every dual-stack connection can go straight out over your ISP's native IPv6. They need to either support it fully or block it entirely. You're safer disabling it on your system's network adapters: unbind the IPv6 protocol (Internet Protocol Version 6 in the adapter's Properties dialog) from your device's adapter(s) and reboot. You should also disable IPv6 on your router. If you don't want to do this, or you require IPv6, then Windows users should at least disable Teredo. It's an old IPv6-over-UDP/IPv4 transition tunnel that's still occasionally used by the Xbox for NAT traversal, and because it rides over IPv4 it can carry IPv6 traffic out whether or not your VPN handles IPv6. Use this command, from an elevated prompt, to disable it →
Code:
netsh int teredo set state disabled
DNS Leaks
A DNS leak usually means that your DNS queries were inadvertently sent to your ISP's resolvers outside the tunnel. Alternatively, if you've manually set third-party public DNS servers (e.g., Cloudflare, Google Public DNS, OpenDNS…), it means that your DNS traffic was sent outside the tunnel and ‘in the clear’ (unencrypted) to their recursive resolvers. In either case your origin IP is exposed, which reveals your identity and approximate location, along with the name of every site you look up. If using public DNS, make sure that your queries are always encrypted (e.g., via DoH, DoT, DoQ, DNSCrypt…) and configure it with global (system-wide) scope if your platform allows. Encrypting your public DNS queries protects them in transit on the back segment after they've left the tunnel, between the VPN exit node and the resolver. Additionally, if your DNS traffic were to leak outside the tunnel, your ISP or government couldn't read, intercept or hijack it via a transparent proxy or DPI appliance (they would still see that you're talking to that resolver, but not what you asked). Ideally your DNS provider should also validate DNSSEC to protect the resource records themselves. Another thing you should do is ensure that your setup doesn't fall back to insecure DNS if encrypted DNS resolution fails. Lastly, avoid setting DNS at the application level (e.g., inside your web browser). It was never intended to be used there and is easy to forget about.
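The "don't fall back to insecure DNS" requirement is a concrete switch on Windows 11. The following is an added example, not part of the original post; it assumes Windows 11 (the DoH cmdlets don't exist on Windows 10), the adapter aliases shown, and uses Cloudflare's public DoH endpoint purely as a stand-in for whichever resolver you choose. Run it from an elevated PowerShell.

```powershell
# Added example: DNS-over-HTTPS on Windows 11 with plaintext UDP fallback disabled.
# The DoH server list is global (system-wide); the server assignment is per adapter.
# ASSUMPTIONS (edit for your machine):
$VpnIf    = 'ProtonVPN'
$PhysIfs  = @('Ethernet', 'Wi-Fi')
$Resolver = '1.1.1.1'
$Template = 'https://cloudflare-dns.com/dns-query'

# 1. Register the resolver as a DoH server. AllowFallbackToUdp:$false is the
#    "never fall back to insecure DNS" setting; AutoUpgrade:$true makes Windows
#    use DoH whenever this address is configured as a DNS server on any adapter.
if (Get-DnsClientDohServerAddress -ServerAddress $Resolver -ErrorAction SilentlyContinue) {
    Set-DnsClientDohServerAddress -ServerAddress $Resolver -DohTemplate $Template -AutoUpgrade $true -AllowFallbackToUdp $false
} else {
    Add-DnsClientDohServerAddress -ServerAddress $Resolver -DohTemplate $Template -AutoUpgrade $true -AllowFallbackToUdp $false
}

# 2. Point the tunnel adapter at it, and the physical adapters too, so the
#    ISP's DHCP-supplied resolvers are never used even if a query escapes.
foreach ($if in @($VpnIf) + $PhysIfs) {
    Set-DnsClientServerAddress -InterfaceAlias $if -ServerAddresses $Resolver
}

# 3. Verify: every configured server must be a DoH server with UDP fallback off.
function Test-DohOnly {
    $doh = Get-DnsClientDohServerAddress
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            foreach ($srv in $_.ServerAddresses) {
                $entry = $doh | Where-Object ServerAddress -eq $srv
                [pscustomobject]@{
                    Interface  = $_.InterfaceAlias
                    Server     = $srv
                    DoH        = [bool]$entry
                    NoFallback = [bool]($entry -and -not $entry.AllowFallbackToUdp)
                }
            }
        }
}
Test-DohOnly          # any row with DoH=False or NoFallback=False is a hole
Clear-DnsClientCache  # same effect as ipconfig /flushdns
```

Two things to watch. Many VPN clients rewrite the DNS servers on their own adapter every time they connect, so re-run Test-DohOnly after a reconnect and check that the client didn't swap in a plain UDP resolver. And if you firewall your physical adapters, the resolver must be reachable on TCP 443 through them, or the client can't resolve the VPN server's hostname before the tunnel exists (pinning the server by IP sidesteps this).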
Recently it was discovered that Android's persistent system-wide kill switch—“Always-On VPN” & “Block connections without VPN”—is buggy and under certain conditions can leak DNS traffic. Mullvad reported it to Google a few months ago. They've published the details here. A couple years prior to this privacy flaw it was also discovered that Android leaks connectivity check traffic. So, I would be careful about running your VPN client on your phone/tablet if you're an Android user until this has been patched.
It's also come to my attention that the iOS VPN framework has multiple vulnerabilities. One of which is a DNS leak that appears Apple has yet to fix. Reportedly it's still unpatched in iOS 16 and below. Is iOS 17 also affected? Possibly. ProtonVPN has been tracking these issues over the last several years. Apple also refuses to give regular end-users a persistent system-wide kill switch. Apparently you have to be an enterprise user enrolled in a Mobile Device Management (MDM) solution to access such functionality.
If you do have a confirmed DNS leak then immediately flush your DNS cache and manually configure your device's DNS settings. The command to do this on Windows is →
Code:
ipconfig /flushdns
Kill Switch Apps
Third-party kill switch/watchdog apps exist, both freeware and commercial, and may be able to assist if you have a VPN that either lacks a kill switch or has one that's leaky. Personally, I think that you're much better off investing in a VPN with a proper kill switch and reinforcing it by manually firewalling your device, but not everyone has the knowledge to manage it. Fortunately some of these apps will do it for you. I've never used any but here's an incomplete list of them: OpenVPN Watchdog, VPN Watcher, VPNCheck & VPNNetMon. It'd be interesting to hear if any of you actually use one of these tools.
Things To Avoid
Split tunnel VPN configs are quite convenient but also problematic in general. You're asking for trouble if you use them, since many leaks over the years have been attributed to their use; ExpressVPN just suffered a DNS leak related to it. They should really be a last resort. Don't use so-called “VPN” browser extensions. They work like HTTPS proxies and only tunnel the web traffic of that one browser. Actual VPNs work at Layer 2 (TAP) or Layer 3 (TUN) and encrypt and tunnel all of your device's internet traffic unless you use the aforementioned split tunnel config. Also avoid installing other VPN clients on your device. They can conflict with your primary VPN, as can some AV/anti-malware apps. Uninstall any other VPN apps and be careful with any endpoint security software that you install; the latter, for instance, may hijack your DNS for web filtering, which has historically led to leaks. Finally, avoid app-specific kill switches. As mentioned previously, it's safer to use a persistent system-wide kill switch or a manually firewalled setup. Otherwise you're just choosing convenience over privacy and security, which is precisely what you're doing by configuring your VPN to operate in split tunnel mode.