-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 06/16/2016 10:28 AM, grarpamp wrote:
On 6/16/16, Mirimir <mirimir@riseup.net> wrote:
I tested 29 Windows VPN clients for DNS, IPv4 and IPv6 Leaks.
Nice.
You might want to include - For clients that may be doing packet filtering instead of just modifying kernel routing tables... test ICMP, generic UDP (non-DNS), TCP, etc. - The codebase and VPN protocol of each client (OpenVPN, SoftEther, etc)
Thanks. I've been thinking about how to test harder. I did ICMP ping 8.8.8.8 and wget google.com, but not other packet types. I'll take a closer look at the clients. In many cases, it was just stock OpenVPN, or maybe with a wrapper.
hit VPN-specified nameservers directly while reconnecting after uplink interruption. But that's not a huge issue, in that they didn't hit other nameservers.
Seems big if the direct hits were not encrypted over the VPN and user's requirement is to encrypt to the VPN termination.
Good point. I'll tweak that language.
After uplink interruption, some failed to reconnect automatically
These interruption, reconnect, renegotiation, timeout, edge cases are important to discover.
Yes, it's why doing your own leak prevention is best. Unless the VPN provides its own IPv6 address, disable IPv6 everywhere you can, and block it with firewall rules. Use firewall rules to allow connections on physical interface only to VPN server. Restrict everything else to VPN tunnel. And make sure that you're using VPN-assigned DNS server(s) through VPN tunnel. But the six totally leak-free Windows VPN clients do that. Indeed, FrootVPN and Perfect Privacy provide their own IPv6 addresses. And FrootVPN is leak-free using stock OpenVPN, doing just server-side.
More advanced users of Tor + OpenVPN might be interested in this capability... https://community.openvpn.net/openvpn/ticket/577
Interesting. VPN SOCKS5 port. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJXYubxAAoJEGINZVEXwuQ+SPIH/igDGoMyQeqm/ZD8XlluRuOK A7ZhSW5aYZ8si8nel9ulj1EyS1AsfUnMJHZmidHDp7PaQMWjyt0fk1StiAIaqaoq NKc4qF68QpZOpfuhijL6JFvaWbNYnsn1aAZ5KDINDz2VRKfGNOnOjkx6BwqXKApg 3VcCV4oc9L79nbXZzjA3JdERQVSA2mA32g6VMN/BkLXXYkb2escV3QlWOst4SaCQ v11hITwGDP0jMRM/hfiTLND2r/h0kzhCVqV7AVLodB09wIZm0pT7fG4Uw1EADwoa x6YV/PHRjqKVsTHc9v/B+WsI1R+AG7Vsv/nQL6smHeqjC3k++ClgUtyAEKErdq8= =T60g -----END PGP SIGNATURE-----