Only nine of the 29 Windows VPN clients that I tested didn't leak
https://vpntesting.info/

I tested 29 Windows VPN clients for DNS, IPv4 and IPv6 Leaks. Six (AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN) performed perfectly. Three others (CyberGhost, oVPN.to and SecureVPN.to) hit VPN-specified nameservers directly while reconnecting after uplink interruption. But that's not a huge issue, in that they didn't hit other nameservers.

The other 20 Windows VPN clients failed in various ways. Over half leaked IPv6 packets whenever the machine was connected to the Internet. After uplink interruption, some failed to reconnect automatically, and some leaked IPv4 packets.
On 6/16/16, Mirimir <mirimir@riseup.net> wrote:
> I tested 29 Windows VPN clients for DNS, IPv4 and IPv6 Leaks.
Nice. You might want to include
- For clients that may be doing packet filtering instead of just modifying kernel routing tables... test ICMP, generic UDP (non-DNS), TCP, etc.
- The codebase and VPN protocol of each client (OpenVPN, SoftEther, etc)
> hit VPN-specified nameservers directly while reconnecting after uplink interruption. But that's not a huge issue, in that they didn't hit other nameservers.
Seems big if the direct hits were not encrypted over the VPN and user's requirement is to encrypt to the VPN termination.
> After uplink interruption, some failed to reconnect automatically
These interruption, reconnect, renegotiation, timeout, edge cases are important to discover. More advanced users of Tor + OpenVPN might be interested in this capability... https://community.openvpn.net/openvpn/ticket/577
On 06/16/2016 10:28 AM, grarpamp wrote:
> On 6/16/16, Mirimir <mirimir@riseup.net> wrote:
>> I tested 29 Windows VPN clients for DNS, IPv4 and IPv6 Leaks.
> Nice.
> You might want to include
> - For clients that may be doing packet filtering instead of just modifying kernel routing tables... test ICMP, generic UDP (non-DNS), TCP, etc.
> - The codebase and VPN protocol of each client (OpenVPN, SoftEther, etc)
Thanks. I've been thinking about how to test harder. I did ICMP ping 8.8.8.8 and wget google.com, but not other packet types. I'll take a closer look at the clients. In many cases, it was just stock OpenVPN, or maybe with a wrapper.
>> hit VPN-specified nameservers directly while reconnecting after uplink interruption. But that's not a huge issue, in that they didn't hit other nameservers.
> Seems big if the direct hits were not encrypted over the VPN and user's requirement is to encrypt to the VPN termination.
Good point. I'll tweak that language.
>> After uplink interruption, some failed to reconnect automatically
> These interruption, reconnect, renegotiation, timeout, edge cases are important to discover.
Yes, it's why doing your own leak prevention is best. Unless the VPN provides its own IPv6 address, disable IPv6 everywhere you can, and block it with firewall rules. Use firewall rules to allow connections on physical interface only to VPN server. Restrict everything else to VPN tunnel. And make sure that you're using VPN-assigned DNS server(s) through VPN tunnel. But the six totally leak-free Windows VPN clients do that. Indeed, FrootVPN and Perfect Privacy provide their own IPv6 addresses. And FrootVPN is leak-free using stock OpenVPN, doing just server-side.
> More advanced users of Tor + OpenVPN might be interested in this capability... https://community.openvpn.net/openvpn/ticket/577
Interesting. VPN SOCKS5 port.
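The leak classes discussed in this thread (IPv6 bypass, IPv4 leaks of any packet type, DNS to other resolvers, and DNS sent directly to the VPN-specified nameserver during reconnect) can be told apart mechanically from a capture taken on the physical interface. The following is an added example, not part of the thread and not the test harness behind vpntesting.info; the interface name, addresses, port and sample records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed lab values (constructed for this example, not from the thread).
PHYSICAL_IF = "eth0"
VPN_SERVER = ("203.0.113.10", "udp", 1194)   # only flow allowed on the uplink
VPN_DNS = {"198.51.100.53"}                  # resolver specified by the VPN
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "fe80::/10")]

# Constructed capture summary: (interface, dst_ip, proto, dst_port).
SAMPLE = [
    ("eth0", "203.0.113.10", "udp", 1194),  # tunnel carrier traffic
    ("tun0", "198.51.100.53", "udp", 53),   # DNS inside the tunnel
    ("eth0", "192.168.1.1", "udp", 67),     # DHCP to the LAN gateway
    ("eth0", "198.51.100.53", "udp", 53),   # VPN resolver hit outside tunnel
    ("eth0", "192.0.2.53", "udp", 53),      # some other resolver
    ("eth0", "2001:db8::1", "tcp", 443),    # IPv6 bypassing the tunnel
    ("eth0", "192.0.2.80", "tcp", 80),      # TCP outside the tunnel
    ("eth0", "192.0.2.8", "icmp", 0),       # ICMP outside the tunnel
]

def classify(iface, dst, proto, port):
    """Return a verdict for one outbound packet record."""
    if iface != PHYSICAL_IF or (dst, proto, port) == VPN_SERVER:
        return "ok"
    ip = ipaddress.ip_address(dst)
    if any(ip in net for net in LOCAL_NETS):
        return "local"
    if ip.version == 6:
        return "ipv6-leak"
    if port == 53 and proto in ("udp", "tcp"):
        # Kept separate from "dns-leak": it reaches the VPN's resolver,
        # but it still crosses the uplink outside the tunnel.
        return "dns-direct-vpn-resolver" if dst in VPN_DNS else "dns-leak"
    return "ipv4-leak"  # covers ICMP, generic UDP and TCP alike

def summary(records):
    """Count verdicts over a whole capture."""
    return Counter(classify(*r) for r in records)

def leaks(records):
    """Records that left the physical interface outside the tunnel."""
    return [r for r in records if classify(*r) not in ("ok", "local")]

if __name__ == "__main__":
    for verdict, count in sorted(summary(SAMPLE).items()):
        print(f"{verdict:26} {count}")
```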