Only nine of the 29 Windows VPN clients that I tested didn't leak

Mirimir mirimir at riseup.net
Thu Jun 16 10:50:44 PDT 2016



On 06/16/2016 10:28 AM, grarpamp wrote:
> On 6/16/16, Mirimir <mirimir at riseup.net> wrote:
>> https://vpntesting.info/
>> 
>> I tested 29 Windows VPN clients for DNS, IPv4 and IPv6 Leaks.
> 
> Nice.
> 
> You might want to include - For clients that may be doing packet
> filtering instead of just modifying kernel routing tables... test
> ICMP, generic UDP (non-DNS), TCP, etc. - The codebase and VPN
> protocol of each client (OpenVPN, SoftEther, etc)

Thanks. I've been thinking about how to test harder. I did ICMP ping
8.8.8.8 and wget google.com, but not other packet types.

I'll take a closer look at the clients. In many cases, it was just
stock OpenVPN, or maybe with a wrapper.

>> hit VPN-specified nameservers directly while reconnecting after
>> uplink interruption. But that's not a huge issue, in that they
>> didn't hit other nameservers.
> 
> Seems big if the direct hits were not encrypted over the VPN and
> user's requirement is to encrypt to the VPN termination.

Good point. I'll tweak that language.

>> After uplink interruption, some failed to reconnect
>> automatically
> 
> These interruption, reconnect, renegotiation, timeout, edge cases
> are important to discover.

Yes, it's why doing your own leak prevention is best. Unless the VPN
provides its own IPv6 address, disable IPv6 everywhere you can, and
block it with firewall rules. Use firewall rules to allow connections
on physical interface only to VPN server. Restrict everything else to
VPN tunnel. And make sure that you're using VPN-assigned DNS server(s)
through VPN tunnel.

But the six totally leak-free Windows VPN clients do that. Indeed,
FrootVPN and Perfect Privacy provide their own IPv6 addresses. And
FrootVPN is leak-free using stock OpenVPN, doing just server-side.

> More advanced users of Tor + OpenVPN might be interested in this
> capability... https://community.openvpn.net/openvpn/ticket/577

Interesting. VPN SOCKS5 port.

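The leak-prevention policy described in the message above (physical interface may reach only the VPN server, everything else goes through the tunnel, DNS only to VPN-assigned servers, IPv6 blocked unless the VPN provides it) can be checked against observed traffic. This is an added example, not part of the original message; the interface names, addresses, flow-record format and verdict labels are assumptions constructed for illustration.

```python
import ipaddress

# Assumed test setup (hypothetical values, documentation address ranges).
PHYS, TUN = "eth0", "tun0"        # physical uplink and VPN tunnel interface
VPN_SERVER = "198.51.100.10"      # the only host the uplink may talk to
VPN_DNS = {"10.8.0.1"}            # resolver(s) pushed by the VPN

# Constructed sample: outbound flows as (interface, protocol, dst_ip, dst_port).
SAMPLE_FLOWS = [
    ("eth0", "udp", "198.51.100.10", 1194),  # tunnel carrier traffic
    ("tun0", "udp", "10.8.0.1", 53),         # DNS to VPN resolver via tunnel
    ("tun0", "tcp", "203.0.113.5", 443),     # ordinary traffic via tunnel
    ("eth0", "udp", "192.0.2.53", 53),       # DNS sent out the uplink
    ("eth0", "icmp", "8.8.8.8", 0),          # ping bypassing the tunnel
    ("eth0", "tcp", "2001:db8::1", 443),     # IPv6 on the uplink
    ("tun0", "udp", "192.0.2.53", 53),       # tunneled DNS to a foreign resolver
    ("eth0", "udp", "10.8.0.1", 53),         # VPN resolver hit directly (reconnect case)
]

def classify(flow, ipv6_in_tunnel=False):
    """Return 'ok' or a leak label for one outbound flow."""
    iface, proto, dst, port = flow
    is_dns = port == 53 and proto in ("udp", "tcp")
    # IPv6 is acceptable only inside the tunnel, and only if the VPN provides it.
    if ipaddress.ip_address(dst).version == 6:
        if iface != TUN or not ipv6_in_tunnel:
            return "ipv6-leak"
    if iface == PHYS:
        if dst == VPN_SERVER:
            return "ok"
        return "dns-leak" if is_dns else "ipv4-leak"
    if iface == TUN:
        if is_dns and dst not in VPN_DNS:
            return "foreign-resolver"
        return "ok"
    return "unknown-interface"

def audit(flows, ipv6_in_tunnel=False):
    """List (flow, verdict) for every flow that violates the policy."""
    verdicts = ((f, classify(f, ipv6_in_tunnel)) for f in flows)
    return [(f, v) for f, v in verdicts if v != "ok"]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS):
        print(verdict, flow)
```

Non-DNS UDP and TCP flows on the uplink fall under `ipv4-leak`, which covers the extra packet types suggested in the quoted reply.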


