The primary purpose of using a VPN is to hide your real IP address so that you stay private and anonymous on the internet. A VPN does this by encrypting the internet traffic passing back and forth between your device and the VPN servers.
VPN servers hide your address and assign you a cloaking IP address, which is what observers see instead of your real IP address. The only way for third parties to access your IP location is to ask your VPN provider (and trustworthy providers use strict measures such as no-logging and shared IPs to make you untraceable).
Unfortunately, for various reasons third-party websites can sometimes discover your real IP address even though you are using a VPN connection.
So what causes IP leaks, and how can you prevent them? This article discusses the causes of IP leaks and the solutions available.
A quick way to test for an IP leak is to visit doileak.com or ipleak.net and run the test while connected to your VPN. If the test results show your real IP address, then you have an IP leak. The test does include IPv6, but to check it separately visit test-ipv6.com.
DNS (Domain Name System) translates alphabetic domain names into their respective IP addresses, which computers understand. For example, it translates www.abcxyz.com to its respective IP address 111.222.333.444.
Why is this necessary? Because an IP address is your unique identity on the internet. Normally your ISP performs this translation from its end. If you are using a VPN, all DNS requests are sent through the encrypted VPN tunnel managed by your VPN provider.
Most VPN providers perform DNS translation by running their own dedicated DNS servers, while some use public DNS services such as Google DNS. Using public DNS may sound uncomfortable at first, but the DNS requests appear to come from the VPN servers, not from your real IP address.
Unfortunately, your ISP settings and VPN settings can conflict with each other, and your DNS requests then pass through your default ISP DNS.
IPv4 DNS Leaks
Before the release of IPv6, the entire World Wide Web used standard IPv4 (Internet Protocol Version 4) to specify IP addresses. After IPv6 was released, the web started to shift gradually away from IPv4, because IPv4 only supports 32-bit IP addresses. However, IPv4 is still in use today alongside IPv6.
While you are using a VPN, your OS often gets confused about which DNS server to prefer and sends requests through the default DNS settings (provided by your ISP) instead of the VPN tunnel. This is a general problem and can occur on any operating system.
How to Fix IPv4 DNS Leak?
Use a VPN service that offers “DNS Leak Protection.” It is a feature that acts as a firewall and forces all your internet traffic to pass through the VPN tunnel. This feature, however, is not available in the generic open-source VPN client application.
Use third-party DNS leak protection software. This is advised only if you are using the generic open-source VPN client application, as it costs extra money and uses more of your system's resources.
Use Google’s Public DNS to override your ISP's default DNS settings. See the Google Public DNS help page.
IPv6 DNS Leaks
The limitations of IPv4 have been addressed in the newer IPv6. It offers 128-bit IP addresses (more than 3.40 trillion), enough for the foreseeable future. However, adoption has been slow for various reasons, so many web services support both IPv4 and IPv6.
Unfortunately, most VPN connections fail to direct IPv6 traffic through the VPN tunnel and pass it through the default ISP DNS instead. A VPN that offers “DNS Leak Protection” simply disables IPv6 in your operating system. This may be effective against IPv6 leaks, but it is not an efficient solution, as it completely disables IPv6 functionality.
As discussed above, to test for IPv6 leaks, visit the website test-ipv6.com.
The results show that our IPv6 is disabled, so an IPv6 leak is not possible.
How To Fix IPv6 Leak?
Use a VPN client that offers “DNS Leak Protection.” (It will disable IPv6)
Disable IPv6 manually by following the instructions for Windows, Linux, and Mac OS X. (iOS is immune to IPv6 leaks.)
The OpenVPN for Android app has a built-in option to direct IPv6 traffic through the VPN connection. To enable this feature:
In the Profiles tab, click on any VPN connection that you have set up.
In that server's settings, go to the “Routing” tab.
Under the IPv4 and IPv6 headings, check “Use default route”.
Smart Multi-Homed Name Resolution Feature
Microsoft has implemented a feature named “Smart Multi-Homed Name Resolution” in Windows 8 and 10 to improve web performance. It sends DNS requests in parallel to the VPN tunnel and to the default ISP DNS at the same time and prefers whichever responds quickest.
This feature caused enough problems for the United States Computer Emergency Readiness Team (US-CERT) to issue an alert.
How To Disable Smart Multi-Homed Name Resolution?
There is an OpenVPN plugin on GitHub that resolves this issue in Windows 8 and 10 and also works with “most” custom VPN software that uses ovpn settings.
To disable this feature manually:
Open the Start Menu and type ‘gpedit.msc’ in the search bar. Double-click ‘gpedit.msc’ to open the Policy Editor.
Navigate to Computer Configuration > Administrative Templates > Network > DNS client, double-click “Turn off smart multi-homed name resolution”, select Enabled, and click Apply.
Note that these manual settings are not available in Windows Home versions. There you can use the OpenVPN plugin mentioned above to fix the problem.
WebRTC Feature Bug
Web Real-Time Communication (WebRTC) is a standard feature that lets web browsers conduct video chat, voice calls, and P2P file sharing from within the browser, without using any extensions.
Unfortunately, WebRTC directs traffic through your default DNS instead of the VPN tunnel, and VPN users have to disable this feature to prevent websites from learning their real IP address. WebRTC is enabled by default in browsers. There are a few easy steps you can take to prevent IP leaks by disabling WebRTC in your browser.
Internet Explorer & Safari Browser
IE and Safari do not support WebRTC. You don’t have to do anything.
Chrome supports WebRTC, so you have to disable it, which would normally mean going under the hood. Luckily, you can do it with the help of the ScriptSafe extension from the Chrome Web Store, which disables WebRTC through its interface.
Opera has a simple interface, and the setting is easy to find. Press Alt+P (or use the Menu) to open the settings window, go to “Privacy & security,” and under the WebRTC heading select “Disable non-proxied UDP.” Alternatively, you can use the extension “WebRTC Leak Prevent.”
Firefox also supports WebRTC. You can disable it using the extension Disable WebRTC, or manually with these steps:
Type “about:config” in the address bar.
Select “I’ll be careful, I promise!”
A long list of settings will open up with a search bar.
Type “media.peerconnection.enabled” in the search bar and press Enter.
Double-click the resulting setting to set it to false.
Close the tab and restart Firefox.
Alternatively, you can install the Statutory.xpi plugin for Firefox from GitHub to whitelist the websites on which you want to use WebRTC.
Note that newer mobile versions of web browsers now come with WebRTC. Be aware of this feature, and disable it using the same procedure above if you use these browsers on your mobile device.
Why Do You Need Internet Kill Switch?
You have to accept the fact that VPN connections sometimes drop out for various reasons. With a reliable VPN service provider, it shouldn’t happen often. If your computer stays connected to the internet during a VPN connection loss, your real IP address is exposed.
This should concern P2P downloaders or torrenters who leave BitTorrent software running in the background while they are away from their computers, sometimes overnight. It exposes their downloading and real IP address not only to their peers but also to ISPs, which can throttle their internet or send warnings for copyright infringement.
How To Fix VPN Dropouts?
Use a VPN that offers a built-in Internet Kill Switch (also named Network Lock). This feature blocks all internet traffic when your VPN connection drops out and restores it once there is a stable connection.
The OpenVPN app for Android can be set up to act as an internet kill switch:
In the OpenVPN app, click on your VPN connection.
In that VPN's settings, head to Advanced.
Check “Persistent Tun” under the Client behaviour heading.
Under “Reconnection settings,” tap “Connection retries” and set it to unlimited.
Set Up Your Firewall To Solve All the Above Problems
You can set up your firewall so that it passes internet traffic only to the VPN server. Settings vary depending on the firewall program and operating system, but the basic principles are the same:
Add a rule to block all incoming and outgoing internet traffic from passing through your local Ethernet device.
Add an exception for your preferred DNS server (for the VPN provider hostname).
Add an exception for your preferred IP address (for the VPN provider IP address).
Make a rule for your VPN device (tap/tun) that allows all outgoing internet traffic through the VPN tunnel.
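The four firewall rules above, written out for Linux iptables as an added example (not from the original article or any VPN provider), together with a drop-all IPv6 ruleset that matches the IPv6 fix discussed earlier. The function names, the interfaces tun0 and eth0, the port, and the addresses 203.0.113.10 and 198.51.100.53 are constructed placeholders.

```shell
#!/bin/sh
# Added example: prints a VPN kill-switch ruleset in iptables-restore format.
# Nothing is applied to the running firewall.

# killswitch_rules VPN_IP VPN_PORT VPN_PROTO TUN_DEV LAN_DEV [DNS_IP]
killswitch_rules() {
    vpn_ip=$1; vpn_port=$2; vpn_proto=$3; tun_dev=$4; lan_dev=$5; dns_ip=$6
    # Literal IPv4 addresses only: a hostname in a rule is resolved when the
    # rule is loaded, which is itself a DNS query sent outside the tunnel.
    case "$vpn_ip" in ''|*[!0-9.]*) echo "VPN_IP must be a literal IPv4 address" >&2; return 1 ;; esac
    case "$dns_ip" in *[!0-9.]*) echo "DNS_IP must be a literal IPv4 address" >&2; return 1 ;; esac
    case "$vpn_proto" in udp|tcp) ;; *) echo "VPN_PROTO must be udp or tcp" >&2; return 1 ;; esac
    # Step 1 is the default DROP policy; step 3 is the single LAN_DEV exception.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $lan_dev -d $vpn_ip -p $vpn_proto --dport $vpn_port -j ACCEPT
EOF
    # Step 2 (optional): one resolver, needed only if the VPN client connects
    # by hostname. Queries to it travel outside the tunnel.
    [ -n "$dns_ip" ] &&
        printf '%s\n' "-A OUTPUT -o $lan_dev -d $dns_ip -p udp --dport 53 -j ACCEPT"
    # Step 4: everything else may leave only through the tunnel device.
    printf '%s\n' "-A OUTPUT -o $tun_dev -j ACCEPT" COMMIT
}

# IPv6: drop everything except loopback, so no IPv6 packet can bypass the
# tunnel (same effect as disabling IPv6, without changing OS settings).
killswitch_rules_v6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' COMMIT
}

# Constructed sample values (documentation address ranges, not real servers).
killswitch_rules 203.0.113.10 1194 udp tun0 eth0 198.51.100.53
killswitch_rules_v6
```

After substituting your provider's server address, port and protocol, review the output and load the first ruleset with iptables-restore and the second with ip6tables-restore as root.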
If you are using a VPN service that offers “DNS Leak Protection” and “Internet Kill Switch,” you don’t have to worry about such problems. See our article on the 5 best VPN services, which are trustworthy and offer these features. However, for Windows 10 users it is crucial to disable the Smart Multi-Homed Name Resolution feature.
If your VPN service does not offer these features, you can download the OpenVPN app for Android and set it up for DNS protection and as an Internet Kill Switch.
It is recommended to periodically check the ipleak, doileak, and test-ipv6 websites mentioned above to stay up to date on your leak status.
Peter Kendrick is a writer with emphasis on security and other interests. Contributing Author at Most Secure VPN. He is passionate about latest security issues, technology, traveling and blogging. You can reach Peter Kendrick on Twitter @peterkendrickk