How to Test a VPN Tunnel for IP, DNS and Browser Leaks

Nick Congleton Informative Internet Guides

VPN leaks are bad news. Not only can they easily go unnoticed, but they also undermine the entire purpose of using a VPN tunnel. You want to be sure your VPN connection is not leaking your private information.

Thankfully, LiquidVPN provides a hardened client and well-tested VPN configurations. So, when you connect to LiquidVPN’s servers, your information is going where you want it to be.

Of course, that claim doesn’t mean much if you cannot test it out yourself. So, this guide will walk you through the steps that you can take to verify that your VPN connection is secure. Testing it yourself is the only way to be certain none of your information ends up in the wrong hands.

VPN Client Setup and First Connection

First off, if you’re running a different VPN client, then you can skip this section. Otherwise, if you haven’t set up your LiquidVPN client, we need to do that. Whether you are on Windows, Mac, or Linux, the process isn’t complicated, and you will be running in no time.

Windows VPN Setup

 

We have an easy to use client available for Windows. You just need to head over to our download page and get it. Be sure that you’re downloading the latest version.

When the download finishes, it’s always best to verify the checksum of your download. Open up the command prompt and navigate to the folder where your downloads are. Then, type in the following command to get the MD5 hash.

certutil -hashfile liquidvpn_1_30_build1.exe MD5

Compare the result of the hash to the download page.

Now that you’ve compared the checksums, you can run the installer. Everything is relatively straightforward. Follow the instructions, and you’ll have a working install of the LiquidVPN client.

MacOS VPN Setup

 

You can download the LiquidVPN graphical client from our download page. Check that you’re downloading the latest version.

Before you install it, verify the MD5 checksum of your installer. It’s relatively straightforward even if you haven’t done it before. Open up a terminal window. Then, change directory to your download folder, and use OpenSSL to verify.

$ cd ~/Downloads
$ openssl md5 LiquidVPN_1.30.dmg

 

Compare the result with the hash on the download page.

Mount the .dmg, and drag the resulting icon into your Applications folder to install.

Linux VPN Setup

We don’t currently have a graphical client for Linux. That’s all right, though, because LiquidVPN fully supports OpenVPN. You can connect to any of our servers from a regular OpenVPN client.

Start by installing OpenVPN on your distribution. Almost every distribution has it available in its repositories.

Now, you can generate a configuration file through your LiquidVPN account dashboard. This guide from our Knowledgebase will walk you through it.

After you have your configuration, rename it to openvpn.conf and place it in /etc/openvpn/. Create a text file in the same directory called auth.txt. Put your username on the first line and your password on the second line of that file. Then, open up your configuration file and find the line that reads:

auth-user-pass

Change that line to read:

auth-user-pass auth.txt

You can now restart or start OpenVPN. On most distributions, you would use the following command.

systemctl start openvpn

Once OpenVPN starts up, your computer will connect to LiquidVPN.

Connect to your VPN on Windows & MacOS

 

 

 

When you first run the LiquidVPN client, you’ll be presented with the default settings. You might want to change some things before you connect. If you click the map marker arrow at the top next to the server location, you can log into any of the available servers. The client lists the current ping of each server, so you know what the latency to your selected location will be.

 

 

After you select a location, take a look at the big button in the middle of the client. Click on it to enable Liquid Lock for even more protection.

 

 

When you have everything set up the way you want it, click the button at the top to connect.

VPN Leak Testing With Wireshark

We test every VPN connection in this guide twice. There are online tests and local tests.

On the local side of things, there’s Wireshark. You’ll be using it to monitor the traffic on your network and see where it’s coming from and where it’s going to.

Wireshark is a powerful program that professionals use to analyze network traffic. You can use it the same way to see where your network routes your VPN traffic.

Wireshark collects data in real time and logs it. So, you can run Wireshark alongside the other tests and compare.

Install Wireshark

Wireshark is an open source program that’s available on every major operating system. You can download and install it freely on whichever platform you’re using.

Download and Install Wireshark on Windows

Windows users can head over to Wireshark’s download page. Pick up the right installer for your version of Windows.

After your download finishes, verify the checksum before installing Wireshark. You can do this the same way that you did with the LiquidVPN client. The hashes from Wireshark are available here.

The installer is simple, and the defaults are all good. Feel free to spam “Next.” When you reach the section that asks about USBPcap, click the checkbox to install it if you’re using a USB network adapter.

Download and Install Wireshark on MacOS

The Mac version of Wireshark is also available from Wireshark’s download page. Download it. Alternatively, Wireshark is available through Homebrew, if you have that installed.

You should probably verify your download before installing. Follow the same procedure as before, using the hashes here for comparison.

The Wireshark installer is a .dmg, so mount it and drag it into your Applications.

Download and Install Wireshark on Linux

Wireshark is probably available from your distribution’s repositories. It is a popular tool. Use your package manager to install Wireshark.

Start Collecting Traffic From your Network and the VPN Tunnel

Open up Wireshark. Don’t be intimidated; it’s a powerful program with a lot of features and capabilities. For this, you’ll barely need to scratch the surface. You only need to monitor and record the traffic coming from your computer.

In the top menu, click on Capture. Then find Options. A window will open up that lists all your computer’s network interfaces. There may be a lot of them. You need to locate and select the interface that you’re using to connect to your network. Then choose the tun interface. Windows users will see it listed as a TAP adapter. If you don’t see a TAP adapter, click on each interface until you find one connected to an IP that is not on your local network. That’s the one you’re connected to LiquidVPN with. Depending on your operating system, you may see checkboxes next to the interfaces. If you do, check them to select. Otherwise, use “Ctrl + Click.” It’s important that “Promiscuous Mode” is unchecked.

Once you have everything in order, click the Start button at the bottom of the window. Wireshark will begin collecting all the traffic through the interfaces that you selected.

Look for Traffic Leaking from the VPN Tunnel

The second that you click “Start,” Wireshark will begin collecting all your traffic. There’s going to be a lot of junk there. Don’t worry. Pay attention to the IP addresses and the protocols.

You’re looking for traffic from your actual LAN IP address and your LiquidVPN IP. The protocols that you need to pay attention to are TCP, DNS, HTTP, and SSL. You probably won’t see them all. Ignore MDNS if you see it; it’s local multicast DNS traffic searching for local network devices.

Browse to a website. You’ll see the new traffic appear. It all should be between your LiquidVPN IP and the IP address of the site. You’ll also see some traffic between your network and the IP of your VPN server on a different protocol. That’s all right too. You don’t want to see traffic from your local network IP to any external IPs. That means that there is a leak. Windows 10 users may see Windows telemetry traffic being sent to Microsoft outside of the VPN tunnel. Unfortunately, blocking that traffic with a software firewall is impossible. You need to block it at the perimeter of your network.

Now, there’s a way to filter out all the noise. You should be aware that it’s there first, but for continued monitoring, get it out of the way.

Look at the toolbar area. At the bottom is a field labeled, “Filter.” You can use that to limit what protocols Wireshark displays. Add the line below to that field.

tcp || http || ssl || dns

 

Keep browsing around, and see the flow of traffic. Keep looking out for where the traffic is coming from and going to. You should only ever see external contact being made from the LiquidVPN network.

Leave Wireshark running, and check it after every test for added verification as you go.
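The check described above can also be run over an exported packet list. The following is an added example, not part of the original guide or the LiquidVPN client; all addresses and the sample rows are constructed assumptions, and it also labels DNS queries that leave outside the tunnel.

```python
import ipaddress

# Assumed addresses for this example; replace them with your own values.
LAN_IP = "192.168.1.23"                           # physical interface address
LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # local subnet
TUNNEL_IP = "10.8.0.6"                            # tun/TAP interface address
VPN_SERVER_IP = "198.51.100.20"                   # VPN server's public address

# Constructed sample rows: source, destination, protocol (tab-separated), the
# layout of: tshark -T fields -e ip.src -e ip.dst -e _ws.col.Protocol
SAMPLE = """\
192.168.1.23\t198.51.100.20\tOpenVPN
10.8.0.6\t203.0.113.80\tTCP
192.168.1.23\t224.0.0.251\tMDNS
192.168.1.23\t203.0.113.53\tDNS
192.168.1.23\t203.0.113.80\tHTTP
203.0.113.80\t10.8.0.6\tTCP
"""

def classify(src, dst, proto):
    """Label one packet the way the guide reads the Wireshark packet list."""
    if src == TUNNEL_IP:
        return "tunneled"            # sent from the VPN address: expected
    if src != LAN_IP:
        return "inbound-or-other"    # not sent from this machine's LAN address
    if dst == VPN_SERVER_IP:
        return "vpn-carrier"         # encrypted tunnel packets to the VPN server
    ip = ipaddress.ip_address(dst)
    if ip in LAN_NET or ip.is_multicast:
        return "local"               # LAN or multicast traffic such as MDNS
    # LAN address talking directly to an external host: traffic outside the tunnel
    return "dns-leak" if proto.upper() == "DNS" else "leak"

def find_leaks(rows):
    """Return (label, src, dst, proto) for every row that bypasses the tunnel."""
    leaks = []
    for line in rows.strip().splitlines():
        src, dst, proto = line.split("\t")
        label = classify(src, dst, proto)
        if label.endswith("leak"):
            leaks.append((label, src, dst, proto))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE):
        print(*leak)
```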

DNS Leak Testing

The most common type of leak that you may encounter is a DNS leak. When you connect to a website, your browser first contacts a Domain Name System (DNS) server. These servers match domain names with their actual IP addresses.

Usually, the DNS server that you’ll connect to belongs to your ISP. When you’re using a VPN, though, that’s the last thing you want. Connecting to your ISP’s DNS exposes who you are and what sites you’re looking for. Instead, you need to make sure that you use a different DNS server through your VPN connection.

DNSLeakTest

DNSLeakTest is a good place to start testing for leaks. When you first arrive, it displays your public IP and approximate location. Below, you’ll find two buttons that both check for leaks. Obviously, if you’re seeing your actual location, you have a bigger problem. If not, click on the extended test.

DNSLeakTest will test your connection to see which DNS servers you are using. It performs multiple queries to discover every DNS server your machine is using. When it finishes, it will display its findings. You should only see your LiquidVPN DNS.

CryptoIP

CryptoIP is a site that we at LiquidVPN run. It provides another option for DNS leak testing.

Head over to the site. The first page has information about your connection including your location. It will also tell you who your ISP is. Again, if you see your real ISP and not information from your LiquidVPN connection, your traffic is not using the VPN tunnel.

If everything looks right, click on the “DNS Leak Testing” tab at the top. On the page that opens up, click “Advanced Test.”

The test will try to determine all the DNS servers that you’re connected to and display them. Like before, you should only see the server from your VPN connection and you will have two green alerts for confirmation.

DoILeak

DoILeak is a more feature-rich test, but it’s still pretty straightforward. Just open the site in your browser and click the button to start the test.

The test should only take a couple of seconds to run. When it’s finished, it’ll present you with a load of information about your connection and your browser.

The first thing that you’ll see is your public IP address and your ISP. This should reflect your VPN connection.

The rest of the report that DoILeak generates is a complete profile of your system and your browser. It grants you an invaluable glimpse into the information that people on the web can see about you.

Your operating system and browser are among the top items listed. DoILeak can detect your actual operating system, even if you’re using an agent spoofer. It will also attempt to identify whether your computer’s timezone is in the same zone as your IP’s location.

The next section shows information about your IPv4 and IPv6 DNS connections. Our IPv6 rollout is happening as I write this but it will not go live until August 1st. If you are doing this test before August 1, 2017, then you should not have an IPv6 connection.

The rest of the information relates to tests covered later in the guide in more depth. These are methods of gaining identifying information from the browser itself. Look out for the WebRTC, Flash, and WebGL sections. They are the most dangerous. DoILeak should not have been able to access any of them.

BrowserLeaks

BrowserLeaks is a lot more than just DNS leaks. So, expect to come back here, but for right now, you’ll just be testing for DNS leakage.

When you first arrive at the site, you’ll notice a side menu bar with a series of icons. Click on the icon that looks like the letter, “i.” It’s the “IP Address” test, but it also provides a lot more information about your connection.

BrowserLeaks displays everything in an easy to read table. That table contains your public IP, ISP, location, and even your local time.

Below that, BrowserLeaks automatically tests for Flash and WebRTC leaks too. Take note of that.

Finally, BrowserLeaks will show you a list of DNS servers. Once again, check that it’s only showing LiquidVPN DNS.

There’s a lot of other information there too. Feel free to have a look around and see what other information sites can gather about you from your browser.

 

Browser Fingerprinting and Browser Leaking

There are less obvious and more insidious ways that you can be tracked online. Your browser can betray you even if your VPN works correctly.

As developers add more features to web browsers, their potential to be abused by attackers increases. You need to make sure that the same technology that lets you play games in your browser and view animated content isn’t selling out your privacy.

If you’re using a default version of your browser with no privacy add-ons, you will fail these tests, big time. Check out our privacy guide for more information on how to configure your browser.

WebRTC Leak Testing

The aim of WebRTC is to provide real-time communication capabilities to web browsers. It provides a set of APIs and communication protocols. Browsers can implement these to transfer resources and information in real time.

While that all sounds nice, it’s not. WebRTC gives access to your private hardware and software information. That information is available to any server that requests it. WebRTC exposes your real public IP and your local network IP to malicious URLs. WebRTC can also reveal connected cameras and microphones to an attacker.
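The addresses WebRTC exposes travel in ICE candidate lines. The following is an added example, not part of the original guide or of any test site's code, that sorts such lines into masked, VPN and exposed addresses; the VPN address and the candidate lines are constructed assumptions.

```python
import ipaddress

VPN_PUBLIC_IP = "198.51.100.20"  # assumed: the public IP your VPN connection shows

# Constructed ICE candidate lines in the standard SDP candidate layout:
# foundation component transport priority address port "typ" type ...
SAMPLE = [
    "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
    "candidate:2 1 udp 2122194687 3f1c9a2e-7b44-4c1d-9a55-0e6d2f8b1c77.local 51235 typ host",
    "candidate:3 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.23 rport 51234",
    "candidate:4 1 udp 1686052607 198.51.100.20 40000 typ srflx raddr 0.0.0.0 rport 0",
]

def parse_candidate(line):
    """Return (address, candidate_type) from one ICE candidate line."""
    fields = line.split(":", 1)[1].split()
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError("not an ICE candidate: " + line)
    return fields[4], fields[7]

def assess(line):
    """Say what a single candidate reveals about the machine behind the VPN."""
    addr, ctype = parse_candidate(line)
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return "masked"              # an mDNS name (*.local) hides the address
    if ctype == "host":
        return "local-ip-exposed"    # address of a local network interface
    if ctype in ("srflx", "prflx"):
        # reflexive candidates carry the public address seen from outside
        return "vpn" if addr == VPN_PUBLIC_IP else "public-ip-exposed"
    return "relay"                   # address of a relay server, not this machine

def exposed(lines):
    """Return (verdict, address) for every candidate that gives an address away."""
    results = []
    for line in lines:
        verdict = assess(line)
        if verdict.endswith("exposed"):
            results.append((verdict, parse_candidate(line)[0]))
    return results

if __name__ == "__main__":
    for verdict, addr in exposed(SAMPLE):
        print(verdict, addr)
```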

diafygi.github.io

This first WebRTC test just displays any IP addresses it was able to obtain via WebRTC. diafygi.github.io is an open source site with the code available through Github. If you can go to the site and not see anything listed for each IP address, WebRTC is not leaking.

BrowserLeaks WebRTC

BrowserLeaks WebRTC is the WebRTC test available from BrowserLeaks. It automatically scans for information exposed by your browser and shows you a page with the results.

This test checks for more than leaked IP addresses; it scans for connected webcams and microphones too.

Browser Geolocation Testing

Obviously, you don’t want your browser giving away your location. Whether you disable geolocation entirely or ask for a prompt is up to you.

BrowserLeaks Geolocation

You can test out your browser’s response to geolocation requests with BrowserLeaks Geolocation. If you configured your browser to prompt you, it will. Otherwise, you’ll just get the results. Be sure to reject the request if you get it.

WebGL Leak Testing

WebGL is a JavaScript library for 3D graphics. It directly uses your GPU for rendering. Because of that, it has access to information about your GPU. That includes uniquely identifiable characteristics. So, your online activity can be directly attributed to you through your GPU.

BrowserLeaks WebGL

Once again, BrowserLeaks is the source of the test. Go to BrowserLeaks WebGL. It will automatically try to detect support. You should see that both WebGL and WebGL 2 are disabled.

HTML5 Canvas Fingerprinting

Here’s yet another rendering technology sites can use for tracking. Browsers use HTML5’s canvas in conjunction with JavaScript for 2D rendering and animations.

Each browser and computer configuration renders content in an HTML canvas slightly differently. Fonts, library versions, and operating systems all contribute to how your browser displays content. It’s possible for websites to record and track your configuration fingerprint.

BrowserLeaks Canvas

Head over to BrowserLeaks Canvas. It will automatically attempt to assess your browser’s support for HTML5 canvas. If it can, you will see your browser’s signature as well as a rating of its uniqueness. You can see how many unique entries are in the BrowserLeaks database.

Panopticlick

Panopticlick is a tool created by the Electronic Frontier Foundation (EFF) to test web browsers for fingerprinting.

When you arrive at the site, click on the orange button labeled, “Test Me.” Panopticlick runs through several tests to see what information it can gather from your browser. It will also see what it can make your browser do.

After it’s done, it will present you with the results. Most of it is pretty self-explanatory. Look out for the uniqueness rating, though. Ideally, your browser should be unique among the smallest number of browsers possible. That means that there are a lot of browsers identical to yours, and you are much harder to identify and track.

It’s nearly impossible for your browser not to turn up mostly unique through Panopticlick without disabling JavaScript altogether.

Final Thoughts

It’s incredibly important to ensure that your VPN connection is set up correctly. It should not be leaking any personal information. It’s equally important that your browser isn’t selling you out either.

Running through these tests once doesn’t mean that you’re permanently protected. Re-run these tests somewhat regularly. At the same time, keep an eye out for new browser technologies and changes. They could potentially be a new threat.

If you can pass all of these VPN leak tests, great! You can browse the web with confidence knowing that your VPN and browser are protecting you.