I have been reading up on VPNs but have not found a definitive answer for this newbie question: Can website owners, lets use Wilderssecurity as an example, find out my originating IP address or other specific information about my name and location if I use a VPN service?
It's possible. Different factors which could leak a person's local IP. Like plugins such as Flash being used. HTML5 WebRTC, 2013 Article: https://hacking.ventures/local-ip-discovery-with-html5-webrtc-security-and-privacy-risk/. Perhaps research about TorBrowser, might give some more information on the subject.
Lot of information already provided by the wilders community on the subject. Example: https://www.wilderssecurity.com/thre...pts-cookies-reveal-real-ip-behind-vpn.173300/
If they're clever enough, they can. As Phant0m notes, properly crafted Flash content can force connections that bypass the VPN connection and leak the ISP-assigned IP. Java webapps can also do that. The solution is to firewall non-VPN traffic and DNS lookups. Also, downloaded content may contain embedded hotlinks to remote content. And so when opened later, when the VPN isn't connected, it may "phone home". The website could even drop malware that does that automatically. The solution is to work in machines or VMs that never see the Internet except through the VPN.
The sad state of affairs is, for a newbie - yes, "they" can get your IP address. Flash is a disaster in so many ways, but unfortunately, modern browsers have also morphed into something quite complex and way beyond their original brief (which can compromise both security and privacy). If you want to achieve this, then a VPN will be part of the mix, but so will privacy-oriented operating systems (running from LiveCD or a Virtual Machine).
Since you mentioned location: client-side geolocation features would also be a threat. For example, geolocation allowed while browsing on a device that has a WiFi adapter and is within range of access points that are in the geolocation provider's database. Even vanilla Javascript can make use of the feature. Test site: http://www.w3schools.com/html/tryit.asp?filename=tryhtml5_geolocation To disable geolocation in Mozilla based browsers: in about:config set geo.enabled to false, then test to confirm
Running a VPN tunnel in a router is safer because the IP in the client computer comes from the router and the ISP IP will simply not exist in the client computer. The whole ISP connection goes through the router tunnel and all the client computers see is the VPN IP.
Thanks for all the great replies so far, that really took the air out of so-called anonymity on the web. However, if I disable/block Flash and Javascript for selected sites (if it all possible) or globally which would at least disable WebRTC would I still some level of anonymity? Setting up an VPN tunnel in the router is beyond my current capabilities...
You don't need to have a VPN running in a router. You just need to prevent leaks that bypass the VPN tunnel, and avoid using your ISP's DNS server(s). The simplest approach would be to install VirtualBox, and to run a Linux VM without Network Manager (which complicates preventing leaks). I like Ubuntu 14.04 Server, with no desktop included. Once you've created the VM, and updated packages and done dist-upgrade, you just install a minimal Lubuntu desktop: Code: $ sudo apt-get install lubuntu-core --no-install-recommends https://duraturk.wordpress.com/2014/05/12/ubuntu-server-with-gui/ Then install openvpn. Code: $ sudo apt-get install openvpn Now download configuration files for Linux from your VPN service, and setup following their instructions for using the terminal (not Network Manager). Once the VPN is connecting, get adrelanos' VPN-Firewall from https://github.com/adrelanos/VPN-Firewall and configure the usr/bin/vpnfirewall script for your VPN (that is, allow outgoing connections to the VPN server). Once the VPN is connecting, with VPN-Firewall loaded, install iptables-persistent. Code: $ sudo apt-get install iptables-persistent That will save your current iptables and ip6tables rulesets in /etc/iptables. The IPv4 ruleset will be based on VPN-Firewall. To make sure that all IPv6 is blocked, open /etc/iptables/rules.v6, edit as needed, and load. Code: $ sudo nano /etc/iptables/rules.v6 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] COMMIT $ sudo iptables-restore < /etc/iptables/rules.v6 That should do it.
WebRTC is a browser specific threat. It can be prevented by specific remedies for Firefox and Chrome. There are problems with the Chrome fix and no way to completely disable it so, if you want anonymity, Chrome is complete no go. That should be obvious even without WebRTC just due to where Chrome comes from. Setting up a VPNed router is really not that difficult and some VPN providers sell preconfigured routers for their service. Even without one, most of the VPN client software I've tested has not leaked and simply by using a bit of segregation and setting up a separate machine or virtual machine for VM use, you can avoid most of the dangers. Obviously, you don't want Flash or Chrome on the system that uses the VPN and using Firefox with noscript and WebRTC disabled would be a good starting point. I also recommend testing the VPN tunnel before you use it. I do that with both the router tunnel and any client tunnels I have. I usually do a minimal test at the start of each session with dnsleaks.com and browserleaks.com. If it is a new client or service I'm trying, I will do a more extensive round of tests once and then the minimal tests at the start of each VPN session.
I think you might be better off starting from a privacy oriented Linux distribution as a liveCD where most of the settings will already have been done. Connecting to an openvpn service is straightforward, and you can do the checks suggested above. I don't know if you have a reluctance to use Tor.
I am a user of iVPN and have noticed that the new client they have recently employed utilizes firewall rules. @ Mirimir, you have written privacy guides for iVPN. I would be interested in hearing your opinion of their new client. Darkblade is a newb, it occures to me that iVPN might be a credible solution for a newb. Of course, I have spent probably a hundred hours back and forth with tech support so I have a high confidence and trust in iVPN.
I don't have a Windows instance to test it in So all I know is the announcement: https://www.ivpn.net/blog/
@mirimir, thank you for that detailed advice. I can probably do a dual install of Ubuntu in my Windows PC (maybe) or more likely I am due for another laptop and will use that. Meanwhile the temp fix for my occasional anon surfing is to use a VPN, Pale Moon with some extra privacy extensions and change the DNS to a public one. @deBoetie I am sure I tried the Tor Browser, I believe it also leaked WebRTC. Maybe I am mistaken, I'll check again to be sure. Thanks
TorBrowser has both geo.enabled (Geolocation) and media.peerconnection.enabled (WebRTC) disabled by default. I tried TorBrowser but noticed a very annoying system-wide 20-30 seconds freeze-up on certain websites. Using Mozilla Firefox and stripping it down and adding and customizing addons that TorBrowser uses, fortunately I don't have a shared experience.
