Can websites find my originating IP address if I use a VPN

Discussion in 'privacy technology' started by Darkblade, Mar 13, 2015.

  1. Darkblade

    Darkblade Registered Member

    Joined:
    Mar 13, 2015
    Posts:
    4
    I have been reading up on VPNs but have not found a definitive answer for this newbie question: Can website owners, let's use Wilderssecurity as an example, find out my originating IP address or other specific information about my name and location if I use a VPN service?
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  3. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    If they're clever enough, they can. As Phant0m notes, properly crafted Flash content can force connections that bypass the VPN connection and leak the ISP-assigned IP. Java webapps can also do that. The solution is to firewall non-VPN traffic and DNS lookups.

    Also, downloaded content may contain embedded hotlinks to remote content. And so when opened later, when the VPN isn't connected, it may "phone home". The website could even drop malware that does that automatically. The solution is to work in machines or VMs that never see the Internet except through the VPN.
     
  5. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The sad state of affairs is, for a newbie - yes, "they" can get your IP address.

    Flash is a disaster in so many ways, but unfortunately, modern browsers have also morphed into something quite complex and way beyond their original brief (which can compromise both security and privacy).

    If you want to achieve this, then a VPN will be part of the mix, but so will privacy-oriented operating systems (running from LiveCD or a Virtual Machine).
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,089
    Since you mentioned location: client-side geolocation features would also be a threat. For example, geolocation allowed while browsing on a device that has a WiFi adapter and is within range of access points that are in the geolocation provider's database. Even vanilla Javascript can make use of the feature. Test site:

    http://www.w3schools.com/html/tryit.asp?filename=tryhtml5_geolocation

    To disable geolocation in Mozilla based browsers: in about:config set geo.enabled to false, then test to confirm
     
    Last edited: Mar 14, 2015
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Running a VPN tunnel in a router is safer because the IP in the client computer comes from the router and the ISP IP will simply not exist in the client computer. The whole ISP connection goes through the router tunnel and all the client computers see is the VPN IP.
     
  8. Darkblade

    Darkblade Registered Member

    Joined:
    Mar 13, 2015
    Posts:
    4
    Thanks for all the great replies so far, that really took the air out of so-called anonymity on the web. However, if I disable/block Flash and Javascript for selected sites (if at all possible) or globally, which would at least disable WebRTC, would I still have some level of anonymity? Setting up a VPN tunnel in the router is beyond my current capabilities...
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    You don't need to have a VPN running in a router. You just need to prevent leaks that bypass the VPN tunnel, and avoid using your ISP's DNS server(s). The simplest approach would be to install VirtualBox, and to run a Linux VM without Network Manager (which complicates preventing leaks). I like Ubuntu 14.04 Server, with no desktop included. Once you've created the VM, and updated packages and done dist-upgrade, you just install a minimal Lubuntu desktop:
    Code:
    $ sudo apt-get install lubuntu-core --no-install-recommends
    https://duraturk.wordpress.com/2014/05/12/ubuntu-server-with-gui/

    Then install openvpn.
    Code:
    $ sudo apt-get install openvpn
    Now download configuration files for Linux from your VPN service, and set up following their instructions for using the terminal (not Network Manager). Once the VPN is connecting, get adrelanos' VPN-Firewall from https://github.com/adrelanos/VPN-Firewall and configure the usr/bin/vpnfirewall script for your VPN (that is, allow outgoing connections to the VPN server). Once the VPN is connecting, with VPN-Firewall loaded, install iptables-persistent.
    Code:
    $ sudo apt-get install iptables-persistent
    That will save your current iptables and ip6tables rulesets in /etc/iptables. The IPv4 ruleset will be based on VPN-Firewall. To make sure that all IPv6 is blocked, open /etc/iptables/rules.v6, edit as needed, and load.
    Code:
    $ sudo nano /etc/iptables/rules.v6
         *filter
         :INPUT DROP [0:0]
         :FORWARD DROP [0:0]
         :OUTPUT DROP [0:0]
         COMMIT
    $ sudo ip6tables-restore < /etc/iptables/rules.v6
    That should do it.
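
A check for the IPv6 block described in the post above, as an added example that is not part of the original thread: it audits a ruleset in `ip6tables-save` format and reports any chain policy or rule that would let IPv6 traffic pass. The function and sample names are hypothetical, and both sample rulesets are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): audit an ip6tables-save style ruleset.
# Exit 0 = filter table drops everything, 1 = something can pass, 2 = no filter table.
check_v6_lockdown() {
    awk '
        /^\*/     { table = substr($0, 2); if (table == "filter") seen = 1; next }
        /^COMMIT/ { table = ""; next }
        table != "filter" { next }
        # Policy lines look like ":OUTPUT DROP [0:0]"
        /^:(INPUT|FORWARD|OUTPUT) / { policy[substr($1, 2)] = $2; next }
        # Any rule that jumps to ACCEPT opens a path around the block
        /^-A / {
            for (i = 1; i < NF; i++)
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "ACCEPT") {
                    printf "LEAK: accept rule: %s\n", $0; bad = 1
                }
        }
        END {
            if (!seen) { print "ERROR: no *filter table found"; exit 2 }
            n = split("INPUT FORWARD OUTPUT", want, " ")
            for (k = 1; k <= n; k++) {
                p = (want[k] in policy) ? policy[want[k]] : "unset"
                if (p != "DROP") { printf "LEAK: %s policy is %s\n", want[k], p; bad = 1 }
            }
            exit (bad ? 1 : 0)
        }
    ' "${1:--}"   # file argument, or stdin when none is given
}

# Constructed sample: the rules.v6 contents shown in the post.
locked_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' 'COMMIT'
}

# Constructed sample: a ruleset left open on OUTPUT with one ACCEPT rule.
leaky_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -p ipv6-icmp -j ACCEPT' 'COMMIT'
}

locked_rules | check_v6_lockdown && echo "locked: all IPv6 dropped"
leaky_rules | check_v6_lockdown || echo "leaky: IPv6 traffic can pass"
```

On a live system, pipe the output of `sudo ip6tables-save` into `check_v6_lockdown`, or pass it the path /etc/iptables/rules.v6.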
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    WebRTC is a browser specific threat. It can be prevented by specific remedies for Firefox and Chrome. There are problems with the Chrome fix and no way to completely disable it so, if you want anonymity, Chrome is a complete no-go. That should be obvious even without WebRTC just due to where Chrome comes from.

    Setting up a VPNed router is really not that difficult and some VPN providers sell preconfigured routers for their service. Even without one, most of the VPN client software I've tested has not leaked and simply by using a bit of segregation and setting up a separate machine or virtual machine for VM use, you can avoid most of the dangers. Obviously, you don't want Flash or Chrome on the system that uses the VPN and using Firefox with noscript and WebRTC disabled would be a good starting point.

    I also recommend testing the VPN tunnel before you use it. I do that with both the router tunnel and any client tunnels I have. I usually do a minimal test at the start of each session with dnsleaks.com and browserleaks.com. If it is a new client or service I'm trying, I will do a more extensive round of tests once and then the minimal tests at the start of each VPN session.
     
    Last edited: Mar 15, 2015
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I think you might be better off starting from a privacy oriented Linux distribution as a liveCD where most of the settings will already have been done. Connecting to an openvpn service is straightforward, and you can do the checks suggested above. I don't know if you have a reluctance to use Tor.
     
  12. RollingThunder

    RollingThunder Registered Member

    Joined:
    Nov 21, 2013
    Posts:
    187
    Location:
    https://www.eff.org/issues/anonymity
    I am a user of iVPN and have noticed that the new client they have recently employed utilizes firewall rules. @ Mirimir, you have written privacy guides for iVPN. I would be interested in hearing your opinion of their new client. Darkblade is a newb, it occurs to me that iVPN might be a credible solution for a newb. Of course, I have spent probably a hundred hours back and forth with tech support so I have a high confidence and trust in iVPN.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't have a Windows instance to test it in :oops: So all I know is the announcement: https://www.ivpn.net/blog/
     
  14. Darkblade

    Darkblade Registered Member

    Joined:
    Mar 13, 2015
    Posts:
    4
    @mirimir, thank you for that detailed advice. I can probably do a dual install of Ubuntu in my Windows PC (maybe) or more likely I am due for another laptop and will use that. Meanwhile the temp fix for my occasional anon surfing is to use a VPN, Pale Moon with some extra privacy extensions and change the DNS to a public one.

    @deBoetie I am sure I tried the Tor Browser, I believe it also leaked WebRTC. Maybe I am mistaken, I'll check again to be sure. Thanks
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    TorBrowser has both geo.enabled (Geolocation) and media.peerconnection.enabled (WebRTC) disabled by default.


    I tried TorBrowser but noticed a very annoying system-wide 20-30 seconds freeze-up on certain websites. Using Mozilla Firefox and stripping it down and adding and customizing addons that TorBrowser uses, fortunately I don't have a shared experience. :rolleyes:
     