Detecting VPN leaks

Discussion in 'privacy technology' started by mirimir, Feb 5, 2016.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    So I'm working on a guide about detecting VPN leaks.

    I'm planning to discuss these leak testing sites:
    https://ip-info.org/
    https://www.iplocation.net/
    https://www.browserleaks.com/
    http://ip-check.info/?lang=en
    https://panopticlick.eff.org/
    https://www.grc.com/dns/ (DNS leaks)

    What others should I mention?

    I really liked the old Metasploit leak test. So does the FBI, it seems :eek: But I don't find anything quite like it. Or even the source, that I could host. https://www.browserleaks.com/ does come close, however.

    Also, I plan to test a VPN service that leaks, as a positive control. Can anyone recommend one? You can PM me, if you prefer.
     
  2. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    That's a nice little list. I've been using browserleaks.com nightly to test different vpn/smartdns client and router configurations to see how they deal with geolocation. Iplocation.net and grc.com are nice additions. I get a real interesting result from the grc.com spoofability test when I run it through a VPN tunnel with integrated smartdns. I got a long list of dns servers with varied locations, pretty much what I would expect after seeing different locations or none at all in geolocation tests.

    As far as leaky VPNs, two of the usual suspects are having giveaways right now, Zenmate and OkayFreedom.

    http://www.windowsdeal.com/w/zenmate-vpn-premium-discount-coupon-code/

    http://www.mostiwant.com/okayfreedom-vpn-free-premium-code/

    I haven't taken either this year. I remember how leaky Zenmate was as a browser plugin so I don't have confidence in it as a full-fledged VPN. OkayFreedom had pretty bad client software last year that didn't play well with other VPN clients so it would be a good candidate. There were some posts about some clever users reverse engineering .ovpn files that worked with it a while back.
     
  3. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Great list! I'm having trouble spoofing my user agent with FF 44. I have tried a number of add-ons but my true user agent leaks through in some way or another. Is there a solution in "about:config"?
     
  4. Impet

    Impet Registered Member

    Joined:
    May 5, 2013
    Posts:
    898
    Very nice, thank you. I read that OkayFreedom has DNS leaks as well, am I safe when I use Google DNS? :doubt:
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Basically, the GRC test keeps doing lookups until it's not seeing responses from any new DNS servers. So right, if you're using a randomizing DNS proxy, you'll see many servers. How many, by the way? And how many test blocks did it run? Maybe you're hitting GRC's limit ;)
    Thanks :)
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Sorry, I don't know much about user agent spoofing. I just compartmentalize, and use multiple Whonix instances for more sensitive stuff.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    It's not unusual for inexpensive VPN services to use Google DNS. It's very fast, and not censored. But then, it is Google :eek: I generally switch to one of the European servers on https://www.wikileaks.org/wiki/Alternative_DNS
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    In a brief rerun, 36 total servers with smart dns VPN location Minneapolis, 18 with a VPN without smart dns in the first run with one vpn server that used OpenDNS. I switched to another from the same provider that used Google DNS and only got 3. I did a second test with a different smartDNS VPN location, New York, and got a total of 92 servers. The New York location gives me interesting geolocation results as well with different tests. Google will give me the home page for the United Arab Emirates while DNSleaktest.com gives me New York as a location with DNS servers in New York and New Jersey. The browserleaks.com geolocation test that uses the Google Maps API gives Dubai as my location. Needless to say, I am not physically in any of these places.

    With a VPN using smart DNS, the dns servers are all over the place in Europe and the US, without it they are in 1 or 2 locations in the US. I had 7 test rounds without smart DNS and 8 with smart dns in the first run and 3 without smart DNS and 7 with in the second run.

    I had one deep leak that GRC found with the server using OpenDNS and none with the other server from the same provider using Google DNS so it looks like not all servers and locations are equal even from the same VPN provider.

    I should mention that the smartdns/vpn provider I'm using provides both VPN servers with integrated smartdns and smartdns DNS servers that can be configured without a VPN or on top of one. I am testing different combinations of these right now but I generally get the best results with the integrated smartdns. Layering smart DNS over a vpn tunnel hasn't given me the same results but I have a list of DNS servers and I've only tested the first two so far.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    @MisterB -- Very interesting! I typically just use some decent DNS server, and make sure that it's getting hit through the VPN tunnel. In nested VPN chains, only the DNS server(s) for the innermost tunnel get(s) used by my workstation VM. The ones for the other tunnels are just there for the pfSense VMs to resolve timeservers etc, and for upgrading packages on VMs that I use for managing the pfSense VMs. I ought to check out smartdns.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Another good DNS leak test is https://dnsleaktest.com/

    It seems to hit almost as hard as the GRC site does, and is much faster. It doesn't provide the analytic results that GRC does, but that's less relevant in this context.
     
  11. funkymonkeyboy

    funkymonkeyboy Registered Member

    Joined:
    Mar 29, 2005
    Posts:
    73
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    You can change the DNS servers that your router pushes. It's good to change them from the default for your ISP. Then, if you make mistakes with VPN setup, at least you won't be hitting an ISP-associated DNS server through the VPN.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I generally don't use OpenDNS. But they're OK, I think. As long as you're hitting a DNS server through a VPN, and it's not associated with your ISP, you're safe enough. And if you chain VPNs, you want to be using different DNS servers at each level in the chain. To avoid associations among levels.
    That's odd. Maybe you mistyped? Or maybe it's an error. Or scam.
    There are many private DNS servers. But finding one that accepts connections is not so easy. And then there's the trust issue. They might be pointing you at honeypots ;)

    Most of the high-end VPN services run their own DNS servers.
     
  14. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    I need to do a bit of research on "honey pots." Not familiar :eek: lol

    To be honest I don't even fully understand DNS and what can even be compromised by it!!
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I've changed the order of your post to simplify a reply :)
    In your browser etc, let's say that you type in "www.wilderssecurity.com". But that's not an IP address that Internet routers understand. So your computer queries a DNS server, learns that 104.236.97.180 is the IP address, and connects. You can visit http://104.236.97.180 instead of https://www.wilderssecurity.com if you like. But you can't visit https://104.236.97.180, because the Wilders certificate is only valid for the hostname www.wilderssecurity.com, and not for the IP address.

    Let's say that you're using a VPN service to access Wilders. And that you don't want your ISP, or anyone who might be watching your ISP connection, to know that you use Wilders. If you're using a DNS server that's operated by your ISP, or that shares logs with your ISP or other adversaries, they could use traffic analysis to determine that activity on your connection to the VPN server was associated with lookup requests for www.wilderssecurity.com that were coming from the VPN exit. That would tell them what VPN exit you were using, and what you were connecting to.
    OK, so you want to visit www.wilderssecurity.com. But say you're using an evil DNS server that translates that to the IP address of an evil server that's running a clone of Wilders. If you're just using HTTP, you might enter your username and password to login. Then the adversary could login to the real Wilders as you, and change your password. If you use HTTPS, that wouldn't work, unless the adversary had stolen Wilders' certificate. But if Wilders were using a commercial certificate, the adversary could instead have a stolen certificate that your browser trusts, and which OKs the fake Wilders certificate.
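    An added example (not code from the thread or from any of the test sites named in it) that turns the points in this post and in the earlier replies about DNS servers into a check: queries must leave through the tunnel interface, and even inside the tunnel the resolver must not be ISP-associated. It also models the GRC-style stop rule described above (keep running lookup blocks until a block shows no new resolver). The log format, interface name and address ranges are constructed assumptions.

```python
"""Hypothetical DNS-leak audit over a constructed query log (example, not from the thread)."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed capture, one DNS query per line: "<iface> <src> -> <resolver>:53 <qname>".
# Addresses come from documentation ranges except 8.8.8.8 (Google DNS, mentioned in the thread).
SAMPLE_LOG = """\
tun0 10.8.0.6 -> 203.0.113.53:53 www.wilderssecurity.com
eth0 192.168.1.10 -> 198.51.100.9:53 www.wilderssecurity.com
tun0 10.8.0.6 -> 198.51.100.9:53 mail.example.net
tun0 10.8.0.6 -> 8.8.8.8:53 time.example.net
"""

TUNNEL_IFACES = {"tun0"}  # assumption: the VPN tunnel interface name
ISP_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # constructed ISP resolver range

def parse(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (iface, src, resolver_ip, qname) per well-formed line; malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        iface, src, _arrow, dst, qname = parts
        rows.append((iface, src, dst.rsplit(":", 1)[0], qname))
    return rows

def verdict(iface: str, resolver: str) -> str:
    """'leak:bypass' = query left outside the tunnel (ISP sees it directly);
    'leak:isp' = ISP-associated resolver reached through the tunnel (correlation risk);
    'ok' otherwise."""
    if iface not in TUNNEL_IFACES:
        return "leak:bypass"
    addr = ipaddress.ip_address(resolver)
    if any(addr in net for net in ISP_RANGES):
        return "leak:isp"
    return "ok"

def audit(log: str) -> Dict[str, str]:
    """Map '<qname> via <resolver>' to its verdict for every query in the capture."""
    return {f"{q} via {r}": verdict(i, r) for i, _s, r, q in parse(log)}

def saturate(blocks: Iterable[Set[str]]) -> Tuple[Set[str], int]:
    """GRC-style stop rule: consume lookup blocks (each = resolver IPs observed answering
    that block) until a block adds no new resolver; return all resolvers seen and blocks run."""
    seen: Set[str] = set()
    run = 0
    for block in blocks:
        run += 1
        if block <= seen:
            break
        seen |= block
    return seen, run
```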
     
  16. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Oh I see. Thanks, that was helpful because I've actually been researching that area & similar types of vulnerabilities and the solutions to them, but hadn't thought about how DNS relates. My FF browser usually says my connection is not secure and that data is not encrypted etc when I click on the globe in the address bar. Even right now on this it says not secure? I do have HTTPS Everywhere but you know how it works so it only helps with some sites. Is this normal or is there a solution to securing all my connections no matter what site?
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Are you connecting to https://www.wilderssecurity.com ? If so, you should see a lock icon in the address bar. Have you created an exception for Wilders?
     
  18. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    ****, no. My address bar just says www.wilders..... and where the lock icon should be there is a grey globe that says the site doesn't supply identity info. If I click the globe it says the site is not secure. I just copied and pasted my URL and it pasted like this showing HTTP?? https://www.wilderssecurity.com/threads/detecting-vpn-leaks.383636/#post-2563638
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I don't use HTTPS Everywhere. But here's the description:
    The key bits may be "on sites that are known to support it". The HTTPS Everywhere Atlas entry for Wilders has an error warning:
    Code:
    <!-- Cert doesn't match !www. -->
    
        <rule from="^http://(?:www\.)?wilderssecurity\.com/" to="https://www.wilderssecurity.com/"/>
    https://www.eff.org/https-everywhere/atlas/domains/wilderssecurity.com.html

    Maybe that prevents HTTPS Everywhere from enforcing HTTPS for Wilders.
     
  20. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    @Brosephine @mirimir
    that's because wilderssecurity.com uses a self-signed security certificate. so your browser can't verify the issuer of the certificate and treats it as if it's an insecure connection.
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    That doesn't make sense to me. I'm using Firefox, and I see both https://www.wilderssecurity.com/ and the lock in the address bar. And without adding a certificate exception, Firefox won't even connect to https://www.wilderssecurity.com/.
     
  22. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    that's exactly my point in my previous post. what part of that doesn't make sense to you?
    ff won't connect to https://www.wilderssecurity.com unless you add an exception to its certificate db.
    do you mind if i ask you to share a screenshot where you can connect to wilders through ssl with the lock icon in the address bar?
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Sure:
    url.png
     
  24. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    758
    @mirimir
    thanks for the ss.
    it turns out that the lock icon appears only after you add an exception to ff's certificate db. otherwise it won't let you connect through ssl.
    so, like i thought, it appears @Brosephine tried to connect to wilders.com through ssl but didn't want to add an exception for it.
     
  25. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    @imdb Aren't you experiencing the same thing? So am I less secure right now than I should be? I'm looking into how to add an exception.
     