So I'm working on a guide about detecting VPN leaks. I'm planning to discuss these leak testing sites:

https://ip-info.org/
https://www.iplocation.net/
https://www.browserleaks.com/
http://ip-check.info/?lang=en
https://panopticlick.eff.org/
https://www.grc.com/dns/ (DNS leaks)

What others should I mention? I really liked the old Metasploit leak test. So does the FBI, it seems. But I don't find anything quite like it. Or even the source, that I could host. https://www.browserleaks.com/ does come close, however.

Also, I plan to test a VPN service that leaks, as a positive control. Can anyone recommend one? You can PM me, if you prefer.
That's a nice little list. I've been using browserleaks.com nightly to test different VPN/smartDNS client and router configurations to see how they deal with geolocation. Iplocation.net and grc.com are nice additions. I get a really interesting result from the grc.com spoofability test when I run it through a VPN tunnel with integrated smartDNS. I got a long list of DNS servers with varied locations, pretty much what I would expect after seeing different locations or none at all in geolocation tests.

As far as leaky VPNs, two of the usual suspects are having giveaways right now, Zenmate and OkayFreedom.
http://www.windowsdeal.com/w/zenmate-vpn-premium-discount-coupon-code/
http://www.mostiwant.com/okayfreedom-vpn-free-premium-code/
I haven't taken either this year. I remember how leaky Zenmate was as a browser plugin, so I don't have confidence in it as a full-fledged VPN. OkayFreedom had pretty bad client software last year that didn't play well with other VPN clients, so it would be a good candidate. There were some posts about some clever users reverse engineering .ovpn files that worked with it a while back.
Great list! I'm having trouble spoofing my user agent with FF 44. I have tried a number of add-ons, but my true user agent leaks through in some way or another. Is there a solution in about:config?
Very nice, thank you. I read that OkayFreedom has DNS leaks as well. Am I safe when I use Google DNS?
Basically, the GRC test keeps doing lookups until it's not seeing responses from any new DNS servers. So right, if you're using a randomizing DNS proxy, you'll see many servers. How many, by the way? And how many test blocks did it run? Maybe you're hitting GRC's limit. Thanks.
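The enumeration loop described in the post above, written out as an added Python example. This is not GRC's code and not from the thread; it simulates the test offline. The one thing it assumes about the real test is what the post says: every lookup is for a unique, never-cached name in a zone the tester controls, so the query has to reach that zone's authoritative server, which records the address of the resolver that asked. `lookup()` stands in for that observation and is driven by a constructed pool of resolver addresses (documentation ranges, not real resolvers). The round cap plays the role of "GRC's limit": if the loop is still finding new resolvers when it runs out of rounds, the count is only a lower bound.

```python
"""GRC-style DNS resolver enumeration, simulated offline (added example)."""
import random
from collections import Counter
from typing import Callable, Dict, List, Tuple


def make_simulated_lookup(resolver_pool: List[str], seed: int = 0) -> Callable[[str], str]:
    """Simulate a randomizing DNS proxy or a load-balanced resolver farm:
    each query is forwarded through a resolver picked from the pool.
    In a real test this function would instead ask the authoritative
    server's log which resolver asked for the unique name."""
    rng = random.Random(seed)

    def lookup(_unique_name: str) -> str:
        return rng.choice(resolver_pool)

    return lookup


def enumerate_resolvers(
    lookup: Callable[[str], str],
    names_per_round: int = 12,
    max_rounds: int = 20,
    zone: str = "leaktest.example",  # assumption: a zone whose auth server you control
) -> Tuple[Dict[str, int], int, bool]:
    """Run rounds of unique-name lookups until a whole round turns up no
    resolver that was not already seen. Returns (hits per resolver,
    rounds run, True if the round cap stopped us before convergence)."""
    seen: Counter = Counter()
    rounds = 0
    for r in range(max_rounds):
        rounds += 1
        new_in_round = 0
        for i in range(names_per_round):
            # A label that has never been queried before cannot be answered
            # from any cache, so the query must reach the authoritative server.
            name = f"r{r}-q{i}.{zone}"
            resolver = lookup(name)
            if resolver not in seen:
                new_in_round += 1
            seen[resolver] += 1
        if new_in_round == 0:
            return dict(seen), rounds, False
    # Still discovering resolvers when the cap hit: report it as a lower bound.
    return dict(seen), rounds, True


def summarize(counts: Dict[str, int]) -> str:
    total = sum(counts.values())
    lines = [f"{len(counts)} distinct resolver(s) over {total} lookups"]
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        lines.append(f"  {ip:<16} {n:4d} ({100.0 * n / total:5.1f}%)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed pools: one fixed resolver, and a 40-resolver randomizing farm.
    single = ["192.0.2.53"]
    farm = [f"198.51.100.{i}" for i in range(1, 41)]
    for pool in (single, farm):
        counts, rounds, hit_cap = enumerate_resolvers(make_simulated_lookup(pool))
        print(summarize(counts))
        print(f"  rounds={rounds} hit_cap={hit_cap}")
```

With a single resolver the loop always takes exactly two rounds: one that discovers it and one that confirms nothing new appears. With a randomizing proxy the number of rounds grows with the pool size, which is the pattern MisterB reports, and a run that ends with `hit_cap=True` is the case to watch for when comparing server counts between providers.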
Sorry, I don't know much about user agent spoofing. I just compartmentalize, and use multiple Whonix instances for more sensitive stuff.
It's not unusual for inexpensive VPN services to use Google DNS. It's very fast, and not censored. But then, it is Google. I generally switch to one of the European servers on https://www.wikileaks.org/wiki/Alternative_DNS
In a brief rerun, 36 total servers with the smartDNS VPN location Minneapolis; 18 with a VPN without smartDNS in the first run, with one VPN server that used OpenDNS. I switched to another from the same provider that used Google DNS and only got 3. I did a second test with a different smartDNS VPN location, New York, and got a total of 92 servers.

The New York location gives me interesting geolocation results as well with different tests. Google will give me the home page for the United Arab Emirates, while DNSleaktest.com gives me New York as a location with DNS servers in New York and New Jersey. The browserleaks.com geolocation test that uses the Google Maps API gives Dubai as my location. Needless to say, I am not physically in any of these places.

With a VPN using smartDNS, the DNS servers are all over the place in Europe and the US; without it they are in 1 or 2 locations in the US. I had 7 test rounds without smartDNS and 8 with smartDNS in the first run, and 3 without smartDNS and 7 with in the second run. I had one deep leak that GRC found with the server using OpenDNS and none with the other server from the same provider using Google DNS, so it looks like not all servers and locations are equal even from the same VPN provider.

I should mention that the smartDNS/VPN provider I'm using provides both VPN servers with integrated smartDNS and smartDNS DNS servers that can be configured without a VPN or on top of one. I am testing different combinations of these right now, but I generally get the best results with the integrated smartDNS. Layering smartDNS over a VPN tunnel hasn't given me the same results, but I have a list of DNS servers and I've only tested the first two so far.
@MisterB -- Very interesting! I typically just use some decent DNS server, and make sure that it's getting hit through the VPN tunnel. In nested VPN chains, only the DNS server(s) for the innermost tunnel get(s) used by my workstation VM. The ones for the other tunnels are just there for the pfSense VMs to resolve timeservers etc, and for upgrading packages on VMs that I use for managing the pfSense VMs. I ought to check out smartdns.
Another good DNS leak test is https://dnsleaktest.com/ It seems to hit almost as hard as the GRC site does, and is much faster. It doesn't provide the analytic results that GRC does, but that's less relevant in this context.
You can change the DNS servers that your router pushes. It's good to change them from the default for your ISP. Then, if you make mistakes with VPN setup, at least you won't be hitting an ISP-associated DNS server through the VPN.
I generally don't use OpenDNS. But they're OK, I think. As long as you're hitting a DNS server through a VPN, and it's not associated with your ISP, you're safe enough. And if you chain VPNs, you want to be using different DNS servers at each level in the chain, to avoid associations among levels.

That's odd. Maybe you mistyped? Or maybe it's an error. Or a scam. There are many private DNS servers. But finding one that accepts connections is not so easy. And then there's the trust issue. They might be pointing you at honeypots. Most of the high-end VPN services run their own DNS servers.
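The two rules in the post above ("not associated with your ISP" and "different DNS servers at each level of a chain") as a small Python checker. This is an added example, not anything from the thread or from any leak-test site. It classifies the resolver addresses a leak test reports by membership in address ranges; the ISP and VPN-provider prefixes are constructed placeholders from the RFC 5737 documentation ranges and have to be replaced with the real allocations, which you look up yourself. The four public resolver addresses are the real Google and OpenDNS ones mentioned in the thread.

```python
"""Classify the resolvers a DNS leak test reports (added example)."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data. Assumption: these two ranges stand in for
# address space associated with *your* ISP and the VPN provider's own resolvers.
ISP_PREFIXES = ["203.0.113.0/24"]
VPN_RESOLVER_PREFIXES = ["192.0.2.0/24"]
# RFC 1918 and loopback: a LAN forwarder, not the upstream resolver that matters.
LOCAL_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
# Well-known public resolvers and who operates them.
PUBLIC_RESOLVERS = {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "208.67.222.222": "OpenDNS", "208.67.220.220": "OpenDNS",
}


def _in_any(addr, prefixes: List[str]) -> bool:
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def classify_resolver(ip: str) -> str:
    """Label one resolver address, most specific category first."""
    addr = ipaddress.ip_address(ip)
    if _in_any(addr, LOCAL_PREFIXES):
        return "local"
    if _in_any(addr, ISP_PREFIXES):
        return "isp"
    if _in_any(addr, VPN_RESOLVER_PREFIXES):
        return "vpn"
    if ip in PUBLIC_RESOLVERS:
        return "public:" + PUBLIC_RESOLVERS[ip]
    return "unknown"


def assess_leak_test(observed: Iterable[str]) -> Tuple[str, Dict[str, str]]:
    """Verdict for one leak-test run. Any ISP-associated resolver is a leak:
    its logs tie the lookups to the ISP account. A local or unknown resolver
    makes the run inconclusive rather than clean, because you do not yet know
    who operates the upstream that actually answered."""
    labels = {ip: classify_resolver(ip) for ip in observed}
    kinds = set(labels.values())
    if "isp" in kinds:
        verdict = "leak"
    elif "local" in kinds or "unknown" in kinds:
        verdict = "inconclusive"
    else:
        verdict = "ok"
    return verdict, labels


def chain_overlap(levels: List[Set[str]]) -> List[Tuple[int, int, str]]:
    """For nested tunnels: resolvers reused at two levels of the chain let
    whoever runs that resolver associate the levels. Returns (i, j, ip)."""
    overlaps = []
    for i in range(len(levels)):
        for j in range(i + 1, len(levels)):
            overlaps.extend((i, j, ip) for ip in sorted(levels[i] & levels[j]))
    return overlaps


if __name__ == "__main__":
    # Constructed observations from two runs, then a two-level chain.
    for run in (["8.8.8.8", "8.8.4.4"], ["192.0.2.10", "203.0.113.7"]):
        print(assess_leak_test(run))
    print(chain_overlap([{"192.0.2.10"}, {"192.0.2.10", "8.8.8.8"}]))
```

One caveat the classification cannot cover: a leak test sees the resolver's egress address, not the path your query took to it. A host whose system resolver is 8.8.8.8 but whose DNS traffic is routed outside the tunnel still shows up as "public:Google" and gets an "ok" here, which is why the post says "hitting a DNS server through a VPN"; confirm the through-the-tunnel part separately, for example by watching port 53 on the physical interface while the test runs.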
I need to do a bit of research on "honey pots." Not familiar, lol. To be honest, I don't even fully understand DNS and what can even be compromised by it!!
I've changed the order of your post to simplify a reply.

In your browser etc., let's say that you type in "www.wilderssecurity.com". But that's not an IP address that Internet routers understand. So your computer queries a DNS server, learns that 104.236.97.180 is the IP address, and connects. You can visit http://104.236.97.180 instead of https://www.wilderssecurity.com if you like. But you can't visit https://104.236.97.180, because the Wilders certificate is only valid for the hostname www.wilderssecurity.com, and not for the IP address.

Let's say that you're using a VPN service to access Wilders. And that you don't want your ISP, or anyone who might be watching your ISP connection, to know that you use Wilders. If you're using a DNS server that's operated by your ISP, or that shares logs with your ISP or other adversaries, they could use traffic analysis to determine that activity on your connection to the VPN server was associated with lookup requests for www.wilderssecurity.com that were coming from the VPN exit. That would tell them what VPN exit you were using, and what you were connecting to.

OK, so you want to visit www.wilderssecurity.com. But say you're using an evil DNS server that translates that to the IP address of an evil server that's running a clone of Wilders. If you're just using HTTP, you might enter your username and password to log in. Then the adversary could log in to the real Wilders as you, and change your password. If you use HTTPS, that wouldn't work, unless the adversary had stolen Wilders' certificate. But if Wilders were using a commercial certificate, the adversary could instead have a stolen certificate that your browser trusts, and which OKs the fake Wilders certificate.
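The two certificate points in the post above (why https://104.236.97.180 fails while https://www.wilderssecurity.com works, and why an evil resolver gets nowhere against HTTPS unless it also has a certificate the browser trusts) as an added Python example. It is not from the thread and not what any browser ships; it is the name-matching step of certificate validation, reduced to the rules that matter here: an IP literal is compared only against iPAddress entries in the subjectAltName, a hostname only against dNSName entries, and a wildcard may only be the entire leftmost label (RFC 6125 section 6.4.3, simplified). The certificate contents are constructed for the example; the IP is the one quoted in the post and is not claimed to be current.

```python
"""Certificate name matching: hostname vs IP literal (added example)."""
import ipaddress
from typing import List, Tuple

# Constructed: (type, value) pairs as they appear in a subjectAltName extension.
WILDERS_SANS: List[Tuple[str, str]] = [("dNSName", "www.wilderssecurity.com")]


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry against the host the user typed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard only as the whole leftmost label, with at least two labels after
    # it, so "*.com" never matches and "*.example.com" never matches "a.b.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def name_matches_cert(target: str, sans: List[Tuple[str, str]]) -> bool:
    """Does the certificate name the thing in the URL bar? An IP literal never
    matches a dNSName, which is why https://104.236.97.180 is rejected."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "iPAddress" and ipaddress.ip_address(v) == ip for t, v in sans)
    return any(t == "dNSName" and _dns_name_match(v, target) for t, v in sans)


def https_connection_ok(typed_host: str, presented_sans: List[Tuple[str, str]],
                        chain_trusted: bool) -> bool:
    """What the browser decides after the resolver, honest or evil, has steered
    it to some server: the presented certificate must chain to a CA the browser
    trusts AND name the host the user typed. Which IP came back from DNS plays
    no part, so a clone site needs a trusted cert for the real name."""
    return chain_trusted and name_matches_cert(typed_host, presented_sans)


if __name__ == "__main__":
    print(name_matches_cert("www.wilderssecurity.com", WILDERS_SANS))   # True
    print(name_matches_cert("104.236.97.180", WILDERS_SANS))            # False
    # Evil resolver sends us to a clone that presents its own valid cert:
    print(https_connection_ok("www.wilderssecurity.com",
                              [("dNSName", "clone.example")], True))    # False
```

The last case is the post's "stolen certificate that your browser trusts" scenario seen from the client side: `chain_trusted` is True because some CA the browser trusts signed the clone's certificate, but the name check still fails unless that certificate names www.wilderssecurity.com, which is exactly what a mis-issued or stolen certificate for that name would give the attacker.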
Oh I see. Thanks, that was helpful, because I've actually been researching that area & similar types of vulnerabilities and the solutions to them, but hadn't thought about how DNS relates. My FF browser usually says my connection is not secure and that data is not encrypted etc. when I click on the globe in the address bar. Even right now on this it says not secure? I do have HTTPS Everywhere, but you know how it works, so it only helps with some sites. Is this normal, or is there a solution to securing all my connections no matter what site?
Are you connecting to https://www.wilderssecurity.com ? If so, you should see a lock icon in the address bar. Have you created an exception for Wilders?
****, no. My address bar just says www.wilders..... and where the lock icon should be there is a grey globe that says the site doesn't supply identity info. If I click the globe it says the site is not secure. I just copied and pasted my URL and it pasted like this, showing HTTP?? https://www.wilderssecurity.com/threads/detecting-vpn-leaks.383636/#post-2563638
I don't use HTTPS Everywhere. But here's the description:

The key bits may be "on sites that are known to support it". The HTTPS Everywhere Atlas entry for Wilders has an error warning:

Code:
<!-- Cert doesn't match !www. -->
<rule from="^http://(?:www\.)?wilderssecurity\.com/" to="https://www.wilderssecurity.com/"/>

https://www.eff.org/https-everywhere/atlas/domains/wilderssecurity.com.html

Maybe that prevents HTTPS Everywhere from enforcing HTTPS for Wilders.
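How a rule like the one quoted above is applied, as an added Python example. This is not the EFF's code and not from the thread; it reimplements the ruleset format in miniature: a ruleset lists the `<target>` hosts it applies to, optional `<exclusion>` patterns for URLs it must leave alone, and `<rule>` elements that are regular-expression rewrites from `from` to `to` (with `$1`-style backreferences). The `<rule>` is the one from the Atlas entry quoted above; the `<target>` lines are an assumption added so the ruleset is complete enough to run, and the wildcard-target handling is simplified.

```python
"""Apply an HTTPS Everywhere style ruleset to URLs (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Pattern, Tuple
from urllib.parse import urlsplit

# The <rule> is the one quoted from the Atlas entry; the <target> lines are assumed.
RULESET_XML = r"""<ruleset name="Wilders Security">
  <target host="wilderssecurity.com" />
  <target host="www.wilderssecurity.com" />
  <!-- Cert doesn't match !www. -->
  <rule from="^http://(?:www\.)?wilderssecurity\.com/" to="https://www.wilderssecurity.com/"/>
</ruleset>"""


class Ruleset:
    def __init__(self, xml_text: str) -> None:
        root = ET.fromstring(xml_text)
        self.name = root.get("name", "")
        self.targets: List[str] = [t.get("host", "") for t in root.findall("target")]
        self.exclusions: List[Pattern] = [re.compile(e.get("pattern", "")) for e in root.findall("exclusion")]
        # Ruleset "to" strings use $1 for groups; Python's re wants \1.
        self.rules: List[Tuple[Pattern, str]] = [
            (re.compile(r.get("from", "")), re.sub(r"\$(\d+)", r"\\\1", r.get("to", "")))
            for r in root.findall("rule")
        ]

    def targets_host(self, host: str) -> bool:
        """Simplified: "*.example.com" is treated as any subdomain of example.com."""
        for t in self.targets:
            if t.startswith("*.") and host.endswith(t[1:]):
                return True
            if host == t:
                return True
        return False

    def rewrite(self, url: str) -> Optional[str]:
        """Return the rewritten URL, or None if this ruleset leaves it alone."""
        host = urlsplit(url).hostname or ""
        if not self.targets_host(host):
            return None
        if any(e.search(url) for e in self.exclusions):
            return None
        for pattern, replacement in self.rules:
            new_url, n = pattern.subn(replacement, url, count=1)
            if n:
                return new_url
        return None  # targeted host, but no rule matched (already https, for example)


if __name__ == "__main__":
    rs = Ruleset(RULESET_XML)
    for u in ("http://wilderssecurity.com/threads/x.1/", "http://www.wilderssecurity.com/",
              "https://www.wilderssecurity.com/", "http://example.com/"):
        print(u, "->", rs.rewrite(u))
```

The comment in the quoted rule explains the shape of the regex: because the certificate does not cover the bare domain, both the bare and the www form are rewritten to https://www.wilderssecurity.com/ rather than each to its own https counterpart. A URL that is already https matches no `from` pattern and is returned unchanged, which is the intended behaviour, not an error.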
@Brosephine @mirimir That's because wilderssecurity.com uses a self-signed security certificate, so your browser can't verify the issuer of the certificate and treats it as if it's an insecure connection.
That doesn't make sense to me. I'm using Firefox, and I see both https://www.wilderssecurity.com/ and the lock in the address bar. And without adding a certificate exception, Firefox won't even connect to https://www.wilderssecurity.com/.
That's exactly my point in my previous post. What part of that doesn't make sense to you? FF won't connect to https://www.wilderssecurity.com unless you add an exception to its certificate DB. Do you mind if I ask you to share a screenshot where you can connect to Wilders through SSL with the lock icon in the address bar?
@mirimir Thanks for the screenshot. It turns out that the lock icon appears only after you add an exception to FF's certificate DB. Otherwise it won't let you connect through SSL. So, like I thought, it appears @Brosephine tried to connect to wilders.com through SSL but didn't want to add an exception for it.
@imdb Aren't you experiencing the same thing? So am I less secure right now than I should be? I'm looking into how to add an exception.