A Macintosh Resource Site
for the Milwaukee Metro Area


Other Important Technical Concerns in Choosing a VPN

First published: April 2019. Latest revision: November 2019.

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use.

Beyond the secrecy and privacy-enabling techniques that a VPN implements via tunneling/encryption protocols, there are other technical issues that a trustworthy VPN needs to attend to in order to provide its users with security and privacy. This article discusses these other issues. (There is a fair amount of technical information in this article, but I think it will be worth reading if you want to make the most of your choice of a secure and private VPN service.)

DNS (Domain Name System) leak protection

DNS servers are a bit like the phone books of the Internet: You can type in “thewirecutter.com,” for instance, and one of the many DNS servers behind the scenes can point you to the IP address of a server hosting the site. Most of the time, your DNS requests automatically route through your ISP (Internet Service Provider), giving the ISP an easy way to monitor your traffic. Some VPN services rely on third-party DNS servers, but the best ones keep DNS servers in-house to prevent your browsing history, or your IP address, from getting out.

(from a previous version of the web page https://thewirecutter.com/reviews/best-vpn-service/)
(bold emphasis added by me)

A DNS “leak” occurs when the VPN does not prevent your device from sending an unencrypted DNS query to a resolver outside the VPN tunnel. This exposes your browsing intentions: anyone “snooping” on your Internet session can see exactly which websites you are accessing.

There are several websites that provide DNS leak tests. I have found https://ipleak.net to be one of the best.

As noted in the above quotation, it is better if your VPN hosts its own (in-house) DNS servers. However, many VPNs do not: only about one-third of the roughly 190 VPNs listed on the “Detailed Comparison Chart” at https://thatoneprivacysite.net/vpn-comparison-chart/ provide their own DNS servers.

Kill switch system

A “kill switch” goes by many names, but the term describes VPN software that shuts off all network traffic in and out of your computer if the encrypted connection fails. A hiccup in your Wi-Fi or even with your ISP can cause a VPN to disconnect, and if you then maintain an unsecure connection—especially if the VPN software doesn’t alert you that it’s no longer protecting your traffic—that wipes out all the benefits of your VPN.

(from a previous version of the web page https://thewirecutter.com/reviews/best-vpn-service/)
(bold emphasis added by me)

This is a very important safety feature of a VPN, since you may well not notice that the secure connection has dropped.

Most VPNs currently seem to include a kill switch, but you should check the VPN’s website for documentation that one is available, and whether you need to enable it yourself or it is on automatically.

However, the VPN’s kill switch may not offer absolute protection.

Kill Switches are implemented very differently and will never be secure due to their design. The only 100% effective and secure configuration to accomplish prevention of leaks is a properly configured firewall.

(from https://thatoneprivacysite.net/choosing-the-best-vpn-for-you/)
(bold emphasis added by me)

A “perfect” kill switch would react to a dropped VPN connection by stopping outgoing data immediately. Real-world kill switches act very quickly, but data could still leak during the few microseconds it takes for the kill switch to activate. As noted in the above quote, a firewall can solve this problem. (We will not discuss in this article the details of setting up a firewall on your device.) Use of a proxy, as noted in the next section, can also address this issue.
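To make the difference in the quote concrete, here is a small model of the two approaches. It is an added example for this article, not code from the article or from any VPN vendor. The firewall policy is a fixed allowlist: loopback, anything on the tunnel interface, and, on the physical interface, only the VPN endpoint itself. The software kill switch, by contrast, only starts blocking once it has noticed the drop. The interface names, the endpoint address 203.0.113.10 and the timings are constructed assumptions.

```python
"""Model of a static 'block all but the tunnel' firewall policy versus a
software kill switch that must first notice the tunnel dropping.
Added example; interface names, addresses and timings are constructed."""
from dataclasses import dataclass
import ipaddress

# Constructed values: the VPN server the client tunnels to, and interface
# names as a Mac would show them (en0 = Wi-Fi/Ethernet, utun0 = VPN tunnel).
VPN_ENDPOINT = ipaddress.ip_address("203.0.113.10")
VPN_PORT = 1194
TUNNEL_IFACE = "utun0"
PHYSICAL_IFACE = "en0"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet would leave on
    dst: str     # destination IP address
    proto: str   # "udp" or "tcp"
    dport: int   # destination port


def firewall_allows(pkt: Packet) -> bool:
    """Fixed allowlist. The decision depends only on the packet, never on
    whether the tunnel is up, so a fallback route has no window to leak."""
    if pkt.iface == "lo0":
        return True          # local traffic is never a leak
    if pkt.iface == TUNNEL_IFACE:
        return True          # anything inside the tunnel is encrypted
    if (pkt.iface == PHYSICAL_IFACE
            and ipaddress.ip_address(pkt.dst) == VPN_ENDPOINT
            and pkt.proto == "udp" and pkt.dport == VPN_PORT):
        return True          # the tunnel itself must stay reachable
    return False             # everything else, including DNS, is dropped


def kill_switch_allows(pkt: Packet, tunnel_dropped: bool, noticed: bool) -> bool:
    """Software kill switch: permissive until it has noticed the drop."""
    if tunnel_dropped and noticed:
        return pkt.iface != PHYSICAL_IFACE or firewall_allows(pkt)
    return True


def simulate(drop_at: int, notice_delay: int, n_ticks: int = 10):
    """Replay a timeline: at tick drop_at the tunnel goes down and the OS
    routes packets out of the physical interface instead; the kill switch
    reacts notice_delay ticks later. Returns (firewall leaks, kill-switch leaks)."""
    fw_leaks = ks_leaks = 0
    for t in range(n_ticks):
        dropped = t >= drop_at
        noticed = t >= drop_at + notice_delay
        iface = PHYSICAL_IFACE if dropped else TUNNEL_IFACE
        # Constructed traffic: one HTTPS packet per tick to some web server.
        pkt = Packet(iface, "198.51.100.7", "tcp", 443)
        if iface == PHYSICAL_IFACE:
            # On the physical interface, anything not bound for the VPN
            # endpoint that gets through is a leak.
            fw_leaks += firewall_allows(pkt)
            ks_leaks += kill_switch_allows(pkt, dropped, noticed)
    return fw_leaks, ks_leaks


if __name__ == "__main__":
    print(simulate(drop_at=4, notice_delay=3))   # (0, 3)
```

Running it prints (0, 3): with the fixed firewall policy nothing escapes during the gap, while the kill switch passes one packet per tick until it reacts. On a Mac the equivalent rules would be expressed in pf; the reaction delay in the model stands in for the microseconds mentioned above.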

Combining a proxy and a VPN

Despite the above quote regarding firewalls, there is another option to help ensure privacy if a kill switch should fail. This is the use of a “proxy server” in conjunction with your VPN.

Proxy servers basically hide your internal network from the Internet. It works as a firewall in the sense that it blocks your network from being exposed to the Internet by redirecting Web requests when necessary.

(from https://www.quora.com/What-is-the-difference-between-a-firewall-and-a-proxy/)

…by disabling the firewall, usually the LAN would have full Internet access, but if you disable the proxy server, there is no way to connect to the Internet.

(from https://www.differencebetween.com/difference-between-firewall-and-vs-proxy-server/)
(bold emphasis added by me)

So the “trick” is to use a VPN that not only offers a proxy server but also lets you use the proxy at the same time as the VPN’s tunneling/encryption.

Using both in tandem usually results in increased privacy, if it’s supported by your VPN provider. …the advantage comes as a safety net. If your VPN cuts out and the Kill-Switch fails, you still have some protection from SOCKS5 VPN proxy, and vice versa.

(from http://www.firewall.cx/vpn/vpn-guides-articles/1191-best-socks5-proxy-guide-torrenting-free-proxy-list.html)
(bold emphasis added by me)

Without appropriate directions, setting up a combined SOCKS5 proxy and a VPN may be less than completely straightforward. If you are interested in implementing a proxy with your VPN, be sure to research how to do so (and how to check that it is working) in the documentation that the VPN service provides.

IPv6 (Internet Protocol version 6) support

When using the internet, you connect to IP addresses. Traditionally, IPv4 is used to accomplish this (you may have seen numbers in the past like 8.8.8.8 or 216.58.217.206, etc). There is another standard that will some day be more prevalent, called IPv6, but that is being used now during the time it transitions into normal configurations (vastly more IPv6 numbers exist than IPv4). When you connect and use the internet (unless you have specifically taken steps to disable it), you are sending and receiving IPv6 data.

Again, normally, this data is sent and resolved through your ISP and their DNS servers, but unless properly configured, this information might not be securely passing through the VPN tunnel and could be leaking to the open internet. Given such routed global IPv6 addresses, it’s easy for remote sites to identify user ISPs. And with requisite authority, account information could be obtained from those ISPs.

Choose a VPN service that either blocks or provides new VPN-specific IPv6 address and provides an IPv6 DNS server that’s reachable only through the VPN tunnel – then TEST IT TO MAKE SURE.

(from https://thatoneprivacysite.net/choosing-the-best-vpn-for-you/)
(bold emphasis in the second paragraph added by me)

IPv6 is the new version of the Internet Protocol (IP) that is the basis for the identification and location of computers and other devices on the Internet. It is supplanting the older version, IPv4. Since we are still in the transition period from IPv4 to IPv6, networks and services that do not fully support IPv6 can “get away with it” and can still be functional. However, the transition period will not last forever…

A VPN service that supports IPv6 is to be preferred. If a VPN service does not support IPv6, it should at least block IPv6 traffic, because not doing so is a security risk. Unfortunately, it seems as if the majority of VPN services neither block nor support IPv6 traffic: a quick count of the 190 VPNs listed on the “Detailed Comparison Chart” at https://thatoneprivacysite.net/vpn-comparison-chart/ reveals that fewer than 40 (only about 20%) of the VPNs address this ever-more-critical matter of managing IPv6 data traffic.

The test site https://test-ipv6.com can be used to test how your ISP handles IPv6 connectivity (when the VPN is off) as well as how your VPN handles IPv6.
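The DNS leak section and the IPv6 section above both come down to the same question: is a given piece of traffic leaving through the tunnel interface or not? The script below, an added example that is not from the article, ipleak.net or test-ipv6.com, answers that offline for a list of recorded outbound flows and for the system’s configured resolvers. The interface names, the VPN’s resolver addresses and the sample flows are constructed; in practice the flows would come from a packet capture taken while the VPN is connected.

```python
"""Offline audit of DNS and IPv6 traffic relative to a VPN tunnel.
Added example; interface names, resolver addresses and flows are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address

TUNNEL_IFACE = "utun0"
# Constructed: resolvers the VPN runs in-house, reachable only inside the tunnel.
VPN_RESOLVERS = {ip_address("10.8.0.1"), ip_address("fd00:8::1")}


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the flow left on
    src: str
    dst: str
    proto: str
    dport: int


def classify(flow: Flow):
    """Label one outbound flow, or return None if it raises no concern."""
    dst = ip_address(flow.dst)
    via_tunnel = flow.iface == TUNNEL_IFACE
    if flow.dport == 53:
        if not via_tunnel:
            return "dns-leak"         # plaintext query on the ISP path
        if dst not in VPN_RESOLVERS:
            return "dns-third-party"  # tunnelled, but not to the VPN's own resolver
        return None
    if dst.version == 6 and not via_tunnel and not (dst.is_link_local or dst.is_loopback):
        return "ipv6-leak"            # routable IPv6 bypassing the tunnel
    return None


def audit_flows(flows):
    """Return [(flow, label)] for every flow that classify() flags."""
    findings = []
    for f in flows:
        label = classify(f)
        if label is not None:
            findings.append((f, label))
    return findings


def audit_resolvers(configured):
    """Configured resolvers that are not the VPN's own, the kind of thing a
    leak-test site reports back to you."""
    return [r for r in configured if ip_address(r) not in VPN_RESOLVERS]


# Constructed sample: what a capture taken with the VPN connected might contain.
SAMPLE_FLOWS = [
    Flow("utun0", "10.8.0.2", "10.8.0.1", "udp", 53),             # DNS through the tunnel: fine
    Flow("en0", "192.168.1.23", "192.168.1.1", "udp", 53),        # DNS to the home router: leak
    Flow("utun0", "10.8.0.2", "8.8.8.8", "udp", 53),              # tunnelled, third-party resolver
    Flow("utun0", "fd00:8::2", "2001:db8:99::1", "tcp", 443),     # IPv6 inside the tunnel: fine
    Flow("en0", "2001:db8:1::23", "2001:db8:99::1", "tcp", 443),  # IPv6 via the ISP: leak
    Flow("en0", "192.168.1.23", "203.0.113.10", "udp", 1194),     # the tunnel endpoint itself
]
SAMPLE_RESOLVERS = ["10.8.0.1", "192.168.1.1"]

if __name__ == "__main__":
    for flow, label in audit_flows(SAMPLE_FLOWS):
        print(f"{label:16} {flow.iface:6} {flow.dst}")
    print("stray resolvers:", audit_resolvers(SAMPLE_RESOLVERS))
```

Link-local IPv6 on the physical interface (neighbour discovery, router advertisements) is deliberately not flagged, since that traffic never leaves the local link; the audit only cares about routable IPv6 and about DNS that bypasses the VPN’s own resolver.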

Perfect forward secrecy (PFS)

Perfect Forward Secrecy (PFS), or just ‘Forward Secrecy’, is a security feature embedded in the way encryption works. Unlike weaker encryption protocols that use the same encryption key over and over, PFS generates a new, completely unique encryption key at the start of every session. This session key must be randomly generated and not derived from any previous sessions, keeping the user’s browsing history private.

Without Perfect Forward Secrecy any momentary system breach, like malware or hacking, could reveal all personal data transferred by the user using that encryption key. This includes everything from both the past and future.

Any VPN that claims to take your privacy seriously should implement this must-have feature in privacy technology. One that does would ensure that your VPN session remains completely anonymous keeping your internet activity safe, and secure.

(from https://www.safervpn.com/blog/perfect-forward-secrecy-encryption-keys/)
(bold emphasis added by me)

You’ll have to do a bit of digging on a VPN’s website to see if the VPN supports perfect forward secrecy. (I’ve not been able to find an all-inclusive listing of VPNs that support PFS.)
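What the quote calls a session key that is “not derived from any previous sessions” is, in practice, an ephemeral Diffie-Hellman exchange in which the long-term key only authenticates the handshake. The toy below is added here and is not the article’s or the quoted vendor’s code. It runs three sessions each way and then plays the part of someone who later obtains the long-term secret. The 127-bit prime and generator are constructed for readability and are not a real group; the long-term HMAC key is likewise a constructed stand-in for a certificate key.

```python
"""Toy demonstration of why ephemeral session keys give forward secrecy.
Added example; the DH parameters and long-term key are constructed, not real."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime), far too small for real use
G = 3            # toy generator


def keypair():
    """Random exponent and its public value G^exp mod P."""
    exp = secrets.randbelow(P - 2) + 1
    return exp, pow(G, exp, P)


def session_key(shared_secret: int) -> bytes:
    """Derive a 256-bit key from the agreed DH value."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def authenticate(mac_key: bytes, ga: int, gb: int) -> bytes:
    """HMAC over the exchanged public values; stands in for a signature."""
    return hmac.new(mac_key, f"{ga}|{gb}".encode(), "sha256").digest()


def run_static_sessions(n):
    """Both sides reuse long-term exponents for key agreement: every session
    ends up with the same key, and the recorded public values plus one
    leaked exponent are enough to recompute it."""
    x, gx = keypair()   # client long-term
    y, gy = keypair()   # server long-term
    keys = []
    for _ in range(n):
        k_client = session_key(pow(gy, x, P))
        k_server = session_key(pow(gx, y, P))
        assert k_client == k_server
        keys.append(k_client)
    transcript = {"gx": gx, "gy": gy}   # what an eavesdropper records
    return keys, transcript, x


def run_ephemeral_sessions(n, long_term_mac_key: bytes):
    """Fresh exponents per session; the long-term key only authenticates
    the exchanged public values and never enters the key derivation."""
    keys, transcript = [], []
    for _ in range(n):
        a, ga = keypair()   # client ephemeral
        b, gb = keypair()   # server ephemeral
        tag = authenticate(long_term_mac_key, ga, gb)
        if not hmac.compare_digest(tag, authenticate(long_term_mac_key, ga, gb)):
            raise ValueError("handshake authentication failed")
        k_client = session_key(pow(gb, a, P))
        k_server = session_key(pow(ga, b, P))
        assert k_client == k_server
        keys.append(k_client)
        transcript.append({"ga": ga, "gb": gb, "tag": tag})
        del a, b   # ephemeral exponents are discarded after the handshake
    return keys, transcript


def recover_from_static(transcript, leaked_x):
    """Someone who later obtains the client's long-term exponent can
    recompute the key of every past (and future) session."""
    return session_key(pow(transcript["gy"], leaked_x, P))


def recover_from_ephemeral(transcript, leaked_mac_key):
    """Someone who later obtains the long-term key finds only G^a, G^b and
    the tags in the transcript. With no exponent to use, the most the key
    yields is confirmation that the recorded handshakes were genuine."""
    return [hmac.compare_digest(authenticate(leaked_mac_key, r["ga"], r["gb"]), r["tag"])
            for r in transcript]


if __name__ == "__main__":
    keys, tr, x = run_static_sessions(3)
    print("static: distinct keys =", len(set(keys)),
          "recovered =", recover_from_static(tr, x) == keys[0])
    ekeys, etr = run_ephemeral_sessions(3, b"constructed-long-term-key")
    print("ephemeral: distinct keys =", len(set(ekeys)),
          "recoverable from transcript =", False)
```

The static run prints one distinct key that the leaked exponent reproduces; the ephemeral run prints three distinct keys, and the only thing the leaked long-term key can do with the transcript is re-verify the tags. That is exactly the property the quote describes: a breach of the long-term key does not expose past sessions.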

Multi-hopping

A multi-hop VPN simply encrypts your connection across two or more servers (multiple hops) before exiting onto the regular internet. Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security – even if one server were to be compromised.

(from https://restoreprivacy.com/multi-hop-vpn/)

Thus, with VPN multi-hopping, your data traffic is initially sent out from your device as per usual over a VPN, i.e., through an encrypted tunnel. Once the data reaches the VPN server, it is re-encrypted and sent out via a secure tunnel to another of the VPN’s servers. Only then does the data exit the VPN to its destination on the Internet.

The disadvantage of multi-hopping is that the added hop (or hops) that your data traffic goes through usually results in slower performance. Hence multi-hopping is generally not used unless extremely high security/privacy is needed. Multi-hopping is not commonly supported: only 22 of the 190 VPNs listed on the “Detailed Comparison Chart” at https://thatoneprivacysite.net/vpn-comparison-chart/ support multi-hopping. Nevertheless, it’s reassuring to know that VPNs that invest in the effort to implement multi-hopping are likely genuinely interested in providing high levels of security/privacy to their customers.

Split tunneling

This capability allows you to “split” your Internet data connection into one part that communicates via the VPN and another part that connects to the Internet via your ISP without using the VPN. Why would you not want to use the VPN? One example would be when you actually want your geo-location to be available to a website, such as when you use online shopping for companies that have local outlets.

Setting up split tunneling with your VPN may require more than a basic level of expertise.

Summary

While all of the above VPN technical issues are important, the final two (i.e. Multi-hopping and Split Tunneling) are probably not critical for an average VPN user. However, I would recommend that you pay careful attention to the other issues. After all, you are interested in the security and privacy that a VPN service can offer to you, so you should follow through with some online investigations of what the VPN service claims to offer and also run tests of the VPN service to verify that it is indeed providing the security and privacy you desire.

The “Detailed Comparison Chart” at https://thatoneprivacysite.net/vpn-comparison-chart/ can be used to check on the status of VPNs regarding:

  • hosting of their own DNS servers
  • IPv6 leak protection support
  • support for SOCKS proxies
  • support for multi-hop

If you are interested in a list of several different sorts of online privacy tests, check https://www.ghacks.net/2015/12/28/the-ultimate-online-privacy-test-resource-list/

In the next article of this “Choosing a Trustworthy VPN” series, titled “Other Factors to Consider in Choosing a VPN”, we’ll examine aspects of VPN services that are important to scrutinize and are somewhat less technical in their nature (as compared to the considerations of previous articles).