A Macintosh Resource Site
for the Milwaukee Metro Area


Other Important Technical Concerns in Choosing a VPN

First published: April 2019. Latest revision: March 2023.

Introduction

This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use.

Beyond the secrecy and privacy-enabling techniques that a VPN implements via tunneling/encryption protocols, there are other technical issues that a trustworthy VPN needs to attend to in order to provide its users with security and privacy. This article discusses these other issues. (There is a fair amount of technical information in this report, but I think it will be worthwhile reading it if you want to make the most of your choice of a secure and private VPN service.)

DNS (Domain Name System) leak protection

DNS servers are a bit like the phone books of the Internet: You can type in “thewirecutter.com,” for instance, and one of the many DNS servers behind the scenes can point you to the IP address of a server hosting the site.

Most of the time, your DNS requests automatically route through your ISP (Internet Service Provider), giving the ISP an easy way to monitor your traffic.

Some VPN services rely on third-party DNS servers, but the best ones keep DNS servers in-house to prevent your browsing history, or your IP address, from getting out.

(from a previous version of the web page https://thewirecutter.com/reviews/best-vpn-service/)
(I added bold emphasis and paragraph breaks.)

A DNS “leak” occurs when the VPN fails to prevent your device from sending an unencrypted DNS query to a resolver outside the VPN tunnel. This exposes your browsing intentions: anyone “snooping” on your Internet session can see exactly which websites you are accessing.

There are several websites that provide DNS leak tests. I have found https://ipleak.net to be one of the best.

As noted in the above quotation, it is better if your VPN hosts its own (in-house) DNS server. However, many VPNs do not do so: only about one-third of VPNs provide their own DNS servers, according to the list of about 185 VPNs on the “Detailed VPN Comparison Chart,” which you can download in this series’ appendices at Simple + Detailed VPN Comparison Chart - Downloads.

Kill switch system

A “kill switch” goes by many names, but the term describes VPN software that shuts off all network traffic in and out of your computer if the encrypted connection fails.

A hiccup in your Wi-Fi or even with your ISP can cause a VPN to disconnect, and if you then maintain an unsecure connection—especially if the VPN software doesn’t alert you that it’s no longer protecting your traffic—that wipes out all the benefits of your VPN.

(from a previous version of the web page https://thewirecutter.com/reviews/best-vpn-service/)
(I added bold emphasis and paragraph breaks.)

This is a very important safety feature of a VPN, as you may well not know that your secure VPN tunnel connection has failed.

It seems as if most VPNs currently include a kill switch, but you should double-check the VPN’s website for documentation confirming that a kill switch is available, and furthermore check whether it needs to be enabled manually or is turned on automatically.

However, the VPN’s kill switch may not offer absolute protection.

Kill switches are implemented very differently from VPN to VPN and will never be secure due to their design. The only 100% effective and secure configuration for leak prevention is a properly configured firewall.

(from “Choosing a VPN” in VPN Comparison by That One Privacy Guy) (archived)
(bold emphasis added by me)

A “perfect” kill switch would react to the situation of a dropped VPN connection and stop the transmission of outgoing data immediately. However, although real world kill switches act very quickly, there could be a leak of data during the few milliseconds that it takes for the kill switch to activate. As noted in the above quote, a firewall can solve this problem. (We will not discuss in this article the details of setting up a firewall on your device.) Use of a proxy, as noted in the next section, can also address this issue.
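The timing gap described above can be made concrete. The following is an added example, not code from the article or from any VPN client: it runs one constructed packet trace through a reactive kill switch (which blocks only once the client has noticed the tunnel is down) and through a default-deny firewall policy that never permitted non-tunnel traffic in the first place. The interface names, addresses, port and timings are assumptions.

```python
"""Two kill-switch designs applied to the same constructed packet trace.

Added example, not code from the article or from any VPN product. It
models (a) a reactive kill switch that blocks traffic only once the VPN
client has noticed the tunnel is down, and (b) a default-deny firewall
policy that never permitted non-tunnel traffic in the first place. The
interface names, addresses, port and timings are assumptions.
"""
from dataclasses import dataclass

VPN_SERVER = "198.51.100.10"  # documentation address standing in for the VPN endpoint
VPN_PORT = 1194               # OpenVPN's default UDP port, assumed for the example
TUN_IF = "utun0"              # assumed tunnel interface name (macOS style)
PHYS_IF = "en0"               # assumed physical (Wi-Fi/Ethernet) interface name


@dataclass(frozen=True)
class Packet:
    t_ms: int     # milliseconds since the start of the trace
    iface: str    # interface the OS would send the packet on
    proto: str
    dst: str
    dport: int


def firewall_allows(pkt: Packet) -> bool:
    """Default-deny policy: only the tunnel carrier, and traffic inside the tunnel.

    Roughly what a pf ruleset like the following expresses (a sketch, not a
    complete configuration):
        block all
        pass on lo0
        pass on utun0
        pass out on en0 proto udp to 198.51.100.10 port 1194
    The decision never depends on whether the tunnel is currently up, so
    there is no window between the tunnel dropping and the block applying.
    """
    if pkt.iface in ("lo0", TUN_IF):
        return True
    return (pkt.iface == PHYS_IF and pkt.proto == "udp"
            and pkt.dst == VPN_SERVER and pkt.dport == VPN_PORT)


class ReactiveKillSwitch:
    """Allows everything until it detects the tunnel is down, then blocks all.

    detect_delay_ms is the assumed gap between the tunnel actually dropping
    and the VPN client noticing; that gap is the leak window.
    """

    def __init__(self, tunnel_down_at_ms: int, detect_delay_ms: int):
        self.blocks_from_ms = tunnel_down_at_ms + detect_delay_ms

    def allows(self, pkt: Packet) -> bool:
        return pkt.t_ms < self.blocks_from_ms


def leaked_packets(trace, allows) -> list:
    """Packets the policy lets out on the physical interface to anything other
    than the VPN server itself, i.e. traffic exposed to the ISP."""
    return [p for p in trace
            if allows(p) and p.iface == PHYS_IF
            and not (p.dst == VPN_SERVER and p.dport == VPN_PORT)]


# Constructed trace: the tunnel drops at t=1000 ms and the OS falls back to
# the physical default route until the VPN client reacts at t=1050 ms.
TRACE = [
    Packet(0, TUN_IF, "tcp", "203.0.113.5", 443),      # inside the tunnel
    Packet(10, PHYS_IF, "udp", VPN_SERVER, VPN_PORT),  # the encrypted tunnel carrier
    Packet(1002, PHYS_IF, "tcp", "203.0.113.5", 443),  # in the clear, during the gap
    Packet(1005, PHYS_IF, "udp", "192.0.2.53", 53),    # DNS query in the clear, during the gap
    Packet(1080, PHYS_IF, "tcp", "203.0.113.5", 443),  # after the kill switch reacted
]


def compare(trace=TRACE, tunnel_down_at_ms=1000, detect_delay_ms=50) -> dict:
    """Number of exposed packets under each design for the given trace."""
    reactive = ReactiveKillSwitch(tunnel_down_at_ms, detect_delay_ms)
    return {
        "reactive_leaks": len(leaked_packets(trace, reactive.allows)),
        "firewall_leaks": len(leaked_packets(trace, firewall_allows)),
    }


if __name__ == "__main__":
    print(compare())  # {'reactive_leaks': 2, 'firewall_leaks': 0}
```

The reactive design leaks exactly the packets that fall inside its detection delay, and shrinking that delay only narrows the window; the allow-list policy has no window at all because it never consulted tunnel state. That is the structural reason the quoted advice prefers a firewall to a software kill switch.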

Combining a proxy and a VPN

Despite the above quote regarding firewalls, there is another option to help ensure privacy if a kill switch should fail. This is the use of a “proxy server” in conjunction with your VPN.

… proxy servers basically hide your internal network from the Internet. It works as a firewall in the sense that it blocks your network from being exposed to the Internet by redirecting Web requests when necessary.

(from https://www.quora.com/What-is-the-difference-between-a-firewall-and-a-proxy/)

…by disabling the firewall, usually the LAN would have full Internet access, but if you disable the proxy server, there is no way to connect to the Internet.

(from https://www.differencebetween.com/difference-between-firewall-and-vs-proxy-server/)
(bold emphasis added by me)

So the “trick” is to use a VPN that not only offers a proxy server but also lets you use it when using the tunneling/encryption of the VPN.

Using both in tandem usually results in increased privacy, if it’s supported by your VPN provider. …the advantage comes as a safety net. If your VPN cuts out and the Kill-Switch fails, you still have some protection from SOCKS5 VPN proxy, and vice versa.

…For most users, this extra barrier is far from essential.

(from http://www.firewall.cx/vpn/vpn-guides-articles/1191-best-socks5-proxy-guide-torrenting-free-proxy-list.html)
(bold emphasis added by me)

Without appropriate directions, setting up a combined SOCKS5 proxy and a VPN may be less than completely straightforward. If you are interested in implementing a proxy with your VPN, be sure to research how to do so (and how to check that it is working) in the documentation that the VPN service provides.

IPv6 (Internet Protocol version 6) support

When using the internet, you connect to IP addresses. Traditionally, this uses IPv4. There is another standard that will someday be more prevalent called IPv6. More IPv6 numbers exist than IPv4. Most VPN services currently aren’t compatible with IPv6 data. When you use the internet (unless you have specifically taken steps to disable it), you are sending and receiving IPv6 data.

This data is usually sent and resolved through your ISP and their DNS servers. Unless properly configured, this information might not be securely passing through the VPN tunnel and could be leaking to the open internet. It’s pretty easy for remote sites to identify user ISPs based on IPv6 addresses, and even easier for authorities to demand account information from those ISPs.

Choose a VPN service that either blocks IPv6 traffic or prevents leaks by providing a new VPN-specific IPv6 address and an IPv6 DNS server that’s reachable only through the VPN tunnel, and then test it to make sure it works.

(from “Choosing a VPN” in VPN Comparison by That One Privacy Guy) (archived)
(bold emphasis added by me)

IPv6 is the new version of the Internet Protocol (IP) that is the basis for the identification and location of computers and other devices on the Internet. It is supplanting the older version, IPv4. Since we are still in the transition period from IPv4 to IPv6, networks and services that do not fully support IPv6 can “get away with it” and can still be functional. However, the transition period will not last forever…

A VPN service that supports IPv6 is to be preferred. If a VPN service does not support IPv6, it should at least block IPv6 traffic, because not doing so is a security risk.

Unfortunately, it seems as if the majority of VPN services neither block IPv6 traffic nor support IPv6 traffic. As of late 2019, a quick count of the 185 VPNs listed on the “Detailed VPN Comparison Chart” by “That One Privacy Guy” revealed that fewer than 40 (only about 20%) of the VPNs were addressing this ever-more-critical situation of managing IPv6 data traffic. (You can download the “Detailed VPN Comparison Chart” in this series’ appendices at Simple + Detailed VPN Comparison Chart - Downloads.)

The test site https://test-ipv6.com can be used to test how your ISP handles IPv6 connectivity (when the VPN is off) as well as how your VPN handles IPv6.
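Both the DNS-leak section and the IPv6 section above come down to the same question: does a given destination (a DNS resolver, or any global IPv6 address) get routed into the tunnel or out of the physical interface? The following added example, not code from the article or from any VPN product, answers that question offline with a longest-prefix route lookup over a constructed routing table in the style of `netstat -rn` / `scutil --dns` output. The resolver addresses, routing entries and interface names are all constructed assumptions.

```python
"""Offline route check for DNS and IPv6 leaks.

Added example, not code from the article or from any VPN product. A DNS
query "leaks" when it leaves on the physical interface instead of the
tunnel; the same longest-prefix route lookup shows whether IPv6 traffic
is tunnelled, blocked, or leaking. The resolver list and routing tables
are constructed in the style of `scutil --dns` / `netstat -rn` output, and
the interface names are assumptions.
"""
import ipaddress

TUN_IF = "utun0"  # assumed tunnel interface name

# Constructed routing table before the VPN connects: (prefix, interface).
ROUTES_BEFORE = [
    ("0.0.0.0/0", "en0"),         # IPv4 default route via the ISP
    ("192.168.1.0/24", "en0"),    # home LAN
    ("::/0", "en0"),              # IPv6 default route via the ISP
    ("fe80::/64", "en0"),         # IPv6 link-local
]

# A typical VPN client adds IPv4 routes that override the default but leaves
# IPv6 untouched, which is the leak the quoted text describes.
ROUTES_WITH_VPN = ROUTES_BEFORE + [
    ("0.0.0.0/1", "utun0"),       # two /1 routes beat the /0 default
    ("128.0.0.0/1", "utun0"),
    ("198.51.100.10/32", "en0"),  # the VPN server itself is reached directly
    ("10.8.0.0/24", "utun0"),     # VPN-internal network, e.g. its resolver
]

# Corrected table: IPv6 is also pulled into the tunnel.
ROUTES_FIXED = ROUTES_WITH_VPN + [("::/1", "utun0"), ("8000::/1", "utun0")]

# Constructed resolver lists: 192.168.1.1 is the home router handed out by
# DHCP, 2001:db8:1::53 an ISP IPv6 resolver, 10.8.0.1 the resolver the VPN
# pushed on connect.
RESOLVERS = ["192.168.1.1", "10.8.0.1", "2001:db8:1::53"]
VPN_RESOLVERS = ["10.8.0.1"]


def outgoing_interface(dst: str, routes):
    """Longest-prefix match, as the kernel would do; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, iface)
    return best[1] if best else None


def dns_route_leaks(resolvers, routes, tun_if=TUN_IF):
    """Resolvers whose queries would leave outside the tunnel."""
    return [r for r in resolvers if outgoing_interface(r, routes) != tun_if]


def ipv6_leaks(routes, tun_if=TUN_IF, probe="2001:db8::1"):
    """True if a global IPv6 address is routed outside the tunnel.

    Routing ::/0 into the tunnel and having no usable IPv6 route at all
    (blocking) are both acceptable outcomes, so neither counts as a leak.
    """
    iface = outgoing_interface(probe, routes)
    return iface is not None and iface != tun_if


def report(resolvers, routes, vpn_resolvers, tun_if=TUN_IF) -> dict:
    """Route-level leaks plus resolvers that are not the VPN's own."""
    return {
        "dns_route_leaks": dns_route_leaks(resolvers, routes, tun_if),
        "non_vpn_resolvers": [r for r in resolvers if r not in set(vpn_resolvers)],
        "ipv6_leak": ipv6_leaks(routes, tun_if),
    }


if __name__ == "__main__":
    print(report(RESOLVERS, ROUTES_WITH_VPN, VPN_RESOLVERS))
    print(report(VPN_RESOLVERS, ROUTES_FIXED, VPN_RESOLVERS))
```

Two things the lookup makes visible that a simple “is the VPN connected?” check does not: the home router's resolver stays reachable through the more specific LAN route even after the VPN's /1 routes take over the default, so queries to it never enter the tunnel; and with no IPv6 route into the tunnel, every IPv6 destination still goes straight to the ISP. The `non_vpn_resolvers` list is the separate, in-house-DNS question from the Wirecutter quote: a resolver can be routed through the tunnel and still belong to a third party.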

Perfect forward secrecy (PFS)

Perfect Forward Secrecy (PFS), or just ‘Forward Secrecy’, is a security feature embedded in the way encryption works. Unlike weaker encryption protocols that use the same encryption key over and over, PFS generates a new, completely unique encryption key at the start of every session. This session key must be randomly generated and not derived from any previous sessions, keeping the user’s browsing history private.

Without Perfect Forward Secrecy any momentary system breach, like malware or hacking, could reveal all personal data transferred by the user using that encryption key. This includes everything from both the past and future.

Any VPN that claims to take your privacy seriously should implement this must-have feature in privacy technology. One that does would ensure that your VPN session remains completely anonymous keeping your internet activity safe, and secure.

(from https://www.safervpn.com/blog/perfect-forward-secrecy-encryption-keys/) (archived)
(bold emphasis added by me)

You’ll have to do a bit of digging on a VPN’s website to see if the VPN supports the important feature of perfect forward secrecy. (I’ve not been able to find an all-inclusive listing of VPNs that support PFS.)
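The quoted description of forward secrecy is easier to see in a worked exchange. The following is an added example, not code from the article or from any VPN product: a server agrees a session key with each client either directly with its long-term key, or with a fresh ephemeral key per session (the DHE pattern that gives forward secrecy). An eavesdropper records only the public values on the wire; afterwards the server's long-term private key is stolen, and we count how many recorded sessions that theft unlocks. The Diffie-Hellman group is a small safe prime found at import time and the key derivation is a bare SHA-256; both are toy assumptions, since real protocols use 2048-bit or larger groups or elliptic curves and a proper KDF.

```python
"""Forward secrecy, shown with a toy Diffie-Hellman exchange.

Added example, not code from the article or from any VPN product. The
group is a ~80-bit safe prime found at import time (demo size only) and
the session key is a bare SHA-256 of the shared secret; both are toy
assumptions, not what a real VPN protocol uses.
"""
import hashlib
import secrets


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin; these bases are deterministic for n < 3.3e24."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """First safe prime p = 2q + 1 with p > start (toy parameter search)."""
    q = (start // 2) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(1 << 80)  # toy modulus (assumption: demo size only)
Q = (P - 1) // 2              # order of the subgroup we work in
G = 4                         # a square mod P, so it generates the order-Q subgroup


def keypair():
    priv = secrets.randbelow(Q - 1) + 1   # uniform in [1, Q-1]
    return priv, pow(G, priv, P)


def session_key(own_priv: int, peer_pub: int) -> str:
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).hexdigest()


class Server:
    def __init__(self, ephemeral: bool):
        self.ephemeral = ephemeral
        self.long_term_priv, self.long_term_pub = keypair()

    def handshake(self, client_pub: int):
        """Return (server public value, session key). With ephemeral=True the
        private value is fresh for this session and forgotten afterwards."""
        if self.ephemeral:
            priv, pub = keypair()
        else:
            priv, pub = self.long_term_priv, self.long_term_pub
        return pub, session_key(priv, client_pub)


def run_sessions(server: Server, n: int):
    """Run n sessions; return the real session keys and the eavesdropper's
    log of public values, which is all that is visible on the wire."""
    keys, wire_log = [], []
    for _ in range(n):
        c_priv, c_pub = keypair()
        s_pub, s_key = server.handshake(c_pub)
        assert session_key(c_priv, s_pub) == s_key   # both sides agree
        keys.append(s_key)
        wire_log.append((c_pub, s_pub))
    return keys, wire_log


def exposed_after_key_theft(ephemeral: bool, sessions: int = 3) -> dict:
    """How many recorded sessions can be decrypted once the long-term key leaks."""
    server = Server(ephemeral)
    keys, wire_log = run_sessions(server, sessions)
    stolen = server.long_term_priv
    recovered = [session_key(stolen, c_pub) for c_pub, _ in wire_log]
    return {
        "distinct_session_keys": len(set(keys)),
        "exposed": sum(r == k for r, k in zip(recovered, keys)),
    }


if __name__ == "__main__":
    print("static:   ", exposed_after_key_theft(ephemeral=False))
    print("ephemeral:", exposed_after_key_theft(ephemeral=True))
```

Note that in the static case every session still gets a distinct key, because the client's half is fresh each time; what the stolen long-term key buys the attacker is the ability to recompute all of them from the recorded traffic. Forward secrecy is not “a new key per session” but “no long-lived secret from which past session keys can be rederived”, which is why the ephemeral variant exposes nothing.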

Multi-hopping

A multi-hop VPN simply encrypts your connection across two or more servers (multiple hops) before exiting onto the regular internet. Routing your traffic through two or more servers in separate jurisdictions gives you a higher level of privacy and security – even if one server were to be compromised.

(from https://restoreprivacy.com/multi-hop-vpn/)

Thus, with VPN multi-hopping, your data traffic is initially sent out from your device as per usual over a VPN, i.e., through an encrypted tunnel. Once the data reaches the VPN server, it is re-encrypted and sent out via a secure tunnel to another of the VPN’s servers. Only then does the data exit the VPN, heading to its destination on the Internet.

The disadvantage of multi-hopping is that the added hop (or hops) that your data traffic goes through usually results in slower performance. Hence, multi-hopping is generally not used unless extremely high security/privacy is needed.

Multi-hopping is not commonly supported: only 22 of the 185 VPNs listed on the “Detailed VPN Comparison Chart” by That One Privacy Guy support multi-hopping. Nevertheless, it is reassuring to know that VPNs that invest in the effort to implement multi-hopping are likely genuinely interested in providing high levels of security/privacy to their customers.
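The quoted claim that multi-hopping helps “even if one server were to be compromised” depends on what each server can actually see. The following added example, not code from the article or from any VPN provider, models three layouts with a toy cipher: a single hop; the hop-to-hop re-encryption the article describes (the first server decrypts and re-encrypts for the second); and, going one step beyond the text for comparison, client-side nesting, where the client encrypts a layer for the second server before handing everything to the first. For each server it then asks whether that server alone can tie the client's IP to the destination. Addresses, keys and the cipher are constructed assumptions, and which layout a given product uses is not something the article states.

```python
"""What a single compromised server learns under three VPN layouts.

Added example, not code from the article or from any VPN provider. The
"chained" layout follows the article's description (each server decrypts
and re-encrypts for the next); "nested" is an alternative design shown
for comparison. Addresses, keys and the toy cipher are assumptions.
"""
import hashlib


def toy_xor(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream. Demo only: unauthenticated and
    not a real cipher. Applying it twice with the same key restores the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def frame(dest: str, payload: bytes) -> bytes:
    """Inner packet format: destination line, then the payload."""
    return dest.encode() + b"\n" + payload


def parse(blob: bytes):
    dest, payload = blob.split(b"\n", 1)
    return dest.decode(), payload


class Hop:
    def __init__(self, ip: str):
        self.ip = ip
        self.seen = {}   # everything a compromise of this server would reveal

    def open(self, from_ip: str, key: bytes, blob: bytes):
        dest, payload = parse(toy_xor(key, blob))
        self.seen = {"from": from_ip, "dest": dest, "payload": payload}
        return dest, payload


CLIENT_IP, DEST = "203.0.113.7", "example.test"               # constructed values
HOP1_IP, HOP2_IP = "198.51.100.10", "198.51.100.20"
K1, K2, K12 = b"client-hop1", b"client-hop2", b"hop1-hop2"    # toy keys


def single_hop(payload: bytes) -> dict:
    hop1 = Hop(HOP1_IP)
    hop1.open(CLIENT_IP, K1, toy_xor(K1, frame(DEST, payload)))
    return {"hop1": hop1}


def chained_double_hop(payload: bytes) -> dict:
    """The article's description: hop1 decrypts, then re-encrypts for hop2."""
    hop1, hop2 = Hop(HOP1_IP), Hop(HOP2_IP)
    dest, inner = hop1.open(CLIENT_IP, K1, toy_xor(K1, frame(DEST, payload)))
    hop2.open(HOP1_IP, K12, toy_xor(K12, frame(dest, inner)))
    return {"hop1": hop1, "hop2": hop2}


def nested_double_hop(payload: bytes) -> dict:
    """Alternative: the client wraps a layer for hop2 inside the layer for
    hop1, so hop1 sees only the next hop and hop2 only the previous one."""
    hop1, hop2 = Hop(HOP1_IP), Hop(HOP2_IP)
    inner = toy_xor(K2, frame(DEST, payload))
    _, blob = hop1.open(CLIENT_IP, K1, toy_xor(K1, frame(HOP2_IP, inner)))
    hop2.open(HOP1_IP, K2, blob)
    return {"hop1": hop1, "hop2": hop2}


def links_client_to_dest(hop: Hop) -> bool:
    """Can this one server, on its own, tie the client's IP to the destination?"""
    return hop.seen["from"] == CLIENT_IP and hop.seen["dest"] == DEST


def compare(payload: bytes = b"GET / HTTP/1.1") -> dict:
    layouts = (("single", single_hop), ("chained", chained_double_hop),
               ("nested", nested_double_hop))
    return {name: {h: links_client_to_dest(hop) for h, hop in layout(payload).items()}
            for name, layout in layouts}


if __name__ == "__main__":
    print(compare())
```

Under the chained layout the article describes, the exit server (the one whose address the destination sees) no longer sees the client's IP, which is the gain the quote refers to; the entry server, however, still sees as much as a single-hop server would. Only the nested layout keeps every individual server from linking client to destination, so when a provider advertises multi-hop it is worth checking which of the two it actually implements.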

Split tunneling

This capability allows you to “split” your Internet data connection into one part that communicates via the VPN and another part that connects to the Internet via your ISP without using the VPN.

Why would you want to not use the VPN? One example would be when you actually want your geolocation to be available to a website, such as when you use online shopping for companies that have local outlets.

Note that not all VPN services support split tunneling and that setting up split tunneling with your VPN may require more than a basic level of expertise.

Summary

While all of the above VPN technical issues are important, some of them (i.e., combining a proxy and a VPN, multi-hopping and split tunneling) are probably not critical for an average VPN user. However, I would recommend that you pay careful attention to the other issues.

Remember, you are interested in the security and privacy that a VPN service can offer you, so you should follow through with some online investigations into what the VPN service claims to offer. Once you start using a VPN, you should run tests on the VPN service to verify that it is indeed providing the security and privacy you desire.

The “Detailed VPN Comparison Chart” can be used to check on the status of VPNs regarding:

  • hosting of their own DNS servers
  • IPv6 leak protection support
  • support for SOCKS proxies
  • support for multi-hop

If you are interested in a list of several different sorts of online privacy tests, check out https://www.ghacks.net/2015/12/28/the-ultimate-online-privacy-test-resource-list/.

In the next article of this “Choosing a Trustworthy VPN” series, titled “Other Factors to Consider in Choosing a VPN,” we’ll examine aspects of VPN services that are important to scrutinize and are somewhat less technical in nature (as compared to the considerations of previous articles).