Online virtual private networks (VPNs) are often used to hide internet traffic, especially for downloading torrents. The goal is that the VPN provider doesn't retain or log any information that can be linked to you, so if they're forced to comply with legal orders, they can't provide anything that can be traced back to you. Internet service providers (ISPs), on the other hand, keep logs and may forward your contact information to those who seek legal avenues against you.
Therefore, you place your trust in your VPN provider that no unencrypted information leaks outside of the tunnel. Failure to do so means your ISP or other middlemen can associate your traffic to your address. VPNs generally do a good job at this, and most don't leak data while connected.
Many VPNs advertise a kill switch that blocks all unencrypted system traffic in case the VPN disconnects, such as if your internet drops, your computer restarts, or the VPN client crashes. However, it may not always be called a "kill switch"; some providers call it firewall mode or lockdown mode, for example.
In our testing, we've found that kill switches almost always fail at doing the task they're designed for. While you can take steps to mitigate the shortcomings of a kill switch, they're either inconvenient or require a more advanced networking infrastructure. Thus, for the general VPN user, the reliability of the kill switch is of utmost importance.
We subscribed to and tested 20 popular VPN services to evaluate their performance, including the robustness of their kill switch features. In the end, we found one that didn't leak: Perfect Privacy.
We conduct multiple tests to monitor for leaks. The simplest one looks at the network traffic while the VPN is connected. This is the most basic responsibility of VPNs, and thankfully, our results show they're largely successful. Still, four VPNs leak in this scenario, mostly because we took a cautious stance on what we consider a leak.
For the kill switch robustness, we force a loss of connection by either ending the software task, disconnecting and reconnecting the internet cable, or rebooting the computer. The latter is the tougher challenge for most VPNs. The results are interesting, as we frequently found full-blown leaks outside the VPN tunnel.
We test for VPN kill switch leaks using a straightforward setup. We run the VPN on a Windows 11 computer, which is plugged into a network switch. The switch is configured to mirror all traffic from that port to another port which goes into a Linux computer. That computer runs Wireshark and monitors all the traffic, effectively capturing everything from the Windows computer.
We consider any traffic outside the tunnel a leak, even if it appears to be part of the protocol handling of the VPN. Since other VPNs manage to function without these calls outside the tunnel, it's reasonable to expect total encapsulation. Also, any unencrypted traffic that leaks can reveal information that could be collected, sold, and used for marketing purposes, such as targeted ads. If our Linux computer is able to identify where some of your traffic goes, then your router and ISP can see it as well.
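The classification rule described above (anything from the test machine that is not tunnel traffic to the pinned VPN endpoint counts as a leak), as an added example written here and not the testers' own tooling. The host address, endpoint, port and sample packets are constructed; the tshark command in the comment is one way to export a mirrored-port capture into the CSV shape the function reads.

```shell
#!/bin/sh
# Leak classifier for a mirrored-port capture (added example; names and sample data constructed).
# Input: one packet per line, "src,dst,ip_proto,dst_port,dns_query_name". tshark can emit that:
#   tshark -r capture.pcapng -T fields -E separator=, \
#     -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e dns.qry.name
# (TCP packets get an empty port column; they are still judged by destination.)

# classify_packets HOST VPN_IP VPN_PORT  reads stdin, prints one LEAK line per offending packet.
classify_packets() {
    host=$1 vpn_ip=$2 vpn_port=$3
    while IFS=, read -r src dst proto dport qname; do
        # Only packets that originate on the test machine matter.
        [ "$src" = "$host" ] || continue
        # The one permitted flow: UDP (proto 17) to the pinned endpoint on the WireGuard port.
        if [ "$dst" = "$vpn_ip" ] && [ "$proto" = "17" ] && [ "$dport" = "$vpn_port" ]; then
            continue
        fi
        # Everything else left the machine in the clear; DNS names are the most telling.
        if [ -n "$qname" ]; then
            echo "LEAK dns   $src -> $dst query=$qname"
        else
            echo "LEAK other $src -> $dst proto=$proto dport=$dport"
        fi
    done
}

# count_leaks HOST VPN_IP VPN_PORT  prints the number of leaked packets (0 when clean).
count_leaks() {
    classify_packets "$@" | grep -c '^LEAK' || true
}

# Constructed capture: host 192.168.1.50, VPN endpoint 203.0.113.10:51820, LAN resolver 192.168.1.1,
# and 198.51.100.7 standing in for an unrelated cloud address. The last line is an HTTPS call to the
# VPN provider's own address outside the tunnel, which the article's criteria still count as a leak.
SAMPLE='192.168.1.50,203.0.113.10,17,51820,
203.0.113.10,192.168.1.50,17,41234,
192.168.1.50,192.168.1.1,17,53,api.totallycnd.com
192.168.1.50,198.51.100.7,6,443,
192.168.1.50,203.0.113.10,6,443,'

printf '%s\n' "$SAMPLE" | classify_packets 192.168.1.50 203.0.113.10 51820
```

Run the real export through the same pipe during the reboot test; a clean kill switch produces no LEAK lines between the last tunnel packet before shutdown and the first one after.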
A common leak is a DNS request to the API server of the VPN service. Of the four VPNs that leak under normal conditions, two, Norton VPN and ExpressVPN, only leaked to themselves. While these are relatively benign examples, they still reveal patterns about you. For example, a third party can conclude that you use Norton VPN by observing frequent calls to avast.com. Avast belongs to Gen Digital, Norton's parent company.
Norton VPN leaks to its own servers. We know this because we monitored DNS queries from our system to our ISP's DNS, something they could log. The DNS query shows that we are trying to find an IP address belonging to the Avast network.
In ExpressVPN's case, we saw a DNS query sent to a server that was most likely their own, which is expected. However, the request was not in the tunnel, so your ISP or other third parties would be able to inspect the packet and see that you're trying to connect to ExpressVPN's servers.
IPVanish and Bitdefender VPN, on the other hand, leaked DNS queries to Microsoft. This is more concerning because it demonstrates that the VPNs aren't able to contain traffic within the tunnel. We enabled any available kill switch features that aim to prevent leaks but didn't enable tracker blockers or other ad-blocking features.
Our strict testing criteria mean that we consider any DNS query outside the tunnel a leak. We don't capture the initial connection, so a VPN that needs an initial DNS query to connect will not fail our tests on that account. Our kill switch tests do capture the reconnection, however, so if a VPN makes a non-tunneled DNS call to reconnect, we consider it a leak. It would be better for VPNs to cache the server IP until the tunnel is re-established so that they don't need to query their API servers on the open Internet every time they reconnect.
This seems strict, but because anyone between your device and the VPN server can inspect packets, they can see which addresses you're trying to reach and when. Interested parties can then use that information to reveal habits about your online activities. The example below shows a DNS query made to Cloudflare's DNS servers to resolve the address for api.totallycnd.com. This is almost certainly necessary for Windscribe Free to fetch the list of available servers and to verify if you've exceeded the monthly bandwidth limit. The paid version makes similar DNS queries to ensure the account is valid. Even if this is a necessary step to reconnect, interested parties can see that you're trying to reach out to "Totally a CDN."
On the subject of lighthearted server names, we noticed that Bitdefender VPN opted to have some fun with many of their DNS queries.
Diving into these queries reveals some interesting information; they all point to the same IP addresses: 104.18.22.107 and 104.18.23.107 (hosted by Cloudflare).
Looking at wlvpn.com, another site that Bitdefender VPN makes calls to, reveals something important. From the wlvpn.com webpage, it sure looks like Bitdefender VPN is buying a white label VPN service from IPVanish, their apparent competitor.
In our testing, the two VPNs performed extremely similarly in all performance and security tests. While Bitdefender VPN has fewer features, it doesn't have anything that's not included with IPVanish, supporting the evidence that they're just purchasing the white label service.
Most VPN kill switches leak during system reboot. Perfect Privacy was the only service that didn't leak at all in our testing.
Looking at the network traffic captured during a system reboot, we often observed full exchanges between our computer and Microsoft's servers. This occurs because Windows initializes its network interface before the VPN service has a chance to activate. This is concerning because the purpose of the kill switch is to prevent this behavior.
While the observed leaks were limited to communications with Microsoft, they reveal a race condition. This means that we can't predict if the VPN will reconnect before your downloads resume. Even if you test and confirm that the VPN reconnects before your downloads, it's risky to assume that behavior won't change in the future. Frequent and automatic software updates mean that a single update could change the startup delay of your VPN and leave you vulnerable to leaks.
We recommend that you don't solely rely on your VPN's kill switch. While you should still enable it, you should also configure your VPN client to launch at startup (even if it doesn't auto-connect) so that its kill switch can turn on as soon as possible. You can also consider using split tunneling to bind your download apps to use the VPN only to minimize the risk of leaks.
Unpredictable system startup behavior and the ineffectiveness of VPN kill switches could leave your torrent downloads exposed.
If we exclude the reboot scenario, five VPNs perform as expected and don't leak data:
These are the best choices if you want to remain protected in most scenarios. They ensure all traffic remains in the encrypted tunnel, prevent leaks if you lose your connection, and block traffic if the VPN app crashes. Keep in mind that for these to fully protect you, you will have to ensure your downloads don't automatically start at startup.
The concept of a basic kill switch is straightforward: it typically involves using firewall rules to block all internet addresses to and from the physical interface (wired or Wi-Fi).
VPNs manage and actively update their server addresses in case they change or go offline. While convenient, this means the VPN requires internet access, leaking your computer's DNS queries or IP address in the process. A properly implemented kill switch shouldn't require an internet connection, as that defeats its core purpose.
If you're willing to occasionally manually update the IP address of the VPN server you want to connect to, you can make a robust kill switch. It may work with the software client, but a headless setup ensures a connection to the same single server. It's challenging to create your own custom kill switch in Windows. We struggled to achieve this after two days of trying, so if you've managed to do it, let us know in the comments. That said, it's much easier to create one in Linux. There are many examples and guides online on how to do so.
We set up IPVanish on Linux (WireGuard), as this was the VPN that leaked the most on Windows. We added the above firewall rules, retested the same reboot scenario and voilà, no more leaks. Turn off the VPN and your internet connection is blocked. It's simple and restrictive, but it works.
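A rule set of the kind just described, added here as an example and not the article's own rules: an nftables kill switch for a WireGuard tunnel pinned to one server address, so nothing but the tunnel's own UDP flow can leave the physical interface, and no DNS is ever needed outside it. The interface names (eth0, wg0) and endpoint 203.0.113.10:51820 are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Generate an nftables kill switch for a WireGuard tunnel to one fixed endpoint (added example).
# Assumed names: physical interface eth0, tunnel interface wg0, endpoint 203.0.113.10:51820.
# gen_killswitch PHYS_IF TUN_IF VPN_IP VPN_PORT  prints the ruleset for: nft -f -
gen_killswitch() {
    phys=$1 tun=$2 vpn_ip=$3 vpn_port=$4
    cat <<EOF
# Re-create the table on every load so the script is idempotent.
add table inet killswitch
delete table inet killswitch
table inet killswitch {
    chain output {
        # Default drop covers IPv4 and IPv6 alike, so nothing slips out over v6 either.
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        # Anything already inside the tunnel is fine.
        oifname "$tun" accept
        # The only flow allowed off the physical NIC: WireGuard to the pinned endpoint.
        oifname "$phys" ip daddr $vpn_ip udp dport $vpn_port accept
        # Let the DHCP client renew its lease; it carries no application data.
        oifname "$phys" udp dport 67 accept
        # Deliberately no DNS rule on $phys: the endpoint is an IP, nothing needs resolving.
        # LAN admin access (e.g. SSH to this box) must be added here explicitly if wanted.
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        iifname "$tun" accept
        # Replies to the flows permitted above (the WireGuard handshake, DHCP offers).
        ct state established,related accept
    }
}
EOF
}

# Apply immediately:   gen_killswitch eth0 wg0 203.0.113.10 51820 | sudo nft -f -
# Survive reboots:     save the output as /etc/nftables.conf and enable nftables.service,
#                      which on Debian-based systems is ordered before network-pre.target,
#                      so the rules are in force before the interface comes up.
gen_killswitch eth0 wg0 203.0.113.10 51820
```

If the provider changes the server's address you must edit the endpoint and reload; until then the machine is simply offline, which is the behaviour the article asks of a kill switch.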
While undoing firewall rules is inconvenient, you could create a Linux virtual machine (VM) exclusively for downloads on your Windows computer, install your VPN with a custom kill switch on it, and have a very effective solution. We don't think there is a single, convenient kill switch that's also secure.
Unfortunately, a robust kill switch configuration likely means forgoing the ability to change servers easily or to split tunnel by app. That kind of flexibility requires a more complex and dynamic kill switch. While it's working out the new rules to apply, it likely needs to make a DNS call, which means internet access without the VPN connected. The software can try to block the other apps, but this is only effective if the VPN software is the first one to run, and our results have shown that Windows is always first by a long shot.
A good kill switch doesn't guarantee privacy. This is a delicate subject, and sadly, we cannot confidently evaluate it with our testing.
Privacy mostly relies on the VPN provider's internal policies and how they handle their infrastructure and your data. If a provider mishandles your data or doesn't have responsible privacy policies, even the most secure and robust VPN client is pointless.
Evaluating data and infrastructure practices would require us to have access to the production environment, the physical hardware, and the software code. That level of access would pose a security risk because it would give us the ability to tamper with the connections. Most of it is beyond our technical knowledge anyway; this is why VPN providers hire specialized auditing firms.
We currently don't validate the content of the encrypted traffic. It should be possible using mitmproxy, but it would require a lot of analysis to decrypt and analyze every packet. It may be something we consider for a one-off investigation and a write-up in the future.
We don't have the information to say whether any of these VPNs send unnecessary telemetry back or use it to sell statistics about customer habits. Some VPNs do have telemetry options turned on by default, but they state the data is only used internally.
We also found some outdated information for Bitdefender VPN, which means that reading the privacy policy or other legal documents is not a guaranteed way to ensure that they reflect a provider's current practices. The OpenVPN files for TunnelBear were also so old that the certificate expired during testing.
We wrote an article that covers privacy risks more broadly that we encourage you to read and share with those who are considering a VPN.
Be careful which VPN you choose to hide your activity online, as most don't provide the level of security you'd expect. Even if a VPN doesn't leak your browsing activity directly, many still leak information that can be used to identify you. Also, if your system restarts for any reason, you are left very vulnerable. If you don't want your traffic to leak, put in place your own safeguards and keep it simple, even if it appears redundant.
VPNs are intended to be one part of a layered approach to security, and you shouldn't rely on a single layer to offer complete protection. Instead, look for additional layers of security, like redundant safeguards and separate security measures. One simple but effective method is to move the VPN off your primary computer, as your PC contains sensitive personal information about you.
If you have a more advanced router (such as Unifi, pfSense, OPNsense, OpenWrt, etc.), you can configure your VPN on it instead. These routers should also allow you to set custom routes to your preferred VPN servers, acting as an effective kill switch for your whole network. This approach requires a bit more knowledge and much bigger headaches if the VPN service is down, resulting in your entire network going down. Fortunately, the risk isn't as high nowadays because you can use mobile data on your phone to check the VPN's service status or find troubleshooting advice.