VPNs and Defensive Computing

VPNs (Last updated: November 28, 2021)

New to VPNs? See my article An introduction to six types of VPN software from 2017. I also wrote A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers in 2016 which offers an introduction to VPNs and Tor. Seeing as this is a checklist website, what follows is a very short intro.

With a VPN, software on your computing device (computer, tablet, phone, etc) makes a secure connection to a VPN server computer. Once this "tunnel" is established, all data entering and leaving the computing device is encrypted. Thus, nothing that sits between your computing device and the VPN server computer (a router or an ISP) can spy on you at all. BLocking spying by an ISP is especially important in the US, where ISPs are allowed to spy on their customers and sell that data. For details on this see, Internet Service Providers Collect, Sell Horrifying Amount of Sensitive Data, Government Study Concludes by Karl Bode (Oct. 2021).

That a VPN hides everything from a router is how people in China can interact with the rest of the world. It is also how students in a school can bypass restrictions and see websites that teachers try to block.

In addition, other computers connected to the same network (LAN) as your computing device are also blind to what you are doing online. For this reason, a VPN should always be used on a public Wi-Fi network.

Some people have argued that since a "secure" website (using HTTPS) prevents others from reading the content of web pages, there is little need for a VPN. However, others can still tell which websites you visited. In some cases, just the website name gives away too much information. And, websites are not the only thing on the Internet. With mobile apps, for example, you can not tell if data is being transmitted securely or not.

In addition, a VPN will change your public IP address, so you can pretend to be in a different physical location.

Picking a VPN provider is mind bogglingly difficult. See one attempt and another and another and another and another and another. Even agreeing on the criteria to judge them with is impossible. I have my opinions on good/trustworthy VPN providers, email me for my suggestions. The big danger in picking a VPN provider that is not trustworthy is that they can spy on you, in the exact same way that an ISP can spy on you when you are not using a VPN.

There are four sections below: (1) Is the VPN working?, (2) Choosing a VPN - Features to look for , (3) Blocking Ads and Tracking while using a VPN and (4) an FYI on Location Hiding

Things to test before and after connecting to a VPN:

Public IP address: this should change after connecting to a VPN. Many websites will display your public IP address, among them ipchicken.com, checkip.dyndns.com, www.ivpn.net and checkip.synology.com.
It is one thing for your public IP address to change, it is another to actually be connected to a server run by your VPN provider. Some VPN companies have a tester page that reports whether you are connected to their service or not. Three companies that provide this information on the home page of their website, are OVPN, IVPN and Mullvad (see screen shot). ExpressVPN offers this service on their IP Address Checker page. TunnelBear has it on their Whats My IP page. When they say your IP address is exposed or public, it simply means you are not connected to their service. ProtonVPN and Windscribe do not offer this service at all.
DNS Servers: DNS is a critical foundational technology on the Internet. DNS servers translate the name of a computer into an IP address. It is very dangerous to use unknown DNS servers. Malicious DNS servers can take victims to scam copies of websites and trick them into entering passwords. Every VPN provider offers their own DNS servers so you should see a change after connecting. Your VPN provider should be able to tell you what DNS servers they use, so you know exactly what to look for.
Detecting a change in DNS servers: The hard part about verifying a change in DNS is that a computing device can get its DNS configuration from many different places. The Operating System has an opinion, the router has one, each WiFi network can have its own opinion and so can each web browser. If you have a web browser that is not configured to use secure DNS (second generation DNS) then there are assorted online testers that display the currently in-effect DNS servers. My Router Security website has a page devoted to DNS that links to many of these tester sites. If a web browser is using secure DNS that seems to over-ride everything and you will not see a difference when connected to a VPN. On Windows and macOS, the nslookup command (for ex: nslookup cnn.com) reports on the DNS servers and runs outside a browser. Or, you can dig into the details of the WiFi connection to see what DNS servers it is using (outside of a browser). Whew.
One of the big reasons to use a VPN is to hide your true public IP address. This conflicts with the WebRTC software in most web browsers. After connecting to a VPN, you want to test that WebRTCis disabled in your web browser. Many VPN providers offer a WebRTC tester page, for example, Mullvad has a Connection check and OVPN has a WebRTC leak test. More WebRTC tester pages are on the Test your Router page of my RouterSecurity.org site. Last I checked, both Safari and Chrome do not support WebRTC on iOS. See also How to disable WebRTC in Firefox? from PrivacyTools.io.
IPv6: Personally, I have no use for IP version 6. To me, it is a potential avenue for data to leak out of your computer without going through the VPN tunnel. Some VPN client software lets you disable IPv6, some does not. You can test if IPV6 is alive and well at test-ipv6.com. Good results on this test are "No IPv6 address detected" and "You appear to be able to browse the IPv4 Internet only. You will not be able to reach IPv6-only sites.". The Microsoft tester at ipv6.msftconnecttest.com does not produce error messages, it simply fails to load. To me, this is a good result.
May be too much work: If you really care that the VPN is doing what it should, then I suggest running a program that logs all DNS requests. You should see some before the VPN connection is made and then none afterwards. Doing this all the time may be overkill, but it is worth doing the first few times you use a new VPN service or the first few times using a new version of the VPN client software. On Windows, I suggest two DNS logging programs from Nir Sofer. Both are free and portable. DNSLookupView works only on Windows 10 and 8.1 (see sample). DNSQuerySniffer works on any version of Windows (see sample). They display slightly different data as the source of the data is quite different. For example, DNSQuerySniffer shows the target DNS server (Destination address) so you can if software queries a DNS server other than the one everyone else is using (don't ask). DNSLookupView shows the process that made the DNS request.
Finally: Be aware that after making a connection to a VPN server, all communication from your computing device is unlikely to immediately use the VPN. Best to wait a minute or two to let existing sockets/connections time out. To see this for yourself requires access to the router, but then, most routers do not display the details of individual sockets. My preferred router, the Pepwave Surf SOHO does. iOS does not handle this issue well. A bug was first reported by ProtonVPN in March 2020 for iOS version 13. See VPN bypass vulnerability in Apple iOS. They say the bug is only half fixed in iOS version 14.

To the rest of the world, you judge a VPN by speed, price, logging and the number of servers. All of these criteria are wrong.

Custom DNS: Most VPN companies insist that you use their DNS services. A few let you choose, which means you can use a DNS provider, such as NextDNS which makes it easy to carve out exceptions to the blocking rules.
1. IVPN offers custom DNS
2. Mullvad introduced their custom DNS feature in April 2021. Note that it only allows you to enter an IP address and thus is not a good fit for NextDNS which lets you enter a DoH or DoT server name.
3. The August 2021 ExpressVPN writeup on this makes no sense at all
4. ProtonVPN does not support customized DNS
5. On Android, there is no need for a custom DNS feature. The Private DNS feature over-rides a VPN and gives you total control.
Avoid free VPNs. More specifically, avoid VPNs that are always free. Some commercial VPN providers offer limited accounts for free. If you can't pay, use the free service from ProtonVPN, TunnelBear or Windscribe. On iOS, there is also a free version of the Guardian Firewall + VPN app.
One downside of a VPN, compared to Tor, is that the VPN company normally knows who you are. Even Mullvad, which takes no personal information at all when creating an account, knows who you are when you pay with a credit card. To prevent that, look for a VPN provider that takes cash, Bitcoin or gift cards. Many do. Another option is to simply have someone else pay for the service with their credit card. All that said, if you connect to the service from your home, the public IP address of your home can be used to identify you, if the VPN company is either malicious or forced to do so by their government.
One consideration in choosing a VPN provider is their client software. I suggest looking for a VPN provider whose client software is Open Source, which means that anyone can review it. ProtonVPN, Mullvad and IVPN created their own software and made it open source. Many VPN companies will let you use Open Source OpenVPN software on your computing devices.
Sometimes using a VPN you may want as much privacy as possible. Other times, you may care more about speed. If so, look for VPN client software that shows you how busy a VPN server is before you connect to it. If you want privacy, pick a busy server where its easier to get lost in the crowd. The ProtonVPN client software does this, Mullvad does not. Freedome is designed to be as simple as possible, it hides all server information. Perfect Privacy provides this information on a web page.
Who owns the VPN company?
1. Kape: In September 2021, Kape Technologies purchased ExpressVPN. They already owned CyberGhost, ZenMate and Private Internet Access (PIA). See Former Malware Distributor Kape Technologies Now Owns ExpressVPN by Sven Taylor. Kape also owns VPN review websites vpnmentor.com and wizcase.com.
2. J2Global owns IPVanish, StrongVPN and PC Magazine which reviews VPNs.
3. Some VPN companies are very clear about their ownership: IVPN (March 2021): Who owns your VPN? You should find out. Mullvad (September 2021): The ownership and future of Mullvad VPN. ProtonVPN (undated): Who owns ProtonVPN and OVPN (undated): Who are the people behind OVPN?.
4. Clearly, security company F-Secure runs the Freedome VPN.
5. The About Us page for Surfshark avoids the issue of ownership.
6. The About us page for Astrill says "We are a registered Seychelles company". It does not mention anything else about the company and it says nothing about any of the people involved.
7. The About Us page for TunnelBear has just cartoon pictures of bears. As of March 2018, TunnelBear was owned by McAfee. This despite McAfee offering their own VPN. In November 2021, McAfee agreed to sell itself to a group of Private-Equity investors (Advent International, Permira Advisers, Crosspoint Capital Partners, Canada Pension Plan Investment Board, GIC Private Limited and a subsidiary of the Abu Dhabi Investment Authority).
8. Hidden VPN owners unveiled: 104 VPN products run by just 24 companies by Jan Youngren of VPN review website VPNpro (Oct 2021).
Many VPN companies rent their servers. It is more secure if the VPN provider owns their servers. Many VPN companies use a VPS (Virtual Private Server). It is more secure to not use virtualization (called a bare-metal server or a dedicated server). It is also more secure if a VPN server runs totally in RAM and never writes to the hard disk (called RAM-disk mode). Most VPN companies are mum on these points. A good survey on these two points is at Restore Privacy. It says: ProtonVPN and VPN.ac use dedicated bare-metal servers, all ExpressVPN servers use RAM-disk mode, Perfect Privacy uses bare-metal servers running in RAM-disk mode, OVPN uses dedicated bare-metal servers running in RAM disk mode, that they own. Mullvad owns some of their servers but most are rented.
As noted in the Android topic, Exodus reports on trackers and permissions of Android apps. VPNs with no trackers: ProtonVPN, Freedome, Mullvad, OVPN and IVPN (note that the number of permissions each app requests vary quite a bit). ExpressVPN has 2 trackers, Tunnelbear and Windscribe have 1 and NordVPN has 4. Last Checked October 2021.
We can make some judgments about a VPN company (not the service) from the tracking, or lack of it, on their website. In August 2019, Yegor of Windscribe discussed this: Shattering the Grand Illusion of Cookie Flavored Lies. I expanded on the topic in Nov 2019: Judging a VPN by its website. Then, in August 2021, Alfred Ng of The Markup covered this: How Private Is My VPN?. None of these articles looked at a large number of websites. That said, the winners were ProtonVPN, Mullvad, IVPN, Windscribe and AirVPN.
Kill switch. This is a feature in some VPN client software that looks for a failed VPN tunnel connection and blocks all data leaving the computer until the VPN tunnel is restored. This exists to insure your public IP address is not made available to the Internet. At home, its important, at a coffee shop, not as much. But, what if the VPN client software itself fails? Most likely, this kills the kill switch software too. Few VPN providers will go into the techie details of their kill switch. IVPN does here. The article is poorly written, however, its not clear if it only applies to Windows or not. As of May 2021, ProtonVPN on Windows has two different types of kill switches.
Access to the LAN. The focus of any VPN is on Internet access, but the LAN side is also dangerous. If the router allows it, your computing device can be attacked by other users of the same network. Local bad guys might target open TCP/IP ports on your device or take advantage of bugs in the operating system. I blogged about this in August 2021: Hiding on a Wi-Fi network. The rare feature is an option in the VPN client software that will cut you off from other devices on the Local Area Network (LAN). Bad guys can not attack a computer they can't see. Mullvad on Windows calls this "Local Network Sharing". Windscribe on Android calls it "Allow LAN traffic" (in my Windscribe tests this feature did not work). In their Android app, IPVN calls it Bypass VPN for local networks. In their Windows, macOS and Linux software IVPN calls it Allow LAN traffic when IVPN firewall is enabled. In October 2021, Sean Gallagher, writing in Ars Technica said: "I use VPNs for very specific purposes - namely, to keep the virtual machines I use for malware hunting segmented from the rest of my network ..." In September 2021 we learned of a bug in the ARRIS TG2492 router that could leak the public IP address of a computer that was connected to a VPN. The only defense (Virgin Media has not fixed the bug for 2 years) is to block LAN side access while the VPN is active. Sadly, no review of any VPN ever considers this feature. To test this, after connecting to a VPN, run a LAN scanning app such as Fing. In the best case, you will only see your device and the router.
Marketing honesty: Many VPN companies make vague promises of security, privacy and anonymity. This is stretching things. Look for a VPN company that is very clear about exactly what a VPN can and can not do.
A VPN based in the United States would be my last choice. After all, it the was the US that let ISPs spy on us in the first place. And, Snowden. Granted, this is a matter of opinion.
Installation instructions: Most of the time, you have to install software to use a VPN. The instructions provided by the VPN companies differ greatly. I have seen companies that document every step of the install and others just say run the file you downloaded. You should be able to find the installation instructions on the website of the VPN company.
Wrong criteria: Judging a VPN provider by the number of servers they have is wrong. Its like saying a Toyota is better than a Rolls Royce because there are more of them on the road. More is not better. As noted above, all VPN servers are not the same. And, companies that own their own servers will have fewer than those that just rent a VPS.
Wrong criteria: Judging a VPN by speed tests is wrong. The purpose of a VPN is privacy, and for this, we give up some speed. Judging privacy is hard, running speed tests is easy. And, speeds vary all the time, you have to live with a VPN provider for a while before you can form an opinion on their speed. Finally, we all have different speed requirements.
Wrong criteria: Logging. Pretty much all VPN companies claim not to log and it is close to impossible to prove.

As a rule, the job of blocking ads and/or trackers falls to your web browser and its extensions. But some VPNs can do this too. One advantage of VPN blocking is that it applies to the entire operating system, not just one web browser. If you connect to one of these VPNs from a router, it can block ads/tracking on any device connected to the router. The downside of any such blocking (in a browser or a VPN) is carving out exceptions to the rules.

These VPNs do blocking:

IVPN calls their tracker blocking feature AntiTracker.
ProtonVPN calls their ad/tracker blocking feature NetShield. It uses DNS filtering to protect you from malware, blocks ads, and prevent website trackers from following you around the web. It is only available to paid customers.
In April 2021, Mullvad added support for custom DNS server configuration on macOS, Windows, Linux and Android. This can be used with an assortment of DNS providers that block ads/trackers. In May 2021, they introduced ad blocking How to set up ad blocking in our app. In June 2021, ad and tracker blocking was a new feature in their iOS app (How we’re knocking down ads and tracking. They also offer ad blocking for free to anyone, not just their customers, via their secure DNS service. DNS over HTTPS and DNS over TLS (July 2021).
At Perfect Privacy, their TrackStop feature blocks ad-tracking and phishing.
The Disconnect Privacy Pro SmartVPN blocks trackers on iOS. Their Premium VPN blocks trackers on iOS, Android and macOS.
Windscribe VPN offers what they call a "One-of-a-kind customizable server-side domain blocking tool" that blocks ads and trackers. And, you can customize it. They call the feature R.O.B.E.R.T.
The Freedome VPN from F-Secure blocks trackers on iOS, Android, Windows and macOS.
The Guardian Firewall + VPN app on iOS "blocks digital trackers from secretly collecting your information." It is from the Sudo Security Group. For free, their VPN service alerts about tracking but does not block. I wrote about it in August 2019.
On Android, there are three versions of the Blokada ad-blocker. The free version that blocks ads is not allowed in the Play Store. It installs a VPN, but only to block ads by intercepting DNS requests. There was a trivial version in the Play Store that also installed a VPN but all it did was modify the DNS servers. Currently (Feb.2020) the version in the Play Store is called Blokada Slim and it combines the older DNS changer with a fairly new, real, VPN called Blokada Tunnel which costs 5 Euros/month (roughly $5.50 in US dollars). Great feature: customized white and black lists.
Coming: AdGuard VPN (Jan 2020). They are writing a new VPN protocol, which is not a good sign.
Android 9, 10 and 11: There is an interesting conflict between a VPN and the Android Private DNS feature. Each wants to be in charge of the system-wide DNS. In a test of Android 10 with three VPN providers, Private DNS won out every time. This was not a DNS leak, the DNS requests went through the VPN tunnel and the Private DNS resolver sees requests coming from the VPN server, not from the VPN client. However, in a test with Android 9, the VPN DNS won out. Beats me why. If Private DNS wins, and you use NextDNS, then any VPN can be used alongside the ad and tracker blocking from NextDNS. The best of both worlds. I tested with multiple DNS testers on my RouterSecurity.org site.

All VPNs claim to hide your physical location and/or let you appear to be somewhere else. In the old days this was sold for the anonymity it offered. Later, it was sold so that people in the US could listen to the BBC. It stems from the fact that, with a live VPN connection, all data going to/from the Internet passes through the VPN server. Your pubic IP address is that of the VPN server not your home or office.

But the claim predates smartphones, spy machines that they are. A smartphone can locate itself using GPS, Wi-Fi, cell tower location and probably even Bluetooth (not sure). I have tested Wi-Fi based locating and found it extremely accurate. So, if the phone knows where you are, who is to say whether it leaks this information to the outside world. And the outside world, on a phone or a desktop computer, is not just websites. Modifying your public IP address is not the be-all and end-all that it used to be. It is still a good thing, but it may no longer be sufficient.

If hiding your location is really important, use a device without Wi-Fi or GPS or Bluetooth. On a smartphone or tablet, disable them and hope the phone operating system honors your request. On a cellphone, airplane mode should prevent it from contacting cell towers. I say "should" because I don't know how to verify this. Even if you can not make or receive a phone call, that does not insure that the phone is not communicating with a cell tower. After disabling Wi-Fi, GPS and Bluetooth, re-boot the device to insure that it is not still using a recently detected location.

Clearly, Ethernet is your friend here. iPhones and iPads can use Ethernet with an appropriate adapter. Likewise there are USB type A and USB type C adapters for Ethernet that can be used with any computing device with a USB port.

To put this in perspective, the strongest option is preventing the operating system from knowing where it is. If this is not possible, then you need to try and prevent the operating system from giving the location to applications and to web browsers. In the case of browsers, there are probably configuration options in both the browser and the operating system for this. For more on this, see the Location Tracking topic on the main page.

Windows 10, for example, offers OS level configuration options for Location in System Settings -> Privacy -> Location. In the resulting panel, insure that everything is off. On a lower level, Windows users should probably disable the Windows Geolocation service (a.k.a. lfsvc). The description says that it "...monitors the current location of the system and manages geofences (a geographical location with associated events). If you turn off this service, applications will be unable to use or receive notifications for geolocation or geofences." There may be a down side to disabling this service, I have not tested this extensively. But, I doubt it.

As an example of browser location settings, consider the Location settings for the Chrome browser (the screen shot is from Chrome 93 on Windows). You can access the location settings directly at chrome://settings/content/location. Here is where you control whether the Chrome browser is allowed to tell websites the location of the computer/phone/tablet. The assumes that the operating system and the browser already know the location. One slip-up in configuring this and a VPN can no longer hide your location from a website.

An article on this: How does my browser know my real location when I'm on a VPN? by pcwrt (January 2021).

I have yet to see any VPN provider mention that location blocking should be configured in both the operating system and the web browser that you use. That would burst their marketing bubble.

Fighting with the operating system and the browser is complicated, error prone and, even if done right, involves some trust that the software is doing what its told. The safer approach is to insure the operating system can not learn its location in the first place. Ethernet is your friend.