TechLife Australia

A more secure VPN

Making sure your VPN service is as secure as can be, with Nathan Taylor.


Most of us who subscribe to VPN services tend to put a lot of faith in them. We’re prepared to route our data through a third party that likely has our personal information, knows our IP, and who can see all the data coming from our home network.

On top of that, VPN technology itself is not flawless. There are several kinds of leaks possible, where unencrypted data spills outside the link, allowing hackers to monitor and see your traffic.

So how do you make sure your VPN service is as safe as possible? Let’s take a look at some of the key ways.

No logs policy

You should start with the VPN provider itself. You have to take it on some faith that they are legitimate, and will do what they say they will do with your data. But you should also check their stated privacy policies.

A big one you want to look out for is a no logs policy. If your VPN provider doesn’t have one, then you should drop that VPN provider – or at least examine what logs it does keep.

Logs are metadata records of your online activities (when you connected, who you connect to), and for maximum security you want none kept anywhere. That way they can’t be hacked into, subpoenaed, or handed over to overly inquisitive government agencies.

Anonymous accounts

Another good sign the VPN provider is serious about security is that they provide anonymous account options, including sign up options that require no email or mobile phone number, and anonymous payment options like cryptocurrencies. In the last issue we did discuss some ways to pay for things anonymously online, but a good VPN provider should provide those options out of the gate.

Keep using end-to-end encryption

Even while you’re using the VPN, take the kinds of precautions you normally would, and continue to use end-to-end encryption.

It’s still a good idea to have HTTPS Everywhere (www.eff.org/https-everywhere) or Disconnect (disconnect.me) running in your browser, for example. These force HTTPS connections where possible, and that will ensure that even your VPN provider cannot read your data.

Using the right protocol

A number of VPN providers let you choose your encryption protocol when you connect, and you’re likely to be hit with a barrage of scary acronyms: L2TP, IPSec, PPTP, SSTP and so on.

You don’t really need to know what they all mean, but it is useful to know which you should choose, since not all of them have the same level of security or speed. In general, OpenVPN is the gold standard for security, and should probably be most people’s first option. IPSec/L2TP, IKEv2/IPSec and SSTP also have very strong encryption, and are generally considered secure.

The one real danger option is PPTP, which only has 128-bit encryption and vulnerable handshake protocols. It’s an older protocol that has been compromised, and while it does provide some security from low-level hackers, governments and well-resourced criminal organisations will have little problem defeating it.

Enabling the kill switch

One of the big dangers when using a VPN is that the VPN connection might suddenly disconnect for some reason. Perhaps because of a brief internet outage, or some problem with your PC or on the side of the VPN provider. If that happens then your PC will automatically switch back to its regular, unsecured internet connection – and you might not even know it, going on and continuing to do whatever you were doing, blissfully unaware that your connection is no longer private.

Enter the kill switch. Many VPN clients have a ‘kill switch’ option, which is useful to turn on. What a kill switch does is stop all internet activity if the VPN connection goes down. That way, you can’t accidentally continue to use an unsecured connection.

Some clients allow additional options as well. NordVPN and several others, for example, enable an application kill switch that will shut down specified apps if the connection goes down. For example, if you use BitTorrent over VPN, you might set it to shut down your BitTorrent client in case of VPN outage.

A similar effect can be achieved with the excellent but dated third-party tool VPNetMon (vpnetmon.50webs.com), which allows you to specify apps that will launch when you connect to a VPN and shut down when you disconnect. VPNKS (vpnks.nswardh.com) provides similar options.

Preventing IPv6 leaks

Although most of the world’s internet traffic still uses version 4 of the Internet Protocol, there is a more recent version of IP: IPv6. IPv6 is better than IPv4 in pretty much every way, except that everybody uses IPv4 and convincing the entire world to switch over has proven impossible. Still, your PC will likely support IPv6, just in case. And that can be a problem for VPNs.

Your VPN service will only encrypt your IPv4 traffic. But if you connect to a site using an IPv6 address and therefore the IPv6 protocol, then you have a leak, since that data will not be encrypted. Attackers can subtly use this: for example, putting a link to an IPv6 address on a web page.

As a consequence most VPN providers put IPv6 leak protection into their software, and you should switch it on if it’s not on by default. This typically disables IPv6 while you’re using the VPN, routing all IPv6 data in a ‘black hole’.

As an alternative you can disable IPv6 manually. In Windows 10, go to Settings – Network & Internet and click on either Ethernet or Wi-Fi, depending on which you’re using. Click on your connection name and scroll down to IP settings. Click on the Edit button and find the IPv6 toggle and switch it to off. It probably won’t affect your internet usage one bit, at least until IPv6 finally becomes a thing.

Stopping DNS leaks

By default, when you connect to a VPN, you should also automatically use your VPN provider’s DNS servers, which will provide the same anonymity as the rest of the connection. But sometimes a PC doesn’t obey the rules, and will send a DNS request to your regular DNS server – which will be unencrypted and unsecured.

So, in a fashion similar to IPv6 protection, many providers offer DNS protection, which blocks rogue DNS requests from being made while you’re connected to the VPN. Again, this is something you should switch on by default if it’s not already. It’s just another one of those little things, those little vulnerabilities that you need to be aware of with VPNs – as always, security requires vigilance and you can never take it for granted.
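To see where a Windows 10 PC stands on both the IPv6 and DNS leak paths described above, the following PowerShell audit is an added example, not part of the original article or any VPN provider's software. It is read-only and assumes you pass the name of your VPN adapter as shown by Get-NetAdapter; 'VPN-ADAPTER-NAME' and 'Wi-Fi' are placeholders.

```powershell
# Added example (not from the article). Audits the adapters that are currently up
# for the IPv6 and DNS leak paths described above. Read-only: it changes nothing.
# $VpnAlias is an assumption: the name of your VPN adapter as listed by Get-NetAdapter.
function Get-VpnLeakAudit {
    param([Parameter(Mandatory)][string]$VpnAlias)

    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        $isVpn = $nic.Name -eq $VpnAlias

        # ms_tcpip6 is the component ID of the IPv6 protocol binding on an adapter.
        $bind = Get-NetAdapterBinding -Name $nic.Name -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue
        $v6Bound = [bool]($bind -and $bind.Enabled)

        # Link-local fe80:: addresses never leave the local link, so they are ignored.
        $otherV6 = @(Get-NetIPAddress -InterfaceAlias $nic.Name -AddressFamily IPv6 -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -notlike 'fe80*' } | ForEach-Object IPAddress)

        # Resolvers configured on this adapter, IPv4 and IPv6 together.
        $dns = @(Get-DnsClientServerAddress -InterfaceAlias $nic.Name -ErrorAction SilentlyContinue |
            ForEach-Object ServerAddresses | Sort-Object -Unique)

        $notes = @()
        if (-not $isVpn -and $v6Bound -and $otherV6.Count -gt 0) {
            $notes += 'IPv6 is live outside the VPN adapter'
        }
        if (-not $isVpn -and $dns.Count -gt 0) {
            $notes += 'non-VPN resolvers configured; check that DNS leak protection is on'
        }
        if ($isVpn -and $dns.Count -eq 0) {
            $notes += 'VPN adapter has no DNS servers of its own'
        }

        [pscustomobject]@{
            Adapter    = $nic.Name
            IsVpn      = $isVpn
            IPv6Bound  = $v6Bound
            IPv6Addrs  = $otherV6 -join ', '
            DnsServers = $dns -join ', '
            Notes      = $notes -join '; '
        }
    }
}

# 'VPN-ADAPTER-NAME' is a placeholder; substitute the real adapter name.
Get-VpnLeakAudit -VpnAlias 'VPN-ADAPTER-NAME' | Format-List

# To unbind IPv6 from one adapter from an elevated prompt (undo with Enable-NetAdapterBinding):
# Disable-NetAdapterBinding -Name 'Wi-Fi' -ComponentID ms_tcpip6
```

Run it once with the VPN connected and once disconnected; a note on a non-VPN adapter is a prompt to check the client's leak protection settings, not proof that traffic is leaking.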

OpenVPN is generally considered the most secure, and many VPN providers only give that option now.
HTTPS Everywhere ensures that most of your web browsing will be encrypted.
VPNetMon is a little long in the tooth, but it still works.
Turn on the kill switch to ensure you don’t accidentally use an insecure connection.
Switch IPv6 off altogether.
