• 0 Posts
  • 81 Comments
Joined 8 months ago
cake
Cake day: April 13th, 2024

help-circle

















  • Why the IP leaks or not is entirely dependent on each user’s individual opsec… how you are connecting to the VPN, potentially your firewall/routing table setup, how the browser interacts with it etc.

    You said “if I do the same with VPN, i see that my ip address isnt in that payload”, but then you said ipleak.net does leak, but that you “followed information” from thehackernews.com before using ipleak.net, which from what I read seemed to just say “connect to expressvpn and run the test”… is that actually what you were doing? Were you using expressvpn the whole time or did you switch to just that one for the ipleak.net test or something? It’s not clear to me.

    The bottom line is that the IP can only leak if you let it. Regardless of how the VPN is accessed, whether that’s via a browser configuration (extension or proxy setting) or an OS-level layer3 tunnel (managed by a separate app or the OS itself), a misconfiguration or misunderstanding of how those work could cause the leak and there’s no fool-proof way for a web page to do anything about that. If you really want no leaks, then the user must actively choose to block all internet connections to anything BUT the VPN (and regularly test/verify that it works), some call this a “kill switch” although I really dislike the term.

    As for the “enforce VPN” option… depending on your definition of “VPN” in the context of your app, IMO you simply can’t do anything reasonably useful here. There are so many ways to mask your IP that there is no definitive way for a web page to know with any certainty that the user is “connecting via a VPN”, which some might say is impossible to quantify anyways. At best you might be able to use very flawed methods like scanning known IP ranges of well-known VPN providers, which IMO does not count as “detecting a VPN”, and even worse, doesn’t help with any sort of leak. I could be tunneling through tor, a neighbor’s wifi, ssh, or remote desktop or something for all you know. Does any of that count to you?