
Preventing Network and DNS Traffic Leaks

A traffic "leak" is when network traffic that should only ever travel over a VPN connection instead travels over the normal network connection, thereby potentially exposing the contents of the traffic to others. This could also potentially expose your true IP address to the services you are connecting to. For the vast majority of VPN users, network and DNS leaks are not a concern. This article has been written for users who connect to VPN Service Providers, with all traffic directed over the VPN connection, and who are concerned about the possibility of a leak occurring.

We are currently working on adding a feature to Viscosity to easily block traffic leaks from occurring. We hope to have such a feature available in a future version of Viscosity; however, please be aware that this is not something that will be available soon. In the meantime this article details how you can manually set up Viscosity to prevent traffic leaks from occurring.

Traffic Leak Introduction

Most VPN Service Providers configure their VPN setup to direct all network traffic over a VPN connection while it is active. However, in some situations, or for poorly configured setups, network traffic can potentially travel over the normal network connection even while the VPN connection is active. Traffic leaks typically fall into two categories, depending on how you deal with them: network leaks and DNS leaks.

A network leak can occur due to a poorly configured VPN setup (where not all traffic is routed correctly through the VPN connection), or during periods where the VPN connection is not active (for example a dropout has occurred and the VPN connection is in the process of reconnecting). To prevent network leaks it is necessary to ensure that all traffic is correctly flowing through the VPN connection when it is active, and to block network traffic from using the normal network connection when it is not active.

A DNS leak occurs when DNS requests are made to a DNS server on the local network (instead of to a DNS server over the VPN connection), potentially exposing which sites or servers your computer is accessing. This is easily avoided by overriding your local DNS servers with DNS servers that are accessed through the VPN connection.

Checking All Traffic Is Routed Over The VPN Connection

The first step to ensuring that there are no network leaks is checking that all traffic is being directed through your VPN connection while it is connected. This can be done by examining the routing on your computer while connected:

Mac OS X

  1. Connect your VPN connection using Viscosity.
  2. Open the Terminal application. This can be easily done by entering "Terminal" into the Spotlight search field. It can also be found at "/Applications/Utilities/Terminal.app".
  3. Enter the command "route get 0/1" and press Enter. Make a note of the "interface" entry.
  4. Enter the command "route get 128.0/1" and press Enter. Make a note of the "interface" entry.
  5. If both of the interfaces returned above start with "tun" or "tap", all traffic is flowing through the VPN connection by default.
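The same check can be scripted so it does not depend on reading the "route get" output by eye. The script below is an added example and not part of the Viscosity article: it extracts the "interface" entry from the two "route get" outputs and reports whether both halves of the address space leave via a tunnel interface. The sample outputs embedded in it are constructed, and the utun3/en0/10.8.0.5 values are assumed.

```shell
#!/bin/sh
# Added example (not from the Viscosity article): parse "route get 0/1" and
# "route get 128.0/1" output on macOS and report whether both halves of the
# default route use a VPN tunnel interface.

# Extract the "interface:" field from one "route get" output (read from stdin).
route_iface() {
    sed -n 's/^[[:space:]]*interface:[[:space:]]*//p' | head -n 1
}

# Viscosity tunnels appear as tun*/tap* (as the article says); newer macOS
# releases name the same tunnel interfaces utun*, so accept that prefix too.
is_vpn_iface() {
    case "$1" in
        tun*|tap*|utun*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the two "route get" outputs as arguments, print a verdict and return 0
# only when BOTH 0/1 and 128.0/1 leave via a VPN interface.
check_default_routes() {
    low=$(printf '%s\n' "$1" | route_iface)
    high=$(printf '%s\n' "$2" | route_iface)
    if is_vpn_iface "$low" && is_vpn_iface "$high"; then
        echo "OK: 0/1 via $low, 128.0/1 via $high (all traffic goes through the VPN)"
        return 0
    fi
    echo "LEAK RISK: 0/1 via ${low:-?}, 128.0/1 via ${high:-?}"
    return 1
}

# Live check (only meaningful on a Mac while the VPN is connected):
#   check_default_routes "$(route get 0/1)" "$(route get 128.0/1)"

# Constructed sample outputs so the script can be exercised offline.
SAMPLE_VPN='   route to: 0.0.0.1
destination: 0.0.0.0
       mask: 128.0.0.0
    gateway: 10.8.0.5
  interface: utun3
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>'

SAMPLE_LAN='   route to: 128.0.0.1
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>'

check_default_routes "$SAMPLE_VPN" "$SAMPLE_VPN"
check_default_routes "$SAMPLE_VPN" "$SAMPLE_LAN" || true
```

The second call in the demo shows the case the article warns about: the upper half of the address space still leaves via the normal interface (en0), so traffic to those destinations would bypass the VPN.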

Windows

  1. Connect your VPN connection using Viscosity.
  2. Open Command Prompt. This can be done by pressing Windows + R, typing 'cmd' into the Run dialog and clicking OK, or by going to Start, typing 'cmd' into the search field and opening Command Prompt.
  3. Enter the command "tracert 1.2.3.4" and press Enter. Let the first hop complete, and take note of the IP address that appears on the right. You can press Ctrl+C to cancel the tracert once the first hop is complete.
  4. Open the Viscosity Details window and select the active connection. If the Client IP that appears in the details window matches, or the first three octets (first three dot parts) of the IP match, all traffic is flowing through the VPN connection by default.
  5. If not, type 'route print' into command prompt and locate the IPv4 Route table. If you can locate the IP address returned by tracert under Network Destination, and the Interface value is the same as the Client IP displayed by Viscosity, all traffic is flowing through the VPN connection by default.

If you find that not all network traffic is routed through the VPN connection, you can change this behaviour like so:

  1. From the Viscosity menu select Preferences to open Viscosity's Preferences window.
  2. Select your connection from the Connections list and click the Edit button.
  3. Click on the Networking tab. Tick the "Send all traffic over VPN connection" checkbox.
  4. Click the Save button.

Preventing Network Leaks When A Drop-out/Disconnect Occurs

If a VPN connection drops, your computer may use your normal network connection until the VPN connection is re-established. In most cases this is desired behaviour; however, to prevent network leaks it is recommended that all traffic is blocked when a drop-out or disconnect occurs. This can be achieved via routing or scripting. For either of these techniques to work correctly, please ensure the "Reset network interfaces on disconnect" option is disabled under Preferences -> Advanced.

Routing Technique

Please note this method does NOT work on Windows Vista and higher, and only works on some setups on Windows XP. Please test any method you implement.

The routing technique is the easiest to implement, and takes effect instantly when a drop-out occurs. However, restoring your network connection afterwards can sometimes be a bit fiddly. This technique involves overriding your computer's default route, so that when the VPN connection disconnects the default route is torn down, leaving you with no network connectivity and no possibility of network leaks. You can implement this like so:

  1. From the Viscosity menu select Preferences to open Viscosity's Preferences window.
  2. Select your connection from the Connections list and click the Edit button.
  3. Click on the Networking tab. In the Routing area click on the small "+" button to add a new route.
  4. Enter "0.0.0.0" into the "Destination" field and "0.0.0.0" into the "Mask/Bits" field. If you are routing just single IP addresses the Mask field can be left blank.
  5. Select "VPN Gateway" from the Gateway menu.
  6. Click the Add button to add the route.
  7. Click on the Advanced tab. On a new line in the advanced commands area enter "remap-usr1 SIGTERM" (without quotes).
  8. Click the Save button.

When your VPN connection disconnects (as a drop-out or manually) all network traffic on your computer should now be disabled. To regain network access you'll need to disable and re-enable your network connection. For a Wi-Fi connection you can do this by turning it Off and On again from the Airport menu on Mac, or Disconnecting and Connecting again from the Wi-Fi menu on Windows. For an Ethernet (wired) connection you can either unplug and plug in your network cable again, or make it Inactive and Active again in the Network section of System Preferences on Mac, or Disable then Enable the adapter on Windows. Alternatively this process could be automated with a Before Connect Script on Mac or Windows.

Scripting Technique

Viscosity supports running custom scripts before a VPN connection connects, when it becomes connected, and when it disconnects. This can offer a more seamless solution than the routing technique above, however it requires advanced network knowledge. Documentation for writing scripts and using Viscosity's scripting support can be found in the Running AppleScripts When Connected/Disconnected article for Mac and the Running Batch/VBS Scripts when Connected/Disconnected article for Windows.

The following is a simple example of a Disconnected script for Mac OS X. It will disable the network interface named "Ethernet" when a drop-out or disconnect occurs. "Ethernet" should be replaced with the name of your normal network interface (typically "Wi-Fi" for a wireless interface and "Ethernet" for the wired interface), and "username" and "password" with the credentials of an administrator account.

do shell script "networksetup -setnetworkserviceenabled 'Ethernet' off" user name "username" password "password" with administrator privileges


The following is a simple example of a Disconnected script for Windows. "Ethernet" should be replaced with the name of your normal network interface (typically "WiFi" for a wireless interface or "Ethernet" for a wired interface). Because advanced commands like netsh require elevated privileges, Viscosity must be run as Administrator for this command to work; otherwise you will need a third-party tool such as RunAs or psexec to supply the username and password of an administrator account on the command line.

netsh interface set interface "Ethernet" admin=DISABLED


To ensure the Disconnected script runs when a VPN drop-out occurs it is necessary to do the following:

  1. From the Viscosity menu select Preferences to open Viscosity's Preferences window.
  2. Select your connection from the Connections list and click the Edit button.
  3. Click on the Advanced tab. On a new line in the advanced commands area enter "remap-usr1 SIGTERM" (without quotes).
  4. Click the Save button.
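The scripts above hard-code the service name ("Ethernet" or "Wi-Fi"). The shell script below is an added example, not Viscosity's own script, showing a Mac helper that looks the service name up from the device name (en0, en4, ...) instead, so the same script works on machines where the service is called something else. It assumes it is invoked from Viscosity's AppleScript Disconnected hook via "do shell script ... with administrator privileges" (to turn the service off) and from the Before Connect hook (to turn it back on); the wrapper name netservice_toggle.sh and the device names in the constructed sample output are assumptions.

```shell
#!/bin/sh
# Added example (not Viscosity's own script): a Disconnected / Before Connect
# helper for macOS that maps a device (e.g. en0) to its network *service* name
# and turns that service off (on disconnect) or on (before the next connect).
# Assumed usage:  netservice_toggle.sh en0 off     (from the Disconnected hook)
#                 netservice_toggle.sh en0 on      (from the Before Connect hook)

# Map a device name to its service name by parsing the output of
# "networksetup -listnetworkserviceorder" (read from stdin). Each
# "(N) Service Name" line is followed by a "(Hardware Port: ..., Device: enX)"
# line; disabled services are listed as "(*) Service Name".
service_for_device() {
    awk -v dev="$1" '
        /^\([0-9*]+\) / { name = $0; sub(/^\([0-9*]+\) /, "", name); next }
        /Device: / && index($0, "Device: " dev ")") { print name; exit }
    '
}

# Turn the normal network service off or on. Needs root, which the
# "with administrator privileges" AppleScript wrapper provides.
set_service() {
    # $1 = device name, $2 = off | on
    svc=$(networksetup -listnetworkserviceorder | service_for_device "$1")
    if [ -z "$svc" ]; then
        echo "no network service found for device $1" >&2
        return 1
    fi
    logger -t vpn-leakguard "setting network service '$svc' ($1) $2"
    networksetup -setnetworkserviceenabled "$svc" "$2"
}

# Constructed sample output (assumed device names) for offline testing.
SAMPLE_ORDER='An asterisk (*) denotes that a network service is disabled.
(1) Wi-Fi
(Hardware Port: Wi-Fi, Device: en0)

(2) Thunderbolt Ethernet
(Hardware Port: Thunderbolt Ethernet, Device: en4)

(*) Bluetooth PAN
(Hardware Port: Bluetooth PAN, Device: en5)
'

# Offline demo of the lookup step.
printf 'en4 -> %s\n' "$(printf '%s\n' "$SAMPLE_ORDER" | service_for_device en4)"

# Only act when a device argument is given (e.g. when run from the hooks).
case "${1:-}" in
    en*) set_service "$1" "${2:-off}" ;;
esac
```

Note that turning the service off also takes down the interface the VPN itself uses, which is exactly the intent here: nothing can leave the machine until the Before Connect hook turns the service back on and Viscosity reconnects. The logger line leaves a record in the system log of every time the guard fired, which is useful when diagnosing unexpected drop-outs.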

A number of users have also contributed scripts for preventing leaks to the forum, including some that make advanced use of the Mac OS X firewall.

Preventing IPv6 Network Leaks

Many modern Internet Service Providers are beginning to offer both IPv4 (IP version 4) and IPv6 (IP version 6) connectivity on their networks. However, if your VPN connection is not configured to take this into account, it is possible to leak IPv6 traffic.

Most users are familiar with IPv4 addresses, which are represented as a series of numbers in the format x.x.x.x. IPv4 has long been the default IP version for the Internet and local networks. However the number of available unique IPv4 addresses is limited and has almost run out. IPv6 is designed to solve this problem by offering many more unique addresses. Hence Internet Service Providers are beginning to enable IPv6 on their networks as an eventual replacement for IPv4. An IPv6 address consists of a series of letters and numbers separated by colons, for example 2001:db8:85a3::8a2e:370:7334.

However, many VPN Providers have been slow to adopt IPv6 support through their VPN networks. This means that if your ISP provides IPv6 but your VPN connection only supports IPv4 traffic, IPv6 traffic will still go over your normal network connection.

VPN Providers can easily solve this problem, while also preparing for the future, by enabling support for IPv6 traffic through their networks. However if your VPN Provider only supports IPv4 it is possible to block IPv6 traffic while connected to the VPN using the instructions below (which prevents any IPv6 network leaks while the VPN is connected):

  1. Open Viscosity's Preferences window, select your connection from the Connections list, and click the Edit button.
  2. Click on the Networking tab.
  3. Click the small "+" button in the Routing section.
  4. Enter a Destination of "2000::" (without quotes), and a Mask of "4" (without quotes).
  5. Set the IP Version to "IPv6".
  6. Set the Gateway to "Custom" and enter an address of "::1" (without quotes).
  7. Click the Add button.
  8. Repeat steps 3 to 7 with a Destination of "3000::" and a Mask of "4".
  9. Repeat steps 3 to 7 with a Destination of "fc00::" and a Mask of "7".
  10. Click the Save button.
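The three routes above cover 2000::/4 and 3000::/4 (together 2000::/3, the range from which all global unicast IPv6 addresses are currently allocated) and fc00::/7 (unique local addresses, i.e. both fc00:: and fd00:: space), and point them at ::1 so the traffic goes nowhere. The script below is an added example, not part of the article, that classifies an IPv6 address against those three routes so you can see which destinations they swallow and which (link-local fe80::, loopback ::1) they leave alone. The addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the article): check which of the three blackhole
# routes (2000::/4, 3000::/4, fc00::/7) would catch a given IPv6 address.

# Print the first 16-bit group of an IPv6 address as four lowercase hex
# digits ("::1" -> 0000, "FD12::1" -> fd12). Fails for non-IPv6 input.
first_group() {
    case "$1" in
        *:*) ;;
        *) echo "not an IPv6 address: $1" >&2; return 1 ;;
    esac
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    grp=${addr%%:*}            # text before the first colon; empty for "::..."
    [ -n "$grp" ] || grp=0
    printf '%04x' "0x$grp"
}

# Print the route that would blackhole traffic to $1, or "none".
# A /4 is decided by the first hex digit, a /7 by the first seven bits, which
# is why fc00::/7 covers both fc.. and fd.. (the whole ULA range).
blackhole_route_for() {
    g=$(first_group "$1") || return 1
    case "$g" in
        2*)      echo "2000::/4" ;;
        3*)      echo "3000::/4" ;;
        fc*|fd*) echo "fc00::/7" ;;
        *)       echo "none" ;;
    esac
}

# Demo over constructed addresses: global, global, ULA, link-local, loopback.
for a in 2001:db8:85a3::8a2e:370:7334 3fff::1 fd12:3456::1 fe80::1 ::1; do
    printf '%-28s -> %s\n' "$a" "$(blackhole_route_for "$a")"
done
```

Link-local and loopback addresses are deliberately not covered: they never leave the local link, so routing them to ::1 would only break the local IPv6 plumbing without preventing any leak.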

If you are unsure whether your normal network connection supports IPv6, you can use an IPv6 connectivity test such as Test IPv6.

Preventing DNS Leaks

DNS leaks can be prevented by ensuring that Viscosity's DNS support is enabled for your connection, and that a DNS server has been set. For information on how to check that it is enabled and how to specify DNS servers, please see the Configuring DNS and WINS settings article.

Are There Any Third Party Tools For This?

Most firewall software will allow rules to be put in place to block traffic from leaking. Any such rules should block all traffic on the standard network interface with the exception of traffic for the VPN connection itself.
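On a Mac the built-in pf firewall can express exactly that rule: everything on the tunnel interface is allowed, the encrypted VPN session itself is allowed out of the physical interface, and everything else on the physical interface is dropped. The script below is an added example, not from the article or from Viscosity, that generates such a ruleset; the interface names (en0, utun3), the VPN server address 203.0.113.10 and the port 1194/udp are placeholder values to replace with your own.

```shell
#!/bin/sh
# Added example (not from the article): generate a macOS pf "kill-switch"
# ruleset that lets only the VPN session out of the physical interface.
# Arguments: <wan interface> <tunnel interface> <vpn server ip> <port> [udp|tcp]
# All values used below are placeholders / constructed examples.

killswitch_ruleset() {
    wan=$1; tun=$2; server=$3; port=$4; proto=${5:-udp}
    cat <<EOF
# VPN kill-switch ruleset (generated from placeholder values)
set block-policy drop
set skip on lo0

# Anything inside the tunnel is fine.
pass quick on $tun all

# The encrypted VPN session itself must still leave via the physical interface.
pass out quick on $wan proto $proto from any to $server port $port

# Keep DHCP working so $wan keeps its address while the VPN reconnects.
pass out quick on $wan proto udp from any port 68 to any port 67
pass in quick on $wan proto udp from any port 67 to any port 68

# Everything else on $wan, IPv4 and IPv6, in both directions, is dropped.
block drop quick on $wan all
EOF
}

# Demo: print the ruleset for the placeholder values. To use it for real:
#   killswitch_ruleset en0 utun3 203.0.113.10 1194 udp > vpn-killswitch.pf.conf
#   sudo pfctl -f vpn-killswitch.pf.conf -e
killswitch_ruleset en0 utun3 203.0.113.10 1194 udp
```

Two things to keep in mind with a ruleset like this. First, it has to name the VPN server by IP address, because DNS lookups on the physical interface are blocked along with everything else; configure the connection with the server's address rather than its hostname, or add a rule permitting DNS to one specific resolver. Second, because pf drops rather than just deprioritising, a dropped VPN leaves the machine without any connectivity until the tunnel comes back, which is the behaviour this article is aiming for.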