App Support.

We're here to help.



Preventing Network and DNS Traffic Leaks

A traffic "leak" is when network traffic that should only ever travel over a VPN connection instead travels over the normal network connection, thereby potentially exposing the contents of the traffic to others. This could also potentially expose your true IP address to services you are connecting to. For the vast majority of VPN users network and DNS leaks are not a concern. This article has been written for users who connect to VPN Service Providers, with all traffic directed over the VPN connection, who are concerned about the possibility of a leak occurring.

We are currently working on adding a feature to Viscosity to easily block traffic leaks from occurring. We hope to have such a feature available in a future version of Viscosity, however please be aware that this is not something that will be available soon. In the meantime this article details how you can manually setup Viscosity to prevent traffic leaks from occurring.

Traffic Leak Introduction

Most VPN Service Providers configure their VPN setup to direct all network traffic over a VPN connection while it is active. However in some situations, or for poorly configured setups, network traffic can potentially travel over the normal network connection, even if the VPN connection is active. Traffic leaks typically fall into two categories depending on how you deal with them: network leaks and DNS leaks.

A network leak can occur due to a poorly configured VPN setup (where not all traffic is routed correctly through the VPN connection), or during periods where the VPN connection is not active (for example a dropout has occurred and the VPN connection is in the process of reconnecting). To prevent network leaks it is necessary to ensure that all traffic is correctly flowing through the VPN connection when it is active, and to block network traffic from using the normal network connection when it is not active.

A DNS leak occurs when DNS requests are made to a DNS server on the local network (instead of to a DNS server over the VPN connection) potentially exposing what sites or servers your computer is accessing. This is easily avoided by overriding your local DNS servers with DNS servers that are accessed through the VPN connection.

Checking All Traffic Is Routed Over The VPN Connection

The first step to ensuring that there are no network leaks is checking that all traffic is being directed through your VPN connection while it is connected. This can be done by examining the routing on your computer while connected:

Mac

  1. Connect your VPN connection using Viscosity.
  2. Check the connection log for your connection and make note of the network interface being used. For example, there should be an entry like "Opened utun device utun10" or "TUN/TAP device en10 opened".
  3. Open the Terminal application. This can be easily done by entering "Terminal" into the Spotlight search field. It can also be found at "/Applications/Utilities/Terminal.app".
  4. Enter the command "route get 0/1" and press Enter. Make a note of the "interface" entry.
  5. Enter the command "route get 128.0/1" and press Enter. Make a note of the "interface" entry.
  6. If both of the interfaces returned above match the interface listed in connection log, all traffic is flowing through the VPN connection by default.

Windows

  1. Connect your VPN connection using Viscosity.
  2. Open command prompt. This can be done by pressing Windows + R, type 'cmd' into the new dialog and click OK, or go to Start, type 'cmd' into search and open Command Prompt.
  3. Enter the command "tracert 1.2.3.4" and press Enter. Let the first hop complete, and take note of the IP Address that appears on the right. You can press ctrl+c to cancel the tracert once the first hop is complete.
  4. Open the Viscosity Details window and select the active connection. If the Client IP that appears in the details window matches, or the first three octets (first three dot parts) of the IP match, all traffic is flowing through the VPN connection by default.
  5. If not, type 'route print' into command prompt and locate the IPv4 Route table. If you can locate the IP address returned by tracert under Network Destination, and the Interface value is the same as the Client IP displayed by Viscosity, all traffic is flowing through the VPN connection by default.

If you find that all network traffic isn't routed through the VPN connection you can change this behaviour like so:

  1. From the Viscosity menu select Preferences to open Viscosity's Preferences window.
  2. Select your connection from the Connections list and click the Edit button.
  3. Click on the Networking tab. Tick the "Send all traffic over VPN connection" checkbox.
  4. Click the Save button.

Preventing Network Leaks When A Drop-out/Disconnect Occurs

If a VPN connection drops, your computer may use your normal network connection until the VPN connection is re-established. In most cases this is desired behaviour, however to prevent network leaks it is recommended that all traffic is blocked when a drop-out or disconnect occurs. This can most easily be achieved by the scripting technique below. For this technique to work, please ensure the "Reset network interfaces on disconnect" option is disabled under Preferences->Advanced.

Viscosity has an option that allows you to use OpenVPN scripts without needing to enable Unsafe Commands. These scripts are run elevated which means you do not need to put your credentials into AppleScripts or run Viscosity Windows as an Administrator. For security, the scripts used by this method must be in a designated area in your file system, and must be locked down so they can only be edited by an elevated or administrative user.

Mac

To get started, you will need to enable the AllowOpenVPNScripts option in Viscosity. To enable this option run the following command in the Terminal (/Applications/Utilities/Terminal) application and enter your administrator details when prompted:

/Applications/Viscosity.app/Contents/MacOS/Viscosity -setSecureGlobalSetting YES -setting AllowOpenVPNScripts -value YES

Next, you'll need to create a script that disables the network connection when a drop-out occurs. You can write a custom shell script in any language supported by macOS, however we recommend using the example script below to get started. This script will automatically disable all active network connections, and it's not necessary to make any changes to it.

#!/usr/bin/python3
import subprocess, re
services = re.findall("\(\d+?\) (.+?)\n\(Hardware Port: (.+?), Device: (.+?)\)\n",
  subprocess.check_output(["/usr/sbin/networksetup", "-listnetworkserviceorder"]).decode())
for service in services:
  if service[1] == "Wi-Fi":
    subprocess.check_output(["/usr/sbin/networksetup", "-setairportpower", service[2], "off"])
  else:
    subprocess.check_output(["/usr/sbin/networksetup", "-setnetworkserviceenabled", service[0], "off"])

To use it copy-paste the code above into a new document in a text editor (such as TextEdit), and save it as a text file to your Desktop with the name "disablenetwork.py". If using the TextEdit application please make sure it's saved as plain text by going to the "Format" menu and selecting "Make Plain Text" before saving.

Next you will need to create the folder where the script will be stored, and then copy your script into this location. This can be achieved by running the following commands in the Terminal. Enter your administrator password when requested.

sudo mkdir "/Library/Application Support/ViscosityScripts"
sudo cp ~/Desktop/disablenetwork.py "/Library/Application Support/ViscosityScripts"
sudo chown -R root:wheel "/Library/Application Support/ViscosityScripts"
sudo chmod -R 755 "/Library/Application Support/ViscosityScripts"

Before adding the script to your VPN connection it's recommend you test it manually to ensure it works as intended. To do this run the following command in the Terminal. If it works your network connection/s should become disabled. If not it means there is a problem in the script or it has not been copied into the correct location.

sudo "/Library/Application Support/ViscosityScripts/disablenetwork.py"

Now you're ready to add it to your connection in Viscosity. To set the script, edit your connection, go to the Advanced tab, and on a new line add the following command, then click Save:

route-pre-down "/Library/Application\\ Support/ViscosityScripts/disablenetwork.py"


The "route-pre-down" command ensures our script is run before the VPN network's routing is removed to prevent packet leaks. Other commands that can be used for running scripts at different times include "up", "down", and "route-up". More information on these commands can be found in the Advanced Configuration Commands article.

And that's it. You can test what happens when your VPN connection drops out by manually disconnecting your VPN connection.

To re-enable a wired (Ethernet) connection after this script has been run simply open up System Preferences and select the "Make Service Active" option. To re-enable a Wi-Fi (Airport) connection simply go to the Wi-Fi icon in the menu bar and select "Turn Wi-Fi On".

Windows

To get started, you will need to enable the AllowOpenVPNScripts option in Viscosity. To enable this option you will require Administrator rights on your computer. Run the following from Start -> Run, or a command prompt, and click Yes to the User Account Control (UAC) prompt that appears:

"C:\Program Files\Viscosity\Viscosity.exe" SetPref AllowOpenVPNScripts true

Next, you'll need to create a script that disables the network connection when a drop-out occurs. On Windows you should use a batch (*.bat) script, however any script Windows can run natively is supported. We recommend using the script below which disables your network interface to get started:

netsh interface set interface "Ethernet" admin=DISABLED

To use this script copy-paste the code above into a new document in a text editor (we recommend using Notepad++, but Notepad is fine). You will need to replace "Ethernet" with the name of your network adapter. This could be "Wi-Fi" if you use a wireless network, or "Local Area Connection" on older versions of Windows, however on most modern PCs it is named "Ethernet" for a wired connection. To disable more than one adapter, simply copy-paste the script again onto a new line and replace "Ethernet" with the name of the second adapter.

Once you have finished making changes, save it to your Documents or Desktop as "disable-network.bat". You will need to enable the interface manually when you want to use your internet connection or reconnect to a VPN.

NOTE on ARM64: You will need to use the path C:\Program Files (x86)\Common Files\Viscosity\Scripts for the rest of this section.

Once your script is created, copy (do not move or drag/drop the script file) to the following directory. You may have to create this directory first if it does not already exist. To do this, open an Explorer window and navigate to your main disk drive, then go into Program Files, then Common Files. If the Viscosity folder does not exist, right click in empty space, select New -> Folder, click Continue when prompted to provide Administrator rights, then rename the folder 'Viscosity'. Then enter the Viscosity folder and repeat these steps to create a folder 'Scripts'.

C:\Program Files\Common Files\Viscosity\Scripts

Replace 'C:\' above and in the following steps if your main disk drive where Windows is installed has a different drive letter.

Before adding the script to your VPN connection it's recommended you test it manually to ensure it works as intended. To do this, open a Command Prompt as Administrator and run the script with the following command. If it works, your network adapter/s should become disabled and you will not longer be able to access the internet. If it does not there is a problem or the script has not been copied to the correct location.

"C:\Program Files\Common Files\Viscosity\Scripts\disable-network.bat"

Now you're ready to add it to your connection in Viscosity. To set the script, edit your connection, go to the Advanced tab and on a new line add the script command, then click Save. Ensure that the path is complete and quoted, on Windows, backslashes need to be doubled as below.

route-pre-down "C:\\Program Files\\Common Files\\Viscosity\\Scripts\\disable-network.bat"


The "route-pre-down" command ensures our script is run before the VPN network's routing is removed to prevent packet leaks. Other commands that can be used for running scripts at different times include "up", "down", and "route-up". More information on these commands can be found in the Advanced Configuration Commands article.

And that's it. You can test what happens when your VPN connection drops out by manually disconnecting your VPN connection.

To re-enable your disabled network adapter/s after this script has been run, go to Control Panel -> Network and Sharing Center -> Change adapter settings (on the left), right click your adapter and select Enable.

Preventing IPv6 Network Leaks

Many modern Internet Service Providers are beginning to offer both IPv4 (IP version 4) and IPv6 (IP version 6) connectivity on their networks. However if your VPN connection is not configured to take this into account it's possible to leak IPv6 traffic.

Most users are familiar with IPv4 addresses, which are represented as a series of numbers in the format x.x.x.x. IPv4 has long been the default IP version for the Internet and local networks. However the number of available unique IPv4 addresses is limited and has almost run out. IPv6 is designed to solve this problem by offering many more unique addresses. Hence Internet Service Providers are beginning to enable IPv6 on their networks as an eventual replacement for IPv4. An IPv6 address consists of a series of letters and numbers separated by colons, for example 2001:db8:85a3::8a2e:370:7334.

However many VPN Providers have been slow to adopt IPv6 support through their VPN networks. This means that if your ISP provides IPv6, however your VPN connection only supports IPv4 traffic, IPv6 traffic can still go over your normal network connection even while connected to a VPN.

VPN Providers can easily solve this problem, while also preparing for the future, by enabling support for IPv6 traffic through their networks. However if your VPN Provider only supports IPv4 it is possible to block IPv6 traffic while connected to the VPN.

Viscosity provides an option which blocks IPv6 traffic while you are connected to a VPN which does not support IPv6. To enable this option, open Preferences and go to the Advanced Tab, then tick "Block IPv6 traffic while connected to IPv4-only VPN connections".


 

You will need to reconnect any connections after changing this option.

If you are unsure if your normal network connection supports IPv6 you can use an IPv6 test connectivity test such as Test IPv6.

Preventing DNS Leaks

DNS leaks can be preventing by ensuring that Viscosity's DNS support is enabled for your connection, and that a DNS server has been set. For information on how to check that it is enabled and specify DNS servers please see the Configuring DNS and WINS settings article.

Windows Multi-Homed DNS

By default, Windows uses a DNS resolution technique called multi-homed DNS. A very simple explanation of this is Windows will ask every DNS server defined on the system to resolve an address, and send these requests out of ever adapter on the system, and then use the first response. This is quite bad for anonymity and effectively means all DNS lookups leak using Windows default DNS system.

Viscosity for Windows uses it's own DNS system when you are connected to a VPN to prevent this. However, some users prefer the multi-homed Windows DNS system for various reasons. For this, we have an option available in Preferences -> Advanced called "Use Windows DNS System for Full DNS". Simply tick this option before connecting to a VPN which uses Full DNS mode and the Windows DNS system will be used instead of Viscosity's.

Are There Any Third Party Tools For This?

Most firewall software will allow rules to be put in place to block traffic from leaking. Any such rules should block all traffic on the standard network interface with the exception of traffic for the VPN connection itself.