Using a personal VPN for privacy

[Grell]

Hello, I have just recently signed up for a VPN for my own privacy called Private Internet Access. They have different VPN servers in a variety of countries, right now I am using one in Switzerland. What gets me though is that I ran Wireshark on it to see if everything was really being encrypted and I still see certain packets containing plain text. The packets in question are using the protocols of ARP, ICMPv6 and DHCPv6. I would say about 99% of the traffic is indeed encrypted and using the UDP protocol, but these other packets are transmitting data in plain text. Should I be worried about this or is this just how the VPN works? I would also like to mention that the interface I am capturing packets on is my Wi-Fi interface. Thanks.

 

[ShelLuser]

Impossible to tell, it depends on how the VPN was set up and also how you're checking for this, which you're not sharing here. Do you even use IPv6 somehow using this connection?

For example: I run a VPN myself (private) powered by security/openvpn and this utilizes the tun1 interface. If I look into the packets on tun1 using tcpdump(1) then I can discover tons of easily identifiable packets. But if I then do the same using my main interface em0 this is suddenly a lot different.

 

[SirDice]

The packets in question are using the protocols of ARP, ICMPv6 and DHCPv6.

ARP is always local traffic, it's used to find other hosts on the same network. ICMPv6 and DHCPv6 might be due to IPv6 being enabled and trying to get an IP address. Similar to IPv4's DHCP. In any case, that's also local traffic.

 

[Grell]

Thank you for the replies. Yes, as far as the interfaces go, my tun0 interface has plenty of plain text DNS, TCP, HTTP, etc... packets. My actual interface connected to the Internet, though, my wireless interface wlp2s0b1 (I am using Debian at the moment), is thoroughly encrypted. I am supposing that the packets on tun0 are not reaching the outside world? What is strange though is that these plain text packets are interacting with IP addresses that are foreign to my computer, they are going to IP addresses that belong to such domains and sites like google.com. Should this be cause for concern?

Edit:
Thank you SirDice for your comment, I will try to disable IPv6 since I do not use it. I was also wondering if I could make ALL my Internet go through the VPN, for instance my VPN provider gave me a program to be used on UNIX-like systems but it is built on top of Xorg, it is just an applet that sits in my notification area in Xfce. This makes me believe that before loading Xorg, or if I don't load it at all, that my Internet will be all in plain text and not go through the VPN. Thanks again.

 

[Lamia]

Have you got a VPS on one of the VPS providers?
Get sshuttle/py27-sshuttle on your PC/client and use it to connectto the VPS via SSH.
With that, you have a VPN-via-SSH.

My Internet Service Provider blocked vpn(ipsec/openvpn/etc). None but only the vpn_via_ssh now works.

 

[ronaldlees]

It looks like you're not tunneling your DNS through your VPN. Some VPN systems don't necessarily change the default DNS for your system (so you would continue to use it). It's probably much better to run all your traffic through the VPN (including DNS requests). This might be specific to your VPN, so I'd inquire.

DNS has become a favorite tool for tracking and page fingerprinting.

Along the lines of DNS, and a reason why you should secure it: the prefetch feature of browsers that was introduced by some browser makers a few years ago is known to prefetch content at urls that haven't been clicked yet, "in anticipation". It's easy to see how this feature could be a tool to fingerprint a web visit. Your link to the site itself is not necessarily very informative, as it's encrypted. But, prefetching (may) pre-connect to every link on the page (even those you haven't clicked) - in the background. This is said to speed up the experience, as the content can be "switched in" when you do click the link. A main page with a few dozen third party connections (known because they were prefetched) - makes a sort of not-unique-but-interesting fingerprint that could very well allow interlopers to mark that visit's content in fair detail.

What people may not realize, is that by default these browsers can also prefetch the DNS entries, and keep them in cache. Again, the prefetching of all the page links to get DNS cache entries (even those you haven't clicked) - may give a pretty good horseshoes level idea of the content, especially on a public site. IIRC, one of the browsers will do a DNS prefetch even if the "content" prefetch is disabled, so you have to disable both.

 

[Grell]

Well I was able to solve the problem of DNS leaking by turning off DHCP on my ethernet card and giving it a static IP instead. Also to my resolv.conf I just deleted everything in there, including the 192.168.1.1 entries and just put in the nameservers that were given to me by the VPN company. So far everything is being encrypted now, including DNS packets.