VPN services, by default, provide excellent security and anonymity, but that doesn't mean they're uncrackable. If you want to be truly secure, there's more you can do. Here we've listed some ways to better ensure your privacy and protection.
Changing the VPN protocol
There isn't just one type of VPN. There are actually a variety of different VPN protocols in common use, and many VPN providers actually give you a choice. Sometimes that choice is available in the connection app; sometimes it's simply a configuration option for third-party VPN tools.
Most commonly, your options are PPTP (point to point tunneling protocol), L2TP/IPSec (layer 2 tunneling protocol) and OpenVPN.
Particularly if you're setting it up yourself on a mobile device or flashed VPN router, PPTP and L2TP can seem like the better option, since they're much easier to configure. In many cases, you only really need a server name, username and password.
It's absolutely worth using OpenVPN, however. PPTP has essentially been cracked – it uses weak 128-bit encryption, and the initial connection and authentication process can be intercepted and the data decrypted and compromised. On the upside, it's actually the fastest of the protocols because it has lowest encryption overhead.
L2TP is more secure. But it also adds a lot of overhead, and is the slowest of the protocols.
OpenVPN is the best of both worlds: it's fast, recovers quickly from a lost connections and is completely secure as far as we know. If you have the option, it's the way to go.
One of the issues with a VPN connection is that if the VPN connection fails – if the VPN server goes down or the connection is lost – your computer will immediately drop back to your regular internet address, potentially making you vulnerable; this is known as an IP leak. You probably won't even know it's happened.
That's where the kill switch comes in. It ensures that if you lose the VPN then either your internet connection is shut down or the apps that use it are. Essentially, if you're not connecting over the VPN, you're not connecting at all.
Some VPN connection apps actually have an integrated kill switch. We recommend that you use it, so be sure to enable it in the settings.
The alternative is a software kill switch, which can be added to any VPN. These apps, such as VPN Watcher and VPNetMon, are configured in Windows to instantly close selected apps if the VPN dies and restart them if it goes up again.
To set up VPNetMon, follow these steps:
1. Connect to your VPN.
2. Start the app and click on Opt.
3. On the left, it should show two IP addresses: your local IP address (on top), and your VPN IP address (second). In the field where it says VPN IP Start, enter the first number of your VPN IP address; for example, if it's 10.1.1.68, then type in 10. This is how it detects if you're connected.
4. Next to A1, click Browse and find an app you'd like it to control, for example utorrent.exe. If you check the Control box it will automatically shut it down if your VPN goes offline. If you check Auto, it will restart it when the VPN comes back on.
DNS, which stands for Domain Net Server, is the service that your computer uses to translate URLs such as techradar.com into an IP address, 188.8.131.52.
When you're connected to a VPN you should automatically be using the secure DNS server provided by the VPN service. Except sometimes you don't; sometimes your computer might use its regular DNS connection, bypassing the VPN. That's called a DNS leak, and it could be monitored by outside forces.
Some VPN clients have DNS leak protection built in, but if yours doesn't you can run a test here. The location it tells you should be your 'apparent' VPN location, not your actual one. If it fails, then there are suggestions on the site that provide a fix.
For most internet activity, we use the good old version 4 of the internet protocol; you know, the one with the four-number IP addresses. The thing is, there's actually a version 6 of the protocol as well, which is designed to provide a lot more internet addresses than IPv4. Internet providers are still transitioning from IPv4 to IPv6, although your computer supports both.
IPv6 operates outside of the VPN, and an attacker might use it to figure out who you are. It's not something that's done often, but it is possible, and the only real fix is to disable IPv6. Some VPN clients have the ability to do this built in, but if you want to do it manually there's a quick guide here. There's also an official Microsoft guide (with apps).
If you just want to check if your system is leaking, you can also visit this website and run a test while you're connected to the VPN.