Bulletproof Your VPN in Windows using 5 Easy Steps

Thursday March 26, 2020

Getting a VPN is a great first step towards improving your online privacy and anonymity. Still, there are many pieces of software that work against your VPN – even if that isn’t their original intention. Fortunately, you don’t need to be a tech wiz to prevent that from happening.

Before we begin, check out this VPN leak test tool from ProPrivacy to see which security flaws you need to cover (if any). It’ll save you time when you actually get to implementing the following fixes. At the very least you’ll have the peace of mind that your VPN works as intended.

Watch Out for these Windows Features

Microsoft hasn’t had a great track record for privacy the past decade. Just to give you an idea, Windows 10 still faces a potential $4 billion fine for its rampant data collection almost five years after its official release. As such, it’s no surprise that this privacy-intrusive OS would somehow mess with the security offered by your VPN.

To put things into context, we should explain what DNS is. The Domain Name System is the service that translates domain/website names to an IP address (www.google.com to 64.233.160.25, for example). This also works the other way around and makes it easy for devices and websites to communicate.

Two Windows features in particular will cause DNS leaks if left active, or if your VPN doesn’t have proper leak protection implemented: Teredo and Smart Multi-Homed Name Resolution (SMHNR).

#1 Disable Teredo

Teredo is a tunneling protocol that allows IPv6 devices to communicate across an IPv4 network. Since IPv4 addresses have run out, protocols like Teredo aim to keep the compatibility between IPv4 and IPv6 while providers slowly make the transition to a majority IPv6 Internet.

The issue with Teredo is that it can supersede the VPN’s encrypted tunnel, essentially nullifying the anonymity offered by the VPN. Luckily, it’s easy enough to disable. Simply:

  • Open up a command prompt by pressing Windows + R, typing “cmd” and clicking “OK”.
  • Type the following in the command prompt, exactly as written between the quotation marks: “netsh interface teredo set state disabled”
  • Press

#2 Turn Off SMHNR

Basically, DNS leaks happen because DNS requests from your system somehow don’t go through your VPN provider’s DNS servers. If they go through your ISP’s DNS servers, they can see what you’re doing online even with a VPN active. Given that the FTC has been investigating major ISPs for selling their customers’ browsing habits and location data, you can see how that isn’t doing you any favors.

In any case, the SMHNR feature is meant to speed up DNS selection. Normally, this is useful for improving connection speeds between you and the websites you’re trying to access. However, if your VPN provider’s DNS servers don’t respond quickly, Windows 8/10 could send DNS requests to a different server (usually your ISP’s), causing a leak.

Here’s a guide to disable SMHNR for both operating systems.

#3 Completely Prevent IPv6 Leaks

We’ve mentioned before that IPv4 addresses have run out. Unfortunately, that did nothing to speed up the adoption of the new IPv6 standard. That applies to VPN providers as well, for the most part. IPv6 leak protection usually just blocks out IPv6 traffic completely, at least until the providers can offer full compatibility with their service.

Now, let’s say you used ProPrivacy’s tool, and it detected an IPv6 leak from your VPN. Short of switching to a different provider, the only thing you can do is to completely disable IPv6 traffic on your system. Here’s how to do it.

#4 Prevent WebRTC Leaks

Yet another useful feature that ends up harming your anonymization efforts. Web Real-Time Communication (WebRTC) allows you to perform audio and video calls right through your browser, without having to install a third-party chat program like Skype.

What it also does is give websites the ability to perform STUN requests to find out your real IP address, even behind VPN protection. As always, the solution to this is pretty simple. For Firefox and Chrome (or other Chromium-based browsers) all you need is a script-blocker like NoScript or ScriptSafe to block WebRTC requests.

If the slight learning curve of a script-blocker worries you, there are browser add-ons specifically made to block WebRTC requests and nothing else.

#5 Use a Different DNS Server

We’ve mentioned a couple of times that your DNS requests should go through your VPN provider’s DNS servers. But what if they don’t have any? It’s a rare scenario, but it can happen – especially with smaller providers that can’t afford to maintain them.

In that case, you’ll need to use an independent DNS server such as Google Public DNS or OpenDNS. Here are some easy setup guides:

Using either of those will prevent your DNS requests from going through your ISP – and you’ve already seen what happens if they do.
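To check steps 1, 2, 3 and 5 in one go, here is an added PowerShell audit script (not part of the original article or any VPN vendor's tooling). Without `-Fix` it only reports; with `-Fix` it applies the changes. The adapter alias "Ethernet", the Google Public DNS addresses, the English `netsh` output it pattern-matches, and disabling IPv6 via the adapter binding are all assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the original article. Audits (and with -Fix, remediates)
# the Windows settings behind steps 1, 2, 3 and 5. Assumes an elevated prompt,
# English netsh output, and an adapter alias of "Ethernet" (list with Get-NetAdapter).
param(
    [switch]$Fix,                               # without -Fix the script only reports
    [string]$Adapter = "Ethernet",              # assumed adapter alias; adjust as needed
    [string[]]$Dns = @("8.8.8.8", "8.8.4.4")    # Google Public DNS, one option from step 5
)

# Step 1: Teredo. When disabled, "netsh interface teredo show state" reports "Type : disabled".
$teredo = (netsh interface teredo show state) -join " "
$teredoOk = $teredo -match "disabled"
Write-Host ("Teredo: " + $(if ($teredoOk) { "OK (disabled)" } else { "LEAK RISK (active)" }))
if ($Fix -and -not $teredoOk) { netsh interface teredo set state disabled | Out-Null }

# Step 2: SMHNR. The Group Policy "Turn off smart multi-homed name resolution" sets
# DisableSmartNameResolution = 1 (DWORD) under the DNSClient policy key.
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient"
$smhnr = (Get-ItemProperty -Path $key -Name DisableSmartNameResolution -ErrorAction SilentlyContinue).DisableSmartNameResolution
Write-Host ("SMHNR: " + $(if ($smhnr -eq 1) { "OK (disabled)" } else { "LEAK RISK (active)" }))
if ($Fix -and $smhnr -ne 1) {
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name DisableSmartNameResolution -PropertyType DWord -Value 1 -Force | Out-Null
}

# Step 3: IPv6. Report every adapter that still has the IPv6 protocol bound; -Fix unbinds it,
# which is one way to stop IPv6 traffic leaving the system outside the VPN tunnel.
$v6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
Write-Host ("IPv6 bound on: " + $(if ($v6) { ($v6.Name -join ", ") + "  <- LEAK RISK" } else { "none (OK)" }))
if ($Fix -and $v6) {
    $v6 | ForEach-Object { Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
}

# Step 5: DNS servers. Show what the adapter currently resolves through (an ISP-assigned
# address here means a leak path); -Fix points it at the independent resolver instead.
$current = (Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4).ServerAddresses
Write-Host ("DNS servers on ${Adapter}: " + $(if ($current) { $current -join ", " } else { "(none / DHCP)" }))
if ($Fix) { Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $Dns }
```

Run it once before and once after applying the fixes, alongside the ProPrivacy leak test, so the registry, binding and DNS state match what the test reports.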

There you have it! These five fixes should just about cover any VPN-related security flaws. All done configuring things? Use ProPrivacy’s VPN leak test tool one more time to make sure everything works as intended.