Important Privacy Measures

Without proper privacy and security measures, a VPN WILL NOT provide a high level of security and identity protection out-of-the-box. There are several other factors that may expose your real identity and those are often ignored. Below are some of the most important requirements in order to reduce the risk of exposing your identity when using a VPN. Please read this short guide in full and get in touch with us if you require help/more details. 

TL;DR, most important: DON'T USE FLASH PLAYER, disable WebRTC, never use your ISP's DNS (use static from 3rd parties, DNSCrypt). Check for leaks on our test site ipx.ac

Block Flash

Flash is notoriously bad when it comes to security and privacy. Over the years it has been one of the preferred attack vectors for malware/spyware infections and system exploitation, triggered by simply opening a website that hosts malicious Flash code.

Moreover, it also leaks personally identifiable information such as your real IP address. Blocking Flash by default and allowing it to run only on trusted websites, on request, is a must. Use Flash-blocking browser add-ons, such as Flashcontrol (Chrome) or Flashblock (Firefox), to display a placeholder instead of running the Flash content, and only allow it when you need it and you trust the website. Please note that the Chrome browser has Flash support embedded and enabled by default, therefore using a plugin is, again, a must. Completely uninstalling and disabling it is an even better option to consider; if you still need it, use it in a sandbox (virtual machine).

Disable/Block WebRTC

WebRTC leaks important information, such as all your internal IP addresses, even if you are connected to the VPN.

More details on the WebRTC browser issues, in our announcement: WebRTC browser issue and fixes.

Disable it in Firefox: type about:config in the address bar and toggle media.peerconnection.enabled to false. In Chrome (desktop) it can't be disabled, so you need to use this extension (in its options, set it to use the proxy). uBlock Origin (ad blocker) also includes support for blocking WebRTC. Enable it.

Block tracking scripts and ads

EFF's Privacy Badger is a must-have plugin that's very effective in blocking tracking tools. uBlock Origin is an excellent ad-blocker which also includes tracking and malware blocking capabilities. 

Protect against DNS Leaks

DNS leaks occur because the operating system doesn't properly assign the VPN DNS resolvers, or uses the local ones at the same time. Check for DNS leaks at ipx.ac while you are connected to the VPN. If it displays resolvers other than our private ones, such as your ISP's DNS, fix the DNS leak. The fix is very simple and, once done correctly, there's no need to do it again. Therefore we prefer to provide instructions on how to fix it manually once and for all, instead of relying on VPN software functions which aren't always effective.

Fix DNS Leaks on Windows:

Assign a manual DNS server instead of relying on DHCP. DO NOT assign your home router or your ISP DNS.

Go to Control Panel > Network and Internet > Network Connections
Right click on the Network adapter you are using > Properties > Internet Protocol Version 4 (TCP/IPv4)
Check "Use the following DNS server address"

These are some of the public DNS resolvers that you can use:

Worldwide: 1.1.1.1 (Cloudflare), 9.9.9.9 (Quad9), 208.67.222.222 and 208.67.220.220 (OpenDNS)
In China use: 208.67.222.222 and 208.67.220.220 (OpenDNS), 1.1.1.1 (Cloudflare)

It's good practice to always use a 3rd party DNS resolver rather than your own ISP's (here is why).


Encrypted DNS:

On Android 9, use the "Private DNS" feature with the servers dns.quad9.net or 1dot1dot1dot1.cloudflare-dns.com. NextDNS is also recommended, and it allows you to customize filtering, log retention etc. These services provide DNS over TLS (encrypted).
On Windows, use SimpleDNSCrypt. 
On macOS and Linux, use Stubby. 

Fix DNS Leaks on Linux (when running OpenVPN from terminal):

Set up a static DNS from a 3rd party like those above and never use DHCP or localhost as the resolver.
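One way to check the rule above on a Linux machine, as an added example that is not part of the original guide: the script reads a resolv.conf-style file and flags every nameserver that is a localhost or private-range (typically DHCP-assigned router) address. The function names and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit a resolv.conf-style file for the resolvers this guide
# says to avoid (localhost and DHCP-assigned router addresses).

# classify_resolver ADDR -> prints "local", "private" or "public"
classify_resolver() {
    case "$1" in
        127.*|::1|0.0.0.0)                        echo local ;;
        10.*|192.168.*|169.254.*)                 echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)    echo private ;;
        [fF][eE]80:*)                             echo private ;;  # IPv6 link-local
        [fF][cCdD][0-9a-fA-F][0-9a-fA-F]:*)       echo private ;;  # IPv6 ULA
        *)                                        echo public ;;
    esac
}

# audit_resolv_conf [FILE] -> prints one "<class> <addr>" line per nameserver;
# returns 1 if any resolver is local or private (a likely DNS leak path).
audit_resolv_conf() {
    rc=0
    # "|| [ -n "$key" ]" keeps a final line that has no trailing newline.
    while read -r key addr _ || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue    # skips comments and options
        class=$(classify_resolver "$addr")
        echo "$class $addr"
        [ "$class" = "public" ] || rc=1
    done < "${1:-/etc/resolv.conf}"
    return $rc
}

# Constructed sample: a DHCP-pushed router address next to a static resolver.
sample=$(mktemp)
printf 'nameserver 192.168.1.1\nnameserver 9.9.9.9\n' > "$sample"
audit_resolv_conf "$sample" || echo "leak risk: replace local/private resolvers"
rm -f "$sample"
```

A local DNS-over-TLS stub such as Stubby also listens on 127.0.0.1 and will be reported as "local"; in that setup, check the stub's upstream servers instead.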

Disable IPv6

If you have IPv6 enabled and you don't need it, disable it from network interface properties. Disabling it also fixes potential DNS leaks if your router has DHCP support and internal IPv6 enabled (OpenWRT routers have it enabled by default). 

Use firewall rules to block traffic outside of VPN tunnel

On Windows, you can use the default firewall to ensure that certain applications will only transfer data via the VPN and stop once the VPN is disconnected. Here is a tutorial to set up Windows Firewall to protect against BitTorrent IP leakage. It can be used for other software, e.g. browsers and messaging apps.
You can also remove the default gateway (of the physical network interface) once connected to the VPN, so no traffic would leak if the VPN disconnects. Our VPN software for Windows has support for this feature.

Uninstall Java

It's unlikely that you need it as an end-user. If you do need Java for some specific applications, we recommend using it in a virtual machine. Just like Flash and Adobe Reader, Java is another piece of software that has had tons of security vulnerabilities and would put you at great risk.

Clean cookies

Use a browser plugin/extension to remove cookies: Vanilla (Chrome), Self-Destructing Cookies (Firefox)

Disable Location reporting in browser

In Firefox: 
In the URL bar, type about:config
Type geo.enabled
Double click on the geo.enabled preference
Location-Aware Browsing is now disabled
For more tips on Firefox, check this firefox-debloat
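To confirm that both Firefox switches from this guide (media.peerconnection.enabled from the WebRTC section and geo.enabled from the steps above) are actually set in a profile, here is an added example that is not part of the original guide. It assumes the standard profile files prefs.js and user.js; the function names and the sample profile are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit a Firefox profile directory for the two about:config
# switches named in this guide.

# pref_state FILE NAME -> value FILE sets for NAME (last line wins) or "unset"
pref_state() {
    [ -f "$1" ] || { echo unset; return 0; }
    awk -v name="$2" '
        index($0, "user_pref(\"" name "\",") == 1 {
            v = $0
            sub(/^[^,]*, */, "", v)   # drop everything up to the value
            sub(/\);.*$/, "", v)      # drop the closing );
        }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# audit_profile DIR -> prints "<pref> <state>" for each switch; returns 1
# unless both are false. user.js is applied at every startup and overrides
# prefs.js, so it is consulted first. "unset" means the Firefox default,
# which leaves the feature enabled.
audit_profile() {
    rc=0
    for pref in media.peerconnection.enabled geo.enabled; do
        val=$(pref_state "$1/user.js" "$pref")
        [ "$val" != "unset" ] || val=$(pref_state "$1/prefs.js" "$pref")
        echo "$pref $val"
        [ "$val" = "false" ] || rc=1
    done
    return $rc
}

# Constructed sample profile: WebRTC disabled in user.js, geo.enabled never set.
demo=$(mktemp -d)
printf 'user_pref("media.peerconnection.enabled", false);\n' > "$demo/user.js"
audit_profile "$demo" || echo "profile still exposes WebRTC or geolocation"
rm -rf "$demo"
```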

In Chrome:
Open Chrome settings > Show advanced settings > Privacy > Content settings
Scroll to Location and check "Do not allow any site to track your physical location"

Monitor your network traffic

GlassWire (for Windows / currently in BETA so may cause issues) is a great tool that you can use to see which applications are generating traffic and which IP addresses they connect to. It also provides network traffic statistics and a basic firewall (block/allow all traffic on a per-application basis).

Change the Wi-Fi router SSID if it's unique/provided by ISP

Many ISPs provide their customers with pre-configured Wi-Fi routers that use unique, location-identifiable SSIDs (Wi-Fi network names). Change the SSID to a generic, non-unique one, e.g. DeskJet/Internet. You may also want to disable SSID broadcast or change the SSID often.

More things to do

Ensure your OS is always up to date. The same applies to browsers and all software you use. 
Don't install/keep software that you don't need. Use virtual machines to test new/cool things found on the Internet.
Do regular malware and virus scans.
Consider using separate browsers for separate online identities. 
Again, please disable Flash, Java, WebRTC and don't use Adobe Reader (use alternatives for PDFs like Foxit Reader). Those things together are to blame for tens of millions of malware infections and exploitations. No anti-virus or "security suite" will protect the user completely against new/0-day vulnerabilities affecting the mentioned software. Quite often, an anti-virus provides a false sense of security and it's better to eliminate the root cause by disabling vulnerable software for good. 

Last update: 09/03/2019

