This tutorial was initially posted in our KB several months ago, but we're planning to make use of the blog for future how-tos.
Without proper privacy measures, a VPN WILL NOT provide a high level of identity protection out-of-the-box. There are several other factors that may expose your real identity and those are often ignored. Below are some of the most important requirements in order to reduce the risk of exposing your identity when using a VPN. Please read this short guide in full and get in touch with us if you require help/more details.
Flash is notoriously bad when it comes to security and privacy. Over the years it has been one of the preferred attack vectors for malware/spyware infections and system exploitation, triggered by just opening a website hosting malicious Flash code.
Moreover, it also leaks personally identifiable information such as your real IP address. Blocking Flash by default and allowing it to run only on trusted websites (e.g. Vimeo, Youtube) on request is a must. Use Flash-blocking browser plugins, such as Flashcontrol (Chrome) or Flashblock (Firefox), to display a placeholder instead of running the Flash content, and only allow it when you need it and you trust the website. Please note that the Chrome browser has Flash support embedded and enabled by default, therefore using a plugin is - again - a must. Completely disabling and uninstalling it is an even better option to consider; if you still need it, use it in a sandbox (virtual machine).
WebRTC leaks important information such as all your internal IP addresses even if you are connected to the VPN! Here is a demo: https://vpn.ac/webrtc.html
More details on the WebRTC browser issues, in our announcement: WebRTC browser issue and fixes.
Disable it in Firefox: type about:config in the address bar and toggle media.peerconnection.enabled to false. In Chrome (desktop) it can't be disabled, and extension-based protection is problematic, as exploits can bypass it. This extension seems to do the trick at this moment.
Block tracking scripts and ads
EFF's Privacy Badger is a must-have plugin that's very effective in blocking tracking tools. uBlock (Chrome), Adblock (Chrome) and AdBlock Plus (Firefox) are excellent ad blockers.
Protect against DNS Leaks
DNS leaks occur because the operating system doesn't properly assign the VPN DNS resolvers. Check for DNS leaks while you are connected to the VPN, at dnsleaktest.com (running the Extended test). If it displays resolvers other than our Private resolvers (their name is self-explanatory in the results), fix the DNS leak. The fix is very simple and, once done correctly, there's no need to do it again. Therefore we prefer to provide instructions on how to fix it manually once and for all, instead of relying on VPN software functions which aren't always effective.
Fix DNS Leaks on Windows:
Assign a manual DNS server instead of relying on DHCP. DO NOT assign your home router or your ISP DNS.
Go to Control Panel > Network and Internet > Network Connections
Right click on the Network adapter you are using > Properties > Internet Protocol Version 4 (TCP/IPv4)
Check "Use the following DNS server address"
These are some of the public DNS resolvers that you can use:
Worldwide: 184.108.40.206 and 220.127.116.11 (Google Public DNS), 18.104.22.168 to 22.214.171.124 (Level 3), 126.96.36.199 (Hurricane Electric)
In China use: 188.8.131.52 and 184.108.40.206 (try also 220.127.116.11)
More public resolvers available at opennicproject.org/Tier2
Our own public resolvers will be available in the very near future.
It's good practice to always use a 3rd party DNS resolver rather than your own ISP's.
Fix DNS Leaks on Linux (when running OpenVPN from terminal):
You will need to run a script when OpenVPN is connecting. Here is a tutorial.
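As an added illustration (not code from this post or from the linked tutorial), this is the core of what such a script does: OpenVPN exports each pushed option to its up/down hook as `foreign_option_1`, `foreign_option_2`, ... and the hook rebuilds the resolver file from the pushed DNS entries only. The `RESOLV_CONF` variable, the function names and the `.ovpn-bak` backup suffix are assumptions made for this sketch; systems where another service manages `/etc/resolv.conf` need that service's own integration instead.

```shell
#!/bin/sh
# Added example: OpenVPN up/down hook that pins DNS to the VPN-pushed resolvers.
# Enable in the client config with:  script-security 2 / up <this file> / down <this file>
# OpenVPN sets e.g. foreign_option_1='dhcp-option DNS 10.8.0.1' for the hook.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"   # hypothetical override, for testing

# Print resolv.conf lines built only from pushed DNS/DOMAIN options.
build_resolv_conf() {
    i=1
    while :; do
        eval "opt=\${foreign_option_$i:-}"       # $i is a counter we control
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)    printf 'nameserver %s\n' "${opt#dhcp-option DNS }" ;;
            "dhcp-option DOMAIN "*) printf 'search %s\n' "${opt#dhcp-option DOMAIN }" ;;
        esac
        i=$((i + 1))
    done
}

# Return 0 if every nameserver in file $1 was pushed by the VPN, 1 otherwise.
check_no_leak() {
    allowed=$(build_resolv_conf | awk '$1 == "nameserver" { print $2 }')
    [ -n "$allowed" ] || return 1                # nothing pushed: treat as a leak
    leak=0
    for ns in $(awk '$1 == "nameserver" { print $2 }' "$1"); do
        printf '%s\n' "$allowed" | grep -qxF -- "$ns" || {
            echo "LEAK: $ns is not a VPN resolver" >&2
            leak=1
        }
    done
    return "$leak"
}

# OpenVPN sets script_type to "up" or "down"; do nothing when run by hand.
case "${script_type:-}" in
    up)
        new=$(build_resolv_conf)
        # Never replace the file with an empty one if the server pushed no DNS.
        [ -n "$new" ] && cp "$RESOLV_CONF" "$RESOLV_CONF.ovpn-bak" \
            && printf '%s\n' "$new" > "$RESOLV_CONF"
        ;;
    down)
        [ -f "$RESOLV_CONF.ovpn-bak" ] && mv "$RESOLV_CONF.ovpn-bak" "$RESOLV_CONF"
        ;;
esac
```
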
If you have IPv6 enabled and you don't need it, disable it from network interface properties. Disabling it also fixes potential DNS leaks if your router has DHCP support and internal IPv6 enabled (OpenWRT routers have it enabled by default).
Use firewall rules to block traffic outside of VPN tunnel
On Windows, you can use the default firewall to ensure that certain applications will only transfer data via the VPN and stop once the VPN is disconnected. Here is a tutorial to set up Windows Firewall to protect against bittorrent IP leakage. It can be used for other software, e.g. browsers and messaging apps. You can also remove the default gateway (of the physical network interface) once connected to the VPN, so no traffic would leak if the VPN disconnects. Our VPN software for Windows has support for this feature.
It's unlikely that you need Java as an end-user. If you do need Java for some specific applications, we recommend using it in a virtual machine. Just like Flash and Adobe Reader, Java is another piece of software that has had tons of security vulnerabilities and would put you at great risk.
Use a browser plugin/extension to remove cookies: Vanilla (Chrome), Self-Destructing Cookies (Firefox)
Disable Location reporting in browser
In Firefox:
In the URL bar, type about:config
Type geo.enabled
Double click on the geo.enabled preference
Location-Aware Browsing is now disabled
For more tips on Firefox, check firefox-debloat.
In Chrome:
Open Chrome settings > Show advanced settings > Privacy > Content settings
Scroll to Location and check "Do not allow any site to track your physical location"
Monitor your network traffic
GlassWire (for Windows / currently in BETA so may cause issues) is a great tool that you can use to see which applications are generating traffic and which IP addresses they connect to. It also provides network traffic statistics and a basic firewall (block/allow all traffic on a per-application basis).
Change the Wi-Fi router SSID if it's unique/provided by ISP
Many ISPs provide their customers with pre-configured Wi-Fi routers that use unique, location-identifiable SSIDs (Wi-Fi network names). Change the SSID to a non-unique/generic one, e.g. DeskJet/Internet. You may also want to disable SSID broadcast or change the SSID often.
More things to do
Ensure your OS is always up to date. The same applies to browsers and all software you use. Don't install/keep software that you don't need. Use virtual machines to test new/cool things found on the Internet. Do regular malware and virus scans. Consider using separate browsers for separate online identities. Again, please disable Flash, Java, WebRTC and don't use Adobe Reader (use alternatives for PDFs like Foxit Reader). Those things together are to blame for tens of millions of malware infections and exploitation. No anti-virus or "security suite" will protect the user completely against new/0-day vulnerabilities affecting the mentioned software. Quite often, an anti-virus provides a false sense of security and it's better to eliminate the root cause by disabling vulnerable software for good.
More tools & measures will be added to this article so you may want to revisit it in the future.