ProtonVPN Additional note: Killswitch failure and IP Leakage on Linux

Article: ProtonVPN IP Leakage on Linux and Workaround | PrivSec - A practical approach to Privacy and Security

Killswitch does not work with all network interfaces.

It can be tested using the following command:

curl --interface <physical interface> https://ipinfo.io

Suggestion

Add an additional note aimed at Linux users in the following section:
https://www.privacyguides.org/en/vpn/#additional-notes

2 Likes
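Added example (not part of the original post, and not Proton's code): a shell script that repeats the `curl --interface` test above on every physical interface and reports whether the bound request was blocked, tunneled, or leaked. It assumes the Linux sysfs layout, an installed `curl`, and the plain-text endpoint `https://ipinfo.io/ip`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: run the thread's `curl --interface` test on every physical NIC.
# Assumptions: Linux sysfs, curl installed, https://ipinfo.io/ip as the echo service.
SYS_NET="${SYS_NET:-/sys/class/net}"

# Physical NICs expose a "device" link in sysfs; lo, tun*, wg* and other
# virtual interfaces do not, so they are skipped.
physical_ifaces() {
    for d in "$SYS_NET"/*; do
        if [ -e "$d/device" ]; then
            echo "${d##*/}"
        fi
    done
}

# Public IP observed when the socket is bound to interface $1.
# Prints nothing if the request is blocked or times out.
probe_iface() {
    curl --silent --max-time 5 --interface "$1" https://ipinfo.io/ip 2>/dev/null || true
}

# verdict TUNNEL_IP BOUND_IP
#   blocked  - the bound request got no answer (killswitch held)
#   tunneled - the bound request still left through the VPN exit
#   LEAK     - the bound request exposed a different public address
verdict() {
    if [ -z "$2" ]; then
        echo "blocked"
    elif [ "$2" = "$1" ]; then
        echo "tunneled"
    else
        echo "LEAK"
    fi
}

# Compare the default-route (VPN) address with the address seen per interface.
check_all() {
    tunnel_ip=$(curl --silent --max-time 5 https://ipinfo.io/ip || true)
    for iface in $(physical_ifaces); do
        echo "$iface: $(verdict "$tunnel_ip" "$(probe_iface "$iface")")"
    done
}

# Run the live check only when asked: sh leakcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Run it with the VPN connected and the killswitch enabled; any line ending in `LEAK` means traffic bound to that interface bypassed the tunnel.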

This was already discussed in another thread. I don’t know if it should be included. Does it have real world impact?

I don’t know about real world impacts.

However, it is public information that hypothetically puts real users at risk of exposure if an exploration with the sole intent to deanonymize takes advantage of this to discover their real IP.

And as a user, I would like to know this information before purchasing a Proton annual plan. Transparency is important to build trust.

This is an issue since 2022.

1 Like

Is there more to this? I feel like if torrent users were leaking their IP through proton, we would have heard about many getting in trouble…

It depends. There are countries and internet providers that don’t mind their users torrenting movies, TV shows, and games.

Also, not every VPN user uses it for torrenting.

Finally, there is a small number of Linux desktop users, which is fragmented into people who don’t use VPN, people who use other VPN providers, and finally Proton users.

It may happen that the IP address leaks, but the person does not find out because their internet provider does not care about torrenting, or because they were the target of some exploitation - the latter option is a hypothesis that I do not rule out, although I do not know of anyone who has been targeted.

In any case, it is a known public flaw in Proton killswitch.

Granted I’m not too technical, and not denying this may be an issue, but does the curl command not force the connection outside the VPN tunnel, thereby creating a leak?

For people reading, if you want to absolutely guarantee no VPN leak on desktop Linux, it is best to set it up with WireGuard via CLI, where you can edit the VPN config file with a few lines of code to enable the killswitch.

This way, all your traffic is routed through the encrypted tunnel even before your desktop Linux GUI loads up thereby guaranteeing zero leaks from the get go.

If anyone is interested, I’d be happy to share more on how to do it.

1 Like

Or, if the user doesn’t need to switch VPN location frequently, applying a network-wide VPN from the router is also a good option.

1 Like

Maybe. If the user is using their laptop or their smartphone, they are going to use it outside their home. Such a setup then is not useful.

1 Like

In a hypothetical scenario, a bug or program could exploit this to obtain your real IP address.

Since Proton was informed about this three years ago, I personally consider it useful to inform readers of the website’s Recommendations.

Perhaps a post on the Wiki? It would certainly be appreciated.

Unfortunately, this is not an option for a considerable number of people. I include myself in that situation.

I agree.

A year or two ago, I remember experiencing leaks after waking up my computer while using ProtonVPN. That’s what motivated me to look for another provider.

At this point, that has been resolved, and it seems that the only leak is the one mentioned above (personal opinion, take it with a grain of salt; I use Fedora, and the problem with Killswitch and the computer waking up may occur in other distros and scenarios that I am unaware of).


Thank you all for your responses, and have a great week.

1 Like

Workarounds were discussed here, but this thread is specifically about debating whether a change to the site should be added. I think that discussion is worth having.

I agree.

@JG do you know if Fedora’s default VPN settings can leak? I’ve been setting up WireGuard configs using Fedora’s default graphical UI in the settings.

Wait. So I am unclear how this leak works. Are you saying that this leak works by having a program bind to the physical interface and start communicating before the VPN daemon starts? So, the leak is not present after the daemon runs? How would this work with server switching, since the daemon is already running?

Any VPN experts wanna weigh in?

The way I am describing is VPN use via WireGuard set up via the terminal. To answer your question, there is no program as such nor a GUI VPN app in how and what I mean.

Hold tight, I am writing up a guide on what I mean and will share the info soon for anyone to understand and learn the best way to set up a VPN on desktop Linux.

I’m writing up a guide. Will share it soon and it should answer your question.

2 Likes

It’s also often recommended to bind your torrent client to the VPN interface to prevent leaks like this.

Here is a new post I just made that should answer your question.

cc: @anon36227541

1 Like

This would potentially involve a compromised application. I don’t say this shouldn’t be mentioned, but any application that is unsandboxed and compromised could do worse things.

Things to determine are:

1. Can all apps run ifconfig (to get the interface name) and then curl? What about Flatpak apps?
2. Are the two other recommended VPNs impacted (Mullvad and IVPN)?
3. Is this limited to Linux, or is macOS affected as well?

Just tested Mullvad using the curl command and it does not appear to be affected.

1 Like

I appreciate what you say, and once again, stressing my lack of technical knowledge - but is this not akin to opening a drain valve on a piping system and saying “look - a leak!”