VPNalyzer: Crowdsourced Investigation into Commercial VPNs

VPNalyzer is an interdisciplinary research project from the University of Michigan that aims to analyze the VPN ecosystem

Pioneering research into investigating commercial VPN services

Three parallel tracks:

• Quantitative and qualitative user studies
• Cross-platform one-click install desktop tool for users
• Qualitative studies surveying VPN providers

Our tool consists of a measurement test suite that contains 14 measurements including tests for quality of service, confirming geolocation, tests for misconfigurations, leakages, and support for good security and privacy practices.

With our limited release, VPNalyzer found several notable issues in VPN products. We found DNS and IPv6 leaks whereby users' queries and traffic were leaked to their Internet service providers (ISP) which poses security and privacy risks for the users. We found a VPN product with insecure default configurations that only tunnelled browser traffic by default and caused traffic from other apps on the user's machine to be exposed to their ISP. We also discovered that many VPN providers in their default configurations allowed the users' traffic to be leaked to their ISP and did not protect them in case of tunnel failure. The feature that mitigates this leak is commonly known as the kill switch feature, which we discovered is not enabled by default in these providers. More details on the alpha release to follow soon.

If you are interested in testing a future beta version of our tool, please fill this form to join our mailing list.

We are a group of computer science researchers at the University of Michigan who design and deploy scalable techniques and systems to protect users’ Internet experience.

We conduct systematic, data-driven studies to investigate security, and privacy issues in the VPN ecosystem and aim to bridge the gap between its various stakeholders.

For questions about our work, reach out to the team at vpnresearch@umich.edu