Virtual Private Networks (VPNs) are an essential tool for anyone wanting to protect their anonymity online. These days, VPN providers offer a staggering amount of choice when it comes to servers, protocols, client features and settings, and it can be difficult to know how best to configure your connection. Often, VPNs are not used to their full potential, and that’s why in this guide, we will explain how to optimise your VPN connection to improve security, performance and speed.
Tips for improving your VPN connection
Choose the fastest server
To ensure that your VPN connection is working at optimal speed, choose a server as close to your geographic location as possible.
If you’re using the net for, say, video streaming or gaming, you will be using a lot of bandwidth and would naturally be aiming to reduce download time or latency, respectively. The greater your physical distance from the server, the slower the response time. Therefore, aim to pick a server with high throughput that is in your own region or one nearby.
For further reference, have a look at our guide to the fastest VPN services – based on speed tests through local/close-by nodes.
Choose an effective encryption protocol
Choosing an encryption protocol to suit your needs is crucial if you are to get the most out of your VPN.
The most common protocols are: PPTP, L2TP/IPsec, OpenVPN and SSTP. If you’re only interested in streaming and unblocking geo-restricted content, and you’re not overly concerned about protecting your privacy, then PPTP is a viable option – providing minimum encryption and, consequently, not demanding much in terms of overheads.
L2TP/IPsec, although slightly slower than PPTP, is still a pretty good option for users wishing to maintain good speeds without compromising much in security.
OpenVPN is the most versatile and widely adopted protocol, and it can be used with 128-bit or 256-bit encryption keys. With a connection to a nearby server, and with 128-bit encryption keys, OpenVPN can still maintain good speeds, though this can still depend on the speed of the actual server. OpenVPN with 256-bit keys will likely result in significantly slower speeds; however, the trade-off would be in favour of ‘military-grade’ security.
For more details on the different types of encryption, have a look at our VPN protocol comparison guide.
Protect your privacy if your VPN connection fails
Your VPN connection can sometimes drop without warning and without a clear reason why. Often, your connection will be restored in a short space of time but this still leaves your real IP address and traffic exposed to monitoring, if only for a moment.
Manual safeguards against this include applying specific firewall rules, as mentioned on the Ubuntu open-source forum, and reconfiguring your TCP/IP routes.
Manual adjustments can be confusing, however, and things can easily go wrong if not done properly. Luckily, there are two free software programs that can do the job for you. VPNetMon (Windows) continuously monitors the IP address used by your VPN account and if the IP is no longer detected, the software instantly shuts down pre-specified programmes.
VPNCheck (Windows) works slightly differently by monitoring changes in your VPN network adapter. If your VPN connection drops, the software disconnects your main network connection (or pre-selected programmes). Note that the free version of VPNCheck is only compatible with PPTP or L2TP and there are several features only available with the Pro version.
Many VPN services also offer a client-integrated internet ‘kill switch’, which stops all inbound and outbound traffic should your connection drop. Look out for this feature when deciding which provider to choose.
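The firewall approach mentioned above can be sketched as follows. This is an added example, not taken from the forum post or from any VPN client: it only prints iptables rules for review, and the interface names, server address, port and protocol in the usage line are constructed placeholders for your own setup.

```shell
#!/bin/sh
# Added example: print (do not apply) iptables rules for a VPN kill switch.
# Interface names, server address, port and protocol are the caller's own
# values; the ones in the usage line are constructed placeholders.

is_ipv4() {
  # Dotted quad with every octet in 0-255.
  o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
  printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

killswitch_rules() {
  tun_if=$1 lan_if=$2 server_ip=$3 port=$4 proto=$5
  for i in "$tun_if" "$lan_if"; do
    case $i in
      ''|*[!A-Za-z0-9_.-]*) echo "bad interface name: $i" >&2; return 2 ;;
    esac
  done
  is_ipv4 "$server_ip" || { echo "bad server IP: $server_ip" >&2; return 2; }
  case $port in
    ''|0*|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 2 ;;
  esac
  [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 2; }
  case $proto in
    udp|tcp) ;;
    *) echo "bad protocol: $proto" >&2; return 2 ;;
  esac
  # Default-deny outbound traffic, then allow only loopback, the tunnel
  # itself, and the encrypted link to the VPN server on the physical NIC.
  # If the tunnel interface goes away, nothing else can leave the machine.
  # Note: the -F lines replace any existing OUTPUT rules.
  cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $tun_if -j ACCEPT
iptables -A OUTPUT -o $lan_if -p $proto -d $server_ip --dport $port -j ACCEPT
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# Usage (review the output before piping it to a root shell):
#   killswitch_rules tun0 eth0 203.0.113.10 1194 udp
```

Because DNS on the physical interface is blocked as well, the VPN server has to be given by IP address rather than by host name.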
Prevent DNS leaks
Even when using a VPN, it can occur that rather than using the provider’s DNS servers, the user’s standard (ISP’s) DNS servers are used. This is known as a DNS leak and can occur whenever a DNS query bypasses the routing table and gateway of the VPN connection.
Sometimes it occurs when using browser-based plugins such as Java, Flash and WebX. A leak might even occur if there is a small delay in the response from the VPN DNS server, or if the server fails to recognise a name.
Check for DNS leaks using dnsleaktest.com.
For those using the pro version of VPNCheck, these features are built-in.
We also recommend the Whoer Extended IP Test as a more thorough DNS leak test. Once the page has loaded you will see the IP address your computer is broadcasting, your computer’s host name and any blacklist details. Again, the IP address here should refer to the VPN server you’re using, not your actual IP address.
Scroll down to the section titled ‘Interactive detection’ and check that the IP address seen here is your VPN IP. Next, check that the address in the ‘DNS’ section is not the domain name server of your ISP.
Now look at the ‘Location’ section, checking that the location mentioned here is the one affiliated with your chosen VPN server.
Finally, check the ‘Time’ section, which will display the time to which your system is set. For users wanting 100% anonymity, it’s worth changing your system time manually to match the time of your VPN server. Some websites check the time your system shows against your IP location, though this practice is rare.
Prevent WebRTC leaks
A vulnerability in the open network framework WebRTC can expose a user’s real IP address to malicious third parties. To test if the problem affects you, connect to your VPN and run the following WebRTC test.
If the public IP address field shows your real IP address, and not your VPN’s, your browser’s unique identifier is exposed and you need to repair the leak.
How to fix a WebRTC leak
The most effective way to fix the leak is to disable WebRTC in the browser, though this isn’t always an option. Our tutorial on fixing the WebRTC leak vulnerability shows how to prevent the issue.
Another way to fix WebRTC leaks is by running your VPN through a router, since traffic will then be tunneled through your local network connection.
Once you are connected, make sure to delete the default gateway associated with your Local Network interface. It is still recommended that you disable WebRTC in your browser if possible.
Use a provider that offers split-tunneling
If you are looking for an additional level of security, choose a VPN provider that offers split-tunneling, which means that your data is routed through two encrypted tunnels simultaneously.
Use Tor with VPN
Another way to add an additional layer of security is to use Tor in combination with a VPN, but remember that Tor should not be used for file-sharing, as its network’s exit nodes are, by default, configured to block file-sharing traffic.
There are a few, though not many, services that offer VPN+Tor as part of their service, such as Privatoria.
Likewise, it is possible to manually configure Tor (alongside your VPN). For reference on how to do this, check out this post.
Check the MTU of your VPN
MTU stands for Maximum Transmission Unit and relates to the maximum amount of data that can be transferred in one go across a Transmission Control Protocol (TCP) connection. Typically, this is set at 1500 bytes. If the MTU is too large it can cause fragmentation, which slows down your connection.
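One way to check the MTU in practice is to search for the largest packet that gets through with fragmentation forbidden. The script below is an added example, not part of the original guide; it assumes Linux iputils ping, and the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example: find the largest packet that crosses a path unfragmented.
# Assumes Linux iputils ping (-M do sets Don't Fragment); the host name in
# the usage line is a placeholder.

probe() {
  # probe SIZE HOST: succeed if an ICMP echo with SIZE payload bytes and
  # the Don't Fragment bit set gets a reply within one second.
  ping -M do -c 1 -W 1 -s "$1" "$2" >/dev/null 2>&1
}

find_mtu() {
  host=$1
  lo=${2:-548}    # payload for a 576-byte packet, a conservative floor
  hi=${3:-1472}   # payload for the typical 1500-byte MTU
  # Without a working floor there is nothing to search (host down, ICMP
  # filtered, or the floor is already too big).
  probe "$lo" "$host" || { echo "no reply at payload $lo" >&2; return 1; }
  # Binary search: lo always passes, the answer is never above hi.
  while [ "$lo" -lt "$hi" ]; do
    mid=$(( (lo + hi + 1) / 2 ))
    if probe "$mid" "$host"; then
      lo=$mid
    else
      hi=$(( mid - 1 ))
    fi
  done
  # Add 20 bytes of IPv4 header and 8 bytes of ICMP header.
  echo $(( lo + 28 ))
}

# Usage, with the VPN connected:
#   find_mtu vpn-gateway.example
```

A result below 1500 means packets of the default size are being fragmented or dropped somewhere on the path.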
Reduce connection time
Certain software clients, including OpenVPN, Viscosity and Tunnelblick, will establish a connection faster if a smaller authentication key size is used, which differs from the encryption key. This is not always possible, however, since some clients do not allow you to change these settings.
Fix the PPTP/IPV6 security flaw
There have been reports that those using the PPTP/IPV6 protocols in Windows and Ubuntu are vulnerable to a security flaw that could leak a user’s real IP address.
For Windows users (Vista and above), the following steps are recommended: open the Command Prompt (Win+R) and type: netsh interface teredo set state disabled.
For Ubuntu (10+): copy and paste the four following lines into a terminal:
echo "#disable ipv6" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
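The lines above only write to /etc/sysctl.conf, which the kernel reads at boot or when `sudo sysctl -p` is run, so it is worth confirming that the setting is both saved and live. The check below is an added example, not part of the original guide; the function names are hypothetical and the paths are the standard Linux locations.

```shell
#!/bin/sh
# Added example: verify that the IPv6 settings are persisted and active.
# Function names are hypothetical; the default paths are the standard
# Linux locations and can be overridden with an argument.

sysctl_missing_keys() {
  # Print each of the three keys that is NOT set to 1 in the sysctl file.
  file=${1:-/etc/sysctl.conf}
  sp='[[:space:]]*'
  for scope in all default lo; do
    key="net.ipv6.conf.$scope.disable_ipv6"
    grep -Eq "^$sp$(printf '%s' "$key" | sed 's/\./\\./g')$sp=${sp}1$sp\$" \
      "$file" 2>/dev/null || echo "$key"
  done
}

ipv6_enabled_ifaces() {
  # Print every interface on which the running kernel still has IPv6 on.
  dir=${1:-/proc/sys/net/ipv6/conf}
  [ -d "$dir" ] || return 0   # no IPv6 stack loaded, nothing to report
  for f in "$dir"/*/disable_ipv6; do
    [ -r "$f" ] || continue
    if [ "$(cat "$f")" != 1 ]; then
      basename "$(dirname "$f")"
    fi
  done
}

# Usage: both commands print nothing when IPv6 is fully disabled.
#   sysctl_missing_keys
#   ipv6_enabled_ifaces
```

Output from the second function but not the first means the file is correct and has not been loaded yet.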
Pay anonymously for your VPN
There are many ways to pay for your VPN subscription using a cryptocurrency or another anonymous method. The majority of providers accept Bitcoin, with other popular choices including Litecoin, Darkcoin and non-cryptocurrency options such as PaySafeCard.
Find a secure VPN provider
One of the key recommendations we can offer is to look for a VPN provider that takes your privacy seriously by not logging any of your connection or traffic data. Have a look at our dedicated guide for the 6 Best No-Log VPN Services.