Leak case study 3: Leaks when switching networks

Users commonly switch network connections, such as when they unplug an Ethernet cable and let their computer automatically connect to Wi-Fi. Their VPN may appear to remain connected, but these types of network transitions may result in leaks of their internet activity data.

This case study from our Digital Security Lab describes what leaks can occur as a result of network transitions, and how to test for them using the ExpressVPN Leak Testing Tools.

Network transitions overview

Network transitions happen on a regular basis and come in many forms, such as:

  • Switching between Wi-Fi and Ethernet
  • Switching between Wi-Fi networks
  • Switching from Wi-Fi to mobile data

These transitions often appear seamless to the user. However, under the hood the device and the operating system will generally see these things differently.

The transitions cause changes in the network configuration of the device, which in turn can cause disruption to the VPN application. These disruptions can have critical effects on the integrity of a VPN connection and thus lead to leaks.

Network transition leaks

Network transition leaks all begin in the same way:

  • A network transition occurs on the device
  • The VPN’s integrity is destabilized
  • Leaks begin to occur, with traffic no longer being routed through and encrypted by the VPN tunnel

What happens after this determines the category and severity of the leak. Broadly, the categories are as follows.

Temporary leaks

These are leaks which occur during a temporary window of time. Generally they take the following form:

  • VPN application detects an issue
  • VPN application tries to correct the issue
  • Integrity of VPN connection is restored

While these leaks are only temporary, and thus the least severe, they are still problematic for a user’s privacy. These leaks aren’t uncommon and, over time, enable ISPs and other third parties to gather a profile of a user. Moreover, the time it takes for a VPN application to detect these issues can vary from a few seconds to many minutes.

Persistent visible leaks

These occur when the VPN application detects an underlying issue but fails to correct it. Sometimes this is because the application can’t correct the issue; other times it’s because the application hasn’t been designed to fix the issue.

The usual behaviour is that the VPN application disconnects and leaves the user in an unprotected state.

The severity of these leaks can vary and primarily depends on whether the user is present when the network transition occurs. If the user is using the device and witnesses the issue, then they can potentially correct the problem relatively quickly. However, if the user is away from the device, the issue could go uncorrected for long periods of time.

Note that some VPN applications offer “kill switch” or “network lock” functionality which is designed to shut down the user’s internet connection when issues like this occur. Even with such protection, often these VPNs leak for a small period of time before the “kill switch” takes effect. These types of leak fall into the previous category of “temporary leaks.”

Persistent invisible leaks

These are the most severe form of network disruption leaks: ones that go undetected by both the VPN application and the user. The effect is that the user’s online activity and data may be exposed for long periods of time, e.g. hours or even days.

Testing for leaks

There are many possible scenarios in which we can test for leaks when it comes to network transitions. For the purpose of this case study we focus just on one particular test case to keep discussions brief. We recommend the reader uses the ExpressVPN Leak Testing Tools for the insights that a wider range of tests can provide.

The test we will focus on targets a leak in the most severe category, i.e. a “persistent invisible leak.”

To run this test you will need a device with two network adapters available. The canonical setup would be a device with both Wi-Fi and Ethernet connections. You will also need to ensure that at least one of those network adapters is using a DNS server on a local IP address.

Manual testing

We give reproduction steps only for macOS, as our research has found leaks are most likely to occur on this platform. We recommend using the ExpressVPN Leak Testing Tools to test on other platforms.

Checking prerequisites

  • Open System Preferences and go to Network
  • You should see at least two network services listed with green dots next to them.
    • If you do not have at least two network services, you won’t be able to run the test
  • Your primary network is the top one—make a note of it
  • Click on your primary network
  • Click Advanced
  • Look under DNS
  • Ensure that the IPs listed there are local, i.e. in one of the ranges,,
    • If it is not, then you won’t be able to run the test

If you’re not sure whether your IP is local then you can try a tool like MxToolbox:

  • Enter the IP in the tool
  • Click “Reverse Lookup”
  • If the output is of the form “X.X.X.X is a private IP address,” then your IP is local

Repro steps

  • Disable your primary network
    • Open System Preferences and go to Network
    • Select your primary network
    • Click the cog below and select Make service inactive
    • Click Apply (to the right)
  • Connect with your VPN application
  • Open the DNS Leak Test page:
  • Make a note of the DNS servers listed
  • Re-enable your primary network
    • Open System Preferences and go to Network
    • Select your primary network (which will be grayed out)
    • Click the cog below and select Make service active
    • Click Apply (to the right)
    • Wait for the service to turn green
  • Refresh the DNS leak page. If you’re leaking DNS, then you’ll now see a different list of DNS servers
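
A local cross-check for the prerequisite and repro steps above, as an added example (not part of the original case study or of the ExpressVPN Leak Testing Tools): it parses `scutil --dns` output captured before and after re-enabling the primary network, and lists resolvers that appear only after the transition, to compare against what the DNS leak page shows. The sample output, interface names (`utun2`, `en0`) and addresses are constructed.

```python
import ipaddress
import re

# Constructed `scutil --dns` excerpts (macOS); all values are sample data.
BEFORE = """\
resolver #1
  nameserver[0] : 10.8.0.1
  if_index : 12 (utun2)
"""
AFTER = """\
resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)

resolver #2
  options  : mdns

resolver #3
  nameserver[0] : 10.8.0.1
  if_index : 12 (utun2)
"""

def parse_resolvers(text):
    """Return the set of (interface, nameserver) pairs in scutil --dns output."""
    pairs = set()
    for block in re.split(r"^resolver #\d+[ \t]*$", text, flags=re.M):
        servers = re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", block)
        iface = re.search(r"if_index\s*:\s*\d+\s*\((\w+)\)", block)
        for server in servers:  # mdns-style blocks have no nameserver
            pairs.add((iface.group(1) if iface else "?", server))
    return pairs

def is_local(ip):
    """Prerequisite check: is this DNS server on a non-public address?
    Note: is_private also covers loopback and link-local, not only RFC 1918."""
    return ipaddress.ip_address(ip.split("%")[0]).is_private  # drop IPv6 scope

def new_resolvers(before, after):
    """Resolvers present only after the transition: (iface, ip, is_local)."""
    added = parse_resolvers(after) - parse_resolvers(before)
    return sorted((iface, ip, is_local(ip)) for iface, ip in added)

if __name__ == "__main__":
    for iface, ip, local in new_resolvers(BEFORE, AFTER):
        print(f"new resolver after transition: {ip} on {iface} (local={local})")
```

A resolver that shows up on the physical interface while the VPN still reports itself as connected is the condition to confirm with the DNS leak page refresh in the last step.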

Testing using the ExpressVPN Leak Testing Tools

The ExpressVPN Leak Testing Tools are an extensible suite of open-source Python tools designed for both manual and automated leak testing of VPN applications. Please see our introduction to the tools for instructions on downloading and setting up the tools.

Once you’ve set up the tools, ensure you are in the tools root directory and execute:

./ -c configs/case_studies/

These tests will check that you have the required prerequisites before running. They will then perform the above repro steps and check for DNS leaks using various methods.