PureVPN IPv6 Leak

2025-09-17 10:10 17688 anagogistis.com

In late August 2025, I submitted two security reports to PureVPN under their VDP. Three weeks later, I’ve received no response, so I decided to publish the findings to inform other users.

The issues affect both their GUI (v2.10.0) and CLI (v2.0.1) clients on Linux (tested on Ubuntu 24.04.3 LTS, kernel 6.8.0, iptables-nft backend). Here’s what I found.

1. IPv6 Leaks Off-Tunnel

After toggling Wi-Fi or resuming from suspend, the PureVPN client fails to restore IPv6 protections:

  • CLI (IKS, the Internet Kill Switch, enabled): The client auto-reconnects and reports status as “connected”, yet the system regains a default IPv6 route via Router Advertisements (fe80::1). Since ip6tables OUTPUT remains ACCEPT (default), egress resumes off-tunnel.

  • GUI (IKS enabled): When the GUI detects a disconnection, it blocks IPv4 and displays the “VPN session disconnected” dialog. However, IPv6 remains functional until the user explicitly clicks Reconnect.

Real-world effect: I was able to browse IPv6-preferred sites and send/receive email (Thunderbird) with my ISP’s IPv6 address while the client UI claimed I was protected.
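One way to check for the off-tunnel condition described above from the host side, as an added example that is not code from the post or from PureVPN. It assumes the tunnel interface is named in VPN_IF (tun0 by default) and judges the OUTPUT chain as guarded only if its policy is DROP or an explicit rule drops everything not leaving via the tunnel.

```shell
#!/bin/sh
# Added example, not code from the original post: flag the off-tunnel IPv6
# condition (a default IPv6 route on a non-VPN interface while the
# ip6tables OUTPUT chain still lets everything out).
# Assumption: the tunnel interface name is given in VPN_IF (default tun0).

VPN_IF="${VPN_IF:-tun0}"

# ipv6_leak_check ROUTES RULES
#   ROUTES: text as printed by `ip -6 route show default`
#   RULES:  text as printed by `ip6tables -S OUTPUT`
# Returns 1 (and prints LEAK) when a leak path exists, 0 otherwise.
ipv6_leak_check() {
    routes="$1"; rules="$2"

    # Interfaces that carry a default IPv6 route but are not the tunnel
    # (e.g. the Wi-Fi interface after a Router Advertisement re-adds one).
    off_tunnel=$(printf '%s\n' "$routes" | awk -v vpn="$VPN_IF" '
        /^default/ { for (i = 1; i <= NF; i++)
                         if ($i == "dev" && $(i + 1) != vpn) print $(i + 1) }')

    # The chain is guarded if its policy is DROP or an explicit rule drops
    # everything that does not leave through the tunnel.
    if printf '%s\n' "$rules" | grep -q -e '^-P OUTPUT DROP' \
            -e "^-A OUTPUT ! -o $VPN_IF -j DROP"; then
        guarded=1
    else
        guarded=0
    fi

    if [ -n "$off_tunnel" ] && [ "$guarded" -eq 0 ]; then
        echo "LEAK: default IPv6 route via $(echo $off_tunnel) with open OUTPUT chain"
        return 1
    fi
    echo "OK: no off-tunnel IPv6 default route with an open OUTPUT chain"
    return 0
}

# Run against the live system (iproute2; ip6tables needs root).
live_check() {
    ipv6_leak_check "$(ip -6 route show default)" "$(ip6tables -S OUTPUT)"
}
```

Running live_check right after a Wi-Fi toggle or resume from suspend, while the client still reports “connected”, reproduces the check this section describes.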

2. Host Firewall Reset and Not Restored

At connect time, PureVPN wipes the user’s iptables configuration:

  • INPUT is set to ACCEPT
  • All -A rules are flushed (UFW, Docker jumps, user rules, etc.)
  • After disconnect, these changes are not reverted

Result: the system remains more exposed after using the VPN than before. This defeats the point of using UFW or a local deny policy and contradicts user expectations.

Example:

# Baseline protections
$ sudo iptables -P INPUT DROP
$ sudo iptables -I INPUT -p icmp -j DROP

# Connect to VPN
$ purevpn-cli -c US
$ sudo iptables -S | head -3
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
$ sudo iptables -S | grep icmp
# (no output — rule was wiped)

# Disconnect
$ purevpn-cli -d
$ sudo iptables -S | head -3
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
# All wiped. INPUT = ACCEPT
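To make the wipe visible and reversible, here is an added example (not code from the post or from PureVPN) that keeps a copy of the host firewall around a session and reports exactly which baseline policies and rules are gone afterwards. It assumes the snapshot files live under the path in SNAP and that the wrappers run as root.

```shell
#!/bin/sh
# Added example, not code from the original post: snapshot the host
# firewall before a PureVPN session and report what the client wiped.
# Assumption: snapshot files are written under SNAP (default below).

SNAP="${SNAP:-/var/tmp/fw-before-vpn}"

# fw_diff BEFORE AFTER
#   BEFORE/AFTER: text as printed by `iptables -S` (one entry per line).
# Prints each changed policy and each missing rule; returns 1 if the
# baseline lost anything, 0 if every baseline entry is still present.
fw_diff() {
    before="$1"; after="$2"; rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        # Entry still present verbatim in the current ruleset: fine.
        if printf '%s\n' "$after" | grep -qxF -- "$line"; then
            continue
        fi
        case "$line" in
            -P\ *) echo "policy changed: $line" ;;
            *)     echo "rule missing:   $line" ;;
        esac
        rc=1
    done <<EOF
$before
EOF
    return "$rc"
}

# Before connecting: keep a restorable dump plus a readable baseline.
vpn_up() {
    iptables-save > "$SNAP.save"
    iptables -S   > "$SNAP.S"
    purevpn-cli -c "${1:-US}"
}

# After disconnecting: compare, and put the baseline back if it regressed.
vpn_down() {
    purevpn-cli -d
    fw_diff "$(cat "$SNAP.S")" "$(iptables -S)" || iptables-restore < "$SNAP.save"
}
```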

TL;DR

PureVPN:

  • Does not properly implement an IPv6 kill-switch
  • Leaves IPv6 egress open after reconnects or IKS events
  • Wipes your firewall state (iptables) and does not restore it
  • Applies broad ACCEPT policies to make things work

Both issues have real-world impact. Privacy claims are undermined when your real IPv6 leaks and your firewall state is lost.

I submitted full technical reports and screencasts to security@purevpn.com. No acknowledgment to date.

Use with caution.


Comments

  • By IlikeKitties 2025-09-17 12:25 (2 replies)

    I strongly suggest that you use something like Network Namespaces through Vopono[0] or Gluetun[1] if you use a commercial VPN for "privacy" or "security" aka torrenting and shitposting. Relying on these clients is always a gamble, and if your software (Browser, Torrentclient, etc.) cannot know your public IP, only the internal IP of the VPN, you are also safe against some exploits and misconfigurations a desktop client won't protect you against.

    [0] https://github.com/jamesmcm/vopono [1] https://github.com/qdm12/gluetun

    • By Varelion 2025-09-17 13:06 (3 replies)

      Wouldn't blocking IPv6 and using a kill-switch prevent leaking?

      • By Denatonium 2025-09-17 14:54

        In the case of PureVPN, the only way of preventing leaks is by switching to a different provider. There is definitive proof that they keep logs despite their claims to the contrary. I have linked to a federal criminal complaint where the FBI requested logs after the offense and was given them by PureVPN. The relevant portion is on page 22.

        https://www.justice.gov/archives/opa/press-release/file/1001...

      • By fulafel 2025-09-17 15:17

        Block IPv4 as well and you're pretty solid.

      • By IlikeKitties 2025-09-17 13:21 (1 reply)

        No, not in all cases. Imagine your Browser gets 0-dayed and just sends all IPs it sees to an endpoint.

        • By Varelion 2025-09-17 21:23 (1 reply)

          Noob here. If this happened, wouldn't any type of layering of network solutions ultimately result in this leaking all the same though?

          • By IlikeKitties 2025-09-17 21:31

            No. The Browser or torrent process is sandboxed and can only see the VPN Network interface. The other interfaces are hidden.

    • By nikanj 2025-09-17 13:05 (3 replies)

      I strongly suggest you disable ipv6, as nothing will break by disabling it but many things break with it enabled.

      • By lxgr 2025-09-17 14:00

        That's not true anymore.

        IPv6 allows for more direct connections for services like VoIP or Tailscale, since UDP hole punching between two firewalled public IPv6 addresses usually just works, but doesn't between two clients both behind a "port-restricted cone" or "symmetric" NAT.

        As a result, connections have to be relayed, which increases latency and is just outright infeasible for some non-profit services that don't have a budget for relaying everyone's traffic.

        Anecdotally, I've also heard that you can get better routing via IPv6 on IPv4-via-NAT-only providers these days, as the provider's CG-NAT might be topologically farther away than the IPv6 server you're connecting to.

      • By indigo945 2025-09-17 13:06 (2 replies)

        Alternatively, disable ipv4. The same statement holds true.

        • By ZiiS 2025-09-17 13:10 (1 reply)

          Unfortunately this is not true, loads of cool techy stuff (Sentry, GitHub) etc still don't work properly on IPv6, less techy stuff really didn't care at all.

        • By ta1243 2025-09-17 13:29 (2 replies)

          Lots of things will break if you disable ipv4, including my work provided zscaler windows laptop (and not break in the good way where it fails open when you block traffic to zscaler nodes on your router)

          Very little will break if you disable ipv6

          • By denkmoon 2025-09-17 14:49

            Enterprise malware not doing v6 properly hardly counts, it’s a good day for them when they don’t just bsod your entire network.

          • By mrweasel 2025-09-17 15:33 (1 reply)

            A lot of stuff breaks when you run Zscaler.

            • By ta1243 2025-09-17 17:42

              Absolutely, yet it's a requirement for many people.

      • By mrweasel 2025-09-17 15:32 (1 reply)

        That's not really true anymore. I've used a connection with both IPv4 and 6 for the past two years. There's a number of times where my stuff magically works, while others have issues, because my traffic is mostly over IPv6. Not once have I had an issue because my setup is dual stacked.

        • By patrakov 2025-09-17 16:10 (1 reply)

          This is still true for ISPs that don't monitor their IPv6 connectivity. I was forced to disable IPv6 recently because of this: https://www.reddit.com/r/ipv6/comments/1nf3ytq/how_do_i_comp...

          And before you say "change the ISP": Globe is the only one that does not refuse to provide services to foreigners and does not lock you up into a 24-month non-cancellable contract, which is longer than any available non-resident visa.

          • By mrweasel 2025-09-17 17:27

            That's not really an IPv6 issue, but an ISP issue. My old ISP didn't monitor anything and relies on customers to call them up and explain that their connection is down. Sometimes tell them that their connection to entire towns are down, because they don't know.

            I'm fairly fortunate that my ISP not only offers IPv6, but also knows how to run their network. Denmark has plenty of ISPs that don't provide IPv6, don't know how to run a network, or in many cases both.

  • By pshirshov 2025-09-17 14:32 (7 replies)

    I don't know any single VPN provider apart from Mullvad with a proper v6 implementation.

    • By sitzkrieg 2025-09-17 17:26 (2 replies)

      mullvad is the only normie vpn worth using. worth every penny

      • By IlikeKitties 2025-09-18 9:19 (1 reply)

        I've yet to see any reason why mullvad is supposed to be particularly trustworthy compared to the alternatives. They aren't doing anything wrong in particular but there's nothing that stands out to me as particularly making them trustworthy

        • By sitzkrieg 2025-09-18 20:52

          ram only servers, accepting cash, probably other things.

          its the only vpn provider (of a handful of not yt sponsor garbo tier) ive tried that saturates my down and uplink completely (1gbit symmetrical!)

      • By hsuduebc2 2025-09-17 21:11

        Thanks for the tip!

    • By Dagger2 2025-09-17 20:42 (2 replies)

      Even Mullvad give out ULA addresses. You can hardly call that a proper implementation :(

      • By IlikeKitties 2025-09-18 9:11 (1 reply)

        In Context of a VPN Provider like Mullvad a ULA is required. One of the rare cases where ipv6 nat is a thing.

        • By Dagger2 2025-09-18 15:11 (1 reply)

          NAT might be a thing in Mullvad's case, but there's no link between that and needing ULA.

          • By IlikeKitties 2025-09-18 17:15 (1 reply)

            Explain, because as far as I can tell, to make it impossible for e.g. google to tell me apart from another mullvad user, me and that other user must share the same IP address.

            • By Dagger2 2025-09-19 12:16

              You don't need to use ULA addresses to use NAT. You can use any GUA prefix too (preferably one you own or are assigned in some way, rather than squatting on one, to avoid the risk of clashing with someone else).

      • By privacyking 2025-09-18 7:06 (1 reply)

        Well it's more private. Also there's only one proper IPv6 implementation (using GUAs) and most people can't get one.

        • By Dagger2 2025-09-18 15:14

          It's exactly as private as doing the same service with a GUA prefix. Just get a PI block and pick a /64 from it to use instead of whatever ULA prefix they picked at the moment.

    • By lxgr 2025-09-17 16:05 (2 replies)

      Do you know if it's supported using OS-native VPN client implementations as well (i.e. WireGuard, IKEv2, or maybe OpenVPN), or only using their official client?

      • By aryan14 2025-09-17 16:42

        You could run wireguard thru CLI directly instead of jumping through the mullvad app itself

      • By sva_ 2025-09-17 16:07 (1 reply)

        You can download the WireGuard/OpenVPN config files all at once in their web interface.

        • By lxgr 2025-09-17 16:11 (1 reply)

          I've seen that, but I just wasn't sure if that also works for IPv6.

          According to their own docs, it seems to work for at least OpenVPN:

          > Those not using the Mullvad client program can just add the directive "tun-ipv6" to their OpenVPN configuration file.

          • By sva_ 2025-09-17 16:15

            Yas. When you download the config files you can choose between IPv4 and IPv6

    • By prism56 2025-09-17 20:43

      Pretty sure i've had ipv6 on Proton. How do I check if it's "proper"?

    • By ramon156 2025-09-17 15:15 (1 reply)

      Solid dev + OSS ecosystem + Flat rates

      I'm satisfied!

      • By ffsm8 2025-09-17 15:32 (3 replies)

        $5/month vs eg $2/month with a long running sub with e.g. PIA (Chinese owners) though... I wish mullvad provided long running subs with better prices than what they currently provide.

        • By bitxbitxbitcoin 2025-09-17 15:36 (2 replies)

          Would love a source for Chinese owners of PIA. Last I knew, it was Israeli owners.

          -source, former employee.

        • By baobun 2025-09-17 15:51

          "sub" as in subsidized by your data eh?

        • By joecool1029 2025-09-17 17:02

          Buy a year voucher off Amazon, comes to $4.75/mo. Or be lucky like me and buy the 6 month for $29 from them and receive a 12 month voucher instead when they grab the wrong one.

    • By patrakov 2025-09-17 15:56 (1 reply)

      SwissVPN provides a /64.

    • By IlikeKitties 2025-09-17 20:30

      [dead]

  • By anagogistis 2025-09-17 15:27

    Hi, I'm the author of the blog post and just wanted to say thanks for the discussion.

    I agree that relying solely on desktop VPN clients (especially closed-source ones) is risky... The network namespaces approach is new to me, but it looks like a solid way to isolate traffic and avoid these kinds of leaks entirely. Thanks for the suggestions.

HackerNews