PureVPN IPv6 Leak
anagogistis.com
A security researcher discovered an IPv6 leak in PureVPN, sparking a discussion about the risks and limitations of commercial VPNs and the importance of proper implementation and configuration.
Snapshot generated from the HN discussion
Key moments
- Story posted: Sep 17, 2025 at 6:10 AM EDT
- First comment: Sep 17, 2025 at 7:49 AM EDT (2h after posting)
- Peak activity: 72 comments in 0-12h
- Latest activity: Sep 21, 2025 at 11:12 PM EDT
ID: 45273897 | Type: story | Last synced: 11/20/2025, 5:51:32 PM
https://blog.thea.codes/nordvpn-wireguard-namespaces/
[0] https://github.com/jamesmcm/vopono
[1] https://github.com/qdm12/gluetun
Very little will break if you disable IPv6.
And before you say "change the ISP": Globe is the only one that does not refuse to provide services to foreigners and does not lock you up into a 24-month non-cancellable contract, which is longer than any available non-resident visa.
I'm fairly fortunate that my ISP not only offers IPv6, but also knows how to run their network. Denmark has plenty of ISPs that don't provide IPv6, don't know how to run a network, or in many cases both.
IPv6 allows for more direct connections for services like VoIP or Tailscale, since UDP hole punching between two firewalled public IPv6 addresses usually just works, but doesn't between two clients both behind a "port-restricted cone" or "symmetric" NAT.
As a result, connections have to be relayed, which increases latency and is just outright infeasible for some non-profit services that don't have a budget for relaying everyone's traffic.
Anecdotally, I've also heard that you can get better routing via IPv6 on IPv4-via-NAT-only providers these days, as the provider's CG-NAT might be topologically farther away than the IPv6 server you're connecting to.
https://www.justice.gov/archives/opa/press-release/file/1001...
[1] https://www.makeuseof.com/worst-vpns-you-shouldnt-trust/
It still does the trick for accessing bank and other websites from abroad (that somehow consider a VPN IP more trustworthy than a residential ISP in a Western European country, but that's a different story), but I wouldn't use it for anything sensitive.
I also definitely wouldn't run their client locally, and their WireGuard configurations are annoyingly only valid for 15 minutes after creation. (Weirdly, there doesn't seem to be any limitation on IKEv2.)
When it comes to that, I trust VPN providers about as much as ISPs (i.e. absolutely not).
[1] https://vp.net/l/en-US/blog/Don%27t-Trust-Verify
[2] I work for VP.NET and can answer any questions regarding the technology as well!
From a defense in depth standpoint, the more layered and isolated securities, the better.
[1] https://sgx.fail
[2] https://github.com/vpdotnet/vpnetd-sgx
I'm satisfied!
-source, former employee.
https://en.m.wikipedia.org/wiki/Teddy_Sagi#Kape_Technologies
And I feel quite illiterate right now. I somehow managed to misread both your comments twice
https://mronline.org/2024/09/13/exposed-how-israeli-spies-co...
According to their own docs, it seems to work for at least OpenVPN:
> Those not using the Mullvad client program can just add the directive "tun-ipv6" to their OpenVPN configuration file.
It's the only VPN provider (of a handful of not YT sponsor garbo tier) I've tried that saturates my down and uplink completely (1gbit symmetrical!)
[1] https://cyberinsider.com/vpn-logs-lies/
That could come in handy for hosting things behind double NAT.
Two other VPNs working for this purpose are OVPN (+1 for them using WireGuard, but their Singapore node is slow) and SwissVPN (limited to only 30 Mbps by contract, but they do provide these contracted 30 Mbps).
Trustworthy to break some actual laws behind? Absolutely not.
Both of them really advertise too much (IMHO) to be trusted. They rely on introductory pricing and hoping people don't realize and get billed at a much higher rate, a model I personally hate.
But ExpressVPN has an additional reason: ties between it, its founder and Israel. There's a BDS argument against right there but additionally, there are accusations that ExpressVPN traffic is or can be monitored by Israeli intelligence.
That last one is a risk of many VPNs, which is why you have to be careful about who the owners are and where the company is incorporated. I personally prefer VPNs that are located in more privacy-focused jurisdictions (eg Iceland, Switzerland).
Mullvad is a popular option on HN. I'm also relatively positive on PrivadoVPN (located in Switzerland). Some Redditors question the quality of the service. So far it's been fine for me.
As soon as you use a service in another country, it greatly complicates anyone trying to pierce that veil. A US shield can be pierced by John Doe warrants, FISA warrants, pen registers and so on. Some of these options are open to average citizens who may want to dox you or simply report your activity to government agencies, which is more relevant now than it has been in many years.
We've seen several websites pop up to dox people who don't show sufficient deference to Charlie Kirk's murder. We have an administration who now seeks to deport people, deny entry to visa holders and deny visas to people who criticize Israel.
For so many people in the US, citizens and otherwise, an extra level of privacy has become essentially mandatory.
The US ISP market is dominated by regional monopolies where you have no other option. ISPs monitor your traffic, not only to sell your data to data brokers but to decide if you're doing anything "inappropriate" like using a file-sharing service. How long before that extends to the content of your speech?
I'm glad people are doing things like exposing IPv6 leaks (as in this post) and other weaknesses. Some here will take this as further evidence that VPNs are of little or no value. I don't. I want to know who the good providers are.
Even vp.net which says they use SGX to verify the code that is running on a box... yea you are verifying a box, somewhere, not necessarily the one forwarding your packets. And those packets can still be monitored/modified outside the system at some other part of the network anyways.
And even if you could verify all that, eBPF swoops in and lets you modify code at runtime with no evidence trails.
This is definitely true insofar that you better be able to see client code. That said, since you cannot see what the server is running, even if they release their code, you will still end up with a trust actor or two (vpn operator or sometimes multiple vpn operators in double hop cases).
That’s exactly the reason we introduced deterministic and verifiable VPN technology on https://VP.NET which allows you to actually see the code the VPN servers are running. Instead of trust in a non deterministic human actor you can now trust deterministic and verifiable code.
It is the end of privacy theater!
[1] I am a co-founder of VP.NET
Here's a good privacy proxy (VPN) setup: Set up a second wifi router, enable the "Internet kill switch", and connect it with WireGuard to a reputable VPN service. I recommend GL.iNet routers and Mullvad.
With this setup, one can move individual devices between the privacy wifi and identity-broadcasting wifi.
I agree that relying solely on desktop VPN clients (especially closed-source ones) is risky... The network namespaces approach is new to me, but it looks like a solid way to isolate traffic and avoid these kinds of leaks entirely. Thanks for the suggestions.