IP Addresses of PureVPN Users Exposed Due to Wi-Fi Toggle, IPv6 Revealed
In a concerning development for privacy-conscious Linux users, the PureVPN Linux client has been found to have critical flaws in its kill-switch and firewall handling modules. These issues, if left unaddressed, may compromise user privacy and system security.
The PureVPN Linux clients, both the Graphical User Interface (GUI) version (v2.10.0) and the Command Line Interface (CLI) version (v2.0.1), have been identified with problems regarding IPv6 kill-switch protections. Due to the OUTPUT policy of ip6tables retaining its default ACCEPT setting, IPv6 traffic resumes off-tunnel in the PureVPN Linux clients. Upon disconnect, changes made by PureVPN are not reverted, leaving the INPUT and OUTPUT chains set to ACCEPT.
During testing on Ubuntu 24.04.3 LTS with kernel 6.8.0 and iptables-nft backend, the PureVPN clients demonstrated an inability to reapply IPv6 kill-switch protections. This means that upon disconnection, users may experience IPv6 leaks during Wi-Fi reconnections or system resumes.
The PureVPN Linux client's behaviour contradicts the expected deny-by-default approach to network traffic filtering. In GUI mode, for instance, the disconnect dialog blocks IPv4 but neglects IPv6, allowing leaks until the user manually clicks Reconnect. Furthermore, the client wipes existing iptables configurations at VPN connection, resetting default chain policies to ACCEPT.
As a result, all custom and UFW chains, such as Docker jumps or user-defined rules, are flushed during VPN connection. In real-world scenarios, IPv6-preferred websites load with the ISP-assigned address, and email clients like Thunderbird continue sending SMTP traffic outside the VPN tunnel, despite the interface indicating full protection.
Users are advised to exercise caution and consider disabling IPv6 at the OS level, manually managing firewall rules, or switching to clients with verified kill-switch reliability until PureVPN addresses these flaws. It is essential to maintain a secure and private connection, and these issues underscore the need for vigilance and careful consideration when choosing a VPN service.
