Netsplice release 0.26.0

Dear Netsplice users,

we have uploaded the latest release 0.26.0 to the project website.

This release adds an update mechanism to Netsplice. As part of the update process Netsplice checks the integrity of both the update path and the downloaded software packages. In the default configuration Netsplice asks you before running the next update check. If now is not the right time you can defer the check, and no network requests will be made. If you do not care when the check runs, enable the fully automatic update check mode that most applications have: Netsplice will then check for a new version after it starts.

To simplify the verification of the binaries we have streamlined the process within the update check. First the update process verifies the TLS fingerprint of the update server against the expected value. Only when the fingerprint matches are the latest binaries downloaded.
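The two checks described above, as an added illustration written for this page rather than Netsplice's own update code: the client pins the SHA-256 fingerprint of the update server's leaf certificate and refuses to talk to the server unless it matches, and it verifies the downloaded package against an expected SHA-256 digest before anything is installed. The host name, the pin value and the package digest are placeholders; a real client ships the pin with the binary and takes the package digest from a signed manifest.

```python
"""Added example (not Netsplice code): pinned update check plus package digest check.

Assumptions: UPDATE_HOST and PINNED_SHA256 are placeholders, and the expected
package digest comes from somewhere the client already trusts (e.g. a signed
manifest) rather than from the same download."""
import hashlib
import hmac
import socket
import ssl

UPDATE_HOST = "updates.example.invalid"   # placeholder host
UPDATE_PORT = 443
PINNED_SHA256 = "00" * 32                  # placeholder pin: SHA-256 of the DER leaf cert


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, the value that gets pinned."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison so a mismatch does not leak where it differs."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned_hex.lower())


def package_matches(package: bytes, expected_sha256: str) -> bool:
    """Integrity check of the downloaded package against the expected digest."""
    return hmac.compare_digest(hashlib.sha256(package).hexdigest(), expected_sha256.lower())


def connect_pinned(host: str = UPDATE_HOST, port: int = UPDATE_PORT,
                   pinned_hex: str = PINNED_SHA256, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf certificate matches the pin.

    The pin is checked on top of the normal chain and host name validation that
    ssl.create_default_context() enables, not instead of it."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pinned_hex):
        tls.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return tls


def fetch_update(path: str, expected_sha256: str) -> bytes:
    """Download an update over the pinned connection and verify its digest."""
    tls = connect_pinned()
    try:
        tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {UPDATE_HOST}\r\n\r\n".encode())
        chunks = []
        while True:
            chunk = tls.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        tls.close()
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0]
    if not status_line.startswith(b"HTTP/1.") or b" 200 " not in status_line:
        raise RuntimeError("update server did not return 200")
    if not package_matches(body, expected_sha256):
        raise RuntimeError("package digest mismatch, refusing to install")
    return body
```

Two things to keep in mind with this pattern: a pin on the leaf certificate has to be rotated together with the certificate, so ship a new pin before the old certificate expires, and the pin only authenticates the transport. If the server itself is compromised, only a signature on the package made with an offline key still protects you, which is why the expected digest should not come from the same server.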


GUI changes

New icons were added to the main window tool bar. The icons can be used to manage accounts in the list:

  • Create or delete accounts
  • Connect or disconnect accounts or chains of them
  • Access account settings

The dialogue texts of all GUI windows have been reviewed. The wording was improved and various typos were squashed. Thanks to all the people who reported issues.



DNS launcher macOS / Linux

A couple of issues that affected DNS launcher rules on macOS and NetworkManager-based Linux distributions have been addressed.

Documentation updates

Inline links to the hosted documentation have been fixed. The source code documentation was reviewed and improved.


OpenSSL 1.0.2n and OpenVPN 2.4.4 / 2.3.18 are bundled. Fedora 27 is now a supported binary package target and Ubuntu 17.04 was dropped.

Netsplice release 0.24.1

Dear Netsplice users,

we have uploaded the latest release 0.24.1 to the project website.

For this release we focused on cleaning up the connection handling mechanisms of Netsplice. The user interface now allows you to configure more complex connection chains: start connection A first, then connection B, and so on. Account types can be mixed, too. You can start OpenVPN first and, once OpenVPN is up and running, an SSH tunnel or a Tor instance. Compared to the groups feature of the previous version, chains let you define dependencies that are connected, reconnected and disconnected automatically.


The documentation contains a complete section about chain examples and how to use them.

As part of the UI cleanup we rewrote the way Netsplice internally handles connections. The connection handlers now use state machines and the plugins have been adapted to that change. This should make it easier to debug complex connection issues and dependency resolution when a connection fails.

While at it, we added more events for the different states a connection can have. The process manager plugin, for example, uses them. Plugin events are filtered through a whitelist that is configured for every plugin, which provides some level of access control. Plugins can subscribe to event queues provided by other sub-systems, bringing us one step closer to a plugin API that can account for the complex operational states a network stack or application can be in.

The picture below shows the currently implemented state transitions:


New Platforms

Support for Ubuntu 17.10 has been added.

Dependency updates

The following dependencies have been updated:

  • OpenSSL was updated to version 1.0.2n
  • LibreSSL to 2.6.3
  • Packaged OpenVPN versions are 2.4.4 / 2.3.18

Future development

The code has been modularized a bit more. Soon it should be possible to run Netsplice in a headless mode that is suitable for server and VPS deployments! If you have specific feature requests please send them to

Right now we are working on a suitable update mechanism for Netsplice. Once that work has been completed the plan is to add more functionality to the SSH and Tor interface. There are also a couple of plugins being worked on that every VPN client should have. Stay tuned!

Early adopter notice

Beware: the structure of the account configuration has changed and is incompatible with previous Netsplice versions. You can either reset your configuration directory (rm -rf ~/.config/Netsplice) or migrate your configuration. To keep existing configurations whose passwords are stored in the OS keystore, a manual migration of the configuration JSON files is possible:

# Add line
  + ,"sequence_wait_after_connect": 1

# Add line
  + ,"default_route": false/true

# Change lines
  "account_connected" -> "backend.connection.state.connected"
  "account_disconnected" -> "backend.connection.state.disconnected"

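The three migration steps above applied by a script, as an added example for this page and not a migration tool shipped with Netsplice. It assumes each account is a JSON object under ~/.config/Netsplice whose top level gets the two new keys, and, because the notice does not say whether the renamed event names appear as keys or as values (for example in process manager hooks), it rewrites both. Every file is backed up as <name>.bak before it is rewritten.

```python
"""Added example (not the project's own tool): migrate Netsplice account JSON
files to the 0.24.1 layout described in the early adopter notice.

Assumption: each file holds one JSON object; the new keys go to its top level,
and the renamed event names are replaced wherever they occur as keys or values."""
import json
import pathlib

CONFIG_DIR = pathlib.Path.home() / ".config" / "Netsplice"   # from the notice
NEW_KEYS = {"sequence_wait_after_connect": 1}                 # the "Add line" entry
RENAMES = {                                                   # the "Change lines" entries
    "account_connected": "backend.connection.state.connected",
    "account_disconnected": "backend.connection.state.disconnected",
}


def _rename(node):
    """Recursively rename keys and string values listed in RENAMES."""
    if isinstance(node, dict):
        return {RENAMES.get(k, k): _rename(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_rename(v) for v in node]
    if isinstance(node, str):
        return RENAMES.get(node, node)
    return node


def migrate_account(doc: dict, default_route: bool) -> dict:
    """Return the 0.24.1 form of one account document; safe to run twice."""
    out = _rename(doc)
    for key, value in NEW_KEYS.items():
        out.setdefault(key, value)
    out.setdefault("default_route", default_route)   # the notice leaves true/false to you
    return out


def needs_migration(doc: dict) -> bool:
    return (_rename(doc) != doc
            or any(key not in doc for key in NEW_KEYS)
            or "default_route" not in doc)


def migrate_file(path: pathlib.Path, default_route: bool) -> bool:
    """Migrate one file in place; returns True if it was changed."""
    doc = json.loads(path.read_text(encoding="utf-8"))
    if not needs_migration(doc):
        return False
    path.with_suffix(path.suffix + ".bak").write_bytes(path.read_bytes())
    path.write_text(json.dumps(migrate_account(doc, default_route), indent=2) + "\n",
                    encoding="utf-8")
    return True


if __name__ == "__main__":
    # Hypothetical usage: python migrate.py [--default-route] FILE...
    # Only one account in a chain should own the default route, so pass the
    # flag when migrating that account's file and leave it off for the others.
    import sys
    args = sys.argv[1:]
    default_route = "--default-route" in args
    for name in (a for a in args if not a.startswith("--")):
        changed = migrate_file(pathlib.Path(name), default_route)
        print(f"{name}: {'migrated' if changed else 'already current'}")
```

Check the .bak files into nothing and delete them once Netsplice starts cleanly; they contain the same secrets as the originals.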

The IPredator team

Netsplice Development Update #1

Dear reader,

in this blog post we take a quick tour of the currently available Netsplice VPN client features. We have been working on Netsplice for a while now and implemented quite a few features since our last update. You can download the latest release 0.20.0 from

As always we are interested in your thoughts, bug reports and feature requests. Let us know via email to or by coming to our support chat at Please keep in mind that Netsplice is still alpha software.

Cross platform support

One of the most important goals for Netsplice is cross platform compatibility. The 0.20.0 release supports the following platforms:

  • Windows 7 - 10
  • macOS 10.11 - 10.12
  • Archlinux
  • Debian 8, 9
  • Fedora 25
  • Ubuntu 16.04, 17.04

If you need support for a particular operating system or distribution please tell us and we will look into it.


Our second goal was to decouple the user interface from the VPN client functionality. This ensures that we can replace the GUI in case its framework gets deprecated; too many applications bite the dust because their GUI framework is no longer maintained. In the future we might be able to support a headless client that you can deploy on servers. To that end the communication between the GUI frontend and the actual VPN client software is already secured with TLS client certificates.

Internally Netsplice is separated into different processes that take care of the various required functions. While this adds a bit of overhead, it allows Netsplice to isolate tasks like starting a VPN or running a shell script from each other.


Multi-connection support

One of the major drawbacks many clients have is that they only support one active tunnel connection. This works fine for basic setups but if you need to open more than one VPN tunnel at the same time you are out of luck.


Another drawback many VPN clients have is that they are married to a particular VPN protocol implementation. As you can see in the screenshot, we have already implemented basic support for OpenSSH and Tor. While that support is still pretty basic, we plan to add more features. Plugins for shadowsocks, wireguard and tinc are already on our todo list.


At the moment you can configure Netsplice with two or more OpenVPN, OpenSSH proxy and Tor connection profiles. We are still working out some UI details to simplify ordering multiple connections. For example:

  • Connect 1st OpenVPN with default route
  • Connect 2nd OpenVPN without a default route
  • Start multiple Tor instances

In this particular use case, if the 1st OpenVPN goes down, Netsplice makes sure that all connections depending on it go down (and stay down) as well. By combining the management of multiple tunnel technologies in a single interface, more advanced setups can be created. The goal here is to make it easier to dis-aggregate your traffic footprint on the internet.
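The dependency behaviour described in this use case, together with the state machine and whitelisted plugin events from the 0.24.1 notes above, as one added example written for this page (it is not Netsplice's implementation). Connections are state machines with an explicit transition table, a chain is brought up front to back, dependents are torn down when a link fails and stay down until that link is back, and each plugin only receives the events on its whitelist. The event names follow the 0.24.1 scheme (backend.connection.state.<state>); the transition table, the wildcard whitelist patterns and the sequence_wait_after_connect handling are this example's assumptions.

```python
"""Added example (not Netsplice code): connection chains as state machines with
dependency teardown/re-connect and whitelisted plugin events."""
from enum import Enum
from fnmatch import fnmatch


class State(Enum):
    DISCONNECTED = "disconnected"
    CONNECTING = "connecting"
    CONNECTED = "connected"
    DISCONNECTING = "disconnecting"
    FAILED = "failed"


# Legal transitions (this example's table); anything else is a bug and raises.
TRANSITIONS = {
    State.DISCONNECTED: {State.CONNECTING},
    State.CONNECTING: {State.CONNECTED, State.FAILED, State.DISCONNECTING},
    State.CONNECTED: {State.DISCONNECTING, State.FAILED},
    State.DISCONNECTING: {State.DISCONNECTED},
    State.FAILED: {State.CONNECTING, State.DISCONNECTED},
}


class EventBus:
    """Delivers an event to a plugin only if it matches that plugin's whitelist."""
    def __init__(self):
        self._subs = []

    def subscribe(self, plugin, whitelist, handler):
        self._subs.append((plugin, tuple(whitelist), handler))

    def publish(self, event, payload):
        for plugin, whitelist, handler in self._subs:
            if any(fnmatch(event, pattern) for pattern in whitelist):
                handler(event, payload)


class Connection:
    def __init__(self, name, depends_on=(), sequence_wait_after_connect=1):
        self.name = name
        self.depends_on = list(depends_on)
        self.sequence_wait_after_connect = sequence_wait_after_connect
        self.state = State.DISCONNECTED
        self.held = False   # taken down because a link it depends on went away


class ChainManager:
    def __init__(self, bus):
        self.bus = bus
        self.conns = {}
        self.history = []   # (name, state) in order; handy when debugging a chain

    def add(self, conn):
        self.conns[conn.name] = conn

    def dependents(self, name):
        return [c for c in self.conns.values() if name in c.depends_on]

    def _set(self, conn, new):
        if new not in TRANSITIONS[conn.state]:
            raise RuntimeError(f"{conn.name}: {conn.state.value} -> {new.value} is not allowed")
        conn.state = new
        self.history.append((conn.name, new))
        self.bus.publish(f"backend.connection.state.{new.value}", {"account": conn.name})

    def connect(self, name):
        conn = self.conns[name]
        if conn.state is State.CONNECTED:
            return
        for dep in conn.depends_on:          # front of the chain comes up first
            self.connect(dep)
        if conn.state is State.CONNECTED:    # a dependency may have re-connected us already
            return
        self._set(conn, State.CONNECTING)
        # a real backend starts the tunnel here, then waits
        # conn.sequence_wait_after_connect seconds before moving down the chain
        self._set(conn, State.CONNECTED)
        conn.held = False
        for child in self.dependents(name):  # bring back links that were waiting for us
            if child.held:
                self.connect(child.name)

    def disconnect(self, name, held=False):
        conn = self.conns[name]
        for child in self.dependents(name):  # dependents go down before their link
            if child.state is not State.DISCONNECTED:
                self.disconnect(child.name, held=True)
        if conn.state in (State.CONNECTED, State.CONNECTING):
            self._set(conn, State.DISCONNECTING)
        if conn.state is not State.DISCONNECTED:
            self._set(conn, State.DISCONNECTED)
        conn.held = held

    def fail(self, name):
        """The tunnel died underneath us: dependents go down and stay down."""
        conn = self.conns[name]
        self._set(conn, State.FAILED)
        for child in self.dependents(name):
            if child.state is not State.DISCONNECTED:
                self.disconnect(child.name, held=True)
```

The held flag is what makes "stay down" work: a dependent that was torn down because its link failed is only re-connected by the link itself coming back (or by you asking for it explicitly, which brings the link up first), never by a timer or a stray reconnect of its own.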


Computers are complex beasts and of course a lot can go wrong when working with the various tunnel software/protocols. Based on our experience handling your support cases we designed the log viewer of Netsplice with a few custom features that go beyond showing black text in a white window:

If you do not spend your days reading log files, finding errors in log output can be a tedious task. To remedy that, Netsplice colors log messages based on their severity. Filtering events by type, e.g. debug, info or warnings, is possible too. In case you know what you are looking for, a find-as-you-type entry field exists as well. We hope that this interface is easy for you to use. Please share your experience with us!

Another drawback many other clients have is that they spew log files all over your machine. In the age of parallel construction we should try to minimize the amount of traces something like a VPN client leaves on your machine. In the default setup Netsplice does not store any logs on your disk. Of course there is an export function in case you need logs.


Multi binary, SSL library, and XOR support

Netsplice comes with multiple versions of OpenVPN. This makes it easy to switch between the bundled releases in case you hit a corner case bug or just want to test the latest development snapshots.

As you can see in the screenshot below OpenVPN comes in two SSL library flavors. Each OpenVPN binary bundled by Netsplice is available with LibreSSL as well as OpenSSL. The default is to use LibreSSL on all platforms.

Due to popular demand Netsplice also ships an OpenVPN build that includes the XOR patch set. The XOR functionality hides the fact that you are using OpenVPN from deep packet inspection devices by scrambling the packets on top of the encryption layers. Keep in mind that this is obfuscation, not additional cryptographic protection, and that the patch is not part of upstream OpenVPN.


The About view of Netsplice contains detailed information about build flags that are useful for debugging. It also includes a list of all activated plugins that Netsplice is running with.


OpenVPN setup

Netsplice allows users to create new VPN connections from a set of pre-configured profiles. Custom VPN connections can be imported from OpenVPN config files, e.g. from your work place. By enabling the auto-start toggle you can instruct Netsplice to start a particular connection automatically when it launches.


Preferences for each connection can be changed using the included editor which displays the values of an OpenVPN config file in a table or a plain text view. For simple changes you can use the table view which also provides a short help for each particular entry if you hover the mouse over it. More complex configuration changes can be accomplished by using the text view editor.


The current release of Netsplice does not come with a dedicated password store. Getting a password store right is a particularly sensitive topic. For the time being Netsplice tries to use the native password store provided by the operating system. Alternatively you can decide to never store passwords at all, or to keep them only for the current session. Please note that your password is held in plaintext in your computer's memory if you use the session storage feature.


Process manager

There are a number of situations where you need to start / stop a program on your computer or run a custom script based on the run-time state of a tunnel connection. Netsplice provides a Process Manager that helps you do just that. After a connection was successfully established you can start your favorite P2P program automatically.


To simplify the handling of DNS leaks a couple of actions are predefined. You simply select the desired action and add it to the start or stop execution list. After you set up a connection it is a good idea to check for DNS leaks. The provided actions are not enabled by default since they are highly system dependent.


Future developments

Right now we are working on getting the UI part for sorting connections fully workable. Once that work has been completed the plan is to add more functionality to SSH and the Tor interface. There are also a couple of plugins being worked on that every VPN client should have. Stay tuned and please provide us with feedback!


The IPredator team

Maintenance status 19/07/2017

Dear users,

all systems should be back online. We are sorry that it took a while longer than the anticipated 2 hours. You can thank Murphy for the extended downtime.

There is one more network issue we need to fix tomorrow around 15:00 UTC which will cause another downtime. Once that is resolved the service will be back to the usual availability. We will try really hard to keep it as short as possible. Feel free to contact the support to grab a bit of free time as a small compensation for the service unavailability.

Thank you!

The IPredator staff

Outage 21/05/2016 11:20

Dear users,

there was an issue with the OpenVPN authentication backend for the last 1.5 hours. If you were already logged in things were fine, but new logins were denied. The issue was buried in one of the databases, where a duplicate table entry had been made. Because there are no logs it took us a moment to figure out where exactly things went wrong. Once we removed the duplicate record the database was happy again and the error was resolved.

The IPredator team

Privacy vs. politics

Dear users,

some nice people working for another VPN provider thought it might be a good idea to trick us into terminating an account for spreading right wing material. What the article does not mention is that we asked for verification, which was provided in the form of screenshots (see below). It also fails to mention that while we terminated the account we did not disclose any data about the user (earlier versions of the article claimed otherwise but were proven to be FUD). The article as it is right now has already been changed heavily after people started to ask for the facts behind the claims made there. Maybe the author could be so nice as to also publish a diff of all the changes.

The answer to the verification request we lodged along with the screenshots you do not get to see on

Subject: Re: User Batman12121 is spreading racism
To: IPredator Support 
References: <> <>
From: chloe 
Message-ID: <>
Date: Sat, 14 May 2016 20:51:24 +0200
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/mixed;

This is a multi-part message in MIME format.
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Hello again,

"unfortunately" I've deleted all the posts he has made on my forum
because they were very racist. I do have screenshots from earlier when he
said some really racist things on my IRC.

I've attached these horrible words by him. I really want him gone. Why
is your service allowing this sort of behavior?





The ToS clearly states that we will not protect users spreading right wing material. The author of the aforementioned article states that in his personal opinion a VPN service should be neutral. We see this differently. If a user spreads right wing propaganda then he/she/it is on the wrong side of history. We are not going to tolerate that our work is used to further the agenda of people who think that:

  • just because your skin has a different color,
  • you have a different religion,
  • you have a different sexuality,
  • or a disability

that those people are lesser humans and have no place on this earth (killing blacks is mentioned above) or within our society. We are not going to look the other way just to earn some money to provide a platform for right wing people.

If other VPN providers' employees need to stoop to the new low of exploiting and tricking us with false accusations to improve their advertising ... so be it. Have fun spreading FUD while you are at it.


The IPredator team

Dear users,

due to a hardware defect we need to shut down some essential parts of the VPN infrastructure. The maintenance should last about 1 hour, until the defect has been repaired. We are sorry for the inconvenience and will do our best to bring the systems back online as soon as possible.

UPDATE: The maintenance is over. The broken device has been replaced without causing any widespread service disruptions.


The IPredator team

Website update - request for testing

Dear users,

We have been working on a website update for some time now and it is ready to be tested by you. To make sure that we do not limit the usage of the service we have deployed the updated website to our beta instance.

The new website has a slew of new features and improvements (some small bugs were also squashed in the process). To make testing easier we have only activated some of them for the time being. Once we are sure things work fine we will update the main page and unlock more features.

You might notice that the beta page asks you to migrate your account. Since we migrated to a new database schema to support the new features some things only take effect once the system knows that your account has been "migrated".

Here is a short list of changes that are already enabled.


All of our guides have been updated to the latest versions and now include Windows 10 as well as the latest versions for OS X. The Linux section was also overhauled, updated and extended to include LTS versions e.g. from Ubuntu. Additionally a new router section is now available with guides for TomatoUSB and pfSense.

Mail notifications

One feature many of you asked for was the ability to receive mail notifications. You can now configure the system to send you mails when your account is about to expire, when there are failed logins to your account (on the website) and when there are news like new blog posts, comics etc.

Mail notifications are disabled by default and you need to opt-in if you want to receive them. Account expiration mails are sent once, 24h before your account expires.


Nuke your account

Another feature that was requested is the ability to delete your user account in the system. While we have always deleted inactive accounts after 3 months you can now speed up that process by explicitly marking your account to be nuked on the next run of the cleanup batch job. Right now the batch job runs at the beginning of each month leaving you some time to reconsider. :)


PGP public key

Our privacy conscious users asked us to implement a way for them to add their PGP public key to the system. This way they do not need to upload their keys to the public key servers, and it's easier for the staff to check your current public key. If you are not yet using PGP to talk to the support via mail, please do so. We even give you a free month of VPN in return!


Content Security Policy

We started to enable the Content Security Policy feature that (most) modern browsers support. If you hit any issues please let us know, since it still might require some fine-tuning. If the page behaves strangely please check the debug console of your browser.

Up and coming changes

We are well aware that just having a VPN is not the silver bullet for privacy. To support you in achieving more privacy we started working on a checklist of sorts. Please check out the work in progress version here. It is not fully done yet but we are happy about any feedback you can give us. If you know a particular tool or technique that should be included in the list please write us a mail and we will include it.

Once we are happy with the current changes and made sure that there are no big bugs lurking in the code we will auto migrate all of your accounts to the new database. After that change a few more features are going to be available. For starters we have added a commission feature for you. It is against our principles to pay advertising networks to track you just to be able to "advertise" on the internet. And on the other hand we know that quite a few of you have monetary constraints. Therefore we thought that giving you the commission for acquiring new users is the way to go. Another feature that we added is a special form of a rebate system along with the ability to have more VPN sessions based on how long you have been with us.

So if you want those features test ... test ... test and you will get them. :)

Mail service

One of the most asked questions is which trusted mail service we can recommend. Based on Trust but Verify we would either recommend or a few others.

Now we are pleased to be able to provide you with access to a mail system that is hosted by yours truly.

The system is completely separated from the VPN user interface since we do not want anyone to be able to correlate accounts between the VPN and mail system (this also means you can only access the mail system from within the VPN). Each mail user gets 1GB of mail storage which should make it suitable for receiving a number of mailing lists etc. If you need more space just ask us. To prevent spammers from abusing the mail system we have limited the outbound mail rate to 23 per hour. If you have valid use cases that require you to send more mails ... ask.

Right now the mail system requires you to fetch your mails via IMAP. If you can convince us we might be swayed into setting up a webmail frontend as well.

The mail system defaults to having accounts on but there are a few alias domains that you can use as well:


We will add more domains if we come up with nice domain names. :)

We still consider the mail system to be in the beta stage. In order to get access to it please contact the support staff via mail or on the IRC server. Installation guides are being worked on and will be released soon.

VPN client

When looking at the state of open source VPN clients we noticed that there are quite a few, but they are either not really cross platform, bogged down by dependencies, or focused on other functionality like being a mail client at the same time. We started to work on a VPN client and have reached our first milestone, which is to have a build chain for Windows, OS X, Linux and BSD. Our next goal is to reach the same functionality that the native VPN GUI offers. Besides all of the obvious features like DNS leak protection etc., we would like to ask you to tell us which functionality you would like to have in a client and miss in other clients. We would also like to know what you dislike in other clients. Your feedback will help us to decide which features we should work on and which of them should be dropped or deferred for later development.

The IPredator team

DNS issues

Dear users,

there were some DNS issues today because the DNS load balancer failed in a spectacular (and unanticipated) way, which caused the domains serving the VPN to expire. It took us some time to debug the issue, roll back the git repository and redeploy all affected zones. All DNS servers should be back and operational again. If you are still having issues try to clear your DNS cache.

We are sorry for the inconvenience this might have caused.

The IPredator team

Staying anonymous online is like running a marathon through a mine field. We have various government agencies breaking into systems to steal our data, or Internet Service Providers like AT&T that mess with user traffic and inject ads to earn some extra bucks by exploiting their customers for advertising. Besides organizations that make online privacy harder for the general population, technology itself is not easy to deal with either.

There are many pitfalls when using VPNs like:

With all those issues present it is already difficult for the average user to attain even a basic level of privacy or anonymity without spending a lot of time researching how to fix things.

To make matters worse there seems to be a recent trend to splash names on vulnerabilities and then feed them into the "news on security" circus rather than doing something about educating users more thoroughly. Port Fail comes to mind as the most prominent example. Delivering news in that style sends unsuspecting users into a frenzy, because it is hard to filter out what is hype, what the real issues are and how they affect the service(s) in question. While we agree that identified security issues should be addressed and fixed, there are a number of problems that are rarely spoken about.

Many people are concerned about anonymity, but the hard questions are rarely asked, or answered for that matter. We have had this experience with every single VPN provider ranking we were asked to participate in over the last years. Everybody seems only to be concerned about "the logging question", which cannot be validated at all and which, obvious as it is, is only one question among many others that never get asked. To the best of our knowledge there is neither a procedure nor an established entity that can provide you, as a user, with a trustworthy explanation or report based on a real world audit of VPN provider infrastructure. Trust but verify.

So what should users be concerned about? Without any proactive transparency on the VPN provider part, a potential VPN user should look at least for the following things:

Website security

Let's start with the VPN provider's website. It's the first line of defense when you need to interact with your VPN provider, since you need to make an account, log in, pay for your VPN, etc.

Does the website enforce HTTPS and is it actually properly configured? Use to check the site's TLS configuration and to check for HTTP header best practices. Does the website use mixed HTTP/HTTPS content? Imagine the following scenario:

  • HTTPS VPN provider website relies on resources fetched via HTTP
  • VPN provider has servers overseas and the website hosted outside the VPN network
  • You log into the website using the VPN but website access is not routed internally but instead uses the normal internet

In the best case you just face a loss of anonymity by partially exposing communications that reveal things about you. In the worst case you open yourself up to injection attacks from the spooks via Quantum Insert.
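Two of the website checks above, the mixed-content question from this section and the HTTP header best practices mentioned earlier (Content Security Policy is also the header the site update post talks about), as an added example written for this page; it is not a tool IPredator publishes. The first function finds every resource an HTTPS page pulls in, or posts to, over plain HTTP. The second lists the directives in a CSP header value that undo most of what the policy is for. The HTML and the policies in the check are constructed; in practice feed it the fetched page and the Content-Security-Policy header of the login page.

```python
"""Added example (not IPredator tooling): mixed-content and CSP checks for a
provider's website. Runs offline on whatever HTML/header text you hand it."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute whose value the browser fetches, embeds or posts to
FETCHED_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "source": "src", "video": "src", "audio": "src", "embed": "src",
    "object": "data", "form": "action",
}


class _ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHED_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # urljoin resolves relative and protocol-relative (//host/x) references
        # against the page URL, so only explicit http:// references stay http
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def mixed_content(html, page_url):
    """Return (tag, url) for every resource an HTTPS page loads over HTTP."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return collector.insecure


# sources that make a policy close to meaningless for the directive they are in
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:"}
# data: is harmless for images but a script/plugin vector in these directives
DATA_SENSITIVE = {"default-src", "script-src", "object-src"}


def csp_findings(header):
    """List the weaknesses in a Content-Security-Policy header value."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    if "default-src" not in directives:
        findings.append("no default-src fallback: unlisted fetch directives allow everything")
    for name, sources in directives.items():
        for source in sources:
            if source in WEAK_SOURCES or source.startswith("http://"):
                findings.append(f"{name} allows {source}")
            elif source == "data:" and name in DATA_SENSITIVE:
                findings.append(f"{name} allows data: URIs")
    return findings
```

A page that passes both checks can still load a tracker over HTTPS, so the list of external hosts mixed_content sees (including the https ones) is worth reading as well; that is the web tracker question of the next section.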

Web trackers and affiliate programs

Next on the list is the topic of web trackers. Install NoScript, the EFF's Privacy Badger and something like Disconnect. Are there any web-analytics trackers on the website? External resources like JavaScript, social media "buttons", etc.? They are all used to track your footprints on the internet.

If the VPN service you are looking at is using ad networks, ask yourself how can you trust someone who is spending money on advertising networks that track you. Are they not supposed to protect you from this exact industry? Many (not all) affiliate programs fall into the same category. How do you pay your affiliates if you do not properly track where your users come from?

Mail system

Next on the checklist is the mail infrastructure. If you have a problem you are likely going to write an email to your provider, so it's a good idea to actually check what they are using.

The rule of thumb here is self hosted == good, externally hosted == bad.

To check the MX record, enter the provider domain there. If the result turns out to be Google Mail, Hotmail, Yahoo, etc., congratulations: all your support requests are leaked to a 3rd party. Do not forget that mails contain user identifying information as well. Got something to hide? Read this interesting article and this piece.
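The same check from the command line, as an added example for this page (not an IPredator script): list the MX hosts with `dig +short MX <domain>` and say for each whether it sits under the provider's own domain or under a well-known third-party mail service. The suffix table is this example's own and deliberately short; the dig output in the offline check is constructed.

```python
"""Added example (not IPredator tooling): classify a provider's MX hosts."""
import re
import subprocess

THIRD_PARTY_MX = {                 # MX host suffix -> who actually receives the mail
    "google.com": "Google", "googlemail.com": "Google",
    "outlook.com": "Microsoft", "hotmail.com": "Microsoft",
    "yahoodns.net": "Yahoo",
}


def parse_dig_short(output):
    """'10 mx1.example.org.' lines -> [(10, 'mx1.example.org'), ...] sorted by priority."""
    records = []
    for line in output.splitlines():
        match = re.match(r"^\s*(\d+)\s+(\S+?)\.?\s*$", line)
        if match:
            records.append((int(match.group(1)), match.group(2).lower()))
    return sorted(records)


def _under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify_mx(host, provider_domain):
    if _under(host, provider_domain.lower()):
        return "under provider domain"
    for suffix, who in THIRD_PARTY_MX.items():
        if _under(host, suffix):
            return f"third party ({who})"
    return "third party (unknown)"


def mail_report(provider_domain, dig_output=None):
    """[(priority, mx_host, classification)]; queries DNS unless output is supplied."""
    if dig_output is None:
        dig_output = subprocess.run(
            ["dig", "+short", "MX", provider_domain],
            capture_output=True, text=True, check=True).stdout
    return [(prio, host, classify_mx(host, provider_domain))
            for prio, host in parse_dig_short(dig_output)]
```

"under provider domain" only tells you the name is theirs. The host's A record can still point into somebody else's address space, so follow up with a whois lookup on the MX host's IP, the same check the server location section below applies to VPN exits.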

Ticket system

The next item on the list when interacting with your VPN provider is to check for a ticket system. While it is nice that they won't "lose" your support requests, a ticket system's primary purpose is to NOT forget any customer interaction. Many businesses rely on a ticket system to define Key Performance Indicators (KPI) and consider them essential. If there is a ticket system, ask how often old data is deleted.

User data retention

Part of providing a privacy service is that your provider should care about the data you leave in their system. So it's a good idea to check if they have some kind of data retention policy. There are many more places where user identifiable data piles up other than just the VPN itself.

  • Do they delete old user accounts?
  • What about your emails or the ticket system?
  • How many payment records are kept in the system and for how long?
  • Payment logs?
  • Web and mail server logs?
  • DNS server logs?
  • Firewall and IDS logs?

Data a provider does not have cannot be lost. As a small exercise comb through your mail folders or password store and check which of the VPN providers you do not use anymore have deleted your account.

DNS servers

Check if the DNS servers assigned by the VPN are actually located within the VPN itself. Once DNS requests pass network boundaries they are open to manipulation. Quantum Insert to the rescue, yet again. The whole issue can be worked around by forcing your system to use DNSCrypt by default, which moves the trust to the DNSCrypt resolver you pick, so pick it with the same care.
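A way to run the resolver check on a Linux or macOS box, as an added example for this page (not IPredator tooling): read the nameservers the system actually uses from resolv.conf and report whether each one lies inside the VPN's address space. The VPN networks are an input you take from your tunnel configuration; the resolv.conf and the networks in the offline check are constructed. A loopback resolver (systemd-resolved's 127.0.0.53, or a local DNSCrypt forwarder) is reported separately, because the real upstream is then whatever that local service was configured with.

```python
"""Added example (not IPredator tooling): are the configured resolvers inside the VPN?"""
import ipaddress
import pathlib

RESOLV_CONF = pathlib.Path("/etc/resolv.conf")


def nameservers(resolv_conf_text):
    """Extract nameserver addresses, ignoring comments and malformed lines."""
    found = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                found.append(ipaddress.ip_address(parts[1].split("%")[0]))  # drop IPv6 scope id
            except ValueError:
                continue
    return found


def resolver_report(addresses, vpn_networks):
    """[(address, verdict)] with verdict 'inside vpn', 'local stub' or 'LEAK'."""
    networks = [ipaddress.ip_network(n, strict=False) for n in vpn_networks]
    report = []
    for addr in addresses:
        if addr.is_loopback:
            verdict = "local stub"          # check what it forwards to (resolvectl status, dnscrypt-proxy config)
        elif any(addr in net for net in networks):
            verdict = "inside vpn"
        else:
            verdict = "LEAK"                # queries go to a resolver reachable outside the tunnel
        report.append((str(addr), verdict))
    return report


def check_system(vpn_networks, resolv_conf=RESOLV_CONF):
    """Report for this machine; vpn_networks e.g. ["10.8.0.0/24"] from your tunnel config."""
    return resolver_report(nameservers(resolv_conf.read_text()), vpn_networks)
```

On systemd-resolved systems /etc/resolv.conf usually only names the 127.0.0.53 stub, so `resolvectl status` is where the per-interface upstreams are; on macOS `scutil --dns` is the authoritative view. A resolver inside the VPN's range is necessary but not sufficient: the tunnel also has to be the only route to it, which is what the DNS leak test in the Netsplice process manager is for.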


So far all checks have been more or less technical; now it's time to look at the organizational aspects of a VPN provider.

The basic question is "What is the primary jurisdiction the VPN provider operates from?". This question is relevant because companies operating from the US or the UK (for example) can be forced to spy on users without having any legal way to disclose that fact to their users. If you are really unlucky the entity operating the VPN service got slapped with a gag order which cannot be violated without risking severe legal consequences.

Some providers try to work around that issue by setting up a warrant canary. A canary is a text file which states that no National Security Letter (NSL) or gag order has been served on the provider. A list of websites with warrant canaries can be found at While a canary is a good idea, operating a VPN provider in a jurisdiction that does not offer the legal instruments of a gag order and/or forcefully installed network taps is the better way to go.

Server locations

Besides the "We are the most secure VPN in the world" advertising mantra there is the "We are the fastest VPN in the world" motto that gets advertised. Armed with the knowledge from above about jurisdictions you have to ask yourself what counts more. Speed or anonymity? Check where the servers you are connecting to are located network wise by making a whois lookup on the IP addresses. Does the VPN provider actually OWN those machines or are they rented from a 3rd party located in a 3rd (or even 4th) party network?

There is no point in promising you that nothing is logged while the network the VPN server sits in has to be considered hostile. Every infrastructure component a VPN provider hands off to a 3rd party extends the trust relationship you assume to that 3rd party as well. In most cases it lowers the amount of trust you can put into a system rather than increasing it.

In an ideal setting your VPN provider owns all of the hardware AND the network it operates.

What prevents a random 3rd party hoster from actually installing a Management Engine rootkit malware on offered servers for cryptographic key material recovery? Or a network tap for that matter.

The point is that most VPN providers are primarily businesses, and the primary objective of most businesses is to drive costs down. Conversely, one of the easiest ways to infiltrate and exploit VPN infrastructure is simply to offer cheap server hosting (do not worry, the taxpayer will cover the bills). You might think that this is no big issue, but being on the receiving end there is a never ending stream of hosting offers specifically "tailored for our needs".

Applying the "Trust but verify" principle is really hard considering the environment for 3rd party hosting services.

Below are just two recent examples:

To whom this may concern,

XXX works with many major VPN clients around the globe; so, I wanted
to inquire as to whether IPredator would also have a need for our
extensive US / international server network and vast IP portfolio? 

I am happy to send over additional information at your request.

Many thanks, 

My name is XXX and I represent  I was visiting today and I couldn't tell where you host your VPN nodes.  I wanted to know if you were interested in replacing any of your current US vendors or if you're interested in expanding to a new vendor to diversify where you source your servers.

We have recently begun to specialize in VPN/Proxy company hosting, so we know the nuances of the industry, making the experience pre- and post-sales efficient and easy for you.  We're happy to announce your IPs or provide our own.  Our servers are covered by a 100% uptime SLA on power and network and a 4 hour hardware replacement SLA.  We have a full featured control panel, SWIP, rDNS, and more.  We make the IP justification process fast and easy.  Our friendly support team is standing by 24/7 365 to assist if the need ever arises.

Here are some example quotes, we're happy to tailor these to your needs:

Intel Xeon E3-1230v3
16gb RAM
20TB bandwidth
1000mbit port

Intel Xeon E3-1230v3
16gb RAM
/24 IP space
20TB bandwidth
1000mbit port

We offer services out of our Tier 3 compliant facilities in Dallas, Miami, Chicago, and Los Angeles.  If you're getting better pricing in any of the cities we operate in, we want to see it and beat it!

Thank you for your time and have a wonderful day.

There is another question in that same category: how many of the VPN providers out there are running their services on virtual machines hosted by third parties? Do you think VPN providers can easily offer exit machines in two dozen countries by deploying hardware they own and operate in datacenters they can trust? Honest to goodness, poke around and, just for the fun of it, ask some of them.

TLS certificate authentication

Last but not least you should check how your provider authenticates you as a user to their system. Many providers use TLS certificate authentication: a client certificate is issued for your user account, presented to the server infrastructure and used to allow or deny a login to the VPN system. So far so good, but there is a teeny-weeny issue when a TLS client certificate is used.

When the TLS protocol suites were designed, anonymity was not seen as being as important as the confidentiality or integrity of the connection. So in reality, when you use a certificate to authenticate to OpenVPN for example, the TLS handshake sends the whole client certificate in plaintext, and with it the certificate name and fingerprint, to anyone watching the wire. This problem has been identified and documented as far back as 2012 but has not been fixed in TLS so far (the scheduled fix is in TLS 1.3, which encrypts the client certificate). OpenVPN's --tls-crypt option (available since OpenVPN 2.4) wraps the whole control channel, handshake included, with a pre-shared key and thereby hides the certificate from a passive observer, but only if your provider actually ships that key in its configuration. You might ask what the big deal is here. Assume the following:

  • You create a new VPN account which uses a TLS client certificate
  • You connect from your home IP

At that point the association between your client certificate and your home IP has been entered into systems like XKEYSCORE of the NSA, the GCHQ or whatever spook agency happens to sniff the whole internet just because it can. Go to your best friend's house / your spouse / lover / company and connect from there, and the spooks will know it is you because of the client certificate leak. Good bye anonymity ...

Below is an excerpt from a raw packet trace of the handshake a VPN client sent to its server in a test setup. The name of the client certificate in this test was As you can see this name is also transmitted in plaintext over the wire. This is only a problem where there is a 1:1 relationship between the client certificate and the user. Some providers do not offer certificate authentication at all, others use shared client certificates, but the general use case for a client certificate is to hand out unique ones.

        0x0110:  0253 4531 1230 1006 0355 0408 1309 4272  .SE1.0...U....Br
        0x0120:  7967 676c 616e 6431 0f30 0d06 0355 0407  yggland1.0...U..
        0x0130:  1306 4f65 6c64 616c 3124 3022 0603 5504  ..Oeldal1$0"..U.
        0x0140:  0a13 1b52 6f79 616c 2053 7765 6469 7368  ...Royal.Swedish
        0x0150:  2042 6565 7220 5371 7561 6472 6f6e 3112  .Beer.Squadron1.
        0x0160:  3010 0603 5504 0b13 0949 6e74 6572 6e65  0...U....Interne
        0x0170:  747a 3127 3025 0603 5504 0313 1e52 6f79  tz1'0%..U....Roy
        0x0180:  616c 2053 7765 6469 7368 2042 6565 7220  al.Swedish.Beer.
        0x0190:  5371 7561 6472 6f6e 2043 4131 2630 2406  Squadron.CA1&0$.
        0x01a0:  092a 8648 86f7 0d01 0901 1617 686f 7374  .*.H........host
        0x01b0:  6d61 7374 6572 4069 7072 6564 6174 6f72  master@ipredator
        0x01c0:  2e73 6530 1e17 0d31 3430 3132 3730 3934  .se0...140127094
        0x01d0:  3234 345a 170d 3234 3031 3235 3039 3432  244Z..2401250942
        0x01e0:  3434 5a30 81a8 310b 3009 0603 5504 0613  44Z0..1.0...U...
        0x01f0:  0253 4531 1230 1006 0355 0408 1309 4272  .SE1.0...U....Br
        0x0200:  7967 676c 616e 6431 0f30 0d06 0355 0407  yggland1.0...U..
        0x0210:  1306 4f65 6c64 616c 3124 3022 0603 5504  ..Oeldal1$0"..U.
        0x0220:  0a13 1b52 6f79 616c 2053 7765 6469 7368  ...Royal.Swedish
        0x0230:  2042 6565 7220 5371 7561 6472 6f6e 3126  .Beer.Squadron1&
        0x0240:  3024 0603 5504 0313 1d66 6168 7762 6570  0$..U....fbhwaep
        0x0250:  6875 6273 682e 7670 6e2e 6970 7265 6461  hubsh.vpn.ipreda
        0x0260:  746f 722e 7365 3126 3024 0609 2a86 4886  tor.se1&0$..*.H.
        0x0270:  f70d 0109 0116 1768 6f73 746d 6173 7465  .......hostmaste
        0x0280:  7240 6970 7265 6461 746f 722e 7365 3082  r@ipredator.se0.
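What a passive observer can do with such a trace, as an added example that is not code from the article or from the Netsplice project: the scanner below takes the tcpdump -X style excerpt printed above (the hex column is authoritative, the ASCII column is ignored) and pulls the X.500 name attributes out of it without needing the complete certificate. It does this heuristically, by looking for the DER encoding of the attribute OIDs (2.5.4.3 commonName, 2.5.4.10 organizationName, the PKCS#9 emailAddress OID and so on) and decoding the string that follows each one; a full capture of the handshake would be fed to a proper X.509 parser instead. The function names are this example's own.

```python
"""Read X.509 name attributes out of a raw trace of a TLS 1.2 handshake.

Added example, not part of the original article. TLS 1.2 and earlier send the
client Certificate message in the clear, so the subject of the client
certificate is visible on the path. The scanner does not need the whole
certificate: it looks for DER-encoded X.500 attribute OIDs and decodes the
string value that follows each, which works on a fragment of a capture.
"""
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{4}$")


def bytes_from_hexdump(text):
    """Turn tcpdump -X lines ('offset: hhhh x8 <ascii>') into bytes."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        groups = tokens[1:9]  # the ASCII column follows the 8 hex groups
        if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
            raise ValueError("not a tcpdump -X line: " + line)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


# DER encoding (tag 0x06, length, OID bytes) of the attribute types we care about.
ATTR_OIDS = {
    b"\x06\x03\x55\x04\x03": "CN",            # 2.5.4.3 commonName
    b"\x06\x03\x55\x04\x06": "C",             # 2.5.4.6 countryName
    b"\x06\x03\x55\x04\x07": "L",             # 2.5.4.7 localityName
    b"\x06\x03\x55\x04\x08": "ST",            # 2.5.4.8 stateOrProvinceName
    b"\x06\x03\x55\x04\x0a": "O",             # 2.5.4.10 organizationName
    b"\x06\x03\x55\x04\x0b": "OU",            # 2.5.4.11 organizationalUnitName
    b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress",  # 1.2.840.113549.1.9.1
}
# ASN.1 string tags that may carry an attribute value: UTF8String,
# PrintableString, T61String, IA5String.
STRING_TAGS = {0x0c, 0x13, 0x14, 0x16}


def scan_name_attributes(buf):
    """Heuristic scan: an attribute OID followed by a short-form string is
    taken as one AttributeTypeAndValue. Returns [(short name, value), ...]
    in wire order; within one certificate the issuer name comes first, then
    the subject name."""
    found, i = [], 0
    while i < len(buf):
        for oid, short in ATTR_OIDS.items():
            j = i + len(oid)
            if (buf.startswith(oid, i) and j + 2 <= len(buf)
                    and buf[j] in STRING_TAGS and buf[j + 1] < 0x80):
                length = buf[j + 1]
                value = buf[j + 2:j + 2 + length]
                if len(value) == length:
                    found.append((short, value.decode("utf-8", errors="replace")))
                    i = j + 2 + length
                    break
        else:
            i += 1
    return found


def common_names(buf):
    """All commonName values in wire order (issuer CN, then subject CN)."""
    return [v for k, v in scan_name_attributes(buf) if k == "CN"]


# The trace excerpt from the article above, copied verbatim.
TRACE = """
0x0110:  0253 4531 1230 1006 0355 0408 1309 4272  .SE1.0...U....Br
0x0120:  7967 676c 616e 6431 0f30 0d06 0355 0407  yggland1.0...U..
0x0130:  1306 4f65 6c64 616c 3124 3022 0603 5504  ..Oeldal1$0"..U.
0x0140:  0a13 1b52 6f79 616c 2053 7765 6469 7368  ...Royal.Swedish
0x0150:  2042 6565 7220 5371 7561 6472 6f6e 3112  .Beer.Squadron1.
0x0160:  3010 0603 5504 0b13 0949 6e74 6572 6e65  0...U....Interne
0x0170:  747a 3127 3025 0603 5504 0313 1e52 6f79  tz1'0%..U....Roy
0x0180:  616c 2053 7765 6469 7368 2042 6565 7220  al.Swedish.Beer.
0x0190:  5371 7561 6472 6f6e 2043 4131 2630 2406  Squadron.CA1&0$.
0x01a0:  092a 8648 86f7 0d01 0901 1617 686f 7374  .*.H........host
0x01b0:  6d61 7374 6572 4069 7072 6564 6174 6f72  master@ipredator
0x01c0:  2e73 6530 1e17 0d31 3430 3132 3730 3934  .se0...140127094
0x01d0:  3234 345a 170d 3234 3031 3235 3039 3432  244Z..2401250942
0x01e0:  3434 5a30 81a8 310b 3009 0603 5504 0613  44Z0..1.0...U...
0x01f0:  0253 4531 1230 1006 0355 0408 1309 4272  .SE1.0...U....Br
0x0200:  7967 676c 616e 6431 0f30 0d06 0355 0407  yggland1.0...U..
0x0210:  1306 4f65 6c64 616c 3124 3022 0603 5504  ..Oeldal1$0"..U.
0x0220:  0a13 1b52 6f79 616c 2053 7765 6469 7368  ...Royal.Swedish
0x0230:  2042 6565 7220 5371 7561 6472 6f6e 3126  .Beer.Squadron1&
0x0240:  3024 0603 5504 0313 1d66 6168 7762 6570  0$..U....fbhwaep
0x0250:  6875 6273 682e 7670 6e2e 6970 7265 6461  hubsh.vpn.ipreda
0x0260:  746f 722e 7365 3126 3024 0609 2a86 4886  tor.se1&0$..*.H.
0x0270:  f70d 0109 0116 1768 6f73 746d 6173 7465  .......hostmaste
0x0280:  7240 6970 7265 6461 746f 722e 7365 3082  r@ipredator.se0.
"""

if __name__ == "__main__":
    for short, value in scan_name_attributes(bytes_from_hexdump(TRACE)):
        print(f"{short}={value}")
```

Everything the scanner prints was readable by anyone between the client and the server, including the subject CN that identifies the individual account. The same pass over a capture taken at a different location yields the same CN, which is the linkage the text above describes.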


Never forget: Trust but verify. And if in doubt research.