Critical Vulnerabilities in PureVPN’s Linux Client Compromise User Privacy

Recent analyses have uncovered significant security flaws in PureVPN’s Linux client, particularly concerning the handling of IPv6 traffic and firewall configurations. These vulnerabilities pose serious risks to user privacy and system security, especially during network transitions such as Wi-Fi reconnections or system resumes.

IPv6 Address Leakage During Network Transitions

Security researcher Anagogistis conducted tests on Ubuntu 24.04.3 LTS with kernel 6.8.0 and the iptables-nft backend, focusing on both the graphical user interface (GUI) version 2.10.0 and command-line interface (CLI) version 2.0.1 of PureVPN’s Linux client. The findings revealed that the client fails to reapply IPv6 kill-switch protections after events like toggling Wi-Fi or resuming from suspend mode.

When the IPv6 kill-switch (IKS) feature is enabled, the CLI client automatically reconnects and indicates a connected status. However, the system reinstates a default IPv6 route via Router Advertisements (fe80::1) before the client can reestablish ip6tables rules. Since the ip6tables OUTPUT chain retains its default ACCEPT policy, IPv6 traffic resumes outside the VPN tunnel.

In the GUI mode, the disconnect dialog effectively blocks IPv4 traffic but neglects IPv6, allowing leaks until the user manually clicks Reconnect. This oversight means that IPv6-preferred websites may load using the ISP-assigned address, and applications like Thunderbird could continue sending SMTP traffic outside the VPN tunnel, despite the interface indicating full protection.

Firewall Rule Mismanagement

Another critical issue lies in the client’s handling of host firewall rules. Upon establishing a VPN connection, PureVPN’s client wipes existing iptables configurations: default chain policies are reset to ACCEPT, and all custom and UFW (Uncomplicated Firewall) chains, including Docker jumps or user-defined rules, are flushed.

Upon disconnecting, these changes are not reverted, leaving the INPUT and OUTPUT chains set to ACCEPT. This behavior contradicts user expectations and undermines local deny-by-default strategies, effectively exposing services and enabling unwanted inbound connections.

Implications for Privacy-Conscious Users

These vulnerabilities have significant consequences for privacy-conscious Linux users relying on PureVPN for secure connectivity. The IPv6 address leakage and firewall mismanagement undermine the fundamental purpose of using a VPN: to maintain privacy and secure network communications.

Until PureVPN addresses these flaws, users are advised to exercise caution. Consider disabling IPv6 at the operating system level and manually managing firewall rules to ensure they are not inadvertently altered. Alternatively, switching to VPN clients with verified kill-switch reliability may provide a more secure solution.
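
The two conditions described above (an IPv6 default route outside the tunnel while the ip6tables OUTPUT chain is open, and a host firewall left at ACCEPT with its UFW chains gone) can be checked from the output of `ip6tables -S`, `iptables -S` and `ip -6 route show default`. The script below is an added example, not code from PureVPN or the researcher; the function names are hypothetical, the tunnel interface name `tun0` is an assumption, and the rule check is a heuristic rather than a full ruleset evaluation.

```bash
# Added example. TUNNEL_IF is an assumption: set it to your VPN interface.
TUNNEL_IF="${TUNNEL_IF:-tun0}"

# Print the default policy of chain $1 from `iptables -S` style output in $2.
chain_policy() {
  printf '%s\n' "$2" | awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# Succeed if chain $1 in `-S` output $2 contains any DROP or REJECT rule.
has_block_rule() {
  printf '%s\n' "$2" | awk -v c="$1" '
    $1 == "-A" && $2 == c {
      for (i = 3; i < NF; i++)
        if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT")) found = 1
    }
    END { exit !found }'
}

# Print devices that carry an IPv6 default route and are not the tunnel.
offtunnel_default_devs() {
  printf '%s\n' "$1" | awk -v t="$TUNNEL_IF" '
    $1 == "default" {
      for (i = 2; i < NF; i++)
        if ($i == "dev" && $(i+1) != t) print $(i+1)
    }'
}

# Heuristic: OUTPUT policy ACCEPT, no blocking rule, off-tunnel default route.
ipv6_leak_possible() {   # $1 = ip6tables -S output, $2 = default routes
  [ "$(chain_policy OUTPUT "$1")" = "ACCEPT" ] || return 1
  if has_block_rule OUTPUT "$1"; then return 1; fi
  [ -n "$(offtunnel_default_devs "$2")" ]
}

# Host firewall looks reset: INPUT policy ACCEPT and no ufw-* chains left.
firewall_looks_reset() {   # $1 = iptables -S output
  [ "$(chain_policy INPUT "$1")" = "ACCEPT" ] || return 1
  ! printf '%s\n' "$1" | grep -q '^-N ufw-'
}

# Live check: run as root with --live. It only reads state and prints warnings.
if [ "${1:-}" = "--live" ]; then
  if ipv6_leak_possible "$(ip6tables -S)" "$(ip -6 route show default)"; then
    echo "WARN: IPv6 default route outside $TUNNEL_IF while OUTPUT is open"
  fi
  if firewall_looks_reset "$(iptables -S)"; then
    echo "WARN: INPUT policy is ACCEPT and no ufw-* chains exist"
  fi
fi
```

Running it with `--live` right after a Wi-Fi toggle or a resume from suspend covers the transitions in which the leak was observed; comparing the result before connecting and after disconnecting shows whether the host firewall was left reset.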