VPN & Public IP Exposure on a Local Network

TL;DR

Yes, a PC without a VPN can expose the public IP address of another PC using a VPN on the same local network. This happens because traffic from both PCs often shares the same internet connection and router. The VPN hides the second PC’s IP for traffic sent through the tunnel, but other activity on the network can still reveal it.

Understanding the Problem

When you use a VPN, it creates an encrypted tunnel for your internet traffic, masking your real IP address with one from the VPN server. However, this protection is limited to traffic routed through the VPN. Other PCs on the same network can still see each other’s local IPs and potentially expose information about the VPN user.

How Exposure Happens

  1. Shared Internet Connection: Both PCs typically use the same router to connect to the internet. The router has a single public IP address (unless you have a static IP or specific configuration).
  2. Port Forwarding: If port forwarding is enabled on the router for services running on the VPN-protected PC, that service becomes accessible from the outside world using the router’s public IP. This bypasses the VPN.
  3. Direct Connections (P2P): Some applications (like torrent clients) might attempt direct connections between peers, bypassing the VPN altogether and revealing the VPN user’s real IP address.
  4. Local Network Discovery: Other PCs on the network can use tools to discover services running on the VPN-protected PC, potentially exposing its local IP, which is linked to the router’s public IP.
  5. DNS Leaks: Even with a VPN, your DNS requests might sometimes be sent through your ISP’s servers instead of the VPN’s, revealing your location and potentially linking it back to your real IP.

Steps to Prevent Exposure

  1. Disable Port Forwarding: Check your router’s settings and disable any port forwarding rules that point to services on the VPN-protected PC.
    • Access your router’s configuration page (usually via a web browser, e.g., 192.168.1.1 or 192.168.0.1 – check your router’s manual).
    • Look for sections like “Port Forwarding,” “Virtual Server,” or “NAT.”
    • Remove any rules that forward ports to the VPN-protected PC’s local IP address.
  2. Configure Firewall: Enable and properly configure the firewall on both PCs.
    • Windows Firewall: Search for “Firewall” in the Start menu, then select “Windows Defender Firewall.” Ensure it’s enabled and configured to block incoming connections unless specifically allowed.
    • macOS Firewall: Go to System Preferences > Security & Privacy > Firewall. Enable it and configure rules as needed.
  3. Disable Local Network Discovery: Turn off features that allow other PCs to discover your PC on the network.
    • Windows: Search for “Network and Sharing Center” in the Start menu, then click “Change advanced sharing settings.” Turn off network discovery and file and printer sharing.
    • macOS: Go to System Preferences > Sharing and uncheck any services you don’t need (e.g., File Sharing, Screen Sharing).
  4. Use a Kill Switch: Most reputable VPN providers offer a kill switch feature. This automatically disconnects your internet connection if the VPN connection drops, preventing data from being sent through your regular ISP.
  5. Check for DNS Leaks: Use online tools to test for DNS leaks after connecting to the VPN.
  6. Application-Specific Settings: Configure applications (like torrent clients) to only use the VPN connection and prevent direct connections.
    • In your torrent client, bind it to the VPN interface or force all traffic through a SOCKS5 proxy provided by your VPN.
  7. Router-Level VPN: Consider setting up a VPN directly on your router. This protects all devices connected to the network without needing individual configuration.
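
A way to check steps 4 to 6 on a Linux PC, as an added example that is not part of the original article: it applies longest-prefix matching to `ip route show` output to see whether internet traffic and each configured DNS resolver actually leave through the tunnel. The route tables are constructed samples; the tunnel interface prefixes (`tun`, `wg`), the probe address and a single main routing table (no policy routing, metrics ignored) are assumptions.

```python
import ipaddress

# Constructed `ip route show` output: OpenVPN-style tunnel up on tun0.
VPN_UP = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
198.51.100.7 via 192.168.1.1 dev eth0
"""
# Constructed output for the same host after the tunnel has dropped.
VPN_DOWN = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_routes(text):
    """Turn `ip route show` text into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # e.g. blackhole/unreachable routes carry no interface
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def egress_interface(routes, dest):
    """Longest-prefix match: the most specific route decides the interface."""
    addr = ipaddress.ip_address(dest)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches)[1] if matches else None

def audit(route_text, resolvers, tunnel_prefixes=("tun", "wg"),
          probe="203.0.113.10"):
    """Return findings; an empty list means no bypass was detected."""
    routes = parse_routes(route_text)
    findings = []
    dev = egress_interface(routes, probe)
    if dev is None or not dev.startswith(tunnel_prefixes):
        findings.append(f"internet traffic leaves via {dev}, not the tunnel")
    for resolver in resolvers:
        dev = egress_interface(routes, resolver)
        if dev is None or not dev.startswith(tunnel_prefixes):
            findings.append(f"DNS resolver {resolver} reached via {dev}: DNS leak")
    return findings
```

Calling `audit(VPN_UP, ["192.168.1.1"])` flags the router-as-resolver case: the tunnel carries internet traffic, but DNS queries still go to the local router and on to the ISP. On a real host, pass the live `ip route show` text and the nameserver addresses from the resolver configuration.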

Important Note

Even with these precautions, complete security is never guaranteed. Regularly review your settings and be mindful of the applications you use and their potential impact on your privacy.
