Surfshark is a popular VPN service provider that works natively on Windows, macOS and Linux with a GUI client app, and also has browser extensions for Chrome and Firefox.
In this article we take a look at how the browser extensions of Surfshark VPN (and similar VPN providers) work under the hood.
With the native GUI client app, Surfshark establishes a full VPN connection on the system using protocols like WireGuard, OpenVPN, and IKEv2 to encrypt and tunnel all outgoing traffic.
It does so by creating a virtual network interface and changing the IP routing tables to capture all IP traffic and redirect it to the VPN server for secure transmission.
What protocol is used by the browser extension
However, with the browser extensions the story is different. Browsers do not support any kind of VPN-based proxy mechanism.
According to this document, Chrome supports the following proxy schemes:
- DIRECT
- HTTP
- HTTPS
- SOCKSv4
- SOCKSv5
- QUIC
Other browsers like Firefox also support similar protocols, but none has VPN technology built in. Then how do the browser extensions of VPN providers work?
The answer is: HTTPS proxy.
Yes, under the hood, the Surfshark VPN browser extension uses the HTTPS proxy mechanism to connect to the VPN server and uses it as a proxy server. For the end user the result is the same, that is, privacy, but the underlying mechanisms are very different.
If you want to check the proxy settings, in Chrome for example, follow these steps:
1. Go to Extensions, or open the URL chrome://extensions/.
2. Turn on Developer Mode at the top right.
3. In the box of "Surfshark VPN Extension" you would see "Inspect views: background page". Click it.
4. Run the following code:
    chrome.proxy.settings.get({'incognito': false}, function(config) {
        console.log(JSON.stringify(config));
    });
The output should be something like this:
    {
      "levelOfControl": "controlled_by_this_extension",
      "value": {
        "mode": "fixed_servers",
        "rules": {
          "bypassList": [
            "10.0.0.0/8",
            "127.0.0.0/8",
            "172.16.0.0/12",
            "192.168.0.0/16",
            "::1/128",
            ".local",
            "localhost",
            "*.localhost",
            "localhost.localdomain",
            "*.localhost.localdomain"
          ],
          "singleProxy": {
            "host": "us-hou.prod.surfshark.com",
            "port": 443,
            "scheme": "https"
          }
        }
      }
    }
In the above example we are connected to the Surfshark VPN server "us-hou.prod.surfshark.com" on port 443 with the HTTPS protocol.
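To read such a settings object systematically, the following added example (not code from Surfshark or from the original article) reports which proxy is in force and checks whether a given host would skip it under the bypass list. The matcher is a simplified model of the rule forms shown in the output above, and all function names are hypothetical.

```javascript
// Added example: audit a chrome.proxy settings object such as the one printed above.
// RULES is copied from the article's output; function names are hypothetical.
const RULES = {
  bypassList: ["10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128",
    ".local", "localhost", "*.localhost", "localhost.localdomain", "*.localhost.localdomain"],
  singleProxy: { host: "us-hou.prod.surfshark.com", port: 443, scheme: "https" },
};
const CONFIG = { levelOfControl: "controlled_by_this_extension",
  value: { mode: "fixed_servers", rules: RULES } };

// Dotted IPv4 literal -> unsigned 32-bit integer, or null when the host is not IPv4.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// Simplified matcher for the rule forms in the list above: IPv4 CIDR (IP literals only),
// ".suffix" / "*.suffix" and exact hostnames. IPv6 CIDR rules are not evaluated.
function bypassesProxy(host, bypassList) {
  const h = host.toLowerCase();
  const ip = ipv4ToInt(h);
  return bypassList.some((rule) => {
    const cidr = /^(\d+\.\d+\.\d+\.\d+)\/(\d+)$/.exec(rule);
    if (cidr) {
      if (ip === null) return false;
      const bits = Number(cidr[2]);
      const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
      return ((ip & mask) >>> 0) === ((ipv4ToInt(cidr[1]) & mask) >>> 0);
    }
    if (rule.startsWith("*.")) return h.endsWith(rule.slice(1));
    if (rule.startsWith(".")) return h.endsWith(rule);
    return h === rule;
  });
}

// Summarise what the settings mean for traffic leaving the browser.
function auditProxy(config) {
  const { mode, rules = {} } = config.value;
  const p = rules.singleProxy;
  return {
    extensionControlled: config.levelOfControl === "controlled_by_this_extension",
    proxy: mode === "fixed_servers" && p ? `${p.scheme}://${p.host}:${p.port}` : null,
    tlsToProxy: Boolean(p) && p.scheme === "https",
  };
}
```

Requests to hosts for which `bypassesProxy` returns true, such as a router at a private address or a `.local` device, go out directly and are not covered by the extension.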
How are DNS queries protected
To protect DNS queries, the browser performs them over the HTTPS proxy using the DNS over HTTPS protocol.
All browsers, including Chrome, Firefox, Edge and Opera, support DNS over HTTPS. This ensures there is no DNS leak.
When using the Surfshark extension in Chrome, DNS over HTTPS worked pretty well, and when tested with ipleak.net there were no DNS leaks.
With the Chrome extension, all DNS queries went through the Surfshark server securely. However, there was one particular DNS query that was transmitted directly.
This could be captured with tshark. The command format is:
    sudo tshark -i enp0s3 -f "udp port 53"

    1975 7599.862992073 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0x5a31 A us-atl.prod.surfshark.com OPT
    1976 7599.863624356 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0x6b8f AAAA us-atl.prod.surfshark.com OPT
    1977 7599.905199813 8.8.8.8 → 192.168.1.92 DNS 180 Standard query response 0x6b8f AAAA us-atl.prod.surfshark.com SOA ns-1652.awsdns-14.co.uk OPT
    1978 7599.942691937 8.8.8.8 → 192.168.1.92 DNS 128 Standard query response 0x5a31 A us-atl.prod.surfshark.com A 92.119.19.56 A 138.199.2.135 OPT
    1979 7644.712753634 192.168.1.92 → 8.8.8.8 DNS 98 Standard query 0x4950 A safebrowsing.googleapis.com OPT
    1980 7644.713009071 192.168.1.92 → 8.8.8.8 DNS 98 Standard query 0xfb01 AAAA safebrowsing.googleapis.com OPT
    1981 7644.767876821 8.8.8.8 → 192.168.1.92 DNS 126 Standard query response 0xfb01 AAAA safebrowsing.googleapis.com AAAA 2404:6800:4007:816::200a OPT
    1982 7644.780525556 8.8.8.8 → 192.168.1.92 DNS 114 Standard query response 0x4950 A safebrowsing.googleapis.com A 142.250.196.170 OPT
    1983 7660.100121329 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0xe927 A us-atl.prod.surfshark.com OPT
    1984 7660.100278295 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0x503b AAAA us-atl.prod.surfshark.com OPT
    1985 7660.162336596 8.8.8.8 → 192.168.1.92 DNS 180 Standard query response 0x503b AAAA us-atl.prod.surfshark.com SOA ns-1652.awsdns-14.co.uk OPT
    1986 7660.170755925 8.8.8.8 → 192.168.1.92 DNS 128 Standard query response 0xe927 A us-atl.prod.surfshark.com A 92.119.19.50 A 92.119.19.66 OPT
The DNS queries to resolve the Surfshark VPN servers were sent directly to the system-configured DNS servers (8.8.8.8 on my system). This is not much of a security or privacy concern though.
Direct DNS queries are also made when the browser is launched for the first time and the extension has not been initialised yet.
So if you want full protection and want to tunnel all the internet traffic on your system, use a VPN client like OpenVPN or the GUI client provided by Surfshark.
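To review a capture like the one above without reading it line by line, the following added example (not from the original article) parses tshark's default one-line output and groups the cleartext queries by name, marking which name is the proxy server itself. The sample lines are reused from the capture above, the proxy host is passed in by the caller, and the function names are hypothetical.

```javascript
// Added example: list the names that appear in cleartext DNS queries in tshark's default
// one-line output. CAPTURE reuses lines from the article's capture; names are hypothetical.
const CAPTURE = `
1975 7599.862992073 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0x5a31 A us-atl.prod.surfshark.com OPT
1976 7599.863624356 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0x6b8f AAAA us-atl.prod.surfshark.com OPT
1978 7599.942691937 8.8.8.8 → 192.168.1.92 DNS 128 Standard query response 0x5a31 A us-atl.prod.surfshark.com A 92.119.19.56 A 138.199.2.135 OPT
1979 7644.712753634 192.168.1.92 → 8.8.8.8 DNS 98 Standard query 0x4950 A safebrowsing.googleapis.com OPT
1980 7644.713009071 192.168.1.92 → 8.8.8.8 DNS 98 Standard query 0xfb01 AAAA safebrowsing.googleapis.com OPT
1983 7660.100121329 192.168.1.92 → 8.8.8.8 DNS 96 Standard query 0xe927 A us-atl.prod.surfshark.com OPT
`;

// Columns: frame, time, source, arrow, destination, "DNS", length, then the Info text.
const LINE = /^\s*\d+\s+[\d.]+\s+(\S+)\s+(?:→|->)\s+(\S+)\s+DNS\s+\d+\s+Standard query (response )?0x[0-9a-f]+\s+(\S+)\s+(\S+)/;

// Return one record per outgoing query; responses and non-DNS lines are skipped.
function parseQueries(text) {
  const out = [];
  for (const line of text.split("\n")) {
    const m = LINE.exec(line);
    if (!m || m[3]) continue;
    out.push({ client: m[1], resolver: m[2], type: m[4], name: m[5].toLowerCase() });
  }
  return out;
}

// Group queries by name. Resolving the proxy host itself outside the proxy is expected;
// any other name was resolved directly, by the browser or by another program on the host.
function cleartextNames(text, proxyHost) {
  const byName = new Map();
  for (const q of parseQueries(text)) {
    const e = byName.get(q.name) || {
      name: q.name, queries: 0, types: new Set(), resolver: q.resolver,
      isProxyHost: q.name === proxyHost.toLowerCase(),
    };
    e.queries += 1;
    e.types.add(q.type);
    byName.set(q.name, e);
  }
  return [...byName.values()].map((e) => ({ ...e, types: [...e.types].sort() }));
}
```

Run against these lines with `us-atl.prod.surfshark.com` as the proxy host, the result contains two names: the proxy server and `safebrowsing.googleapis.com`, which was also resolved through 8.8.8.8.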
Conclusion
Most VPN browser extensions work pretty much the same way under the hood. There are pros and cons to using the browser extensions. With a browser extension you can quickly switch to a VPN proxy if you want to use it for just some specific site and not for every site. Let's say you want to access some geo-restricted content on a particular site; then using the Chrome extension is a quick and easy way to change your geo IP.
However, if you need full privacy protection for all of your internet activity, you must use the VPN application to encrypt and route all your internet traffic; in such cases the browser extensions should not be used. Also, when you are using the VPN app, you should disable the browser extension, as it will apply double VPN routing and slow down your connection.