Privacy Tools Guide

When you connect to a VPN, you expect all your internet traffic to be encrypted and protected from eavesdropping. But how can you actually verify that the encryption is working? The standard tool for network packet analysis, tcpdump, lets you inspect network traffic directly and confirm that your VPN tunnel is properly encrypting your data. This guide walks through practical tcpdump commands and techniques to verify VPN encryption is active and functioning correctly.

Why Verify VPN Encryption?

Even when using a reputable VPN service, several issues can cause encryption to fail or degrade:

By capturing and analyzing packets with tcpdump, you can confirm that:

  1. Traffic is actually flowing through the VPN interface
  2. Packet contents are encrypted (unreadable payload)
  3. No unencrypted traffic is leaking outside the tunnel
  4. Proper encryption protocols are being used

Prerequisites

Before analyzing VPN traffic, ensure you have:

Capturing VPN Traffic

Step 1: Identify Your VPN Interface

First, determine which network interface your VPN is using:

# List all network interfaces
ip addr show

# Or on macOS
ifconfig

# For Wireguard interfaces specifically
ip link show | grep -i wg

Common VPN interface names include:

Step 2: Capture Packets on the VPN Interface

Start capturing on the VPN interface:

# Capture on WireGuard interface
sudo tcpdump -i wg0 -n

# Capture on OpenVPN tunnel
sudo tcpdump -i tun0 -n

# Capture with timestamp and ASCII output
sudo tcpdump -i wg0 -nn -tttt -A

Key tcpdump flags:

Step 3: Analyze Packet Contents

When VPN encryption is working properly, you should see:

Encrypted Packets (What You Want to See)

14:23:45.123456 IP 10.0.0.2.51820 > 203.0.113.1.51820: UDP, length 128

The payload is encrypted—you’ll see the packet headers but not readable content. For WireGuard, UDP port 51820 is used. For OpenVPN, you’ll typically see UDP/TCP port 1194. Keep in mind where these encrypted datagrams appear: they travel over your physical uplink (eth0, en0 and the like), because the tunnel interface (wg0, tun0) carries packets as they look before WireGuard or OpenVPN encrypts them. A readable payload on wg0 or tun0 is therefore the normal inside view of the tunnel, while a readable payload on the uplink is a leak.

What Unencrypted Traffic Looks Like

14:23:45.123456 IP 192.168.1.100.443 > 10.0.0.2.52341: Flags [P.], seq 1:100, ack 1, win 502, length 99
	0x0000:  4510 0063 7c89 4000 4006 b2d7 c0a8 0164  E..c|.@.@......d
	0x0010:  0a00 0002 c8f5 cc95 6f29 4a8e 5018 01f6  ........o)J.P..
	0x0020:  4853 5445 2f31 2e31 2032 3030 204f 4b0d  HTTP/1.1.200.OK.
	0x0030:  0a43 6f6e 7465 6e74 2d54 7970 653a 2074  .Content-Type:.t

Notice the readable “HTTP/1.1 200 OK” in the payload—this is unencrypted traffic!
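To make the “readable vs. unreadable payload” judgement repeatable rather than eyeballed, here is an added Python example (not part of this guide) that parses tcpdump -x/-X hex-dump lines, strips the IPv4 and TCP/UDP headers, and scores the remaining payload by printable-byte ratio and by well-known HTTP markers. Both sample dumps are constructed for this example and are consistent with their headers; the addresses and the 51820 port reuse the guide’s values, and the 0.8 threshold is an assumption you can tune. tcpdump -x and -X omit the link-layer header, so byte 0 is the IP header whether the capture came from wg0 or from eth0.

```python
import re
import string

# Constructed samples (not from the guide's capture), in tcpdump -X layout:
# offset, hex groups, ASCII column. tcpdump -x/-X omit the link-layer header,
# so byte 0 is the start of the IP header on wg0/tun0 as well as on eth0/en0.
PLAINTEXT_DUMP = """\
14:23:45.123456 IP 192.168.1.100.443 > 10.0.0.2.52341: Flags [P.], seq 1:18, ack 1, win 502, length 17
\t0x0000:  4500 0039 0001 0000 4006 0000 c0a8 0164  E..9....@......d
\t0x0010:  0a00 0002 01bb cc75 0000 0001 0000 0001  .......u........
\t0x0020:  5018 01f6 0000 0000 4854 5450 2f31 2e31  P.......HTTP/1.1
\t0x0030:  2032 3030 204f 4b0d 0a                   .200.OK..
"""

# The same client's WireGuard datagram as seen on the uplink: high-entropy UDP payload.
ENCRYPTED_DUMP = """\
14:23:46.000001 IP 192.168.1.100.51820 > 203.0.113.1.51820: UDP, length 32
\t0x0000:  4500 003c 0002 0000 4011 0000 c0a8 0164  E..<....@......d
\t0x0010:  cb00 7101 ca6c ca6c 0028 0000 9f3a e107  ..q..l.l.(...:..
\t0x0020:  c458 2b6d 11f0 a793 5cd2 087e 66b9 4e0d  .X+m....\\..~f.N.
\t0x0030:  2ce5 71a8 3f96 dc15 8a42 f7b0            ,.q.?....B..
"""

PRINTABLE = set(bytes(string.printable, "ascii"))
# Markers that only ever appear in cleartext application data.
MARKERS = (b"HTTP/", b"GET ", b"POST ", b"Host:", b"Content-Type:")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -x/-X lines ('0x0010:  0a00 0002 ...')."""
    raw = bytearray()
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("0x"):
            continue  # summary line, not a hex line
        # Fields are separated by two or more spaces: offset, hex groups, optional ASCII column.
        fields = re.split(r"\s{2,}", line)
        raw += bytes.fromhex(fields[1].replace(" ", ""))
    return bytes(raw)


def ip_payload(packet: bytes) -> bytes:
    """Return the transport payload of an IPv4 TCP or UDP packet (headers stripped)."""
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    total_len = int.from_bytes(packet[2:4], "big")
    body = packet[ihl:total_len]
    if proto == 6:                      # TCP: data offset lives in the upper nibble of byte 12
        return body[(body[12] >> 4) * 4:]
    if proto == 17:                     # UDP: fixed 8-byte header
        return body[8:]
    return body                         # other protocols: treat everything after IP as payload


def classify_payload(payload: bytes, threshold: float = 0.8) -> dict:
    """Score a payload: cleartext protocols are mostly printable and carry known markers."""
    if not payload:
        return {"verdict": "empty", "printable_ratio": 0.0, "markers": []}
    ratio = sum(b in PRINTABLE for b in payload) / len(payload)
    found = [m.decode() for m in MARKERS if m in payload]
    verdict = "plaintext" if found or ratio >= threshold else "opaque"
    return {"verdict": verdict, "printable_ratio": round(ratio, 2), "markers": found}


def analyze_dump(text: str) -> dict:
    """Parse one tcpdump -x/-X packet dump and classify its payload."""
    return classify_payload(ip_payload(parse_hexdump(text)))


if __name__ == "__main__":
    for name, dump in (("plaintext sample", PLAINTEXT_DUMP), ("encrypted sample", ENCRYPTED_DUMP)):
        print(name, analyze_dump(dump))
```

Feed it real output from sudo tcpdump -i eth0 -nn -x (one packet per call, or split a file on the summary lines) to get a verdict per packet. Encrypted VPN payloads sit well below the threshold; compressed or binary protocols can too, which is why the marker check is the stronger signal for an actual cleartext leak.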

Verifying Encryption with Specific Tests

Test 1: Check for Plaintext HTTP Traffic

Capture traffic and filter for port 80 (HTTP):

sudo tcpdump -i wg0 -nn port 80 -A

If you see readable HTTP requests like GET / HTTP/1.1 or POST /login, your VPN is leaking unencrypted traffic. This verdict applies to a capture on the uplink interface; on wg0 or tun0 such requests are simply the pre-encryption view of your own browsing.

Test 2: Verify Only VPN Port Traffic Exists

Confirm all traffic uses the VPN’s protocol and port:

# WireGuard - UDP 51820
sudo tcpdump -i wg0 -nn not port 51820

# OpenVPN - UDP 1194 or TCP 443 (exclude both)
sudo tcpdump -i tun0 -nn not port 1194 and not port 443

Any output here indicates traffic leaking outside the VPN tunnel. Run the same filter on the uplink interface as well: that is where the encrypted VPN datagrams and any leaked packets appear side by side, whereas on the tunnel interface itself none of the inner packets carry the VPN port.

Test 3: Inspect TLS/SSL Handshake

For HTTPS traffic through the VPN, verify TLS encryption:

# Look for TLS handshake packets
sudo tcpdump -i wg0 -nn -A | grep -E "TLSv1\.|TLSv1\.2|TLSv1\.3"

You should see TLS records, but the content should be encrypted (not readable).

Test 4: Compare LAN vs VPN Traffic

Compare traffic on your regular interface versus VPN:

# Your regular interface (e.g., eth0 or en0)
sudo tcpdump -i en0 -nn port 80 -c 5

# Your VPN interface
sudo tcpdump -i wg0 -nn port 80 -c 5

On the regular interface, you’ll see traffic. On the VPN interface (with encryption working), you’ll either see nothing (if HTTPS) or encrypted traffic.

Detecting Common VPN Leaks

DNS Leak Test

DNS leaks occur when your DNS queries bypass the VPN:

# Monitor DNS queries (port 53)
sudo tcpdump -i any -nn port 53 -c 10

If you see DNS queries going to your ISP’s DNS server (not through VPN), you have a DNS leak.

IPv6 Leak Test

IPv6 traffic may bypass VPN tunnels:

# Capture IPv6 traffic
sudo tcpdump -i any -nn ip6

# Filter for IPv6 only on non-VPN interface
sudo tcpdump -i en0 -nn ip6

IPv6 traffic on your regular interface indicates an IPv6 leak.

WebRTC Leak Detection

WebRTC can expose your real IP through browser APIs:

# Monitor STUN protocol (3478)
sudo tcpdump -i any -nn port 3478

STUN requests may leak outside the VPN tunnel.
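Test 2 and the three leak tests above all reduce to the same question about an uplink capture: is every packet either the encrypted exchange with the VPN endpoint or harmless link-local chatter? The added Python example below (not part of this guide) applies that rule to tcpdump -nn summary lines and labels DNS, IPv6, STUN and plain-HTTP leaks in one pass. The capture text is constructed for this example; the endpoint 203.0.113.1:51820 and the 10.0.0.x/192.168.1.x addresses reuse the guide’s placeholder values, and the LAN resolver at 192.168.1.1 is an assumption.

```python
import re
from collections import Counter

# Assumed WireGuard peer (placeholder values taken from the guide).
VPN_ENDPOINT = ("203.0.113.1", 51820)

# Constructed tcpdump -nn output as seen on the physical uplink (eth0/en0) while the
# tunnel is up. Only the two UDP 51820 lines are what a healthy full tunnel should show.
UPLINK_CAPTURE = """\
14:23:45.123456 IP 192.168.1.100.51820 > 203.0.113.1.51820: UDP, length 128
14:23:45.223456 IP 192.168.1.100.40001 > 192.168.1.1.53: 12345+ A? example.com. (29)
14:23:45.323456 IP 192.168.1.100.52341 > 198.51.100.7.80: Flags [S], seq 1, win 64240, length 0
14:23:45.423456 IP6 2001:db8::100.54321 > 2001:db8::1.443: Flags [S], seq 1, win 64800, length 0
14:23:45.523456 IP 192.168.1.100.60000 > 198.51.100.9.3478: UDP, length 20
14:23:45.623456 IP 203.0.113.1.51820 > 192.168.1.100.51820: UDP, length 96
14:23:45.723456 ARP, Request who-has 192.168.1.1 tell 192.168.1.100, length 28
"""

# timestamp, family, "src.port > dst.port:" -- IPv6 addresses contain ':' so the
# greedy \S+ followed by ': ' is what stops at the right place.
LINE = re.compile(r"^\S+ (IP6|IP) (\S+) > (\S+): ")


def split_endpoint(ep: str):
    """'203.0.113.1.51820' or '2001:db8::1.443' -> (host, port)."""
    host, port = ep.rsplit(".", 1)
    return host, int(port)


def classify(line: str, endpoint=VPN_ENDPOINT) -> str:
    """Label one uplink tcpdump line."""
    m = LINE.match(line)
    if not m:
        return "other"                       # ARP, DHCP and similar link-local chatter
    family, src, dst = m.groups()
    src_host, src_port = split_endpoint(src)
    dst_host, dst_port = split_endpoint(dst)
    if (src_host, src_port) == endpoint or (dst_host, dst_port) == endpoint:
        return "tunnel"                      # the encrypted exchange itself
    if family == "IP6":
        return "ipv6-leak"                   # v4-only tunnel: any native IPv6 bypasses it
    ports = {src_port, dst_port}
    if 53 in ports:
        return "dns-leak"                    # resolver reached outside the tunnel
    if 3478 in ports:
        return "stun-leak"                   # WebRTC/STUN address discovery outside the tunnel
    if 80 in ports:
        return "plaintext-http-leak"
    return "outside-tunnel"


def summarize(capture_text: str, endpoint=VPN_ENDPOINT) -> Counter:
    """Count labels over a whole capture."""
    return Counter(classify(l, endpoint) for l in capture_text.splitlines() if l.strip())


def leaks(capture_text: str, endpoint=VPN_ENDPOINT) -> list:
    """Return the offending lines only, for a report."""
    return [l for l in capture_text.splitlines()
            if l.strip() and classify(l, endpoint) not in ("tunnel", "other")]


if __name__ == "__main__":
    print(summarize(UPLINK_CAPTURE))
    for l in leaks(UPLINK_CAPTURE):
        print(classify(l), "->", l)
```

Pipe a live capture through it with sudo tcpdump -l -i eth0 -nn | python3 this_script.py after swapping the constant for sys.stdin, or run it over a saved file. A healthy full tunnel yields only “tunnel” and “other” counts; anything else is a line you can chase down with the per-interface commands above.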

Troubleshooting VPN Encryption Issues

Issue: No Traffic on VPN Interface

# Verify interface is up
ip link show wg0

# Check if VPN has an IP address
ip addr show wg0

# Verify routing
ip route

Issue: High Packet Count but No Encryption

If you see plaintext traffic, check your VPN configuration:

# For WireGuard - verify peer configuration
sudo wg show

# For OpenVPN - check configuration
sudo openvpn --config /etc/openvpn/client.conf --verb 6

Issue: Selective Traffic Not Encrypted

Check your routing table:

# View all routes including VPN routes
ip route show table all

# Check for split tunneling
ip route | grep -v default
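Reading routing tables by hand is error-prone for WireGuard in particular: wg-quick full-tunnel setups keep their default route in a separate table (51820 by wg-quick convention) that is selected by policy rules, so the main table can look like split tunneling even when everything goes through the tunnel. The check that answers like real traffic does is ip route get, which resolves through those rules. The added Python example below (not the guide’s code) asks that question for a list of destinations and flags any that would leave via the uplink; the one destination that must not use the tunnel is the VPN endpoint itself. The fake answers are constructed for this example, and wg0, eth0 and 203.0.113.1 are assumed names.

```python
import re
import subprocess
from typing import Callable, Dict, Optional, Tuple

TUNNEL_IF = "wg0"             # assumed tunnel interface name
VPN_ENDPOINT = "203.0.113.1"  # assumed peer address (placeholder from the guide)
DEV = re.compile(r"\bdev (\S+)")


def route_dev(ip_route_get_output: str) -> Optional[str]:
    """Extract the egress device from one 'ip route get <dest>' answer."""
    m = DEV.search(ip_route_get_output)
    return m.group(1) if m else None


def query_route(dest: str) -> str:
    """Real lookup. 'ip route get' honours policy rules, so it answers as real traffic would."""
    return subprocess.run(["ip", "route", "get", dest],
                          capture_output=True, text=True, check=True).stdout


def check_full_tunnel(dests, tunnel_if: str = TUNNEL_IF, endpoint: str = VPN_ENDPOINT,
                      lookup: Callable[[str], str] = query_route
                      ) -> Dict[str, Tuple[Optional[str], bool]]:
    """Map each destination to (device used, ok).

    Every destination except the VPN endpoint must leave via the tunnel interface;
    the endpoint itself must NOT (routing it through the tunnel would loop)."""
    findings = {}
    for dest in dests:
        dev = route_dev(lookup(dest))
        must_use_tunnel = dest != endpoint
        findings[dest] = (dev, (dev == tunnel_if) == must_use_tunnel)
    return findings


# Constructed 'ip route get' answers for a wg-quick full tunnel plus one host that
# a stray split-tunnel route sends straight to the uplink.
FAKE_ROUTES = {
    "1.1.1.1":      "1.1.1.1 dev wg0 table 51820 src 10.0.0.2 uid 1000 \n    cache \n",
    "203.0.113.1":  "203.0.113.1 via 192.168.1.1 dev eth0 src 192.168.1.100 uid 1000 \n    cache \n",
    "198.51.100.7": "198.51.100.7 via 192.168.1.1 dev eth0 src 192.168.1.100 uid 1000 \n    cache \n",
}


def fake_lookup(dest: str) -> str:
    return FAKE_ROUTES[dest]


if __name__ == "__main__":
    # Swap fake_lookup for query_route (the default) to check the live host.
    for dest, (dev, ok) in check_full_tunnel(FAKE_ROUTES, lookup=fake_lookup).items():
        print(f"{dest:<14} via {str(dev):<5} {'ok' if ok else 'LEAK / split tunnel'}")
```

On a live system call check_full_tunnel with a handful of public addresses plus your endpoint; a destination reported with the uplink device is precisely the split-tunnel case the grep above is trying to surface, found without having to interpret tables and rules yourself.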

Advanced: Decrypting VPN Traffic (For Debugging)

If you’re debugging and have access to the session keys, you can decrypt traffic:

WireGuard Decryption

WireGuard doesn’t support decryption with session keys in tcpdump directly. Use Wireshark with the WireGuard protocol decoder.

OpenVPN Decryption

# Capture OpenVPN traffic to a file
sudo tcpdump -i any -nn -w openvpn-capture.pcap port 1194

# Import into Wireshark with the OpenVPN key
# Wireshark > Preferences > Protocols > OpenVPN > RSA keys

Security Best Practices

When analyzing VPN encryption:

  1. Always use root privileges — tcpdump requires elevated access
  2. Capture to file for later analysis: -w capture.pcap
  3. Use filters wisely — avoid capturing excessive data
  4. Verify in multiple locations — test from different networks
  5. Check both directions — capture both incoming and outgoing

Built by theluckystrike — More at zovo.one