Currently, we're working with several beta testers to nail down mis-handling of pushed DNS servers on several OS platforms. Because these kinds of "leaks" are intimately entwined with the host operating system handling the secure network connection, it's just not possible to have a "one size fits all" answer to them from the server-side of things.
Indeed, those with sharp eyes might have already noticed that there are some commented-out "stubs" in our server-side configuration that involve pushing various script-based route-setup parameters to specific client-side OS flavours. In a nutshell, we're actively testing several of these approaches... and have been for several months.
In addition to these server-side options, our network access widget works with Windows to do manual flushing & refilling of local route/route metric data during session initiation/teardown. This helps to minimise the snarled mess that can occur when Windows is trusted to self-manage its own routing reconfiguration.
But let's cut to the chase. The real solution here, on the Windows side of things, is Leakblock (equivalent versions on Linux are implemented via dynamic iptables rules). Don't tell anyone, but we're hoping to roll the first public version of Leakblock into the 0.9 version of the Windows widget itself. This is how to solve the "leaks" problem from top to bottom.
In the meantime, please report any and all leak-ish things here in this thread. There's nothing secret about this process - we're happy to discuss here in public threads, as it helps ensure we're seeing the most comprehensive sweep of events.
To that end, by far the most useful data are Wireshark session analyses (or raw pcaps) - they show us exactly what's going on with secure session characteristics at the packet level. This kind of analytic work has to be done client-side, and there's just no way we can cover all the various permutations of client OS/config setups in-house. Put another way: the more testing, in more situations, we can bring to bear on secure network sessions, the more confident we all can be that things are locked-down tight.
The ubiquity of leaky behaviours in supposedly secure "VPN services" is hard to overstate. We're fully dedicated to eliminating leaks, structurally and systematically, for cryptostorm members. This is a process - not a one-shot magical answer, nor a hand-waving promise that all is well when it's not.
Thanks in advance for helping us make cryptostorm the un-leaking-est darknet in the world.
- ~ cryptostorm_team
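
An added example, not part of the original post and not cryptostorm's own tooling: a way to pre-screen a raw pcap for the DNS leaks discussed above before attaching it to a report. It assumes a classic little-endian pcap captured on the physical (non-tunnel) Ethernet interface, IPv4 and UDP only; the function names, addresses and sample capture are constructed for illustration.

```python
import socket
import struct

def _qname(q: bytes) -> str:
    """Decode the uncompressed QNAME at the start of a DNS question."""
    labels, i = [], 0
    while i < len(q) and 0 < q[i] < 64:
        labels.append(q[i + 1:i + 1 + q[i]].decode("ascii", "replace"))
        i += 1 + q[i]
    return ".".join(labels)

def find_dns_leaks(pcap: bytes, vpn_server: str):
    """List (dst_ip, qname) for cleartext UDP/53 queries seen on the physical
    interface that are not addressed to vpn_server. With a sealed tunnel this
    list is empty. IPv6 and DNS over TCP are not covered here."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian classic pcap")
    if struct.unpack_from("<I", pcap, 20)[0] != 1:
        raise ValueError("expected Ethernet link type")
    leaks, off = [], 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # keep only IPv4 carrying UDP
        dst = socket.inet_ntoa(frame[30:34])
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) < 20 or struct.unpack_from("!H", udp, 2)[0] != 53:
            continue  # not a DNS query
        if dst != vpn_server:
            leaks.append((dst, _qname(udp[20:])))  # skip UDP + DNS headers
    return leaks

def _record(dst_ip: str, dport: int, payload: bytes) -> bytes:
    """Build one constructed pcap record (Ethernet/IPv4/UDP, checksums zero)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.168.1.10"), socket.inet_aton(dst_ip))
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed capture: one tunnel packet, one query that escaped the tunnel.
_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x07example\x04test\x00" + struct.pack("!HH", 1, 1))
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + _record("203.0.113.5", 443, b"\x00" * 32)
               + _record("198.51.100.53", 53, _QUERY))
```

Run against a real capture by reading the file as bytes and passing the address of the VPN endpoint the session connected to.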