Эта запись в блоге написана более 9 лет назад, поэтому может быть неактуальной.
IP exposure via UDP ports
We have recently become aware of a newly published method for deanonymizing VPN users. For this to work, the user must be running some software that listens to and communicates via a UDP port and either be connecting directly to the internet without a NAT router or be behind a NAT router with port forwarding enabled.
You can read more about the issue and how to mitigate it.