You are connected to a VPN. The app says "Protected." You see a little lock icon. But is your real IP address actually hidden? For a surprising number of people, the answer is no.
VPN leaks happen when your real IP address, DNS queries, or WebRTC data escapes the encrypted tunnel and reaches the websites you visit. The VPN client shows you are connected, but your actual identity is exposed. This guide explains what each type of leak is, how to test for it, and how to fix it.
What Is a VPN Leak?
A VPN is supposed to route all your internet traffic through an encrypted tunnel to a server in another location. When everything works, websites see the VPN server's IP address instead of yours.
A leak happens when some traffic bypasses the tunnel. There are three main types:
| Leak Type | What Escapes | Risk Level |
|---|---|---|
| IP Leak | Your real public IP address | Critical — websites see your actual location |
| DNS Leak | Your DNS queries | High — your ISP can see every domain you visit |
| WebRTC Leak | Your local and public IP via browser APIs | High — works even with a VPN active |
IP Leaks
What it is
An IP leak occurs when your real public IP address is visible to a website even though your VPN is active. This completely defeats the purpose of using a VPN.
Common causes
- VPN disconnected silently: The connection dropped, but the app did not warn you
- Split tunneling misconfigured: Some apps are set to bypass the VPN
- IPv6 not tunneled: Your VPN handles IPv4 but leaks IPv6 traffic
- Kill switch disabled: When the VPN drops, traffic flows through your regular connection
How to test
- Connect to your VPN
- Visit our VPN Leak Test — it automatically checks your public IP
- The IP shown should be your VPN server's IP, not your home IP
- If you see your real IP or your ISP's name, you have a leak
How to fix
- Enable the kill switch in your VPN app — this blocks all internet if the VPN drops
- Disable IPv6 if your VPN does not support it: on Linux, add `net.ipv6.conf.all.disable_ipv6 = 1` to `/etc/sysctl.conf`
- Check split tunneling settings and make sure your browser is routed through the VPN
- Switch VPN protocols — WireGuard and OpenVPN are more reliable than IKEv2 for preventing leaks
DNS Leaks
What it is
When you visit a website, your device sends a DNS query to translate the domain name (like google.com) into an IP address. A DNS leak means your DNS queries are still going to your ISP or another third-party DNS server outside the VPN tunnel.
Common causes
- OS-level DNS settings override the VPN: Windows is particularly prone to this
- Smart Multi-Homed Name Resolution (Windows): Sends DNS queries to all available interfaces simultaneously
- VPN does not push its own DNS: Some cheap VPNs do not configure DNS properly
- DNS over HTTPS (DoH) in browser: Your browser might send DNS queries directly, bypassing the VPN
How to test
- Connect to your VPN
- Visit our VPN Leak Test — it checks which DNS servers your device is using
- The DNS servers should belong to your VPN provider, not your ISP
- If you see your ISP's DNS, you have a DNS leak
How to fix
- Set DNS manually to a privacy-focused provider: `1.1.1.1` (Cloudflare), `9.9.9.9` (Quad9), or `8.8.8.8` (Google)
- On Windows: Disable "Smart Multi-Homed Name Resolution" in Group Policy
- On Linux: Check `/etc/resolv.conf` — it should point to the VPN's DNS when connected
- Disable DoH in your browser if your VPN does not handle it
- Use a VPN that forces its own DNS — most reputable providers do this automatically
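Added example (not from the original guide): a Node.js check of `resolv.conf` content against the VPN's DNS servers, following the Linux step above. The VPN resolver `10.8.0.1` and both sample files are constructed; a loopback entry such as systemd-resolved's `127.0.0.53` is reported as inconclusive because the upstream it forwards to is not in the file.

```javascript
// Added example: audit resolv.conf content against the VPN's DNS servers.
// VPN_DNS and both sample files are constructed values.
const VPN_DNS = ["10.8.0.1"];

function parseNameservers(text) {
  const servers = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/[#;].*$/, "").trim(); // drop comments
    const m = /^nameserver\s+(\S+)$/.exec(line);
    if (m) servers.push(m[1]);
  }
  return servers;
}

function auditResolvConf(text, vpnDns) {
  const allowed = new Set(vpnDns);
  const nameservers = parseNameservers(text);
  // Loopback entries (systemd-resolved's 127.0.0.53, a local dnsmasq) are
  // forwarders: the upstream they query is not visible in this file.
  const stubs = nameservers.filter((ip) => ip.startsWith("127.") || ip === "::1");
  const outside = nameservers.filter(
    (ip) => !allowed.has(ip) && !stubs.includes(ip)
  );
  let verdict = "ok";
  if (outside.length > 0) verdict = "leak";
  else if (stubs.length > 0 || nameservers.length === 0) verdict = "inconclusive";
  return { nameservers, outside, stubs, verdict };
}

const LEAKY_SAMPLE = `# constructed: a non-VPN resolver is still listed
nameserver 10.8.0.1
nameserver 192.0.2.53
search home.example
`;
const STUB_SAMPLE = `# constructed: systemd-resolved stub listener
nameserver 127.0.0.53
options edns0 trust-ad
`;

for (const [name, text] of [["leaky", LEAKY_SAMPLE], ["stub", STUB_SAMPLE]]) {
  const r = auditResolvConf(text, VPN_DNS);
  console.log(name, r.verdict, r.outside.join(",") || "-");
}
```

When the result is `inconclusive` on a systemd-resolved system, `resolvectl status` lists the upstream DNS servers per interface.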
WebRTC Leaks
What it is
WebRTC is a browser technology used for video calls, voice chat, and peer-to-peer file sharing. WebRTC can discover your real IP address through STUN requests that bypass the VPN tunnel.
Types of WebRTC candidates
| Type | What it means |
|---|---|
| host | Your device's local/private IP (like 192.168.1.x). Low risk |
| srflx (Server Reflexive) | Your public IP as seen by the STUN server. This is the dangerous one |
| relay | A TURN relay server IP. Safe |
How to test
- Connect to your VPN
- Visit our VPN Leak Test — it automatically runs WebRTC checks
- Look at the srflx candidate — it should show your VPN's IP, not your real IP
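Added example (not from the original guide): a parser that classifies ICE candidate lines by the types in the table above and flags any srflx address that is not the VPN's. The VPN exit address `203.0.113.10` and all candidate lines are constructed; the check goes slightly beyond the table by also recognising host candidates that the browser has replaced with a random mDNS name.

```javascript
// Added example: classify ICE candidate lines by the types in the table above.
// All addresses are constructed (private and RFC 5737 documentation ranges).
const VPN_EXIT_IPS = ["203.0.113.10"]; // assumed VPN server address

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const text = line.trim().replace(/^a=/, "");
  const m = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i.exec(text);
  if (!m) return null;
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7].toLowerCase() };
}

function assessCandidates(lines, vpnExitIps) {
  const allowed = new Set(vpnExitIps);
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    let verdict;
    if (c.type === "srflx") {
      // Public address seen by the STUN server: must be the VPN's, not yours.
      verdict = allowed.has(c.address) ? "ok" : "leak";
    } else if (c.type === "host") {
      // Browsers may replace the local IP with a random mDNS name (*.local).
      verdict = c.address.endsWith(".local") ? "obfuscated" : "local-ip";
    } else if (c.type === "relay") {
      verdict = "ok"; // TURN relay address, not the client's
    } else {
      verdict = "review"; // e.g. prflx, not covered by the table
    }
    findings.push({ ...c, verdict });
  }
  return findings;
}

const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e0a-9c55-0d1e2f3a4b5c.local 54322 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052607 203.0.113.10 40000 typ srflx raddr 10.8.0.2 rport 40000",
  "candidate:5 1 udp 41885439 203.0.113.99 3478 typ relay raddr 203.0.113.10 rport 40000",
];

for (const f of assessCandidates(SAMPLE_CANDIDATES, VPN_EXIT_IPS)) {
  console.log(f.type.padEnd(5), f.address, f.verdict);
}
```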
How to fix
Firefox: Type `about:config` → search for `media.peerconnection.enabled` → set it to false
This disables WebRTC entirely, so Google Meet and similar services will not work.
Chrome/Edge: Install the "WebRTC Leak Prevent" extension
IPv6 Leaks
What it is
Many VPNs only tunnel IPv4 traffic. If your ISP provides IPv6 connectivity and the VPN does not handle it, your IPv6 address leaks outside the tunnel.
How to fix
- Disable IPv6 on your device if your VPN does not support it
- Use a VPN that supports IPv6 tunneling (WireGuard handles this natively)
- On Linux: `sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1`
- On Windows: Uncheck "Internet Protocol Version 6" in your network adapter settings
The Complete Test Checklist
- Connect to your VPN
- Open our VPN Leak Test in an incognito window
- Check your public IP — should be the VPN server, not your real IP
- Check DNS servers — should not belong to your ISP
- Check WebRTC srflx — should show VPN IP or be blocked
- Check IPv6 — should be disabled or tunneled through VPN
- Test on both WiFi and cellular — leaks can differ by connection type
VPN Protocols and Leak Resistance
| Protocol | Leak Resistance | Notes |
|---|---|---|
| WireGuard | Excellent | Modern, handles IPv6, minimal attack surface |
| OpenVPN | Very Good | Mature, well-tested, configurable DNS handling |
| IKEv2 | Good | Fast reconnection, but IPv6 handling varies |
| PPTP | Poor | Outdated, known vulnerabilities, avoid entirely |
| L2TP/IPSec | Fair | Better than PPTP but still not ideal |
Run a Full Test Now
Use our free VPN Leak Test to automatically check your public IP, DNS servers, WebRTC candidates, IPv6 connectivity, and geolocation — all tests run instantly on page load. No signup required.