You paid for a VPN. It's on. The little icon is green. Surely your real IP is now safely hidden and your ISP is seeing nothing but encrypted gibberish, right? Maybe. Unless one of three quiet leaks is silently betraying you to every site you visit — and they almost always do, unless you've verified otherwise. This guide walks through the three big VPN leaks (DNS, WebRTC, IPv6), how to actually test for them in five minutes, and how to plug the ones that are open.
Consider this the pre-flight checklist you run once when you install a new VPN, and once a month after that. It's the difference between the privacy you're paying for and the privacy you're actually getting.
TL;DR
- Three things leak around most VPNs by default: DNS queries, WebRTC peer-to-peer lookups, IPv6 traffic.
- Testing takes five minutes with free online tools plus one quick check in our IP Lookup.
- Most fixes are one toggle in the VPN app; the rest are small OS or browser settings.
Why VPN leaks happen
A VPN is supposed to route every byte of your traffic through an encrypted tunnel. In practice, some traffic is allowed to go around the tunnel because someone, at some point, thought that was a good idea. That someone was usually trying to make the VPN work more smoothly — faster DNS, better video calls, backwards compatibility — but the side effect is leakage. The three classic culprits:
- **DNS**: if your operating system keeps using the default DNS server (often your ISP's) when the VPN is on, every site you visit is logged by your ISP even if the traffic itself is encrypted.
- **WebRTC**: a browser technology that lets websites discover your real local and public IP for peer-to-peer video calls. No VPN can stop it from inside the browser.
- **IPv6**: many older VPN clients only tunnel IPv4. If your connection has IPv6 enabled (most do in 2026), half your traffic goes around the VPN unencrypted.
Before you start — know your baseline
Before you turn the VPN on, check what your network looks like naturally.
Go to our IP Lookup with the VPN OFF. Write down:
- Public IPv4 address.
- Public IPv6 address (if shown).
- City and ISP shown.
Now turn the VPN on, pick an exit in a different country, and refresh. All three of those values should change. If your IPv4 changed but IPv6 stayed the same, you already have one leak. More on that in a moment.
Test 1 — DNS leak
A DNS leak is the most common and the most damaging, because even if your encrypted traffic is invisible, the list of domains you looked up is a perfect browsing history.
How to test
With the VPN on, visit `dnsleaktest.com` and run the extended test. Or use our DNS Lookup with any random test domain — the resolver that answers tells you which DNS is being used.
What you want to see:
- All resolvers listed should belong to the VPN provider (look for ISP or organisation name matching the VPN's brand) or to a trusted public resolver like Cloudflare.
- None of them should belong to your home ISP.
- None of them should be in your real country if you wanted to hide your location.
How to fix
Turn on "use VPN DNS" or "DNS leak protection" in your VPN app. Almost every reputable VPN (NordVPN, Mullvad, ProtonVPN, ExpressVPN) has this toggle. If the toggle exists and is off by default, toggle it.
If the VPN lacks that setting, configure your OS to use a specific DNS server manually — say, Cloudflare's 1.1.1.1 — and let the VPN tunnel that traffic. Not as clean as VPN-internal DNS, but plugs the leak.
Test 2 — WebRTC leak
WebRTC is how browsers do direct peer-to-peer connections. To set up a P2P call, your browser needs to know your real IP so the other side can connect. It'll happily tell any JavaScript on any page that IP, and most sites can grab it with a few lines of code. VPN or no VPN.
How to test
With VPN on, visit `browserleaks.com/webrtc`. The page uses the same JavaScript any site could. You want to see:
- No local IP that matches your real LAN (192.168.x.x, 10.x.x.x) — some leakage here is common but harmless for most users.
- No public IP matching your real public IPv4 before you turned on the VPN.
If you see your real public IP, you have a WebRTC leak.
How to fix
- In Firefox: `about:config`, search `media.peerconnection.enabled`, set to false. Instantly stops WebRTC lookups.
- In Chrome/Edge/Brave: install the "WebRTC Network Limiter" extension and set it to "Use default public interface only", or use uBlock Origin with the "Prevent WebRTC from leaking" advanced mode.
- Many VPN browser extensions also have WebRTC blocking built in — check yours.
You'll lose WebRTC-based video calls in that browser. If you need them, use a separate browser for calls and your privacy browser for everything else.
Test 3 — IPv6 leak
IPv6 adoption is near 50% in 2026. Most ISPs now deliver both IPv4 and IPv6 to your router. Many older VPN configurations tunnel only IPv4 traffic and let IPv6 fly around the tunnel in the clear — completely defeating the VPN.
How to test
With VPN on, visit `test-ipv6.com`. You want the result to show:
- Your IPv4 score: 10/10 using VPN's address.
- Your IPv6 score: either "0/10 — no IPv6" (meaning your VPN is blocking IPv6, good) or "10/10 — via VPN".
The bad state: a 10/10 IPv6 score showing your real, ISP-assigned IPv6 address while IPv4 goes through the VPN. That's a leak, and half your traffic is naked.
How to fix
- Check your VPN app for "IPv6 leak protection" or "block IPv6". Turn it on. Most modern clients (Mullvad, ProtonVPN, Surfshark, Nord) have this as a default since 2023.
- If not, disable IPv6 on your network interface entirely while using the VPN. Windows, macOS, Linux all allow this per-interface. It's ugly but reliable.
- Best long-term: pick a VPN that tunnels IPv6 properly. A handful do (Mullvad, AzireVPN, IVPN).
Bonus test — kill switch
A kill switch blocks all traffic if the VPN drops. Without it, the moment your tunnel hiccups, your browser silently reconnects through your real ISP — and a page with a live IP check will capture your real IP before you even notice.
To test: with the VPN connected, open a long-running tool like our IP Lookup in a browser tab and hit refresh repeatedly. Then kill the VPN from the system tray (not the built-in "disconnect" button — a hard kill). The next refresh should fail, not show your real IP. If it shows your real IP, the kill switch is off or missing.
Build your five-minute ritual
Every time you install or reconfigure a VPN, run this sequence:
- Baseline IP Lookup, VPN off.
- Connect VPN to a foreign exit.
- IP Lookup — IPv4 and IPv6 both different? Good.
- dnsleaktest.com — all resolvers belong to VPN or trusted? Good.
- browserleaks.com/webrtc — no real public IP visible? Good.
- test-ipv6.com — IPv6 via VPN or disabled? Good.
- Kill switch test — site fails to load, not shows real IP? Good.
Seven checks, five minutes, and you go from "I hope" to "I know".
Red flags in VPN providers
If during testing you catch a leak and the VPN doesn't have a setting to stop it — think about why. Reputable VPNs in 2026 have all three leak protections as clear toggles with sensible defaults. A provider missing them is either small and behind (which means bugs will stay unpatched) or building on shaky infrastructure.
Other flags worth watching for:
- "Unlimited free" VPNs that turn out to resell your bandwidth as residential proxy — check the Terms of Service.
- "No logs" claims without an independent audit — three paid VPNs have been caught lying since 2020.
- VPNs incorporated in countries with broad data-sharing treaties if that's part of your threat model.
- Browser extensions marketed as VPNs — most are proxies, not VPNs, and don't cover non-browser apps.
FAQ
How often should I test for leaks?
Right after install, right after any OS update, and casually once a month. A recent Windows update in 2025 silently re-enabled IPv6 on a lot of VPN-using machines; stuff like that happens.
Do the tests work on mobile?
Mostly yes. DNS leak tests work fine. WebRTC tests apply to mobile browsers but not to apps. IPv6 tests work. For mobile, also verify that the VPN app has "always-on" mode enabled in the OS settings — without it, the VPN can die silently between app switches.
My VPN shows a different country but the geolocation on your IP Lookup is still wrong — why?
GeoIP databases lag behind VPN IP reassignments. That's noise, not a leak. As long as the IP matches the VPN's, you're covered; the shown city may be wrong.
Is the "Kill Switch" always enough?
Mostly. It protects against tunnel drops. It does not protect against DNS leaks (that's a separate setting) or against split-tunnelling misconfiguration, where you intentionally let certain apps bypass the VPN.
I use Tor through a VPN — do I still need these tests?
Yes. The VPN-then-Tor path is common, but the leaks above can still happen on the VPN hop itself. Run the tests with just the VPN, before adding Tor on top.
What if my ISP's own router has DNS set?
Your VPN client usually overrides this at the device level. If it doesn't, manually set your device's DNS to Cloudflare or your VPN's DNS, and make sure "use device DNS" is off in the router settings.
Tools on ip-checker.pro that help
→ IP Lookup — your current IPv4 + IPv6 + geolocation, before and after VPN
→ DNS Lookup — check which resolver actually answered your queries
→ Security Check — combine VPN, DNS and SSL checks