Most people assume that if a VPN app shows a green connected indicator, the VPN is working. That assumption is wrong — and dangerously so. A connected status means the VPN client has established a tunnel, but it tells you nothing about whether your real IP address is leaking through a secondary channel, whether your DNS queries are bypassing the encrypted tunnel, or whether your browser is broadcasting your true location through WebRTC.
A study of 74 VPN services found that roughly 22% had detectable IP, DNS, or WebRTC leaks — meaning more than one in five VPNs that showed "connected" were actively leaking identifying information. Verifying that your VPN is actually working requires running a short sequence of tests that take less than five minutes total.
Here is exactly how to do it.
The Four Tests That Confirm a VPN Is Working
A properly functioning VPN should pass all four of the following checks: an IP address test, a DNS leak test, a WebRTC leak test, and a kill switch verification. Each test catches a different category of failure. Passing one does not guarantee you pass the others.
Test 1: The IP Address Check
This is the most basic test and should be your starting point every time you connect to a VPN. It confirms that your device's publicly visible IP address has changed from your real ISP-assigned address to an address belonging to the VPN server.
How to run the IP address check
- Step 1: Disconnect your VPN completely. Open a browser and visit whatismyip.com or search "what is my IP" in Google. Write down the IP address shown — this is your real IP.
- Step 2: Connect your VPN and select a server location.
- Step 3: Refresh the same IP-check page without closing your browser.
- Step 4: Compare the two IP addresses. If the IP address has changed and the location now shows the VPN server's country or city instead of your real location, this test passes.
If the IP address is identical before and after connecting, your VPN is not routing traffic correctly. The tunnel may have failed silently without the app detecting it. Try reconnecting, switching protocols (for example, from WireGuard to OpenVPN), or selecting a different server.
What to watch for: Some ISPs use carrier-grade NAT, which means multiple customers share a single public IP. In those cases, comparing IPs may appear to show no change even when the VPN is working. The more reliable indicator is the location and ISP name — with the VPN connected, the ISP listed on the test page should be your VPN provider, not your actual internet provider.
Test 2: The DNS Leak Test
A DNS leak is one of the most common and least obvious ways a VPN can fail. Your DNS queries — the requests your device sends to translate domain names like "google.com" into IP addresses — should travel through the encrypted VPN tunnel to the VPN provider's DNS servers. If they don't, those queries go directly to your ISP's DNS servers instead, giving your ISP a complete record of every website you attempt to visit even though you believe you are protected.
DNS leaks can occur even when your IP address test passes. The VPN may correctly mask your IP while simultaneously allowing DNS traffic to slip through via a misconfigured network adapter, IPv6 routing, or a browser's built-in DNS-over-HTTPS resolver that bypasses the VPN's DNS.
How to run the DNS leak test
- Step 1: Disconnect your VPN. Visit dnsleaktest.com and run the Standard Test. Note which DNS servers appear — these will belong to your ISP.
- Step 2: Connect your VPN and run the Standard Test again on the same site.
- Step 3: Compare the results. If your VPN is working correctly, the DNS servers listed after connecting should be different from your ISP's servers. They should be operated by your VPN provider or an unrelated third party — not the same provider as before.
If the DNS servers remain identical before and after connecting to the VPN, you have a DNS leak. Your VPN is encrypting your traffic but not your DNS queries, which means your ISP can still see every site you visit.
DNS leaks are fixable. Most quality VPN providers offer a DNS leak protection setting within the app that forces all DNS queries through the encrypted tunnel. Enable it, reconnect, and run the test again.
Test 3: The WebRTC Leak Test
WebRTC (Web Real-Time Communication) is a browser technology that enables audio calls, video conferencing, and peer-to-peer file transfers directly in the browser. It is built into Chrome, Firefox, Edge, and Opera. To establish direct connections between devices, WebRTC needs to know each device's real IP address — and it will find that address even when a VPN is active, bypassing the VPN tunnel entirely.
This means your real IP address can be exposed to any website that uses WebRTC APIs, regardless of whether your VPN is connected. It is invisible in standard IP tests because those tests only check your primary connection IP, not what WebRTC is broadcasting separately.
How to run the WebRTC leak test
- Step 1: Connect your VPN.
- Step 2: Open your browser and visit browserleaks.com/webrtc or ipleak.net.
- Step 3: Look at the IP addresses listed under the WebRTC section. If your real IP address — the one you recorded during the IP address test — appears here, your browser is leaking it through WebRTC despite the VPN being active.
If you detect a WebRTC leak, you have two options:
- Use a VPN that handles WebRTC correctly. Quality VPN providers route WebRTC communications through the encrypted tunnel, preventing the leak without disabling the feature.
- Disable WebRTC in your browser. In Firefox, type about:config in the address bar, search for media.peerconnection.enabled, and set it to false. In Chrome, use the WebRTC Network Limiter extension. This eliminates the leak entirely but prevents browser-based video calls.
WebRTC leaks are common enough that testing for them specifically — not just running an IP check — is worth making part of your standard verification routine when you first set up a VPN or install a new browser.
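What the WebRTC test pages inspect is the browser's list of ICE candidates. The following added example (not from the original article) parses candidate lines and flags any that carry the real IP recorded in Test 1; the sample lines and addresses are constructed, and addresses are compared as text.

```javascript
// Constructed sample data: addresses come from documentation ranges.
const REAL_IP = "198.51.100.23"; // recorded in Test 1 with the VPN off
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 3f2a9c1e-7b4d-4e0a-9c55-0d1e2f3a4b5c.local 54321 typ host generation 0",
  "candidate:2 1 udp 1677729535 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0 generation 0",
  "candidate:3 1 udp 1677729535 198.51.100.23 50012 typ srflx raddr 192.168.1.20 rport 50012",
  "candidate:4 1 udp 41885439 192.0.2.50 61000 typ relay raddr 198.51.100.23 rport 50012",
];

// Layout: candidate:<foundation> <component> <transport> <priority>
//         <address> <port> typ <type> [<name> <value>]...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const c = { address: f[4].toLowerCase(), port: Number(f[5]), type: f[7], raddr: null };
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === "raddr") c.raddr = f[i + 1].toLowerCase(); // related (base) address
  }
  return c;
}

// RFC 1918, link-local and loopback ranges: LAN details, not the public IP.
function isPrivate(addr) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|127\.)/.test(addr) ||
         /^(fe80:|f[cd][0-9a-f]{2}:|::1$)/.test(addr);
}

function classify(c, realIp) {
  if (c.address === realIp || c.raddr === realIp) return "LEAK";
  if (c.address.endsWith(".local")) return "mdns-hidden"; // browser masked the host address
  if (isPrivate(c.address)) return "private";
  return "other-public"; // expected to be the VPN exit address
}

function auditCandidates(lines, realIp) {
  const real = realIp.toLowerCase();
  const rows = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c) rows.push({ ...c, verdict: classify(c, real) });
  }
  return { leak: rows.some(r => r.verdict === "LEAK"), rows };
}
```

The fourth sample shows why the related address matters: the candidate's own address is a relay, but its `raddr` field still carries the real IP.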
Test 4: Kill Switch Verification
A VPN kill switch is designed to block all internet traffic if the VPN tunnel drops unexpectedly, preventing any data from leaking onto your unprotected connection during reconnection. But having the kill switch enabled in settings does not guarantee it is actually functioning. It needs to be tested.
How to test your kill switch
- Step 1: Connect your VPN and verify it is active.
- Step 2: Open a browser tab with an IP-checking site set to auto-refresh every few seconds, or keep it open and ready to refresh manually.
- Step 3: Temporarily disconnect your WiFi or disable your network adapter — do not close the VPN app.
- Step 4: Wait two to three seconds, then reconnect your WiFi.
- Step 5: Watch the IP-check page. During the brief period between disconnecting and reconnecting, the page should show no internet access (a connection timeout error). If it loads and shows your real IP address at any point during that window, the kill switch failed.
A functioning kill switch means the page is unreachable during the network interruption. Once your VPN reconnects automatically, the IP check should resume showing the VPN's IP — not your real one.
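Watching a page refresh by eye makes it easy to miss a one-second leak. As an added example (not part of the original article), the function below scores a log of timed IP-check polls from Steps 2 to 5; the sample logs and addresses are constructed, and `ip: null` is assumed to mean the request timed out.

```javascript
// Constructed addresses from documentation ranges.
const REAL = "198.51.100.23"; // real IP from Test 1
const VPN = "203.0.113.7";    // IP shown while the VPN is connected

function stateOf(sample, realIp, vpnIp) {
  if (sample.ip === null) return "blocked";   // timeout: traffic was stopped
  if (sample.ip === realIp) return "leak";    // real IP reached the check page
  return sample.ip === vpnIp ? "vpn" : "unknown";
}

function evaluateKillSwitch(samples, realIp, vpnIp) {
  const ordered = [...samples].sort((a, b) => a.t - b.t);
  const states = ordered.map(s => ({ t: s.t, state: stateOf(s, realIp, vpnIp) }));

  // Merge consecutive leaking polls into [start, end] windows (seconds).
  const leakWindows = [];
  let open = null;
  for (const { t, state } of states) {
    if (state === "leak") {
      if (open) open.end = t;
      else { open = { start: t, end: t }; leakWindows.push(open); }
    } else {
      open = null;
    }
  }

  const sawBlocked = states.some(s => s.state === "blocked");
  const last = states.length ? states[states.length - 1].state : null;
  let verdict;
  if (leakWindows.length) verdict = "FAIL";
  else if (!sawBlocked) verdict = "INCONCLUSIVE"; // outage never observed: poll faster
  else if (last !== "vpn") verdict = "INCONCLUSIVE"; // tunnel not back when logging stopped
  else verdict = "PASS";
  return { verdict, leakWindows };
}

// Constructed poll logs: t is seconds since the test started.
const PASSING = [{ t: 0, ip: VPN }, { t: 1, ip: null }, { t: 2, ip: null },
                 { t: 3, ip: null }, { t: 4, ip: VPN }];
const FAILING = [{ t: 0, ip: VPN }, { t: 1, ip: null }, { t: 2, ip: REAL },
                 { t: 3, ip: REAL }, { t: 4, ip: VPN }];
const MISSED  = [{ t: 0, ip: VPN }, { t: 5, ip: VPN }];
```

A log that never records a timeout is scored as inconclusive rather than passing, because the polls may simply have missed the interruption.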
For more detail on how kill switches work and why they matter, see our full guide on what a VPN kill switch does and when you need one.
What to Do If Your VPN Fails a Test
Failing any of the four tests indicates a specific problem with a specific solution. Here is a quick-reference guide:
- IP address unchanged after connecting: The VPN tunnel did not establish. Disconnect, reconnect, try a different server or protocol, or reinstall the app.
- DNS servers remain your ISP's after connecting: Enable DNS leak protection in your VPN app settings. If the setting is already enabled, switch to a server in a different location and retest.
- Real IP visible in WebRTC test: Switch to a VPN that handles WebRTC properly, or disable WebRTC in your browser settings.
- Real IP visible during kill switch test: Enable or re-enable the kill switch in your VPN app. If the feature is enabled and still failing, contact your VPN provider — some implementations are not robust across all operating system versions.
One important note: these tests should be performed in your standard browser with all extensions enabled. Browser extensions — particularly ad blockers and privacy tools — can sometimes interfere with VPN routing and introduce their own leaks. If you see unexpected results, run the tests again in an incognito window with extensions disabled to isolate whether the VPN or an extension is responsible.
How Often Should You Test Your VPN?
You do not need to run all four tests every time you connect. A reasonable cadence for most users:
- When you first set up a VPN: Run all four tests to establish a baseline. Know what passing looks like on your specific device and browser combination.
- When you install a VPN update: Software updates occasionally change routing behavior or DNS settings. Run a quick IP and DNS test after every major app update.
- When you connect on a new network: Hotel WiFi, airport networks, and co-working spaces can interfere with VPN protocols in ways your home network does not. Run the IP and DNS tests when connecting to unfamiliar networks.
- When something seems off: Unusual speeds, connection drops, or unexpected content access restrictions are signs to retest. Understanding your VPN's effect on your internet speed can help you spot anomalies early.
Running the IP check and DNS leak test together takes under two minutes and gives you high confidence that the basics are working. Add the WebRTC test if you use browser-based video tools. Add kill switch testing quarterly or whenever you update your VPN app.
A Note on Mobile VPN Testing
Testing a VPN on a smartphone follows the same logic but with one added complication: mobile devices switch between WiFi and cellular data frequently, and each switch creates a brief window where the VPN tunnel must reestablish. This is where mobile kill switches matter most.
To test a VPN on mobile, run the same IP and DNS tests using your phone's browser. Then test the kill switch by toggling airplane mode on for three seconds and then back off while watching the IP check page. A properly functioning mobile VPN should show no IP during airplane mode and return to the VPN IP — not your cellular IP — once connectivity is restored.
If you use your VPN primarily on Android, our guide to the best VPN for Android in 2026 covers which providers handle mobile kill switches most reliably.
The Bottom Line
A connected VPN indicator is not proof that your VPN is working. Real verification requires four checks: confirm your IP address has changed, confirm your DNS queries are going through the VPN's servers instead of your ISP's, confirm WebRTC is not broadcasting your real IP in your browser, and confirm the kill switch actually blocks traffic when the tunnel drops.
All four tests take under five minutes combined and require nothing more than a browser and three or four free online tools. Running them once when you set up your VPN — and again after any major software update or network change — is the only way to know with certainty that the privacy you think you have is the privacy you actually have.