You are connected to your VPN. The icon is showing. The connection looks active. You feel protected.
But here is the uncomfortable reality: your VPN can be actively connected and still leaking your real IP address, your DNS requests, and your geographic location to every website you visit. This is what security professionals call a VPN leak — and it is more common than most VPN users realize.
A 2020 research analysis found that a significant portion of commercial VPN applications exposed IPv6 addresses or leaked DNS requests under routine network conditions — without ever alerting the user. The encrypted tunnel was intact. The leak happened through a separate pathway that the tunnel did not cover. This guide explains exactly how that happens, what the three primary leak types look like, and how to run a complete leak test on your VPN in under five minutes.
What Is a VPN Leak?
A VPN leak occurs when your real identifying information — your IP address, DNS queries, or browser-reported location — escapes outside the encrypted VPN tunnel and reaches third-party servers in plaintext. The VPN connection itself remains active; the leak happens through a separate channel that bypasses the tunnel entirely.
The result is that websites, advertisers, and anyone monitoring the network can see who you really are and what you are doing — even though your VPN client indicates you are fully protected. It is equivalent to speaking through a locked door but leaving the window wide open.
There are three distinct leak types that matter in practice: DNS leaks, WebRTC leaks, and IPv6 leaks. Each works through a different mechanism, requires different testing, and demands a different fix. Understanding all three is essential to actually verifying your VPN works.
DNS Leaks: When Your ISP Still Knows Every Site You Visit
When you type a web address into your browser, your device sends a DNS query — a lookup request that translates the domain name into an IP address. Without a VPN, this query goes to your ISP's DNS server. Your ISP logs the request and knows every domain you visit, even if the connection itself is encrypted over HTTPS.
A proper VPN routes those DNS queries through its own encrypted DNS servers, so your ISP only sees a connection to the VPN — not the individual domains you visit. A DNS leak happens when your operating system bypasses the VPN's DNS server and sends queries to your ISP anyway, even while the VPN tunnel is active.
This can happen in several ways:
- Network switching. Moving between WiFi networks or switching from WiFi to mobile data causes your device to request new DNS server settings via DHCP. If those settings point to your ISP's DNS server and the VPN does not reclaim control, queries start leaking immediately.
- ISP transparent proxies. Some internet providers use transparent DNS proxies that intercept DNS requests and redirect them to the ISP's own servers — even when you have manually configured alternative DNS servers. The interception happens at the network level before the VPN tunnel processes the request.
- Teredo tunneling on Windows. Windows uses a protocol called Teredo to convert IPv4 traffic to IPv6. Because Teredo is a tunneling protocol itself, it can take routing priority over your VPN's tunnel, causing DNS requests to bypass VPN controls entirely.
- Split DNS configurations. Some corporate or multi-network setups intentionally route certain DNS queries outside the VPN for internal network reasons. If a consumer VPN client is not configured to handle these scenarios, private queries escape through the split pathway.
The most dangerous aspect of a DNS leak is that your browsing content remains encrypted — so users assume everything is fine. The leak is invisible in the browser. You have to actively test for it.
WebRTC Leaks: The Browser Feature That Bypasses Your VPN
WebRTC (Web Real-Time Communication) is a browser technology that enables video calls, voice chat, and peer-to-peer file transfers directly in the browser without plugins. It is built into Chrome, Firefox, Opera, Edge, and most Chromium-based browsers, and it is enabled by default.
The problem for VPN users is this: to establish a direct communication channel between two devices, WebRTC needs to discover and share both devices' real IP addresses. It does this using a protocol called ICE (Interactive Connectivity Establishment), which queries STUN servers. Those servers return your device's actual public IP address — bypassing the VPN tunnel entirely, because WebRTC operates at the browser level rather than the network-tunnel level where the VPN operates.
A malicious website — or even a legitimate one running advertising or analytics scripts — can silently trigger a WebRTC request that forces your browser to reveal your real IP address. This happens even if your VPN is fully connected and functioning normally. The VPN tunnel encrypts your browsing traffic but does not intercept WebRTC's direct IP discovery process unless the VPN specifically includes WebRTC leak protection.
Firefox, Chrome, Opera, and Microsoft Edge are all vulnerable to WebRTC leaks by default. Safari is partially resistant because its WebRTC implementation exposes fewer IP details. But on desktop browsers, WebRTC leaks represent one of the most commonly overlooked sources of VPN privacy failures.
IPv6 Leaks: The Protocol Your VPN May Be Ignoring
Most internet traffic currently runs over IPv4, but IPv6 adoption has grown significantly and most modern operating systems and routers support both protocols simultaneously — a configuration called a dual-stack network. The issue for VPN users: many VPN providers encrypt and tunnel IPv4 traffic properly but do not handle IPv6 traffic at all.
When your device operates on a dual-stack network and your VPN does not manage IPv6, any IPv6 traffic — including DNS queries, browsing requests, and application data — travels outside the VPN tunnel in plaintext, carrying your real IPv6 address. Because IPv6 addresses are globally unique and directly tied to your device, an IPv6 leak is often more precisely identifying than an IPv4 leak.
A 2015 academic paper titled "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients" found that nearly all commercial VPN providers at the time were ignoring IPv6 routing tables — and the problem has persisted in the years since in varying degrees across providers. The fix is either proper IPv6 tunneling or disabling IPv6 entirely while the VPN is connected.
How to Test Your VPN for Leaks — Step by Step
Testing for all three leak types takes less than five minutes and requires no technical expertise. Here is the complete procedure:
Step 1: Establish Your Baseline
Disconnect from your VPN. Open a browser and visit ipleak.net or browserleaks.com. Record the following information:
- Your public IPv4 address
- Your public IPv6 address (if shown)
- The DNS server addresses displayed
- Your geographic location as reported by the site
These are your baseline values — what should not appear in the results once you connect to your VPN.
Step 2: Connect to Your VPN and Retest
Connect to your VPN — ideally to a server in a different country so the geographic change is obvious. Then revisit the same test page without closing the browser entirely. Refresh the page. Check the results against your baseline:
- Your real IPv4 address should no longer appear. You should see the VPN server's IP address instead. If your real IP appears, you have an IP leak.
- Your real IPv6 address should not appear. If it does, you have an IPv6 leak. Your VPN is not handling IPv6 traffic.
- The DNS servers should match your VPN provider's infrastructure — not your ISP. If you see your ISP's DNS server address in the results, you have a DNS leak.
- Your reported location should reflect the VPN server location, not your actual location. If it matches your real location, your traffic is bypassing the tunnel.
Step 3: Run a Dedicated WebRTC Leak Test
IP and DNS leak tests do not always catch WebRTC leaks because WebRTC uses a different discovery mechanism. Run a separate WebRTC test at browserleaks.com/webrtc or expressvpn.com/webrtc-leak-test while connected to your VPN.
The test will show public IP addresses discovered via WebRTC's ICE protocol. If any of the addresses match your real public IP from Step 1, you have a WebRTC leak. Local IP addresses (typically in the 192.168.x.x or 10.x.x.x range) are not a privacy concern — only public IPs reveal your identity.
Step 4: Test on Public WiFi Specifically
Many leaks only appear when you change networks. If you only test on your home network, you may get false reassurance. Repeat the full test on a public WiFi network — a coffee shop, library, or airport connection. Network switching is one of the primary triggers for DNS leaks, and testing only on a stable home network misses the scenario where leaks most often occur.
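The comparison from Steps 1 to 3, written out as an added example (it is not part of the original guide): it takes the values recorded before and after connecting, plus the ICE candidate lines a WebRTC test page displays, and reports which leak types are present. All addresses and candidate lines are constructed sample data from documentation ranges, and the dictionary keys are names chosen for this example.

```python
import ipaddress

# Ranges the guide treats as harmless in WebRTC results, plus link-local, ULA and loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fe80::/10", "fc00::/7", "::1/128")]

def is_local(ip):
    return any(ip.version == net.version and ip in net for net in LOCAL_NETS)

def candidate_ips(ice_lines):
    """Pull the address field out of ICE candidate lines as shown by a WebRTC test page."""
    found = []
    for line in ice_lines:
        fields = line.strip().split()
        # candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
        if len(fields) < 8 or not fields[0].startswith(("candidate:", "a=candidate:")):
            continue
        try:
            found.append(ipaddress.ip_address(fields[4]))
        except ValueError:
            continue  # mDNS-masked host candidates ("<uuid>.local") contain no IP
    return found

def find_leaks(baseline, connected, ice_lines):
    """Return the sorted leak types found by comparing Step 1 values with Steps 2 and 3."""
    real = {ipaddress.ip_address(a) for a in (baseline.get("ipv4"), baseline.get("ipv6")) if a}
    leaks = set()
    for family in ("ipv4", "ipv6"):
        seen = connected.get(family)
        if seen and ipaddress.ip_address(seen) in real:
            leaks.add(family)
    # Assumption: the baseline resolvers are the ISP's, so seeing one again is a DNS leak.
    if set(baseline["dns"]) & set(connected["dns"]):
        leaks.add("dns")
    # Local candidates are ignored; only a public address matching the baseline counts.
    if any(ip in real for ip in candidate_ips(ice_lines) if not is_local(ip)):
        leaks.add("webrtc")
    return sorted(leaks)

# Constructed sample values (documentation address ranges), not real measurements.
BASELINE = {"ipv4": "198.51.100.23", "ipv6": "2001:db8:1::23", "dns": ["198.51.100.1"]}
CONNECTED = {"ipv4": "203.0.113.80", "ipv6": "2001:db8:1::23", "dns": ["203.0.113.53"]}
ICE = ["candidate:1 1 udp 2113937151 192.168.1.23 51514 typ host",
       "candidate:2 1 udp 2113937151 4f1c2a9e-0000-4000-8000-000000000000.local 51515 typ host",
       "candidate:3 1 udp 1677729535 198.51.100.23 51514 typ srflx raddr 192.168.1.23 rport 51514"]

if __name__ == "__main__":
    print(find_leaks(BASELINE, CONNECTED, ICE))
```

In the sample, the IPv4 address and DNS resolver changed as expected, but the baseline IPv6 address is still visible and the server-reflexive WebRTC candidate carries the real IPv4 address.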
What to Do If You Find a Leak
If your tests reveal any type of leak, you have several options depending on the leak type:
- DNS leak: Check your VPN client settings for a "DNS leak protection" or "use VPN DNS only" option. Enable it. If the option does not exist or does not resolve the leak, your VPN provider does not adequately handle DNS routing on your operating system configuration.
- WebRTC leak: Some VPN clients include a WebRTC blocking option — enable it if available. Alternatively, you can disable WebRTC in your browser. In Firefox, navigate to about:config and set media.peerconnection.enabled to false. In Chrome, WebRTC cannot be disabled natively — you need a browser extension or a VPN that handles it at the application layer.
- IPv6 leak: Enable IPv6 leak protection in your VPN client if the option exists. If not, disable IPv6 at the operating system level or switch to a VPN provider that explicitly handles dual-stack network environments.
If your VPN client lacks protection options for any of these leak types, that is meaningful information about the quality of the implementation. A VPN that leaks DNS queries or WebRTC IP addresses provides substantially less privacy than users typically assume.
Why Even Passing a Leak Test Is Not a Complete Guarantee
One important caveat: standard leak tests create new network connections to test servers. As one security community analysis noted, existing connections established before the VPN connected are not automatically closed when the VPN activates — they continue through the original, unprotected pathway. A leak test that opens a new connection after VPN activation will pass even if pre-existing connections are bypassing the tunnel.
This matters when applications — browsers, email clients, cloud sync services — were already running and connected before you enabled the VPN. Their active sessions may persist outside the tunnel until they are closed and reopened. For maximum protection, close all applications before connecting to your VPN, or use a VPN that includes a kill switch that forces all connections through the tunnel upon activation.
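One way to look for the pre-existing connections described above, as an added example (not part of the original guide): it parses `ss -tn` output from a Linux host and lists established TCP connections whose local address is not the tunnel interface's address. The `ss` output is constructed sample data, and the tunnel address 10.8.0.2 and VPN server address 203.0.113.80 are assumed values.

```python
import ipaddress

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' as printed by ss into (ip, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]  # drop brackets and any %scope suffix
    return ipaddress.ip_address(host), int(port)

def outside_tunnel(ss_output, tunnel_ip, vpn_server_ip):
    """Return (local, peer, peer_port) for ESTAB connections not bound to the tunnel."""
    tunnel = ipaddress.ip_address(tunnel_ip)
    server = ipaddress.ip_address(vpn_server_ip)
    stale = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue  # header line or a non-established state
        local, _ = split_endpoint(fields[3])
        peer, peer_port = split_endpoint(fields[4])
        if local.is_loopback or local == tunnel:
            continue  # loopback traffic, or already bound to the tunnel address
        if peer == server:
            continue  # the VPN's own transport has to use the physical interface
        stale.append((str(local), str(peer), peer_port))
    return stale

# Constructed `ss -tn` output, captured after the VPN came up in this scenario.
SS_SAMPLE = """\
State      Recv-Q  Send-Q  Local Address:Port      Peer Address:Port
ESTAB      0       0       192.168.1.23:51514      198.51.100.7:443
ESTAB      0       0       10.8.0.2:40122          198.51.100.9:443
ESTAB      0       0       192.168.1.23:38822      203.0.113.80:443
ESTAB      0       0       127.0.0.1:5432          127.0.0.1:51000
ESTAB      0       0       [2001:db8:1::23]:50010  [2001:db8:2::5]:993
TIME-WAIT  0       0       192.168.1.23:51000      198.51.100.8:443
"""

if __name__ == "__main__":
    for local, peer, port in outside_tunnel(SS_SAMPLE, "10.8.0.2", "203.0.113.80"):
        print(f"outside tunnel: {local} -> {peer} port {port}")
```

Connections it lists were opened from the physical interface's address; closing and reopening the owning application, as the text advises, moves them onto the tunnel. Traffic to devices on the local network will also appear here and is expected.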
For more on this, see our guide on how a VPN kill switch prevents connection gaps and our breakdown of what a VPN cannot protect you from.
The Bottom Line
A VPN that leaks is not a VPN — it is the appearance of protection without the substance. DNS leaks, WebRTC leaks, and IPv6 leaks are not edge cases or rare failures. They occur under normal, everyday network conditions: switching between WiFi networks, using a browser with WebRTC enabled, or connecting from a dual-stack network your VPN was not designed to handle.
Testing takes five minutes. The baseline and VPN-connected comparison tells you definitively whether your provider's implementation actually holds up in practice. Run the test. Know what you have.