Even the best VPN can leak your real IP address through WebRTC, DNS queries, or IPv6 connections. This tool checks for all three types of leaks so you can verify your VPN is properly configured and your browsing activity remains private. Run the test below while connected to your VPN to see if any information is escaping the encrypted tunnel.
Connect to your VPN first, then click the button below to check for leaks.
A VPN leak occurs when data that should travel through the encrypted VPN tunnel instead bypasses it, exposing your real IP address, DNS queries, or browsing activity to your ISP, network administrator, or anyone monitoring your connection. Even if your VPN shows as connected, certain browser features and operating system configurations can send traffic outside the tunnel.
The three most common types of VPN leaks are WebRTC leaks, DNS leaks, and IPv6 leaks. Each one can independently reveal your identity even while the VPN appears to be working correctly. If you are using a VPN configured on your router, these leaks can still occur at the device level, which is why testing from each device matters.
WebRTC (Web Real-Time Communication) is a browser technology that enables peer-to-peer audio, video, and data sharing directly between browsers. To establish these connections, WebRTC uses STUN (Session Traversal Utilities for NAT) servers to discover your local and public IP addresses. The problem is that this discovery process can bypass your VPN tunnel entirely.
When a website uses JavaScript to create an RTCPeerConnection, your browser reveals the local IP addresses of your network interfaces. This means even with a VPN active, a malicious website can detect your real private IP (such as 192.168.1.x or 10.0.0.x) and potentially your real public IP.
| Browser | WebRTC Default | How to Disable |
|---|---|---|
| Firefox | Enabled | Set media.peerconnection.enabled to false in about:config |
| Chrome | Enabled | Install WebRTC Leak Prevent extension |
| Safari | Limited | Preferences > Advanced > uncheck WebRTC |
| Edge | Enabled | Use extension or group policy |
| Brave | Protected | Built-in fingerprinting protection handles WebRTC |
Every time you visit a website, your device sends a DNS query to translate the domain name into an IP address. When you use a VPN, these queries should go through the VPN tunnel to the VPN provider's DNS servers. A DNS leak happens when your device sends DNS queries to your ISP's DNS servers instead, allowing your ISP to see every website you visit despite the VPN connection.
DNS leaks commonly occur when your operating system has hardcoded DNS settings, when the VPN client fails to override system DNS, or when DNS resolution falls back to your default gateway. This is especially common on Windows, where Smart Multi-Homed Name Resolution sends DNS queries over all available interfaces simultaneously. You can mitigate this by changing DNS settings on your router to use privacy-focused resolvers or by enabling DNS over HTTPS within the VPN tunnel.
| DNS Leak Cause | Platform | Fix |
|---|---|---|
| Smart Multi-Homed Name Resolution | Windows 10/11 | Disable via Group Policy or registry |
| Hardcoded DNS in network adapter | All | Set DNS to automatic or VPN provider DNS |
| IPv6 DNS queries bypassing tunnel | All | Disable IPv6 or enable VPN IPv6 support |
| Router-level DNS override | Router | Configure DNS on router to use VPN DNS |
| Transparent DNS proxy by ISP | ISP-level | Use DNS over HTTPS/TLS |
Many VPN services only tunnel IPv4 traffic, leaving IPv6 traffic completely unprotected. If your ISP assigns you an IPv6 address and a website supports IPv6, your browser may connect using your real IPv6 address while the VPN only protects your IPv4 connection. This is one of the most overlooked VPN vulnerabilities.
The simplest fix is to disable IPv6 on your device or router if your VPN does not support it. You can also check if your VPN provider offers full IPv6 tunneling. If you have set up a VPN directly on your router, make sure IPv6 is either tunneled or disabled at the router level to protect all connected devices, including IoT devices on separate networks.
Pro Tip: The most thorough way to test for VPN leaks is to run this test before connecting your VPN (to record your real IP), then connect the VPN and run it again. If any of the same addresses appear in both tests, you have a leak. Also use our What Is My IP tool to compare your visible IP before and after connecting.
Fixing VPN leaks requires addressing each leak type individually. Start with the most common culprits and work your way down. Before making changes, ensure your router firmware is up to date and that you have changed the default admin password on your router.
| Leak Type | Quick Fix | Permanent Fix |
|---|---|---|
| WebRTC | Use browser extension to block | Disable WebRTC in browser settings |
| DNS | Manually set VPN DNS servers | Enable DNS leak protection in VPN app + use DoH |
| IPv6 | Disable IPv6 on network adapter | Use a VPN with native IPv6 support |
| Kill Switch | Enable VPN kill switch | Configure firewall rules to block non-VPN traffic |
# Disable IPv6 on Linux
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
# Make persistent (add to /etc/sysctl.conf)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1For Windows users, you can disable IPv6 through the network adapter properties or by running this PowerShell command as administrator:
Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6Beyond fixing leaks, there are several practices that will maximize your VPN security. Always use WPA3 or WPA2 encryption on your WiFi network as an additional layer of protection. If your VPN disconnects, a kill switch prevents any traffic from leaving your device until the VPN reconnects, and you should always have this enabled.
Consider additional methods to hide browsing from your ISP alongside your VPN. Using DNS over HTTPS on your router ensures DNS queries stay encrypted even if the VPN tunnel drops momentarily. If you have smart home devices, placing them on a separate IoT network prevents them from bypassing your VPN configuration.
Key Takeaways
A VPN leak is when your real IP address, DNS queries, or other identifying information escapes the encrypted VPN tunnel and becomes visible to your ISP, websites, or network monitors. Leaks can occur through WebRTC, DNS, or IPv6 even while the VPN shows as connected.
Use the VPN leak test tool above. Run it without a VPN first to note your real IP, then connect your VPN and run it again. If any of the same IP addresses or DNS servers appear in both results, your VPN has a leak.
WebRTC is a browser feature for real-time communication that can reveal your local and public IP addresses by querying STUN servers. This process can bypass VPN tunnels, exposing your real IP even when the VPN is active.
Yes. If your router is configured with specific DNS servers or has IPv6 enabled while your VPN does not support it, traffic can leak outside the tunnel. Ensure your router uses the VPN's DNS servers and disable IPv6 if your VPN does not tunnel it.
A kill switch prevents traffic from leaving your device when the VPN connection drops, but it does not prevent WebRTC or DNS leaks while the VPN is active. You need to address each leak type separately for complete protection.
If your VPN does not support IPv6 tunneling, yes. Disabling IPv6 on your device or router ensures that all traffic uses IPv4 and travels through the VPN tunnel. Many VPN providers are adding IPv6 support, so check your provider's documentation.
About Tommy N.
Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.
 |
 |
 |
 |
Promotion for FREE Gifts. Moreover, Free Items here. Disable Ad Blocker to get them all.
Once done, hit any button as below
|
|
|
|