May 26, 2026

DNS Africa Resource Center

..sharing knowledge.

VPN Leaks Explained: How to Fix IP, DNS, & WebRTC Leaks – Top10VPN

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.
Fact-checked by Simon Migliano
VPN leaks can expose your IP address, DNS requests, and browsing activity to your ISP and anyone monitoring your internet connection. Unless you know how to check for VPN leaks, you may never realize they’re happening. In this article, we explain the different types of VPN leaks and exactly how to fix them.
Many VPN services that claim to protect your privacy are in fact leaking your IP address, DNS requests, and location without you even knowing it.
Your VPN connection may seem safe: there are no notifications or errors, your VPN service has a strict no-logging policy, and it’s headquartered in a privacy-friendly jurisdiction.
However, it’s still possible that your internet service provider (ISP), government authorities, and the websites you visit can see your IP address and browsing activity.
Our own investigation into free VPNs revealed that 25% of the most popular free Android VPN apps failed to protect users due to DNS and other leaks.
So how do you know if your VPN is leaking, and which VPNs can you actually trust to protect your data?
In this guide, we’ll explain the different types of VPN leaks, how to check for them, and how to fix them.
EXPERT TIP:
The easiest way to test for data leaks is to use our VPN leak testing tool. If you’ve tested your VPN and found IP, DNS, or WebRTC leaks, you can follow the instructions in this guide to fix them.
If you’re consistently experiencing data leaks with your current VPN provider, you should also consider subscribing to a better VPN service.
Our top recommendation for 2023 is ExpressVPN, which has never failed a leak test in over five years of testing.
A ‘VPN leak’ refers to a security flaw that allows your IP address, DNS requests, or other identifying information to be revealed to any third party monitoring your internet connection.
Four different types of VPN leaks.
VPN software is primarily designed to hide your public IP address and encrypt your web traffic by rerouting it through a secure tunnel to a remote server. When your VPN leaks, some or all of this sensitive information passes outside the encrypted tunnel.
If your real IP address or DNS requests are leaking, your ISP can still see your browsing activity and any websites you visit can see your real IP address. Your privacy is not protected, and your identity is exposed, making the VPN service useless.
To find out if your VPN is working as it should, you can run your own test at home using our VPN and torrent IP leak testing tool. It requires very little technical knowledge and takes just a matter of minutes.
You can also conduct a basic manual test for IP leaks using our What Is My IP checker tool. Simply check your IP address before and after connecting to a VPN server – if your IP address doesn’t change, your VPN isn’t working.
Here is a summary of the three main types of VPN leak:
IP address leaks occur when your VPN service fails to mask your public IP address with one of its own. This is a significant privacy risk as any websites you visit will be able to see your real identity and geographic location.
If your IP address is leaking, your VPN is simply not doing its job. Your online privacy is not protected, and streaming services will be able to detect your true location.
IPv4 leaks are rare, but IPv6 leaks are quite common – especially amongst low-quality VPN services. Only VPNs specifically developed to reroute or block IPv6 traffic will offset this problem.
Surfshark’s kill switch does not stop IP address leaks when changing servers on macOS.
Premium VPNs should include a kill switch to protect your IP address in the event of a connection loss. However, our VPN kill switch testing revealed that many top services still leak your IP address if you change VPN servers while connected.
DNS leaks occur when your DNS requests are revealed to your ISP’s DNS servers even when connected to a VPN server.
DNS requests are essentially records of the websites you visit when browsing the internet. Normally, these requests are handled by your ISP’s DNS servers, which often log them along with your IP address.
In our tests, SuperVPN leaked our DNS requests.
A VPN is supposed to encrypt your DNS queries and route them to its own private DNS servers. This prevents your ISP from monitoring the websites you visit. If your VPN fails to reroute your DNS requests and routes them to your ISP’s default DNS servers instead, it’s called a DNS leak.
To find out which servers your device is using, you can test your DNS servers using our tool.
WebRTC is a browser-based technology that allows audio and video communications to work inside web pages. It’s enabled by default in popular browsers such as Chrome, Firefox, and Opera.
Websites can use your browser’s WebRTC functionality to discover your true IP address, even when you’re using a VPN. If this happens and your true IP address is not blocked by your VPN, it’s known as a WebRTC leak.
We’ve reviewed over 65 VPNs and tested every individual service for IP, DNS, and WebRTC leaks.
Our testing revealed that some of the most-downloaded VPNs on the Apple and Google app stores leak some kind of user data through DNS or WebRTC. In the table below, you can see some of the most popular culprits.
For an in-depth analysis of over 150 free Android VPNs and their security tests, read our Free VPN Risk Index.
*Leaks detected during testing of Chrome extension.
Investing in a reliable and secure VPN is the simplest and most important decision you can make if you’re concerned about your privacy online.
If you’ve tested your VPN for leaks and found any issues, you can follow the instructions in this section to fix them and stop your VPN from leaking.
If you’re consistently experiencing data leaks with your current VPN service, you should also consider subscribing to a more secure VPN provider.
Fixing an IP leak will depend on the type of IP address you’ve been assigned. Generally speaking, the only way to prevent IPv4 leaks is to use a high-quality VPN. By contrast, IPv6 leaks can usually be resolved in your device’s settings.
ExpressVPN offers IPv6 Leak Protection in its Advanced Settings.
Here’s how to prevent IPv4 and IPv6 leaks:
If you’ve been assigned an IPv4 address, and you do not have an IPv6 address, you don’t need to worry about IPv6 leaks.
However, if you do have an IPv6 address that’s being leaked by your VPN, follow these steps:
Unless your VPN supports or actively blocks IPv6 traffic, your personal IPv6 address will be exposed if you’re on an IPv6-enabled network.
The majority of VPNs will have no provisions for IPv6 at all and will therefore always leak IPv6 traffic. In this case, you can fix IPv6 leaks by disabling IPv6 on your device altogether and using IPv4 instead.
You cannot disable IPv6 on iPhone, iPad, or Android devices at the system level. If your VPN app isn’t preventing IPv6 leaks on these devices, you should consider switching to a more secure VPN.
Your VPN could be leaking DNS requests for a number of reasons. Luckily, there are a few simple ways to fix the most common issues.
Firstly, if you have manually set your device’s DNS to a third-party service like Google’s, then you can ignore any DNS leaks. To double check, use our DNS server test to make sure your device is using the servers you’ve chosen.
If you haven’t manually changed your device’s DNS and your device is still using your ISP’s default servers – even when using a VPN – then your VPN is leaking your DNS requests.
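The checks described so far (compare your IP address with and without the VPN, see whether your ISP’s DNS servers are still in use, look for your real address in WebRTC) can be written as one comparison of two leak-test runs. This is an added example, not Top10VPN’s testing tool: the `Observation` schema, the function names and all sample addresses are assumptions constructed for illustration, and DNS servers are matched by the exact address the leak test reports.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Observation:
    """One leak-test run; every value is supplied by the caller (hypothetical schema)."""
    public_ips: set                 # IPv4/IPv6 addresses the test site saw
    observed_dns: set               # resolver addresses the test site saw
    webrtc_candidates: list = field(default_factory=list)  # raw ICE candidate lines

def _norm(addrs):
    """Parse address strings so differently written IPv6 forms compare equal."""
    return {ipaddress.ip_address(a) for a in addrs}

def webrtc_addresses(candidates):
    """Pull the IP out of each ICE candidate line, skipping mDNS (.local) names."""
    found = set()
    for line in candidates:
        parts = line.split()
        if len(parts) < 8 or parts[6] != "typ":
            continue                # not a well-formed candidate line
        try:
            found.add(ipaddress.ip_address(parts[4]))
        except ValueError:
            continue                # hostname candidate, no address exposed
    return found

def assess(baseline, connected, chosen_dns=()):
    """Compare a run without the VPN to one while connected; return leak types."""
    leaks = set()
    real = _norm(baseline.public_ips)
    # IP leak: an address seen without the VPN is still seen with it.
    for ip in _norm(connected.public_ips) & real:
        leaks.add(f"ipv{ip.version}")
    # DNS leak: a baseline (ISP) resolver is still used, unless deliberately chosen.
    isp_dns = _norm(baseline.observed_dns) - _norm(chosen_dns)
    if _norm(connected.observed_dns) & isp_dns:
        leaks.add("dns")
    # WebRTC leak: a candidate carries one of the real public addresses.
    if webrtc_addresses(connected.webrtc_candidates) & real:
        leaks.add("webrtc")
    return leaks

# Constructed sample data (documentation address ranges, not real hosts).
BASELINE = Observation({"198.51.100.23", "2001:db8:1::23"}, {"198.51.100.53"})
CONNECTED = Observation(
    {"203.0.113.10", "2001:DB8:1:0::23"},          # IPv4 masked, IPv6 not
    {"203.0.113.53", "198.51.100.53"},             # ISP resolver still in use
    ["candidate:1 1 udp 2113937151 4f1c2e7a.local 54321 typ host",
     "candidate:2 1 udp 1677729535 198.51.100.23 54321 typ srflx raddr 0.0.0.0 rport 0"],
)
if __name__ == "__main__":
    print(sorted(assess(BASELINE, CONNECTED)))
```

Passing the sample ISP resolver as `chosen_dns` models the case where you set that DNS server yourself, so it is no longer reported as a leak.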
The most effective way to fix these DNS leaks is to switch to a VPN service that maintains its own zero-log DNS servers.
If you don’t want to switch VPN services, you’ll need to follow the instructions below to fix your DNS leaks.
If your VPN doesn’t automatically connect to a private DNS server, you’ll have to manually connect to a third-party DNS server. To do this, you will need to change the DNS settings on your device.
We recommend choosing a third-party DNS server that does not reveal your true location, such as Google Public DNS or OpenDNS. Here’s how to do it:
Some ISPs use a transparent DNS proxy – a ‘middleman’ that captures and redirects web traffic – to make sure your requests are sent to their own servers.
Transparent DNS proxies effectively ‘force’ a DNS leak without notifying the user. Luckily, most leak detection websites and online tools will be able to identify a transparent DNS proxy in the same way as a normal DNS leak.
The latest versions of the OpenVPN protocol have a simple method to tackle this problem:
If you haven’t already, update to the latest version of OpenVPN. If your VPN service doesn’t support this or is using an older version of the protocol, it’s worth looking for a different VPN service.
Fortunately, most premium VPN services have their own solutions for tackling transparent proxies. For more details, contact your provider’s customer support service.
Teredo is a built-in feature of Windows operating systems. It’s designed to help IPv4 and IPv6 coexist by allowing IPv6 traffic to be carried over IPv4 connections.
However, because Teredo is a tunneling protocol, it can sometimes take priority over your VPN’s encrypted tunnel, causing a DNS leak.
Here’s how to disable Teredo on Windows devices:
You might experience occasional issues with certain websites or servers when Teredo is disabled. That said, it is a much more secure choice for VPN users.
WebRTC leaks are primarily a browser issue. For that reason, fixing WebRTC leaks isn’t always as simple as just subscribing to a good VPN.
If your VPN does offer a ‘Disable WebRTC’ feature, be sure to enable it. Remember that most WebRTC blocking features are found in VPN browser extensions rather than desktop applications.
If you are detecting WebRTC leaks and your VPN doesn’t offer an option to block it, you will need to disable WebRTC in your browser settings.
Here’s how to disable WebRTC in some of the most popular web browsers:
You cannot disable WebRTC directly within Google Chrome or Microsoft Edge. In this case, we advise that you either use one of our recommended private browsers or install an extension that does it for you.
Our favorites are WebRTC Leak Prevent and uBlock Origin.
These extensions aren’t always 100% effective, so using a browser that allows you to disable WebRTC is recommended. Here’s how to do it:
If you’ve tested for leaks and your real location is still visible on the map, there are two possibilities. One is that your public IPv4 or IPv6 address is still leaking. To fix this, follow the steps outlined above.
If the problem persists, it’s likely that HTML5 geolocation is revealing your true location. This technology determines your location using techniques that can’t be protected by a VPN. For example, it can detect WiFi hotspots near you, or use cellular data to triangulate your longitude and latitude.
To fix these location leaks you need to disable HTML5 geolocation in your browser. You can also use the ExpressVPN browser extension, which has built-in HTML5 leak protection.
Here’s how to do it in the most popular web browsers. Once you’ve followed these steps, make sure you clear your browser’s cache, cookies, and history.
This won’t disable HTML5 geolocation entirely, but it will give you the choice of enabling or disabling the technology for each individual website you visit.
Flash is outdated and a security risk. It will soon be completely removed from all popular browsers. If our test has told you that Flash is still enabled in your browser, follow these steps to disable it.
If you have only recently installed the browser for the first time, then Shockwave Flash may not actually be listed as a plugin. In this case, you have nothing to worry about and can ignore steps two and three.
Flash is now disabled by default in Safari. You don’t need to do anything.
If your IP address has been identified as belonging to a data center, that almost certainly means that your VPN is running. This type of leak won’t necessarily expose your identity, but it will reveal the fact you’re using a VPN.
IP addresses can be identified by the type of connection they’re used for. Your standard home or mobile connection will be labeled as a residential IP address, as you’re a normal person using a normal amount of data.
IP addresses belonging to data centers are easy to identify due to the huge amounts of data that flow to and from them at all times of day. Most VPN IP addresses will fall into this category.
To fix this, simply turn off your VPN or proxy.
If you use a VPN while torrenting then you need to make sure that your BitTorrent client isn’t leaking your IP address. This is something that can happen even if your VPN is working as intended with other apps and web browsing.
A torrent IP leak can occur from two sources: TCP and UDP. These are the two protocols used when you download a file via torrent, and they can each be fixed in their own unique way.
One of the most common causes of IP leaks when torrenting is beginning the torrent before connecting to a VPN server. Remove any torrents, close your BitTorrent client, and connect to a VPN server. Re-add the magnet files and retake our test once the VPN is connected and running.
Some VPNs may only protect IPv4. In this instance, if you have an IPv6 address it can leak.
If your VPN has an option named something like ‘IPv6 Protection’, enable it. Similarly, if it has an option named ‘Disable IPv6’, try that. This will block all IPv6 connections, preventing any possible leaks.
If your BitTorrent client is set to proxy via another device on your local network, and that machine isn’t protected by your VPN, then there is a chance that your IP address could leak.
Disable the proxy and retake our test – you can usually find proxy settings within your BitTorrent client’s connection settings menu.
UDP leaks are highly uncommon, and all the solutions above for a TCP IP address torrenting leak can also be applied to fixing UDP IP address torrenting leaks.
While unlikely, there is one other scenario in which your VPN could be leaking your IP address via UDP: if your VPN does not support UDP. In this instance there is nothing you can do other than change to a better VPN for torrenting.
If you experience a DNS leak while torrenting using a VPN, there is an easy solution you can try to fix it.
Before you attempt this solution, make sure that your VPN is running and connected to a server before you open up your BitTorrent client and before you add any torrent magnet files. It’s possible that your client could still use your ISP’s DNS if not.
You should also check that, if it has the option, your VPN is set to use first-party DNS servers. Once you’ve done so, you can attempt to fix the leak by changing your device’s DNS settings.
By default, your device will use your ISP’s DNS servers to resolve DNS requests (even those coming from your BitTorrent client). This can result in your ISP identifying the torrent you are downloading. By switching to a public DNS server you can prevent this – we explain how further up the page.
It’s also vital that you still use your VPN while torrenting, even if you follow the above steps.
Once you’ve tested your VPN and fixed any leaks you may have found, it’s worthwhile taking some steps to minimize your chances of leaking data in the future.
To begin with, make sure that you’ve followed any relevant steps outlined above. This includes making sure your VPN blocks or supports IPv6 traffic, disabling Teredo, and if necessary, changing your settings to an independent DNS server.
Afterwards, consider the following steps to reduce your chances of VPN leaks:
Some VPN clients include a feature to automatically block any traffic traveling outside the VPN tunnel — often called IP-binding. If your provider has this option, make sure to enable it.
Alternatively, you can configure your firewall to only allow traffic sent and received via your VPN.
VPN monitoring software allows you to inspect your network traffic in real time. This means you can check for suspicious traffic and see if a DNS request is sent to the wrong server. Some variations also offer tools for automatically solving DNS leaks.
This software is rarely free, so it will add an extra expense on top of your existing VPN subscription. Examples of VPN monitoring software include PRTG Network Monitor and Opsview Monitor.
The best VPNs will have IPv6 compatibility, DNS and WebRTC leak protection, the latest version of OpenVPN and the ability to bypass transparent DNS proxies.
A VPN kill-switch is another critical part of your VPN client. It will continuously monitor your network connection and make sure that your true IP address is never exposed in the event of a dropped connection.
If you’re repeatedly suffering from data leaks with your existing provider, it’s probably time to invest in a new VPN service.
Top10VPN.com is operated by PrivacyCo Ltd. | © 2016-2023. All rights reserved.
