One of the primary reasons to use a VPN is to hide your true IP address. When using a VPN, all your internet traffic is encrypted and sent to a VPN server run by your VPN provider, before exiting to the internet.
This means that outside observers can only see the IP address of the VPN server, and not your true IP address. The only way for them to discover your true IP address, therefore, is to convince your VPN provider to hand it over to them (and good providers use robust measures, such as using shared IPs and keeping no logs, to make this as difficult as possible.)
At least this is the theory…
Unfortunately, and for various reasons discussed below, it is sometimes possible for websites to detect your true IP address, even when using the best VPN.
I have discussed all the issues listed here at length before on ProPrivacy (and will link to relevant articles where appropriate), but it is time to bring together all known causes that may answer the questions: Why is my IP leaking even though I am connected to a VPN? And how do I fix it?
How to Test For a DNS Leak or IP leak
To determine if you are suffering an IP leak, visit ipleak.net. If you are connected to a VPN and you can see your true IP address or one belonging to your ISP anywhere on this page then you have an IP leak.
The example above shows a bad case of IPv6 leaks. The IPv4 DNS result correctly shows that I am connected to a VPN server in the US, but the website can see my real UK IPv6 address via both a regular DNS leak and WebRTC. Fail!
Understanding IP Addresses
To connect to the internet you must have an internet connection. This is supplied to you by your Internet Service Provider (ISP). The connection is given a unique numerical address so that other computers can find and interact with you on the internet. This is known as your Internet Protocol address (IP address, or just IP). This IP may change, but your ISP always knows who was assigned a particular IP at any given time.
This means that your IP address can be used to trace you very easily, as it points directly to your physical address and/or internet account details. Unless using a VPN (or other proxy technology) to hide it, websites and other internet resources you interact with can see your "real" IP.
One of the main benefits of using a VPN is that it hides your real IP from websites you visit. Websites just see the IP of the VPN server which sits between you and the internet, not your real IP.
Note that all individual internet-capable devices also have their own unique IP addresses, but these are only used for internal routing within your local network. As far as privacy is concerned, the only IP that matters is the one which connects directly to the internet. So for typical home networks, it is the IP assigned by your ISP that matters, not the individual IPs of your laptop, smart TV, or smart fridge.
Mobile phones use their own unique IP when accessing the internet over a mobile data connection, and your ISP-assigned one when connected to your home WiFi network.
Each website also has a unique IP address. This numerical IP is all the information that computers need to find them, but we stupid humans are very bad at remembering long numerical strings. To make the internet more usable for us, then, each website and other internet resource is also assigned more memorable web addresses. This is the Uniform Resource Locator (URL) that we are all familiar with: for example proprivacy.com.
The Domain Name System (DNS) is basically just a big telephone book or database that cross-references the easy-to-understand and remember web addresses with their “true” numerical IP addresses that computers use: for example translating the domain name proprivacy.com to its IP address of 188.8.131.52. The task of coordinating and updating these DNS databases is complex, but in essence, this is all DNS is.
Anyone with sufficient technical knowledge can set up and run their own DNS server, but DNS translation is usually handled by your ISP. This is not good for privacy as it means your ISP can see every website you visit. After all, it is translating every URL you type in or click on to its true IP address. Unless something is done to stop it, this includes when using a VPN.
Many VPNs solve this problem by running their own DNS servers. All internet traffic is routed through the VPN "tunnel" to the VPN server and is handled by your VPN provider. Some VPNs instead leverage commercial DNS services such as Google DNS and OpenDNS. This is fine as long as the DNS requests are first routed through the VPN "tunnel" to the VPN server. In this case, as far as the DNS service is concerned, the requests come from the VPN server, not you. The DNS requests are proxied by the VPN server, so there is minimal privacy risk.
Unfortunately, internet traffic does not always get sent through the VPN tunnel as it is supposed to, and is instead resolved by your ISP. This is what we call a DNS leak.
Using Unproxied DNS
We occasionally encounter VPNs that do not proxy DNS requests, instead sending them directly to a third-party DNS service. As this third-party DNS service can see every website you visit and also knows your real IP address, this is very bad for privacy! Technically, this could be called a DNS leak, but as it is a leak by design rather than by accident, the only way to prevent it is to switch VPN providers.
There is no easy way to test whether DNS requests to third-party services are proxied (fine) or unproxied (not fine), but most services do proxy so this is not something you should worry too much about. If you are worried, either ask your VPN to confirm that it proxies DNS requests or switch to a reputable provider that either runs its own DNS servers or properly proxies requests.
IPv4 DNS leaks
Until recently, the entire internet used the Internet Protocol version 4 (IPv4) standard to define IP addresses. Unfortunately, thanks to the unprecedented rise in internet use over the last few years, IPv4 addresses are running out (in fact technically speaking they have already done so), as IPv4 only supports a maximum 32-bit internet address. This translates to 2^32 IP addresses available for assignment (about 4.29 billion total). For now, however, the vast majority of internet addresses still use the IPv4 standard.
When using a VPN, your Operating System (OS) can sometimes get confused, sending IPv4 requests through to the DNS server specified in its default settings (usually run by your ISP), instead of through the VPN tunnel (as it’s supposed to.) This can occur with any OS, but Windows is notably guilty in this respect.
- Use a VPN client with built-in “DNS leak protection”. This is basically just a firewall that ensures no internet traffic can leave your computer unless it goes through the VPN. Many good providers offer this feature in their custom VPN clients (sometimes called something else), but it is not available in the generic open source OpenVPN client.
- Use VPNCheck Pro (Windows). Although primarily an “internet kill switch”, the Pro version of this tool also includes a DNS leak fix.
IPv6 DNS leaks
While various mitigating strategies have been deployed to extend the shelf-life of IPv4, the real solution comes in the form of a new standard - IPv6. This utilizes 128-bit web addresses, thus expanding the maximum available number of web addresses to 2^128, which should keep us supplied with IP addresses for the foreseeable future.
Adoption of IPv6, however, has been slow - mainly due to upgrade costs, backward compatibility concerns, and sheer laziness. Consequently, although all modern Operating Systems support IPv6, the vast majority of websites do not yet bother.
This has led websites that support IPv6 to adopt a dual-tiered approach. When connected to from an address that only supports IPv4, they will serve up an IPv4 address, but when connected to from an address that supports IPv6, they will serve up an IPv6 address.
Unfortunately, most VPN software fails to direct IPv6 traffic through the VPN tunnel, so when you connect to an IPv6 enabled website, your browser will make an IPv6 DNS request outside the VPN, which is therefore handled by your ISP.
VPN providers that offer “DNS leak protection” in their clients usually side-step the problem by simply disabling IPv6 in the OS. This is effective at preventing IPv6 leaks, but is hardly forward looking, and we would like to see providers offer true IPv6 support in their products. (Mullvad is the only provider that claims to properly route IPv6 calls. We have not tested this yet, but if true then Mullvad is very much to be commended.)
Here we can see a clear IPv6 leak. You can tell the address is IPv6 because it is much longer than the IPv4 address above it (which shows no leak).
This is an interesting case. IPv6 has been blocked (not reachable), but is nevertheless leaking via WebRTC (see below). Note that IPv4 WebRTC leaks have been properly blocked here.
iOS is supposedly immune to IPv6 leakage.
This result shows that IPv6 has been disabled, so IPv6 leaks are not possible. In a perfect world it should be possible to enable IPv6, while only detecting your VPN provider’s IP address (you can check who an address belongs to by entering “whois [ip address]” into a search engine).
- Use a VPN client with built-in “DNS leak protection”. This disables IPv6.
- Disable IPv6 manually. Instructions for doing so are available for Windows, OSX Mac, and Linux. The more paranoid out there may prefer to do this even if using a VPN client with “DNS leak protection”.
- The OpenVPN for Android app has the option to properly route all IPv6 traffic over the VPN. To ensure this is enabled:
Go to the specific server connection settings, then navigate to Routing
Ensure that IPv6 -> “Use default Route” is checked. Note also the IPv4 leak protection.
Smart Multi-Homed Name Resolution (mainly a Windows 10 problem)
A new “feature” in Windows 10 means that DNS requests are directed not just through your VPN tunnel, but also through your ISP and local network interface. This is because by default Windows 10 attempts to improve web performance by sending DNS requests in parallel to all available resources at once, and (at least in theory) using the fastest one.
Under Windows 7 all DNS requests were made in simple order of DNS server preference, but this changed in Windows 8 when Microsoft added “Smart Multi-Homed Name Resolution” by default. This sends out DNS requests to all available interfaces, but only uses non-preferred servers if the main DNS server failed to respond.
This makes Windows 8.x systems somewhat liable to DNS leaks, but Windows 10 makes the situation much worse as it simply chooses whichever DNS request responds quickest. In addition to being a major security risk, there are also reports of Windows 10 users suffering slow page loading and timeouts due to this issue.
- There is now an OpenVPN plugin to fix this problem. It should work with all versions of Windows, and should also work with most custom OpenVPN clients that use a standard .ovpn configuration file (i.e. most of them.)
- Anecdotally, I have never suffered DNS leaks in Windows 8.1 due to this issue, but nevertheless advise all Windows 8, Windows 8.1, and especially Windows 10 users to disable Smart Multi-Homed Name Resolution if possible*. Avast has published some great instructions on how to do this.
The WebRTC “bug”
Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into your browser.
A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on or configure any new settings.
Unfortunately for VPN users, WebRTC allows a website (or other WebRTC service) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.
Given that WebRTC is potentially useful, it is something of a shame that the only way to prevent it from leaking your true IP address is to disable WebRTC in your browser completely (although the Statutory add-on does allow you to whitelist individual websites).
The WebRTC issue only affects the Firefox, Chrome, and Opera browsers (not Internet Explorer or Safari etc., as these do not include WebRTC functionality.) Update: newer versions of the stock Android browser appear to implement WebRTC, and so should be avoided.
1. Type ‘about:config’ into the URL bar to enter Firefox’s advanced settings, and then change the ‘media.peerconnection.enabled’ value to false.
For more information on the WebRTC “bug”, full instructions on how to disable WebRTC in Firefox, plus a more detailed look at the various browser plug-in solutions available (various browsers,) please check out my article on The WebRTC VPN “Bug” and How to Fix It.
Update: WebRTC leaks can now be blocked at both the VPN client and VPN server levels. In fact, the latest version of OpenVPN GUI includes WebRTC leak protection. We therefore now expect VPN software to include WebRTC protection. This is not always the case however (especially with IPv6 protection), so we strongly recommend that you continue to manually disable WebRTC in your browser. Just to be sure.
VPN dropouts (or why you need a “kill switch”)
Sometimes VPN connections fail. With a good VPN provider this should not happen very often, but it occasionally happens even to the best. If your computer remains connected to the internet after this happens, then your real IP will be exposed.
Although not technically an “IP leak”, as the problem occurs exactly because you don’t have a VPN connection, the effect is the same – you think that you are protected by VPN, when in fact the whole world can see your IP address.
This is particularly a problem for P2P downloaders who leave BitTorrent clients running while they are away from their computers (often for long periods of time). If the VPN connection drops, their true IP is therefore exposed to any copyright enforcers tracking a torrent they are downloading.
- Use a “VPN kill switch” (also called, somewhat more accurately, an “internet kill switch”.) These either monitor your internet connection and shut it down when they detect a VPN dropout, or use firewall rules to prevent any internet traffic leaving your computer outside of your VPN connection.
Many providers’ custom VPN clients include a built-in kill switch (sometimes called something else, such as “network lock”), or you can use third-party solutions such as VPNetMon, VPN Check, or VPN Watcher. The Viscosity OpenVPN client even supports per-app kill switches (you can specify which individual apps can only access the internet using VPN).
Interestingly, the OpenVPN for Android app can be set up to work as a kill switch. The app will automatically attempt to reconnect to your VPN in the event of a VPN dropout (which is good, as this will occur whenever you move between WiFi routers, or WiFi and a mobile connection!).
To configure the app as a kill switch, edit the specific VPN connection (see IPv6 above), and navigate to “Advanced”.
Check “Persistent Tun” and set “Connection retries” to Unlimited. Ta-da! You now have an OpenVPN kill switch for Android.
- Create your own kill switch using Firewall rules (see below.)
- Configure the Vuze BitTorrent client to only download over VPN. This is not a true solution to the problem, but can be very effective for those whose primary concern is VPN dropouts while downloading via P2P. Detailed instructions on how to set up Vuze to do this are available here (where I also discuss how to configure VPNetMon and VPN Check as kill switches).
Using Firewall Rules (a global fix)
A unified solution to all of the above issues is to use a firewall, configuring it so that only connections to the VPN server are permitted through the firewall. Details differ by OS and firewall program, but the basic principles are:
1. Add a rule that blocks all outgoing and incoming traffic on your Local Ethernet Device.
2. Add an exception for your favorite DNS Server (to resolve the hostname of your VPN provider)
3. Add an exception for your VPN provider's IP addresses
4. Add a rule for your tun/tap or any other VPN device to allow all outgoing traffic for the VPN tunnel.*
I have a detailed guide for doing this using Comodo Firewall (Windows), and guides are also available using the Windows 7 (not 8+) built-in firewall, and Little Snitch (Mac OSX). Those familiar with iptables should have no problem doing something similar in OSX and Linux. * My thanks to reader x22 for concisely formulating these principles.
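The four principles above, written out for Linux as an added example (it is not from the original article or from reader x22): a shell function that prints an IPv4 ruleset in iptables-restore format, plus an IPv6 companion that confines IPv6 to the tunnel. The interface names eth0 and tun0, the addresses and the 1194/udp port are constructed placeholders, and the DNS exception is optional because it is only needed when the VPN client connects by hostname.

```sh
#!/bin/sh
# Added example, not from the original article. Interface names, addresses and
# the port are constructed placeholders (RFC 5737 documentation ranges).
# gen_killswitch LAN_IF VPN_IF VPN_SERVER_IP VPN_PORT VPN_PROTO [DNS_IP]
# Prints an IPv4 ruleset in iptables-restore format; it does not apply it.
gen_killswitch() {
    lan_if=$1; vpn_if=$2; vpn_ip=$3; vpn_port=$4; vpn_proto=$5; dns_ip=$6
    # Require an IP literal so loading the rules never depends on DNS.
    case $vpn_ip in
        ''|*[!0-9.]*) echo "VPN server must be an IPv4 address" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
# 1. Block everything by default (stricter than one device: all interfaces).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to the few connections permitted below.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # 2. Optional DNS exception; omit DNS_IP when the client config uses an IP.
    if [ -n "$dns_ip" ]; then
        cat <<EOF
-A OUTPUT -o $lan_if -d $dns_ip -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $lan_if -d $dns_ip -p tcp --dport 53 -j ACCEPT
EOF
    fi
    cat <<EOF
# 3. The VPN server itself, on its own port and protocol only.
-A OUTPUT -o $lan_if -d $vpn_ip -p $vpn_proto --dport $vpn_port -j ACCEPT
# 4. Anything may leave through the tunnel device.
-A OUTPUT -o $vpn_if -j ACCEPT
COMMIT
EOF
}
# gen_killswitch6 VPN_IF: IPv6 may only use loopback and the tunnel.
gen_killswitch6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $1 -j ACCEPT
COMMIT
EOF
}

gen_killswitch eth0 tun0 203.0.113.10 1194 udp 192.0.2.53
```

Review the printed rules, then load them as root by piping the output to `iptables-restore` and `ip6tables-restore`. These rules also block DHCP lease renewal on the LAN, so add an exception for it if your network needs one.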
If using a good VPN client that features “DNS leak protection” and a kill switch, you should have little to worry about when it comes to accidentally exposing your real IP address when using VPN (although Windows 10 users should watch out for the Smart Multi-Homed Name Resolution issue.)
OpenVPN for Android users should be particularly chuffed that DNS leak protection and kill switch functionality are built into the generic OpenVPN app (just make sure that they are enabled.)
If your VPN software does not include these features, never fear, as there are plenty of third party solutions to fill the gaps.
It is always a good idea, however, to check ipleak.net periodically, just to make sure that nothing is amiss.