One of the primary reasons to use a VPN is to hide your true IP address. When using a VPN, your internet traffic is encrypted and sent to a VPN server run by your VPN provider, before exiting to the internet.
This means that outside observers can only see the IP address of the VPN server and not your true IP address. The only way for them to discover your true IP address, therefore, is to convince your VPN provider to hand it over to them (and good providers use robust measures such as using shared IPs and keeping no logs to make this as difficult as possible).
Unfortunately, it is sometimes possible for websites to detect your true IP address, even when using a VPN.
This article aims to answer: what is an IP leak, why is my IP leaking even though I am connected to a VPN, and how do I fix the problem?
How to Test for a DNS Leak or IP leak
To determine if you are suffering an IP leak:
1. Visit ipleak.net without a VPN running. Make a note of all the IP addresses you see (or just leave the window open), as these are your real IP addresses.
Here is what our IPv6-capable office connection looks like without a VPN running. If your connection is not IPv6-capable then you will only see IPv4 addresses. As we can see, WebRTC correctly reports our real IPv6 address. If we had no IPv6 capability then it would report our IPv4 address instead.
WebRTC also reports a Private Use (IANA Private or Special Address) address, but this does not concern us. These Private Use addresses are internal addresses that are used only by your local network.
Even if WebRTC does return a real Private Use IP address when a VPN is running it is not a privacy risk since these cannot be used to identify you from the internet.
2. Turn on your VPN. Although not strictly necessary, connecting to a VPN server in a different country makes spotting IP leaks much easier.
3. Open a Private/Incognito window in your browser, visit ipleak.net again, and compare the results with those you obtained without the VPN running.
- If the regular IPv4 address is your real IPv4 address then the VPN is either not switched on or is simply not working.
- You can ignore Private Use IPs detected by WebRTC. As already discussed, these pose no threat to your online privacy and therefore do not count as an IP leak (in practical terms, anyway).
- If any other address on the ipleak.net web page matches your real address then the VPN is working but is leaking your IP address in some way.
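The comparison in step 3 can be done mechanically. The following is an added example, not part of the original article: it takes the addresses you noted without and with the VPN and applies the three rules above. The field names (`ipv4`, `ipv6`, `webrtc`, `dns`) and all sample addresses are constructed, and it assumes the DNS servers seen without the VPN belong to your ISP.

```python
import ipaddress

# Ranges the article treats as "Private Use": local-only, so not a leak.
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                   # IPv4 link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

FIELDS = ("ipv4", "ipv6", "webrtc", "dns")  # hypothetical names for the page's sections


def public_set(addrs):
    """Parse addresses, drop local-only ones, and normalise IPv6 spelling."""
    parsed = (ipaddress.ip_address(a.strip()) for a in addrs)
    return {ip for ip in parsed if not any(ip in net for net in LOCAL_ONLY)}


def find_leaks(baseline, with_vpn):
    """Compare notes taken without the VPN (baseline) against notes taken with it."""
    base = {f: public_set(baseline.get(f, [])) for f in FIELDS}
    seen = {f: public_set(with_vpn.get(f, [])) for f in FIELDS}
    real = base["ipv4"] | base["ipv6"] | base["webrtc"]

    # Step 3, first bullet: the regular IPv4 address is still the real one.
    if seen["ipv4"] & base["ipv4"]:
        return ["vpn-not-working"]

    findings = []
    if seen["ipv6"] & real:
        findings.append("ipv6-leak")
    if seen["webrtc"] & real:
        findings.append("webrtc-leak")
    # Assumption: the resolvers seen without the VPN are the ISP's.
    if seen["dns"] & base["dns"]:
        findings.append("dns-leak")
    return findings


# Constructed sample notes (documentation-range addresses, not real hosts).
BASELINE = {"ipv4": ["203.0.113.25"], "ipv6": ["2001:db8:aa::10"],
            "webrtc": ["2001:db8:aa::10", "192.168.1.20"], "dns": ["203.0.113.53"]}
LEAKY = {"ipv4": ["198.51.100.7"], "ipv6": ["2001:DB8:AA:0:0:0:0:10"],
         "webrtc": ["2001:db8:aa::10", "192.168.1.20"], "dns": ["198.51.100.53"]}
CLEAN = {"ipv4": ["198.51.100.7"], "ipv6": [],
         "webrtc": ["192.168.1.20"], "dns": ["198.51.100.53"]}

if __name__ == "__main__":
    print(find_leaks(BASELINE, LEAKY))
    print(find_leaks(BASELINE, CLEAN))
```

Parsing the addresses instead of comparing strings matters for IPv6, where the same address can be written in several ways.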
Connecting to a US VPN server from the UK, below is the result we want to see.
- The IPv4 address has changed to the location of the VPN server. So the VPN is working.
- IPv6 has been disabled or blocked to prevent regular IPv6 leaks.
- WebRTC is not detecting our real IPv4 or IPv6 address. We can ignore the Private Use address as it doesn’t threaten our privacy.
- The DNS servers used do not belong to our ISP and are resolved in the correct country.
If DNS is resolved close to where the VPN server is located then it strongly suggests that the VPN service runs its own DNS server(s) there.
If you see multiple DNS addresses which only locate to a wider country or geographic area, then DNS translation is probably being performed by a third-party DNS resolver such as Google DNS.
This is not a problem as long as we assume the DNS requests are being sent through the VPN connection and are therefore being proxied by the VPN server (a fairly safe assumption, although you never know).
Unfortunately, there is usually no easy way for an end-user to know if DNS requests handled by a third party resolver are being proxied by the VPN service or sent directly to the resolver. So you just have to trust your provider on this one (or switch to a provider that definitely runs its own DNS servers).
It is worth noting that Google DNS resolves all European DNS requests using servers located in the Netherlands and Belgium. So if you are connected to a VPN server in the UK, France, or Romania, but the DNS server is located in Belgium, that’s why. And it’s not a problem (so long as we assume the DNS requests are being proxied and not sent directly to Google).
This is an example of what you don’t want to see when connecting to a VPN server in Germany from the UK.
- The IPv4 address has changed to a German one, so the VPN is working on a basic level.
- We can still see our real regular IPv6 address, however. This means we have a regular IPv6 leak (or just “IPv6 leak”).
- WebRTC is also reporting our real IPv6 address. So we have a WebRTC IPv6 leak.
- The DNS addresses aren’t in Germany, but they don’t belong to our real ISP either. So they don’t constitute a DNS leak.
Below we explain what the different kinds of IP leak are and how to fix them. In all cases, though, an often unwritten but recommended solution is to change VPN service to one which doesn’t leak.
Regular IPv6 leaks
Every internet connection has a unique numerical address called an Internet Protocol (IP) address. The IP addresses (or just “IPs”) are assigned by the Internet provider (ISP) that connects the device.
Until recently, the entire internet used the Internet Protocol version 4 (IPv4) standard to define IP addresses. This supports a maximum 32-bit internet address, which translates to 2^32 IP addresses (about 4.29 billion) available for assignment.
Unfortunately, thanks to the unprecedented rise in internet use over the last few years, IPv4 addresses are running out. In fact, technically speaking they have already done so, although workarounds mean that IPv4 is still very far from dead. At present, the vast majority of internet addresses still use the IPv4 standard.
While various mitigating strategies have been deployed to extend the shelf-life of IPv4, the real solution comes in the form of a new standard - IPv6. This utilizes 128-bit web addresses, thus expanding the maximum available number of web addresses to 2^128 (around 340 billion billion billion billion!). Which should keep us supplied with IP addresses for the foreseeable future.
Adoption of IPv6, however, has been slow - mainly due to upgrade costs, backward compatibility concerns, and sheer laziness. Consequently, although all modern Operating Systems support IPv6, the vast majority of ISPs and websites do not yet bother.
This has led websites that support IPv6 to adopt a dual-tiered approach. When connected to from an address that only supports IPv4, they will serve up an IPv4 address, but when connected to from an address that supports IPv6, they will serve up an IPv6 address.
Until IPv4 addresses start to run out, there is no disadvantage to using an IPv4-only connection.
IPv6 VPN leaks
Unfortunately, a great deal of VPN software has not caught up with IPv6. When you connect to an IPv6 enabled website from an IPv6 enabled internet connection the VPN client will route your IPv4 connection through the VPN interface but is completely unaware of the IPv6 connection also being made.
So the website won’t see your real IPv4 address, but it will see your IPv6 address. Which can be used to identify you.
1. Use a VPN client with IPv6 leak protection
All good VPN clients these days offer IPv6 leak protection. In most cases, this is done by disabling IPv6 at the system level to ensure IPv6 connections are simply not possible. This is something of a lazy solution, but it works well.
More technically impressive are VPN apps that properly route IPv6 connections through the VPN interface. This is a much more elegant solution and is undoubtedly the future for all VPN apps.
If your VPN provider’s custom software does not prevent regular IPv6 leaks then you can use a third-party app instead. OpenVPN GUI for Windows, Tunnelblick for macOS, OpenVPN for Android, and OpenVPN Connect for iOS (and other platforms) all provide effective IPv6 leak protection.
2. Disable IPv6 manually on your system
The most sure-fire way to prevent any possibility of IP leaks is to disable IPv6 at the system level (where possible). Please check out our guide on How to disable IPv6 on all devices for instructions on how to do this.
DNS leaks are the most well-known form of IP leak because they used to be the most common. In recent years most VPN services have stepped up to the mark, however, and in our tests, we are detecting DNS leaks much less often.
The Domain Name System (DNS) is used to translate the easy-to-understand and remember web addresses that we are familiar with (URLs), to their “true” numerical IP addresses. For example, translating the domain name www.proprivacy.com to its IPv4 address of 22.214.171.124. So at heart DNS is just a fancy telephone book that matches URLs to their corresponding IP addresses.
This DNS translation process is usually performed by DNS servers run by your internet provider (ISP). With larger ISPs it is likely that DNS queries will be resolved geographically close to you (for example somewhere in your city), but this is not always the case.
What is certain is that DNS queries will be resolved in the country where your ISP is based (i.e. your own country). Wherever the DNS query is resolved, though, it will not be at your home IP address. But…
Your ISP can see what you get up to
It is your ISP who resolves your DNS queries, so:
- It knows the IP address they came from.
- It knows which websites you visit because it is the one translating the URLs you type into IP addresses. Most ISPs the world over keep logs of this information, which they may or may not share with your government or police forces as a matter of routine, but which they can always be compelled to share.
Now… in the normal course of things this doesn’t actually matter too much because it is your ISP which connects you directly to the IP addresses you visit. So it knows which websites you visit, anyway.
A VPN server proxies your internet connection, though, to prevent your ISP from seeing what you get up to on the internet. Unless it is still resolving your DNS queries, in which case it can still (indirectly) see which websites you visit.
You can be traced
Websites can see and log the IP addresses of DNS servers which direct connections to them. They won’t know your unique IP address in this way, but they will know which ISP resolved the DNS query and routinely create a timestamp of when it happened.
If they (or the police, for example) want to identify a visitor they simply have to ask the ISP “who made a DNS request to this address at this time?”
Again, in the normal course of things, this is irrelevant, since websites can see your unique IP address anyway. But when you are hiding your IP address with a VPN it becomes an important means of “de-anonymizing” VPN users.
How DNS leaks happen
In theory, when using a VPN all DNS requests should be sent through the VPN, where they can be handled in-house by your VPN provider or proxied out to a third party who will only see that the request came from the VPN server.
Unfortunately, operating systems sometimes fail to route DNS queries through the VPN interface and instead send them to the default DNS server specified in the system settings (which will be your ISP’s DNS server unless you have manually changed your DNS settings).
1. Use a VPN client with DNS leak protection
Many VPN clients address this problem with a “DNS leak protection” feature. This uses firewall rules to ensure no DNS requests can be sent outside the VPN tunnel. Unfortunately, these measures are not always effective.
We don't understand why “DNS leak protection” is often a user-selectable feature that is not enabled by default.
2. Disable IPv6
Note that this is only a partial solution, as it in no way prevents IPv4 DNS leaks. But one of the major reasons that even VPN apps which feature DNS leak protection fail to block DNS leaks is that they only firewall DNS requests to IPv4 DNS servers.
Since most DNS servers remain IPv4-only, they can often get away with this. But ISPs which offer IPv6 connections also usually offer IPv6 DNS servers. So if a client only blocks IPv4 DNS requests outside the VPN interface then IPv6 ones can get through.
3. Change your DNS settings
Any wayward DNS queries which don’t route through the VPN interface (as they should) will instead be sent to the default DNS servers specified in your system’s settings.
Unless you have changed these already, then the DNS server addresses (IPv4 and IPv6 if available) will be obtained automatically from your ISP. But you can change them, and we have instructions for doing so here.
Note that changing your DNS settings is not really “fixing” the DNS leak issue. It’s just that you are leaking DNS requests to a third party resolver instead of your ISP.
Fortunately, there are now some very good privacy-focused DNS services that keep no logs. They also protect DNS requests with DNS over HTTPS (DoH) or DNS over TLS (DoT) DNS encryption, without which your ISP can see the DNS requests, anyway, even if it is not handling them.
For more information on this subject, plus a list of recommended free and private DNS services, please see here.
A note for Linux users
Manual VPN setup in Linux, whether using NetworkManager, the CLI OpenVPN client, strongSwan, or whatever, provides no DNS leak protection. Fortunately, there are steps you can take to fix this issue, although they complicate the VPN setup process.
You can modify resolvconf to push DNS to your VPN’s DNS servers, or you can manually configure the iptables firewall to ensure all traffic (including DNS requests) cannot leave your Linux machine outside the VPN tunnel. Please see our notes on building your own firewall later in this article for more on this.
WebRTC leaks are now the most common form of IP leak we see in our tests. Strictly speaking, WebRTC leaks are a browser issue, not a VPN issue, which has led many VPN providers to distance themselves from a problem which is not easy to fix.
In our view, this is not good enough. Nor do we think that publishing “How to Disable WebRTC” guides hidden deep inside a provider’s help section is good enough, either.
What are WebRTC leaks?
WebRTC is an HTML5 platform that allows seamless voice and video communication inside users’ browser windows. Almost all modern browsers on almost all major platforms now support WebRTC, including Chrome, Firefox, Opera, Edge, Safari, and Brave.
An exception is in iOS, where only Safari supports WebRTC (at least without additional plugins).
In order to achieve seamless browser-to-browser communication through obstacles such as firewalls, WebRTC-enabled browsers broadcast your real IP address(es) to STUN servers which keep a list of both users’ public IP addresses and their real IP addresses.
Anyone wishing to initiate a WebRTC conversation with you (or just any nosey website) can request your real IP address and the STUN server will simply hand it over.
Usually referred to as a WebRTC leak, this problem is sometimes called the “WebRTC bug.” Which is something of a misnomer since it is an intentional and very useful feature of WebRTC. But it is a real pain for VPN users who are trying to hide their real IP address!
1. Disable WebRTC in your browser
This is the only 100% effective way to prevent a WebRTC leak when using a VPN. We recommend doing it even if your VPN client is effective at mitigating against VPN leaks.
In Firefox it is easy to disable WebRTC. Type “about:config” into the URL bar to enter Firefox’s advanced settings, search for “media.peerconnection.enabled,” and double-click on the entry to change its value to false.
Alternatively (and in other browsers), various browser plugins can disable WebRTC, including Disable WebRTC, uBlock, uBlock Origin and NoScript. Some VPN providers include a Disable WebRTC feature in their custom browser add-ons.
A more complete discussion on this subject can be found at What is the WebRTC VPN “Bug” and How to Fix It?
2. Use a VPN service which mitigates against WebRTC leaks
WebRTC leaks are a browser issue, so the only truly effective way to prevent this is by disabling WebRTC in the browser.
We have, however, found that some VPN services are consistently effective at preventing VPN leaks. We still recommend disabling WebRTC at the browser level even with these, though. Just to be on the safe side.
VPN dropouts and kill switches
Although not technically an “IP leak,” as the problem occurs exactly because you don’t have a VPN connection, the effect is the same – you think that you are protected by VPN, when in fact the whole world can see your IP address.
What is a VPN dropout?
Sometimes VPN connections fail, often for reasons completely outside the control of even the best VPN services. If your computer remains connected to the internet after this happens, then your real IP will be exposed.
This is particularly a problem for P2P downloaders who leave BitTorrent clients running while they are away from their computers (often for long periods of time). If the VPN connection drops, their true IP is therefore exposed to any copyright enforcers tracking a torrent they are downloading.
It is also a problem for mobile users, as switching between WiFi and mobile networks, and switching mobile networks, can cause VPN dropouts.
1. Use a kill switch
A kill switch prevents your device from connecting to the internet when the VPN is not working. Almost all modern kill switches are actually firewalls or system-level firewall rules which block all internet connections outside the VPN interface.
So if the VPN software fails or needs to reconnect, then all access to the internet is blocked. Indeed, the same firewall rules provide effective DNS leak protection and can help mitigate against WebRTC leaks.
Kill switches are now a very common feature in desktop VPN clients, although rarer in mobile apps. Android 7+, however, includes a built-in kill switch that works with any installed VPN app.
VPN apps may use their own firewall to create a kill switch (and other leak protection) or may modify your system’s built-in firewall. We prefer the latter solution as the kill switch will survive even if the app completely crashes. But any kill switch is much better than none.
Build your own kill switch and DNS leak protection using firewall rules
As we have seen, many VPN apps use their own firewall rules or modify your system firewall rules to create a kill switch and prevent DNS leaks. It is entirely possible for you to do the same thing manually.
Details differ by OS and firewall program, but the basic principles are:
1. Add a rule that blocks all outgoing and incoming traffic on your internet connection.
2. Add an exception for your VPN provider's IP addresses.
3. Add a rule for your TUN/TAP adapter (if using OpenVPN, or for any other VPN device otherwise) to allow all outgoing traffic for the VPN tunnel.
We have a detailed guide for doing this using Comodo Firewall for Windows. Mac users can do the same using Little Snitch, while Linux users and those running a VPN client on a DD-WRT router can use iptables.
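For the iptables case, the three principles above can be written as a ruleset in `iptables-restore` format, with a matching `ip6tables-restore` ruleset so that IPv6 DNS requests cannot slip past an IPv4-only block. This is an added example, not the article's or any VPN provider's own code: the interface names `tun0` and `eth0`, OpenVPN's default UDP port 1194 and all addresses are assumptions, and `egress_allowed` is a small model of the OUTPUT chain used to check the rules, not a real iptables call.

```python
import ipaddress


def output_rules(vpn_servers, family, tun_if="tun0", proto="udp", port=1194):
    """ACCEPT rules for the OUTPUT chain of one address family (4 or 6).

    Everything that matches no rule falls through to the DROP policy.
    """
    rules = [{"out_if": "lo"}]
    for server in vpn_servers:
        # Literal IPs only: a hostname raises ValueError here, because
        # resolving it would need a DNS query outside the tunnel.
        ip = ipaddress.ip_address(server)
        if ip.version == family:
            rules.append({"dst": ip, "proto": proto, "dport": port})
    rules.append({"out_if": tun_if})
    return rules


def render(rules):
    """Text for iptables-restore (family 4 rules) or ip6tables-restore (family 6)."""
    lines = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]",
             ":OUTPUT DROP [0:0]", "-A INPUT -i lo -j ACCEPT",
             "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for r in rules:
        parts = ["-A OUTPUT"]
        if "out_if" in r:
            parts.append(f"-o {r['out_if']}")
        if "dst" in r:
            parts.append(f"-d {r['dst']} -p {r['proto']} --dport {r['dport']}")
        lines.append(" ".join(parts + ["-j ACCEPT"]))
    return "\n".join(lines + ["COMMIT"]) + "\n"


def egress_allowed(rules, out_if, dst, proto, dport):
    """True if an outgoing packet matches an ACCEPT rule, False if policy DROP applies."""
    dst = ipaddress.ip_address(dst)
    for r in rules:
        if "out_if" in r and r["out_if"] != out_if:
            continue
        if "dst" in r and (r["dst"], r["proto"], r["dport"]) != (dst, proto, dport):
            continue
        return True
    return False


VPN_SERVERS = ["198.51.100.7"]          # constructed placeholder address
V4 = output_rules(VPN_SERVERS, 4)
V6 = output_rules(VPN_SERVERS, 6)

if __name__ == "__main__":
    print(render(V4))
    print(render(V6))
    # Plain DNS to a (constructed) ISP resolver on the physical interface:
    print(egress_allowed(V4, "eth0", "203.0.113.53", "udp", 53))
    print(egress_allowed(V6, "eth0", "2001:db8::53", "udp", 53))
```

The rendered text is what you would review before loading it. Because the policies default to DROP, the rules keep blocking traffic if the VPN client exits.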