A VPN that's "connected" isn't always a VPN that's protecting you. Three quiet leaks regularly reveal your real IP — DNS, IPv6, and WebRTC. Here's each one and the fix.

DNS leaks

When you type a URL, your computer asks a DNS server to translate it to an IP. If those DNS queries go to your ISP's resolver instead of through the VPN tunnel, your ISP sees every site you visit — even though the actual page traffic is encrypted. Test at dnsleaktest.com. Every server returned should belong to the VPN, not your ISP.

Fix: enable DNS leak protection in your VPN app (it forces all DNS through the tunnel).

IPv6 leaks

Older VPNs only tunnel IPv4. If your ISP gives you IPv6 too, IPv6 traffic bypasses the VPN entirely — exposing your real IPv6 address to every site. Modern VPNs handle this; older clients sometimes don't.

Fix: enable IPv6 in the VPN app, or disable IPv6 system-wide if your VPN doesn't support it.

WebRTC leaks

Browsers can ask STUN servers "what's my IP?" via JavaScript. The answer reveals your real IP regardless of VPN. See our full WebRTC leak guide for browser-by-browser fixes.

Kill switch failures

Even with all three above plugged, if your VPN drops momentarily and the kill switch is off, traffic flows over your real connection. Enable the kill switch.

Run the full leak audit

Use our VPN-is-working checklist — it covers IP change, DNS, WebRTC, and kill switch in four steps. Run it once after install and any time you switch protocols or update your VPN client.

Try it now

Curious what your IP is showing the world right now? Check your IP address & location instantly with our free tool — no signup, nothing stored. Or trace any other IP to see its geolocation, ISP, and network details.