how to prevent IP leaks

If your real IP address is visible while connected to a VPN, you have an IP leak. There are several possible causes of this, so I’ve created this guide to identifying and resolving DNS, IPv6, and WebRTC leaks.

What's in this article?

Here’s the short version: you can fix most leaks by enabling your VPN’s leak protection tools, disabling IPv6, or using a browser extension to turn WebRTC off.

What are the most common types of IP leaks?

VPNs are designed to keep your IP address, location, and browsing habits private. However, a single misconfiguration with either your device or your VPN’s infrastructure can inadvertently reveal this information to your ISP, the websites you visit, and anyone monitoring the network you’re using.

There are three main ways your real IP address leaks out:

DNS leaks

Before you can visit a website, you first have to find that site’s IP address using a DNS server. Your VPN is supposed to ensure both your web traffic and DNS requests are encrypted, but misconfigurations can allow DNS requests to escape the tunnel. This lets your ISP see exactly which sites you’ve accessed.

To resolve a DNS leak: Disable secure DNS in your browser settings and ensure your VPN’s DNS leak protection feature is enabled.

IPv6 leaks

There are two kinds of IP addresses, IPv4 and IPv6. The problem is that most VPNs only encrypt IPv4 traffic, so if you connect to a site via IPv6, the site owner and anyone monitoring the network can see your real IP address.

To resolve an IPv6 leak: Either enable your VPN’s IPv6 leak protection and kill switch features or turn off IPv6 entirely in your device’s network settings.

WebRTC leaks

Video calling services often use a technology called WebRTC to directly connect your device to whoever you’re chatting with. Because it was designed for efficient connections, it can sometimes access networking information from outside of the VPN tunnel, revealing your real IP address to the site you’re on, the other user, or both.

To resolve a WebRTC leak: Disable WebRTC functionality, either in your browser’s settings or with the help of a browser extension.

How to check for DNS, IPv6, and WebRTC leaks

The first step is to establish whether your VPN is actually leaking in the first place.

There are several websites that can help with this, but I used BrowserLeaks.com because it’s free, reasonably straightforward, and capable of testing for WebRTC, DNS, and IPv6 leaks.

Before we begin, make sure that your VPN is disabled. 

  1. Open BrowserLeak’s IP address checker and make a note of the IP Address and IPv6 Address values. If your IPv6 address is listed as “n/a”, IPv6 is either disabled or your ISP has not assigned you an IPv6 address, meaning you’re safe from IPv6 leaks.
  2. Click the Run DNS Leak Test button and make a note of any addresses that appear.

    Screenshot showing censored DNS leak test results with no VPN active
    DNS leak test results with no VPN active
  3. Connect to a VPN server in another country. Picking a server in the same region as you makes DNS leak test results harder to interpret since local infrastructure may be used even if there’s no leak. I’m in the UK, so I chose an American server.

    Screenshot showing NordVPN connected to a server in New York
    NordVPN connected to a server in New York
  4. Refresh the page. If the IPv6 Address value matches the one you wrote down earlier, you have an IPv6 leak. Likewise, if the IP Address from earlier shows in the Public IP Address field, you have a WebRTC leak.

    Screenshot showing a side-by-side comparison of my leak test results with and without a VPN active
    Because my original IP address isn’t revealed when connected to the VPN, we can safely say that there is no IPv6 or WebRTC leak.
  5. Click the Run DNS Leak Test button again. Check whether any of the addresses you recorded earlier have shown up again. If so, you have a DNS leak.

    Screenshot showing a VPN with a DNS leak
    Because the same DNS server showed up with and without a VPN active, we can confirm that my VPN has a DNS leak.

How to prevent WebRTC leaks

Most browsers no longer allow you to disable WebRTC entirely. That’s understandable, considering it’d prevent you from using the web-based versions of Discord, Google Meet, and other VoIP apps.

Instead, the simplest solution is to install a browser extension that allows you to toggle WebRTC on and off as needed. This approach works on any modern browser, including mobile devices (provided you’re a Firefox user). Disable WebRTC and WebRTC Control are two highly-rated extensions for Firefox and Chrome, respectively, though many alternatives exist.

How to prevent IPv6 leaks

If your VPN has an IPv6 leak protection feature, make sure it’s active. I also recommend enabling the kill switch since, if properly implemented, this should block all traffic outside of the encrypted tunnel, meaning sites that refuse to fall back to IPv4 should simply become inaccessible.

Your other option is to disable IPv6 entirely in your operating system’s network settings using the steps below:

  • Windows: Press the Windows Key and type “View network connections”, then press Enter. Right-click your active internet connection and hit Properties. Now, simply uncheck Internet Protocol Version 6 (TCP/IPv6).

    Screenshot showing how to deactivate Ipv6 in Windows 11
    Be sure to disable IPv6 on both wired connections and wifi
  • MacOS: Open your network settings and click the Details… button beside your active network. Click TCP/IP and change Configure IPv6 to Off or Link-Local Only.
  • Linux: Click the network icon, then select Network Connections. Choose your active connection, then hit the gear icon. Move across to the IPv6 Settings tab and set the Method to Disabled.

    Screenshot showing how to disable IPv6 in Linux's network manager
    These steps will work on most Linux distributions, though the exact setting names may be different
  • Android (mobile data only): Open the settings app and search for “access point names”. Scroll down and set APN protocol and APN roaming protocol to IPv4.

How to prevent DNS leaks

Pinning down the exact cause of a DNS leak isn’t always easy. However, following the steps below will address the most common causes and provide valuable information that can help your VPN’s support team identify the issue if you’re still having problems.

  • Enable your VPN’s DNS leak protection feature.
  • Check if your VPN has a setting that forces the use of your provider’s DNS servers.
  • Make sure the VPN’s kill switch is active.
  • Tell your operating system to automatically acquire DNS servers.
  • Disable Use Secure DNS or DNS over HTTPS in your browser settings.
  • Flush your DNS cache to remove outdated records.

VPN disconnects & network disruptions

There are other scenarios in which your IP address may leak. If your VPN connection suddenly drops or you experience a network disruption (such as WiFi suddenly becoming inaccessible), your VPN may start leaking or disconnect altogether.

The leaks are temporary rather than persistent, because disconnect and disruption leaks are triggered by an external event. However, the cost is the same since it only takes a few seconds to compromise your privacy online.

VPN dropouts can particularly affect people who torrent over VPN and leave their computer unattended as they wait for the download(s) to finish. They can also affect mobile users who switch between WiFi and mobile data while connected to a VPN. Your VPN may disconnect during the switch, or the switch may trigger a network disruption, causing your VPN app to start leaking data.

VPN connections, like any other network connection, are susceptible to network disruptions and can fail. A properly implemented kill switch should help you in case of an outright disconnect. But your VPN connection won’t necessarily disconnect after a network disruption; it may simply end up in a misconfigured state and start leaking data – unfortunately, a kill switch won’t help you in that situation.

How to protect against VPN disconnect & network disruption leaks

A disconnect leak is easier to manage than a network disruption leak because a kill switch will help you. Choose a VPN provider that has a built-in kill switch on the device/platform app you will be using, as not all providers support kill switches in all of their apps.

There isn’t much you can do to protect against disruption leaks. The only thing I would recommend is to test your VPN connection for leaks regularly. It shouldn’t take you long to find out if your VPN provider is consistently leaking data. If that’s the case, switch to a more rigorous provider.

Conclusion

Having your real information leak out whilst connected to a VPN is more than an inconvenience; it’s a significant privacy issue that should be resolved as soon as possible. Thankfully, in most cases, this is as simple as enabling your VPN’s leak protection features and regularly running VPN leak tests to ensure your provider is up to the task.

If none of the steps above worked for you, I’d encourage you to reach out to your VPN’s customer support team. Because this is a reasonably complex problem, live chat may not provide a solution on the spot, but in my experience, most major VPN providers respond to escalated support tickets within a day or two.