What Is a VPN Leak?
A VPN leak occurs when data that your VPN is supposed to protect — your IP address, DNS requests, and location, for example — is transmitted outside of the encrypted VPN tunnel.
VPN leaks allow your ISP, government, and any other third party viewing your connection to determine your identity and activity.
Most users will download a VPN to protect their online privacy and hide their true IP address. For this reason, a leaking VPN is fundamentally useless.
Here is a summary of the four main types of VPN leak:
- IP Address leaks. IP leaks occur when your VPN fails to mask your personal IP address with one of its own. This is a significant privacy risk as your ISP and any websites you visit will be able to link your activity to your identity. For more information on IP leaks, skip to the section below.
- DNS leaks. A VPN is supposed to route your DNS requests to its own DNS servers. If your VPN routes these requests to your ISP’s DNS servers instead, it’s called a DNS leak. This exposes your browsing activity and any websites you visit to your ISP or any other eavesdroppers. You can find out more about DNS leaks here.
- WebRTC leaks. WebRTC is a browser-based technology that allows audio and video communications to work inside web pages. WebRTC has clever ways of discovering your true IP address even if a VPN is on. The best VPNs block WebRTC requests. Alternatively, you can disable WebRTC completely at the browser level.
- IPv6 leaks. IPv6 is a new form of IP address that is not currently supported by most VPNs. Unless a VPN supports or actively blocks IPv6, your personal IPv6 address can be exposed if you’re on an IPv6-enabled network. This is called an IPv6 leak, and you can read more about it here.
Why Is My VPN Leaking?
Most users want to keep their identity and activity private, so VPN providers market themselves accordingly. The truth is, however, that most VPN protocols were not actually designed with these goals in mind.
By default, most VPN protocols leak your queries to default DNS servers. They leak IPv4 traffic when forced to reconnect, and they are usually completely oblivious to IPv6 traffic. Only the VPNs specifically developed to offset these problems will offer you protection.
Without proper protections your VPN can leak if:
- There is an interruption in network connectivity.
- You’re using WiFi and switch to a different network.
- You connect to a network that is fully IPv6 capable.
- Your DNS requests are sent outside of the encrypted VPN tunnel.
- You are using a VPN service or browser that does not provide adequate WebRTC protections.
We’ll now cover the different types of VPN leak in detail. To find out which VPNs leak you can skip straight to our VPN Leaks Comparison Table. Alternatively, you can find out how to properly protect yourself from VPN leaks in the last chapter of this guide.
1What Is an IP Address Leak?
IP addresses are unique identifiers that are assigned to devices on a network. For the public internet, your Internet Service Provider (ISP) assigns an IP address to your network router, which all of your devices then connect to.
An IP leak happens when your VPN fails to mask your true IP address with one of its own, leaving your identity open and visible to your ISP and all of the websites you visit.
IP leaks occur when the device running a VPN contacts the default server rather than the intermediary VPN server it was supposed to. This means that the websites or apps you’re using can see your real IP address instead of the one your VPN has assigned you.
If your IP address is leaking then your VPN is simply not doing its job. Your privacy is not protected and your online location remains the same, rendering the VPN service essentially worthless.
If your VPN is leaking your IP address, choose a new VPN provider. You can find our latest VPN recommendations here.
2What Is a DNS Leak?
The Domain Name System (DNS) is responsible for translating URLs and domain names (like example.com) into actual IP addresses to connect to. In short, it ‘translates’ the numerical names of web servers into memorable words, and vice versa.
When you enter a URL into your browser to connect to a website, you first contact a DNS server which requests the IP address of that website. The server then sends your browser the ‘directions’ to the website you’re looking for.
If you’re not connected to a VPN, this process is carried out by your ISP’s DNS servers. This is a serious problem for privacy. Your DNS requests are essentially plain text records of the websites you visit. More often than not, ISPs will store these requests along with the IP addresses that make them.
If you live in the US, your DNS data might be shared with third parties or sold to advertising companies. In countries like the UK, Australia, and parts of Europe, this data is stored for several years and shared with authorities upon request.
When you connect to a functioning VPN, your device will use the DNS servers operated by the VPN service rather than your ISP. All of the traffic coming from your device, including your DNS requests, will be routed through the VPN network. This stops your ISP from seeing the websites you visit.
When DNS requests travel outside of the encrypted VPN tunnel to an unsecured DNS server instead, it’s called a DNS leak.
DNS leaks expose your browsing habits to your ISP and any eavesdroppers, allowing them to log the websites you visit, files you download, and the apps you use. Anyone else viewing your connection will also see the location and IP address of your ISP.
Many VPNs provide inadequate DNS leak protection. Often, your DNS requests continue to route through your ISP’s servers, exposing the websites you visit.
Your system might revert to unsecured DNS servers if your VPN is manually configured, you have changed your computer’s settings, or your VPN provider doesn’t provide adequate technical protection against leaks.
DNS leaks defeat the object of using a VPN. The content of your web traffic is still hidden by the VPN’s encryption, but your location and the websites you visit are left exposed and most likely recorded by your ISP. For more information, you can skip to How to Fix DNS Leaks.
3What Is a WebRTC Leak?
WebRTC leaks occur when your true IP address is exposed via your browser’s WebRTC functionality. These leaks can identify you even if your VPN is working correctly.
WebRTC stands for ‘Web Real-Time Communication’. It is a group of technologies that enable browsers to communicate directly with each other without an intermediate server. This allows for much faster speeds when using audio, video, and live streaming within your browser.
Two devices communicating directly via WebRTC need to know each others’ IP address. This means a website can exploit your browser’s WebRTC functionality to capture your true IP address, which could be used to identify you.
Efficient IP sharing is supposed to provide convenience and speed, so WebRTC uses several clever techniques to figure out your true IP address and bypass any obstacles that might prevent your real-time connection from taking place. Put simply, it allows browsers to gather your IP address simply by reading it off your device.
While often discussed in relation to VPN services, WebRTC leaks aren’t really flaws within your VPN or your browser — they are simply part of your browser’s design.
Chrome, Opera, Firefox, and Microsoft Edge are most susceptible to WebRTC leaks because they have WebRTC functionality enabled automatically.
We’ve seen several VPN browser extensions suffer WebRTC leaks in Firefox since the browser’s latest update.
While any IP address leaks threaten your privacy and anonymity, WebRTC leaks are particularly worrying because they are so easily overlooked. In addition, not every VPN provider can protect you.
WebRTC leaks highlight a very important concept for those seeking privacy and anonymity online: the browser is usually the weak link. Luckily, there are some simple steps that can safeguard you against this problem.
For more information on how to disable WebRTC to prevent leaks, skip to the last chapter of this guide.
4What Is an IPv6 Leak?
IPv6 stands for ‘Internet Protocol version 6’. It is the most recent version of the Internet Protocol (IP) — otherwise known as the IP address — used to identify and locate computers on a network and route traffic across the internet.
IPv6 was designed to eventually replace IPv4 — the current and most widespread standard — as it became evident that far more addresses would need to exist than there were IPv4 addresses available.
IPv6 is being used by some networks and ISPs during the transition period from IPv4. Unless you have taken steps to disable it, you are probably sending and receiving IPv6 data every time you connect to the internet.
While IPv6 is the future, not all VPN providers currently support it, which leaves them vulnerable to leaks. Many VPNs only route IPv4 traffic through the encrypted VPN tunnel, leaving IPv6 traffic completely unprotected and sent to the open internet. This is called an IPv6 leak.
IPv6 leaks are not uncommon. This is a serious problem, because IPv6 addresses are typically device-specific. With requisite authority, IPv6 data could be tied to your ISP, which could be readily used to identify you.
It’s important to choose a VPN service that provides a VPN-specific IPv6 address or blocks IPv6 traffic completely. If IPv6 traffic is not blocked, your VPN should provide an IPv6 DNS server that’s accessible only through the VPN tunnel.
For more information on how to prevent IPv6 leaks and to find out which VPNs offer IPv6 leak protection, you can skip straight to How to Fix IPv6 Leaks.