Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.

What Are VPN Leaks, and How Do You Fix Them?

JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process.

Fact-checked by Simon Migliano

VPN leaks can expose your IP address, DNS requests, and browsing activity to your ISP and anyone monitoring your internet connection. Unless you know how to check for VPN leaks, you may never realize they’re happening. In this article, we explain the different types of VPN leaks and exactly how to fix them.

Many VPN services that claim to protect your privacy are in fact leaking your IP address, DNS requests, and location without you even knowing it.

Your VPN connection may seem safe: there are no notifications or errors, your VPN service has a strict no-logging policy, and it’s headquartered in a privacy-friendly jurisdiction.

However, it’s still possible that your internet service provider (ISP), government authorities, and the websites you visit can see your IP address and browsing activity.

Our own investigation into free VPNs revealed that 25% of the most popular free Android VPN apps failed to protect users due to DNS and other leaks.

So how do you know if your VPN is leaking, and which VPNs can you actually trust to protect your data?

In this guide, we’ll explain the different types of VPN leaks, how to check for them, and how to fix them.

EXPERT TIP:

The easiest way to test for data leaks is to use our VPN leak testing tool. If you’ve tested your VPN and found IP, DNS, or WebRTC leaks, you can follow the instructions in this guide to fix them.

If you’re consistently experiencing data leaks with your current VPN provider, you should also consider subscribing to a better VPN service.

Our top recommendation for 2024 is ExpressVPN, which has never failed a leak test in over five years of testing.

What Are VPN Leaks?

A ‘VPN leak’ refers to a security flaw that allows your IP address, DNS requests, or other identifying information to be revealed to any third party monitoring your internet connection.

VPN software is primarily designed to hide your public IP address and encrypt your web traffic by rerouting it through a secure tunnel to a remote server. When your VPN leaks, some or all of this sensitive information passes outside the encrypted tunnel.

If your real IP address or DNS requests are leaking, your ISP can still see your browsing activity and any websites you visit can see your real IP address. Your privacy is not protected, and your identity is exposed, making the VPN service useless.

To find out if your VPN is working as it should, you can run your own test at home using our VPN and torrent IP leak testing tool. It requires very little technical knowledge and takes just a matter of minutes.

You can also conduct a basic manual test for IP leaks using our What Is My IP checker tool. Simply check your IP address before and after connecting to a VPN server – if your IP address doesn’t change, your VPN isn’t working.

Here is a summary of the three main types of VPN leak:

IP Address Leaks

IP address leaks occur when your VPN service fails to mask your public IP address with one of its own. This is a significant privacy risk as any websites you visit will be able to see your real identity and geographic location.

If your IP address is leaking, your VPN is simply not doing its job. Your online privacy is not protected, and streaming services will be able to detect your true location.

IPv4 leaks are rare, but IPv6 leaks are quite common – especially amongst low-quality VPN services. Only VPNs specifically developed to reroute or block IPv6 traffic will offset this problem.

Surfshark’s kill switch does not stop IP address leaks when changing servers on macOS.

Premium VPNs should include a kill switch to protect your IP address in the event of a connection loss. However, our VPN kill switch testing revealed that many top services still leak your IP address if you change VPN servers while connected.

DNS leaks

DNS leaks occur when your DNS requests are revealed to your ISP’s DNS servers even when connected to a VPN server.

DNS requests are essentially records of the websites you visit when browsing the internet. Normally, this process is carried out by your ISP’s DNS servers, which often log the requests along with your IP address.

In our tests, SuperVPN leaked our DNS requests.

A VPN is supposed to encrypt your DNS queries and route them to its own private DNS servers. This prevents your ISP from monitoring the websites you visit. If your VPN fails to reroute your DNS requests and routes them to your ISP’s default DNS servers instead, it’s called a DNS leak.

To find out which servers your device is using, you can test your DNS servers using our tool.

WebRTC leaks

WebRTC is a browser-based technology that allows audio and video communications to work inside web pages. It’s enabled by default in popular browsers such as Chrome, Firefox, and Opera.

Websites can use your browser’s WebRTC functionality to discover your true IP address, even when you’re using a VPN. If this happens and your true IP address is not blocked by your VPN, it’s known as a WebRTC leak.
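
How a leak test can decide from the browser's ICE candidates whether an address outside the tunnel is visible, as an added example that is not part of the original guide. The function names, the candidate lines and all addresses (documentation and private ranges) are constructed; the VPN exit address is assumed to be known from a separate IP check.

```python
import ipaddress

# Ranges that never identify a subscriber on the public internet. Listed
# explicitly because the constructed sample uses documentation addresses,
# which ipaddress.is_global would also report as non-public.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",  # CGNAT, link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


def parse_candidate(line):
    """Parse one ICE candidate attribute into a dict, or None if malformed."""
    line = line.strip()
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("candidate:"):
        return None
    # foundation component transport priority address port "typ" type [ext ...]
    fields = line[len("candidate:"):].split()
    if len(fields) < 8 or fields[6] != "typ" or not fields[5].isdigit():
        return None
    cand = {"transport": fields[2].lower(), "address": fields[4],
            "port": int(fields[5]), "type": fields[7], "raddr": None}
    extras = fields[8:]  # name/value pairs such as raddr, rport, generation
    for name, value in zip(extras[::2], extras[1::2]):
        if name == "raddr":
            cand["raddr"] = value
    return cand


def classify(address, vpn_exit_ips):
    """Return 'hidden', 'vpn', 'local' or 'leak' for one candidate address."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hidden"  # host candidate replaced by an mDNS name (*.local)
    if ip in vpn_exit_ips:
        return "vpn"
    if ip.is_unspecified or any(ip in net for net in LOCAL_NETS):
        return "local"
    return "leak"


def find_webrtc_leaks(candidate_lines, vpn_exit_ips):
    """List (type, field, address) for every routable non-VPN address seen."""
    vpn = {ipaddress.ip_address(a) for a in vpn_exit_ips}
    leaks = []
    for line in candidate_lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        for field in ("address", "raddr"):
            value = cand[field]
            if value and classify(value, vpn) == "leak":
                entry = (cand["type"], field, value)
                if entry not in leaks:
                    leaks.append(entry)
    return leaks


# Constructed candidates, as a test page would collect them with the VPN on.
SAMPLE = [
    "candidate:1 1 udp 2122260223 3f1c9a52-0d4e-4b7a-9c1e-5a2b7d8e9f10.local 54321 typ host generation 0",
    "candidate:2 1 udp 2122194687 10.8.0.2 54322 typ host generation 0",
    "candidate:3 1 udp 1686052607 203.0.113.80 54322 typ srflx raddr 10.8.0.2 rport 54322 generation 0",
    "candidate:4 1 udp 1686052351 198.51.100.23 61000 typ srflx raddr 192.168.1.20 rport 61000 generation 0",
    "candidate:5 1 udp 2122129151 2001:db8:1234:5678:a1b2:c3d4:e5f6:789 54323 typ host generation 0",
]

if __name__ == "__main__":
    for kind, field, addr in find_webrtc_leaks(SAMPLE, ["203.0.113.80"]):
        print(f"WebRTC leak: {kind} candidate exposes {addr} ({field})")
```

Candidate 4 is a server-reflexive address obtained outside the tunnel, and candidate 5 is a global IPv6 address taken straight from the network interface; both count as WebRTC leaks.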

Which VPN Services Leak Data?

We’ve reviewed over 65 VPNs and tested every individual service for IP, DNS, and WebRTC leaks.

Our testing revealed that some of the most-downloaded VPNs on the Apple and Google app stores leak some kind of user data through DNS or WebRTC. In the table below, you can see some of the most popular culprits.

For an in-depth analysis of over 150 free Android VPNs and their security tests, read our Free VPN Risk Index.

*Leaks detected during testing of Chrome extension.

How to Fix VPN Leaks (IP, DNS, WebRTC, and More)

Investing in a reliable and secure VPN is the simplest and most important decision you can make if you’re concerned about your privacy online.

If you’ve tested your VPN for leaks and found any issues, you can follow the instructions in this section to fix them and stop your VPN from leaking.

If you’re consistently experiencing data leaks with your current VPN service, you should also consider subscribing to a more secure VPN provider.

How to Fix IP Address Leaks

Fixing an IP leak will depend on the type of IP address you’ve been assigned. Generally speaking, the only way to prevent IPv4 leaks is to use a high-quality VPN. By contrast, IPv6 leaks can usually be resolved in your device’s settings.

ExpressVPN offers IPv6 Leak Protection in its Advanced Settings.

Here’s how to prevent IPv4 and IPv6 leaks:

How to Fix IPv4 Leaks

  1. Disconnect and reconnect to your VPN. Make sure the VPN is turned on.
  2. Ensure your web browser isn’t being split-tunneled by your VPN.
  3. Open a new browser window and check your IP address.
  4. If your real IPv4 address is still showing, your VPN simply does not work. You’ll need to find a better VPN service that works to spoof your IP address.

How to Fix IPv6 Leaks

If you’ve been assigned an IPv4 address, and you do not have an IPv6 address, you don’t need to worry about IPv6 leaks.

However, if you do have an IPv6 address that’s being leaked by your VPN, follow these steps:

  1. Make sure that your VPN is turned on.
  2. Ensure your web browser isn’t being split-tunneled by your VPN.
  3. Check your VPN’s settings menu for ‘IPv6 Leak Protection’ and ensure that it is enabled.
  4. Open up a new browser window and check your IP address.
  5. If your real IPv6 address is still showing, you have two choices: find a new VPN or disable IPv6 on your computer.

How to Disable IPv6 on Different Devices

Unless your VPN supports or actively blocks IPv6 traffic, your personal IPv6 address will be exposed if you’re on an IPv6-enabled network.

The majority of VPNs will have no provisions for IPv6 at all and will therefore always leak IPv6 traffic. In this case, you can fix IPv6 leaks by disabling IPv6 on your device altogether and using IPv4 instead.

How to Disable IPv6 on Windows 10

  1. Right-click on the ‘Network’ or ‘WiFi’ icon in your system tray.
  2. Click ‘Open Network & Internet settings’.
  3. Select ‘Change adapter options’.
  4. You will be presented with a list of all your computer’s adapters. Find the one that you’re currently using to connect to the internet. Right-click on it, then click ‘Properties’.
  5. A new window will open with a tab named ‘Network’. Scroll down until you see an option labeled Internet Protocol Version 6 (TCP/IPv6).
  6. Uncheck the box next to it, click OK, and then restart your computer.
  7. Once your computer has rebooted, check to ensure IPv6 isn’t leaking anymore.

How to Disable IPv6 on macOS

  1. Open ‘Finder’ and select ‘Applications’ from the left-hand menu. Open the ‘Utilities’ folder and then open the ‘Terminal’ application.
  2. If you are connected via WiFi, enter this: networksetup -setv6off Wi-Fi, then press Enter.
  3. If you are connected via Ethernet, enter this: networksetup -setv6off Ethernet, then press Enter.
  4. You can then close Terminal and check for IPv6 leaks to make sure the issue is resolved.

How to Disable IPv6 on iOS or Android

You cannot disable IPv6 on iPhone, iPad, or Android devices at the system level. If your VPN app isn’t preventing IPv6 leaks on these devices, you should consider switching to a more secure VPN.

How to Fix DNS Leaks

Your VPN could be leaking DNS requests for a number of reasons. Luckily, there are a few simple ways to fix the most common issues.

Firstly, if you have manually set your device’s DNS to a third-party service like Google’s, then you can ignore any DNS leaks. To double check, use our DNS server test to make sure your device is using the servers you’ve chosen.

If you haven’t manually changed your device’s DNS and your device is still using your ISP’s default servers – even when using a VPN – then your VPN is leaking your DNS requests.
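
The comparison behind the manual before-and-after IP check and the DNS rule above, as an added example that is not part of the original guide. The snapshot dictionaries, the function names and all addresses (documentation ranges) are constructed; comparing IPv6 addresses by /64 prefix is an assumption that covers privacy addresses, which change while the ISP-assigned prefix stays the same.

```python
import ipaddress


def same_ipv6_prefix(addr_a, addr_b, prefix_len=64):
    """True if both IPv6 addresses sit in the same prefix (assumed /64)."""
    network = ipaddress.ip_network(f"{addr_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(addr_b) in network


def find_leaks(baseline, with_vpn, manual_dns=False):
    """Compare a test taken without the VPN against one taken with it.

    Each snapshot is {"ipv4": str|None, "ipv6": str|None, "dns": [str, ...]}
    as reported by an IP/DNS test page. Returns {leak_type: evidence}.
    """
    leaks = {}

    # IPv4: the public address must change once the tunnel is up.
    v4_before, v4_after = baseline.get("ipv4"), with_vpn.get("ipv4")
    if v4_before and v4_after:
        if ipaddress.ip_address(v4_before) == ipaddress.ip_address(v4_after):
            leaks["ipv4"] = v4_after

    # IPv6: only relevant if an IPv6 address was assigned in the first place.
    # An exact string match would miss a rotated privacy address, so the
    # comparison is made on the prefix instead.
    v6_before, v6_after = baseline.get("ipv6"), with_vpn.get("ipv6")
    if v6_before and v6_after and same_ipv6_prefix(v6_before, v6_after):
        leaks["ipv6"] = v6_after

    # DNS: a resolver seen without the VPN and still seen with it is a leak,
    # unless the user deliberately configured a third-party DNS service.
    if not manual_dns:
        before = {ipaddress.ip_address(r) for r in baseline.get("dns", [])}
        after = {ipaddress.ip_address(r) for r in with_vpn.get("dns", [])}
        still_used = sorted(str(r) for r in before & after)
        if still_used:
            leaks["dns"] = still_used
    return leaks


# Constructed test results: VPN off, then VPN on.
BASELINE = {"ipv4": "198.51.100.23",
            "ipv6": "2001:db8:1234:5678:a1b2:c3d4:e5f6:789",
            "dns": ["198.51.100.53", "198.51.100.54"]}
WITH_VPN = {"ipv4": "203.0.113.80",
            "ipv6": "2001:db8:1234:5678:99aa:bbcc:ddee:ff00",
            "dns": ["203.0.113.53", "198.51.100.53"]}

if __name__ == "__main__":
    for kind, evidence in find_leaks(BASELINE, WITH_VPN).items():
        print(f"{kind} leak: {evidence}")
```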

The most effective way to fix these DNS leaks is to switch to a VPN service that maintains its own zero-log DNS servers.

If you don’t want to switch VPN services, you’ll need to follow the instructions below to fix your DNS leaks.

Change Your DNS Settings

If your VPN doesn’t automatically connect to a private DNS server, you’ll have to manually connect to a third-party DNS server. To do this, you will need to change the DNS settings on your device.

We recommend choosing a third-party DNS server that does not reveal your true location, such as Google Public DNS or OpenDNS. Here’s how to do it:

How to Change Your DNS Settings on Windows 10

  1. Right-click on the Network or WiFi icon in your system tray and click Open Network & Internet settings.
  2. Select Change adapter options.
  3. You will be presented with a list of all your computer’s adapters. Find the one you’re currently using to connect to the internet, right-click on it, then click Properties.
  4. The new window will open on the Network tab. There will be one option labeled Internet Protocol Version 4 (TCP/IPv4) and another labeled Internet Protocol Version 6 (TCP/IPv6). Select Internet Protocol Version 4 (TCP/IPv4) then click Properties.
  5. You will see two checkboxes towards the bottom of the window, one labeled Obtain DNS server automatically and one labeled Use the following DNS server addresses. Click on the second option.
  6. The two previously grayed-out text fields should now be white. In the Preferred DNS server field enter 8.8.8.8. In the Alternative DNS server field enter 8.8.4.4. This will set your DNS to Google’s.
  7. If your router is also IPv6 compatible, repeat steps 4-6 but for the Internet Protocol Version 6 (TCP/IPv6) option.
  8. Check your DNS address with your VPN on to make sure the issue is resolved.

How to Change Your DNS Settings on macOS

  1. Open System Preferences then select Network.
  2. A list of network adapters will appear on the left-hand side of the window. The one which is currently in use will have a green dot by it. Select it, then click on Advanced.
  3. Click on the DNS tab. The left-hand side of the window will now show a list of your DNS servers. Click the + icon in the bottom-left-hand corner.
  4. Enter 8.8.8.8 and press the Enter key. This should now have replaced the greyed-out default DNS server that was previously at the top of the list (or the only item in it).
  5. Click the + icon again and enter 8.8.4.4, then press the Enter key. Your DNS will now be changed to Google’s.
  6. Check your DNS address with your VPN on to make sure the issue is resolved.

How to Change Your DNS Settings on iOS Devices

  1. Open the Settings app.
  2. Tap on Wi-Fi, then tap on the ‘i’ symbol next to the network you’re connected to.
  3. Scroll down to the DNS section and tap on Configure DNS. By default, this will be set to Automatic. Tap Manual > Add Server then enter 8.8.8.8, 8.8.4.4 and tap Save.
  4. Check your DNS address to make sure the changes are working properly.

How to Change Your DNS Settings on Android Devices

  1. Open the Settings app.
  2. Tap on Connections > More connection settings > Private DNS.
  3. Check the box next to ‘Private DNS provider hostname’. In the field below, type in dns.google and tap Save.
  4. Check your DNS address to make sure the changes are working properly.

Update Your OpenVPN Version

Some ISPs use a transparent DNS proxy – a ‘middleman’ that captures and redirects web traffic – to make sure your requests are sent to their own servers.

Transparent DNS proxies effectively ‘force’ a DNS leak without notifying the user. Luckily, most leak detection websites and online tools will be able to identify a transparent DNS proxy in the same way as a normal DNS leak.

The latest versions of the OpenVPN protocol have a simple method to tackle this problem:

  1. Find the .ovpn or .conf file for the server you’re trying to connect to. These files will be stored in folders on your machine, usually in C:\Program Files\OpenVPN\. For more information, read the OpenVPN manual.
  2. Once you’ve found it, open the file in an editing program like Notepad. Add: block-outside-dns to the bottom.
  3. Rerun a DNS leak test to check the leak is resolved and find any additional issues.

If you haven’t already, update to the latest version of OpenVPN. If your VPN service doesn’t support this or is using an older version of the protocol, it’s worth looking for a different VPN service.

Fortunately, most premium VPN services have their own solutions for tackling transparent proxies. For more details, contact your provider’s customer support service.
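
The profile edit described in the steps above, done so that it can be repeated safely, as an added example that is not part of the original guide or of OpenVPN itself. The function names and the sample profile are constructed; the script treats a commented-out directive as absent and skips inline blocks such as <ca>.

```python
import re
from pathlib import Path

DIRECTIVE = "block-outside-dns"


def active_directives(config_text):
    """Return the directive names that are actually in effect in a profile."""
    directives = []
    inline_tag = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:
            # Inside an inline block (certificate or key data): not directives.
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue  # blank line or comment
        opening = re.fullmatch(r"<([A-Za-z0-9_-]+)>", line)
        if opening:
            inline_tag = opening.group(1)
            continue
        directives.append(line.split()[0])
    return directives


def ensure_block_outside_dns(config_text):
    """Append the directive at the bottom unless it is already active.

    Returns (new_text, changed).
    """
    if DIRECTIVE in active_directives(config_text):
        return config_text, False
    sep = "" if not config_text or config_text.endswith("\n") else "\n"
    return config_text + sep + DIRECTIVE + "\n", True


def patch_profile(path):
    """Apply the edit to a .ovpn/.conf file; True if the file was modified."""
    profile = Path(path)
    new_text, changed = ensure_block_outside_dns(
        profile.read_text(encoding="utf-8"))
    if changed:
        profile.write_text(new_text, encoding="utf-8")
    return changed


# Constructed profile: the directive is present but commented out.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
;block-outside-dns
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    patched, changed = ensure_block_outside_dns(SAMPLE_OVPN)
    print("directive added" if changed else "already present")
```

block-outside-dns relies on the Windows Filtering Platform, so the directive only has an effect on Windows clients.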

Disable Teredo

Teredo is a built-in feature of Windows operating systems. It’s designed to help IPv4 and IPv6 coexist by allowing IPv6 addresses to be transmitted and understood on IPv4 connections.

However, because Teredo is a tunneling protocol, it can sometimes take priority over your VPN’s encrypted tunnel, causing a DNS leak.

Here’s how to disable Teredo on Windows devices:

  1. Open Command Prompt and type netsh interface teredo set state disabled
  2. Press the Enter key to disable Teredo.
  3. Rerun a DNS leak test to check the leak is resolved and find any additional issues.

You might experience occasional issues with certain websites or servers when Teredo is disabled. That said, it is a much more secure choice for VPN users.

How to Fix WebRTC Leaks

WebRTC leaks are primarily a browser issue. For that reason, fixing WebRTC leaks isn’t always as simple as just subscribing to a good VPN.

If your VPN does offer a ‘Disable WebRTC’ feature, be sure to enable it. Remember that most WebRTC blocking features are found in VPN browser extensions rather than desktop applications.

If you are detecting WebRTC leaks and your VPN doesn’t offer an option to block it, you will need to disable WebRTC in your browser settings.

Here’s how to disable WebRTC in some of the most popular web browsers:

Disabling WebRTC in Google Chrome or Microsoft Edge

You cannot disable WebRTC directly within Google Chrome or Microsoft Edge. In this case, we advise that you either use one of our recommended private browsers or install an extension that does it for you.

Our favorites are WebRTC Leak Prevent and uBlock Origin.

These extensions aren’t always 100% effective, so using a browser that allows you to disable WebRTC is recommended. Here’s how to do it:

How to Disable WebRTC in Mozilla Firefox

  1. Type about:config into your address bar and press Enter. Click the Show All button.
  2. Toggle media.peerconnection.enabled to false.
  3. To disable media devices, toggle media.navigator.enabled to false.
  4. Retest for WebRTC leaks to make sure the issue is resolved.

How to Disable WebRTC in Safari

  1. Open Safari’s settings menu.
  2. Click on the Advanced tab, then check the box labeled ‘show Develop menu in menu bar’.
  3. Click on Develop in the menu bar. Under the WebRTC dropdown option, uncheck Enable Legacy WebRTC API. If this option is grayed out, you don’t need to change anything.
  4. Retest for WebRTC leaks to make sure the issue is resolved.

How to Disable WebRTC in Opera

  1. Type about:config into your address bar and press Enter.
  2. Go to Settings > Advanced > Privacy & security. Scroll down until you see WebRTC.
  3. Check Disable non-proxied UDP and save your changes.
  4. Retest for WebRTC leaks to make sure the issue is resolved.

How to Disable WebRTC in Brave

  1. Open the Brave menu and click Settings > Shields > Fingerprinting Blocking.
  2. Select ‘Strict, may break sites’. If you find that sites you use regularly are adversely affected, you can revert this to the Standard setting.
  3. In the left-hand menu, click Additional Settings > Privacy and security.
  4. Change the dropdown menu option next to ‘WebRTC IP Handling Policy’ to ‘Disable Non-Proxied UDP’.
  5. Retest for WebRTC leaks to make sure the issue is resolved.

How to Fix HTML5 Geolocation Leaks

If you’ve tested for leaks and your real location is still visible on the map, there are two possibilities. One is that your public IPv4 or IPv6 address is still leaking. To fix this, follow the steps outlined above.

If the problem persists, it’s likely that HTML5 geolocation is revealing your true location. This technology determines your location using techniques that can’t be protected by a VPN. For example, it can detect WiFi hotspots near you, or use cellular data to triangulate your longitude and latitude.

To fix these location leaks you need to disable HTML5 geolocation in your browser. You can also use the ExpressVPN browser extension, which has built-in HTML5 leak protection.

Here’s how to do it in the most popular web browsers. Once you’ve followed these steps, make sure you clear your browser’s cache, cookies, and history.

How to Disable HTML5 Geolocation in Google Chrome

  1. Open the Chrome menu, then click Settings.
  2. Scroll down to the Privacy and security section and click Site settings.
  3. Scroll down to Permissions and click on Location.
  4. Ensure that Ask before accessing (recommended) is toggled on.

This won’t disable HTML5 geolocation entirely, but it will give you the choice of enabling or disabling the technology for each individual website you visit.

How to Disable HTML5 Geolocation in Mozilla Firefox

  1. Open Firefox and type about:config into the address bar and press Enter. Click the button labeled Show All.
  2. Type geo.enabled into the search bar and press Enter.
  3. A bar will appear labeled geo.enabled. Double-click it so that it now says false.

How to Disable HTML5 Geolocation in Safari

  1. Click the Safari menu button in the top left-hand corner, then click Preferences.
  2. Click on the Privacy tab, then next to Website Tracking check the box labeled Prevent Cross-site tracking.

How to Disable HTML5 Geolocation in Microsoft Edge

  1. On your Windows PC press Win + A. This will open up the Action Center on the right-hand side of your screen.
  2. Right click on Location and then click Go to Settings.
  3. Scroll down to the Allow apps to access your location section and change the slider to the Off position.
  4. Scroll down further to the Location history section and click Clear.

How to Disable HTML5 Geolocation in Opera

  1. Open Opera and type about:config into the address bar and press Enter.
  2. Click Advanced in the left-hand menu, then click Privacy & security.
  3. Click Site Settings then Location.
  4. Toggle the slider next to Ask before accessing (recommended) to Off.

How to Disable Flash

Flash is outdated and a security risk. It will soon be completely removed from all popular browsers. If our test has told you that Flash is still enabled in your browser, follow these steps to disable it.

To Disable Flash in Google Chrome

  1. Open the Chrome menu, then navigate to Settings > Privacy and security > Flash.
  2. Check that the toggle is in the left-hand position: Block sites from running Flash.

To Disable Flash in Mozilla Firefox

  1. Open the Firefox menu and select Add-ons > Plugins.
  2. Look for Shockwave Flash and select Options.
  3. At the bottom of the next screen, check the box next to Enable Adobe Flash protected mode.

If you have only recently installed the browser for the first time, then Shockwave Flash may not actually be listed as a plugin. In this case, you have nothing to worry about and can ignore steps two and three.

To Disable Flash in Microsoft Edge

  1. Open the Edge menu and click Settings, then click Cookies and site permissions.
  2. Click on the option labeled Adobe Flash.
  3. Toggle the switch under Use Adobe Flash Player to the Off position.

To Disable Flash in Safari

Flash is now disabled by default in Safari. You don’t need to do anything.

To Disable Flash in Opera

  1. Copy and paste opera://settings/content/flash?search=flash into the search bar, then hit Enter.
  2. Make sure that the toggle next to Allow sites to run Flash is set to Off.

How to Fix a Data Center IP

If your IP address has been identified as belonging to a data center, that almost certainly means that your VPN is running. This type of leak won’t necessarily expose your identity, but it will reveal the fact you’re using a VPN.

IP addresses can be identified by the type of connection they’re used for. Your standard home or mobile connection will be labeled as a residential IP address, as you’re a normal person using a normal amount of data.

IP addresses belonging to data centers are easy to identify due to the huge amounts of data that flow to and from them at all times of day. Most VPN IP addresses will fall into this category.

To fix this, simply turn off your VPN or proxy.

How to Fix Torrent IP Leaks (TCP & UDP)

If you use a VPN while torrenting then you need to make sure that your BitTorrent client isn’t leaking your IP address. This is something that can happen even if your VPN is working as intended with other apps and web browsing.

A torrent IP leak can occur from two sources: TCP and UDP. These are the two protocols used when you download a file via torrent, and they can each be fixed in their own unique way.

How to Fix a Torrent TCP IP Leak

Solution 1: Restart your BitTorrent client and re-add the magnet file

One of the most common causes of IP leaks when torrenting is beginning the torrent before connecting to a VPN server. Remove any torrents, close your BitTorrent client, and connect to a VPN server. Re-add the magnet files and retake our test once the VPN is connected and running.

Solution 2: Disable IPv6 or enable IPv6 protection

Some VPNs may only protect IPv4. In this instance, if you have an IPv6 address it can leak.

If your VPN has an option named something like ‘IPv6 Protection’, enable it. Similarly, if it has an option named ‘Disable IPv6’, try that. This will block all IPv6 connections, preventing any possible leaks.

Solution 3: Deactivate any proxy settings in the BitTorrent client

If your BitTorrent client is set to proxy via another device on your local network and that machine isn’t protected by your VPN then there is a chance that your IP address could leak.

Disable the proxy and retake our test – you can usually find proxy settings within your BitTorrent client’s connection settings menu.

How to Fix a Torrent UDP IP Leak

UDP leaks are highly uncommon, and all the solutions above for a TCP IP address torrenting leak can also be applied to fixing UDP IP address torrenting leaks.

While unlikely, there is one other scenario in which your VPN could be leaking your IP address via UDP: if your VPN does not support it. In this instance there is nothing you can do other than change to a better VPN for torrenting.

How to Fix Torrent DNS Leaks

If you experience a DNS leak while torrenting using a VPN, there is an easy solution you can try to fix it.

Before you attempt this solution, make sure that your VPN is running and connected to a server before you open up your BitTorrent client and before you add any torrent magnet files. It’s possible that your client could still use your ISP’s DNS if not.

You should also check that, if it has the option, your VPN is set to use first-party DNS servers. Once you’ve done so, you can attempt to fix the leak by changing your device’s DNS settings.

How to change your default DNS server to a public DNS server

By default, your device will use your ISP’s DNS servers to resolve DNS requests (even those coming from your BitTorrent client). This can result in your ISP identifying the torrent you are downloading. By switching to a public DNS server you can prevent this – we explain how further up the page.

It’s also vital that you still use your VPN while torrenting, even if you follow the above steps.

Preventing VPN Leaks

Once you’ve tested your VPN and fixed any leaks you may have found, it’s worthwhile taking some steps to minimize your chances of leaking data in the future.

To begin with, make sure that you’ve followed any relevant steps outlined above. This includes making sure your VPN blocks or supports IPv6 traffic, disabling Teredo, and if necessary, changing your settings to an independent DNS server.

Afterwards, consider the following steps to reduce your chances of VPN leaks:

1. Block Non-VPN traffic

Some VPN clients include a feature to automatically block any traffic traveling outside the VPN tunnel — often called IP-binding. If your provider has this option, make sure to enable it.

Alternatively, you can configure your firewall to only allow traffic sent and received via your VPN.

2. Invest In VPN Monitoring Software

VPN monitoring software allows you to inspect your network traffic in real time. This means you can check for suspicious traffic and see if a DNS request is sent to the wrong server. Some variations also offer tools for automatically solving DNS leaks.

This software is rarely free, so will add an extra expense on top of your existing VPN subscription. Examples of VPN monitoring software include PRTG Network Monitor and Opsview Monitor.

3. Use a Different VPN

The best VPNs will have IPv6 compatibility, DNS and WebRTC leak protection, the latest version of OpenVPN and the ability to bypass transparent DNS proxies.

A VPN kill-switch is another critical part of your VPN client. It will continuously monitor your network connection and make sure that your true IP address is never exposed in the event of a dropped connection.

If you’re repeatedly suffering from data leaks with your existing provider, it’s probably time to invest in a new VPN service.