What are VPN Leaks and how do you fix them?
You need a VPN, but what if your VPN isn't protecting you as you need it to?
Most people who use VPNs do so in order to hide from prying eyes. There are times, however, when the VPN is secretly leaking your details to your internet service provider and to other third parties.
A VPN leak is defined as an event in which a piece of information — such as your IP address, or the DNS queries for the site you are visiting — is accessible outside the encrypted tunnel that is the VPN. For example, if your VPN client has a DNS leak, searching in Google will tell your ISP that you are visiting the site, even if it cannot tell what you’re doing there. If you have an IP leak, on the other hand, Google will see your original IP address even if you’re using a VPN.
VPN leaks come in different forms, but they can all be traced to security loopholes that come from bugs and other kinks in the security protocols. Even though VPNs are advanced systems, they are also prone to issues that need patching up. Technologies change and evolve, causing potential problems along the way. The best VPN services can see and address these issues even before they arise. Or, they can see the issue the moment it manifests, and roll out an emergency fix. If that’s the case, you have nothing to worry about — your privacy is secured.
But the VPN industry is not a level playing field, and there are services that are slower in patching things up. Worse, there are some that don’t even bother about routine checks and fixes. So before you dive headfirst into a multi-year VPN subscription, it’s important to test at regular intervals whether or not your preferred service is leaking your private details.
How to Check for VPN Leaks
Checking for VPN Leaks isn’t so hard — all you have to do is to follow these steps:
1. Get your regular IP address without VPN turned on. You can do this by going to any IP checker, such as this one. You will see the IP address any third person would see if they snoop around your connection while you’re not connected to a VPN. Note the string of numbers.
2. Go to a leak test website. Still with your VPN turned off, go to an IP leak test website, such as this one. This should show you the same IP address as the one you saw earlier.
The DNS entry under DNS Address Detection should match the DNS settings of your device — take note of the address as well. This will be your benchmark.
The leak test website linked above doesn’t screen for IPv6 leaks (more on this later), so you may want to use a different tool such as this one. List down the numbers you see again.
3. Connect to your VPN, and check the leak test websites again. Fire up your VPN client, wait for it to successfully connect, and check both leak test websites once more. If you are getting results that are totally different from your prior results, congratulations! Your VPN is working as it should! Even if this is the case, it’s important to check your VPN a few more times at different times of the day just to be sure.
If you’re seeing your own details, however, you’re in a bit of a tight spot. At the very least, prying eyes can identify where you’re from, which for some defeats the entire purpose of using a VPN. What can you do? Read on and find out!
Note that if you’re seeing your exact same IP address in the leak test sites even if you’ve already turned your VPN on, then that’s not a leak — the dam has burst, and your VPN provider isn’t encrypting your data at all! It’s time to shop for a new provider, or at least contact your current provider’s support line. There’s still the chance something’s wrong with your settings that cause the VPN to malfunction.
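The comparison in steps 1 to 3 can be written down as a small script. This is an added example, not part of the original article: the function name, the finding labels and the sample readings are assumptions, and the readings are constructed values that you would replace with what the leak test sites show you.

```python
import ipaddress

def classify_leaks(baseline, with_vpn, chosen_dns=()):
    """Compare leak-test readings taken without and with the VPN connected.

    Each reading is a dict with keys "ipv4", "ipv6" (string or None) and
    "dns" (list of resolver addresses the test site reported).
    chosen_dns: resolvers you configured yourself (e.g. a public DNS service).
    Returns a sorted list of findings; an empty list means nothing leaked.
    """
    def norm(addr):
        # Normalise so "2001:DB8::1" and "2001:db8:0:0::1" compare equal.
        return str(ipaddress.ip_address(addr)) if addr else None

    findings = []
    base_v4, vpn_v4 = norm(baseline["ipv4"]), norm(with_vpn["ipv4"])
    base_v6, vpn_v6 = norm(baseline["ipv6"]), norm(with_vpn["ipv6"])

    if base_v4 and base_v4 == vpn_v4:
        findings.append("ip-leak")      # same IPv4 address with the VPN on
    if base_v6 and base_v6 == vpn_v6:
        findings.append("ipv6-leak")    # IPv6 still shows the real address

    base_dns = {norm(a) for a in baseline["dns"]}
    manual = {norm(a) for a in chosen_dns}
    for resolver in {norm(a) for a in with_vpn["dns"]}:
        if resolver in manual:
            continue                    # your own choice of resolver: false positive
        if resolver in base_dns:
            findings.append("dns-leak") # a benchmark resolver is still answering
            break
    return sorted(findings)

# Constructed readings (documentation address ranges, not real hosts).
BASELINE = {"ipv4": "198.51.100.23", "ipv6": "2001:db8:1::5",
            "dns": ["198.51.100.1", "198.51.100.2"]}
VPN_OK = {"ipv4": "203.0.113.77", "ipv6": None, "dns": ["203.0.113.53"]}
VPN_V6_DNS = {"ipv4": "203.0.113.77", "ipv6": "2001:DB8:1:0::5",
              "dns": ["203.0.113.53", "198.51.100.2"]}

if __name__ == "__main__":
    for label, reading in [("ok", VPN_OK), ("leaky", VPN_V6_DNS)]:
        print(label, classify_leaks(BASELINE, reading))
```

Run it again with readings taken at different times of the day, as the steps above suggest; one clean result does not rule out an intermittent leak.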
The Different Types of VPN Leaks
If you find a leak, it’s helpful to understand its many different forms. There are 5 types of VPN leaks you should know about.
Let’s start with the worst and rarest type of leak, where you see your real, naked IP address when you go to the leak test site. True leaks of this kind are pretty rare, and as mentioned above, it’s more likely that you have a non-functioning VPN.
You can try going through your VPN’s recommended troubleshooting, but if you’re absolutely certain that there’s nothing wrong then it may be better to look through the reviews on our site for better VPNs.
IPv6 is the next generation internet protocol, which came about for a simple reason — there are now so many internet-connected devices that we’ve run out of IPv4 addresses!
Not many VPN companies support traffic passing via IPv6. This is where the leak arises — if your ISP gives you both an IPv4 address and an IPv6 one, and the VPN service only supports IPv4, only the IPv4 traffic will be encrypted. The IPv6 traffic then passes outside the VPN tunnel unprotected, becoming a leak.
A DNS leak is what happens when your device sends a lookup request (a “DNS query”) for a website, and that request passes outside the VPN tunnel. This results in the query going to your ISP instead. If the VPN is working properly, all your queries should go through the service’s own DNS servers.
DNS leaks can happen for various reasons. There are even times when DNS leaks are false positives, occurring after you manually set your device DNS. There are many apps allowing easy access to this setting. Many change their DNS to known faster ones, such as that of Google or Cloudflare. If you’ve done this, then there’s no problem should your VPN leak your DNS.
Sometimes DNS leaks are connected to IPv6 leaks, since DNS queries made via IPv6 cannot be encrypted by an unsupported VPN provider. Sometimes it’s a network configuration issue. Even worse, maybe your VPN provider does not have its own DNS server, which is a sure sign you should shop around for a more reliable VPN company.
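To see how a network configuration issue or an unsupported IPv6 path turns into a DNS leak, the sketch below picks the interface each resolver is reached through, using the same longest-prefix rule a routing table applies. It is an added example, not from the original article: the interface names (`tun0`, `eth0`), the route list and the resolver addresses are constructed assumptions.

```python
import ipaddress

def egress_interface(routes, destination):
    """Longest-prefix match: return the interface a packet to `destination` leaves by.

    routes: list of (prefix, interface) pairs, e.g. ("0.0.0.0/0", "eth0").
    Returns None when no route of the right address family covers it.
    """
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == dest.version and dest in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def resolvers_outside_tunnel(routes, resolvers, tunnel_iface):
    """Return the resolvers whose queries would not travel through the tunnel."""
    return [r for r in resolvers if egress_interface(routes, r) != tunnel_iface]

# Constructed routing table for a full-tunnel IPv4 VPN with no IPv6 support.
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # original default route via the ISP
    ("0.0.0.0/1", "tun0"),        # two /1 routes override the default
    ("128.0.0.0/1", "tun0"),      #   and send IPv4 traffic into the tunnel
    ("192.168.1.0/24", "eth0"),   # home LAN stays on the physical interface
    ("203.0.113.10/32", "eth0"),  # the VPN server itself (constructed address)
    ("::/0", "eth0"),             # IPv6 default route: never enters the tunnel
]

# Constructed resolver list: VPN resolver, a public resolver, the home
# router's DNS forwarder, and an IPv6 resolver handed out by the ISP.
RESOLVERS = ["10.8.0.1", "8.8.8.8", "192.168.1.1", "2001:db8::53"]

if __name__ == "__main__":
    for r in RESOLVERS:
        print(r, "->", egress_interface(ROUTES, r))
    print("leaking:", resolvers_outside_tunnel(ROUTES, RESOLVERS, "tun0"))
```

In this constructed table the VPN's resolver and the public resolver both go through `tun0`, while the router's forwarder on the LAN and the IPv6 resolver are reached over `eth0`, in plain view of the ISP.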
Sometimes, the issue is with your host device. Windows can be especially prone to DNS leaks, due to some of its features. There’s SMHNR, or the Smart Multi-Homed Name Resolution feature, which causes your device to connect with the fastest available DNS server. This is most likely your ISP’s server, however. Then there’s Teredo, which is a Windows tunneling protocol that gives both IPv6 and IPv4 compatibility. This can result in DNS leaks, however, since Teredo can force the machine to choose it over the VPN tunnel.
Finally, it’s possible to have DNS leaks due to third-party interference. Some ISPs use a “transparent DNS proxy”, which is a server that intercepts your queries on their way to a different DNS server (i.e., your VPN’s). The worst case scenario is when hackers or other malicious elements have taken over your device, and are forcing your queries to go through their own DNS server.
WebRTC is a system that allows web browsers and similar applications to communicate over the internet by means of voice and video. It’s the project that allowed you to start making video calls using your browser! RTC stands for Real Time Communication, and it was a leap forward in terms of technology and accessibility. As with most new frontiers, however, it brought its own slew of security risks.
WebRTC is made so that it can bypass VPN tunnels, therefore allowing the ISP to see where you’re connecting to as you make your call. This isn’t so bad by itself, except that it makes it very easy for malicious elements to de-anonymize your connection and harvest your information. It doesn’t help that WebRTC is available on all major browsers. Thankfully a few privacy-conscious browsers have this turned off by default.
This is the simplest type of leak, and the least worrying. Simply, a traffic leak happens when the VPN service suddenly disconnects for whatever reason. It may be the VPN going down, or it may be your device being unable to maintain the strain that the encryption protocol gives it. It’s like having the tunnel disappear suddenly while your connection is en route, leaving the content out there for your ISP to see.
This doesn’t happen very frequently if you have a good VPN provider, whose client is lean and adaptive, and optimized to always select the best server for you. Even in the unlikely event that this server goes down, a good VPN client should have a kill-switch that causes your internet connection to go down along with it — this will disrupt all traffic, leaving no trace of your connection once the VPN tunnel goes down.
Fixing VPN Leaks
If jumping ship to another VPN isn’t to your taste (especially if you already have a reputable VPN provider) then you might want to try your hand at some of the basic troubleshooting steps for VPN leaks. A few are more technical than others, which is why we have put them in another post, so as not to make this one too long. While we try to explain everything in as non-technical terms as possible, a reminder is still in order — if you do not understand what an option does, think twice before fiddling with it and making any changes!
As mentioned earlier, these are the easiest to fix. Here are the things you should watch out for to make sure your basic IP address isn’t spilling out from the VPN tunnel.
- Make sure the VPN connection is turned on, and has properly connected without any errors.
- Make sure split-tunneling isn’t turned on, and if it is, it’s not splitting any unwanted apps like your browser.
- Make sure your VPN server isn’t having any technical issues at the moment. A good VPN app should be able to filter out malfunctioning servers, or at least have an announcement up regarding any server issues.
If your IP address is still leaking, then it’s highly possible your VPN is a scam! Try our reviews to see if you can find a better one. And yes, we check for leaks, too!
An incompatibility between your ISP and your VPN may be causing an IPv6 leak. First, do the same things as you would with an IPv4 leak. If that does not help, you might have to try disabling IPv6 on your device.
Note that for the best computer experience, disabling IPv6 is NOT recommended. The only time IPv6 should be disabled is if it causes leaking issues with your VPN, and even then this is a last resort.
Here are links to our posts about disabling IPv6 on various devices:
Note that you cannot disable IPv6 on mobile devices (either Android or iOS), since they are fixed at a system level. Android experts may be able to do so after rooting their phone, but this is never recommended as it can introduce many more privacy problems than it solves. If you’re experiencing an IPv6 leak on your mobile device, it’s best to just shop around for a different VPN provider.
The best way to prevent DNS leaks is to get a VPN provider that has its own no-log DNS servers. This way, your DNS queries are forced to go through these servers instead of any publicly-available alternative. If this is off the table, you can try to patch up the leak by switching your settings so the device uses a reputable third-party server such as the aforementioned Google Public DNS. Doing this allows your VPN to still tunnel your queries instead of letting them leak to your ISP.
Here are instructions to change your DNS Settings for different devices:
- Change DNS settings on Windows
- Change DNS settings on MacOS
- Change DNS settings on Android
- Change DNS settings on iOS
If your ISP uses a transparent proxy, the issue might be a tad more complicated to fix. A transparent proxy snatches your DNS queries and forces them to go through the ISP’s servers, thereby forcing a leak.
The best way to fix this type of vulnerability is to make sure you have the latest version of the OpenVPN protocol (assuming your VPN uses this encryption protocol). For instructions on editing your OpenVPN protocol config file, click here.
Finally, if you’re on Windows, you might want to try disabling the built-in Teredo feature. You can find instructions to do that here.
In 2014, the Heartbleed bug shook the world of online security. This vulnerability was able to break past the security afforded by VPNs, exposing the VPN user’s identity. This was followed by the discovery of a vulnerability that allowed malicious elements to use a web browser feature to see the user’s original IP address.
That feature is part of the WebRTC protocol. Many claim that WebRTC isn’t completely safe until this very day, and VPN users should especially beware.
Various VPN clients offer an express feature that allows you to disable WebRTC on your device globally. If your client does not allow for this, you may be able to disable WebRTC through your browsers instead. Click on this link for instructions!
Preventing VPN Leaks
Now that you know all about VPN leaks and how to fix them, it’s time to find out how you can prevent them from occurring in the first place.
1. Use IP-Binding. IP-binding is a special feature available in some VPN services. This blocks all traffic travelling outside the VPN connection. Make sure to turn this on.
If you fancy a more technical solution (ideal if your VPN does not have IP-Binding), you may try configuring your device firewall instead. It is possible to edit the firewall settings so that it will only allow traffic that is sent and received through your VPN.
Be VERY careful about this, though, as this may mean you cannot connect to the internet if your VPN goes down! The best option is to download a firewall management app for your OS, and edit the settings from there. This can take a little trial and error since some apps offer easier profile editing than others. Easy profile-switching is also important, so you can allow non-VPN traffic in case the server goes down. You can check different firewall apps and compare their features, then follow their documentation to set your VPN as the only means into and out of your device.
2. Use a Kill-Switch. We’ve already discussed the value of a kill-switch, and it’s one good reason why you should invest in a top-notch VPN that has this feature. This way, you won’t be caught dead with your IP naked even when your VPN access goes down.
3. Go for VPN monitoring software. This may be an extra cost, but if you’re serious about your privacy, it’s a must. It may be overkill for regular users, but those who can only live in anonymity would need this.
VPN monitoring software allows you to see the status of your network in real time. This tells you at a glance which servers your DNS queries are going to, and it even helps you fix DNS leaks on the spot.
Of course, when all else fails, it may be time to quit your current VPN provider! It’s best to do the leak tests before you commit to a long-term subscription, but if you got caught in the middle of a bad bargain you may want to call up your VPN’s customer support to ask for a refund. Then, look around our site for reviews to see which alternatives are best suited to your individual needs!