Here is the hard truth that the VPN industry is desperate for you not to internalize: a green "Connected" icon in your VPN app means almost nothing. It tells you the encrypted tunnel was established. It does not tell you that every byte of your network traffic is actually flowing through that tunnel. In fact, on a default install of most consumer VPN apps in 2026, at least one of three different leak vectors is actively bleeding your real identity onto the wider internet at this very moment.
This guide is the testing protocol we run on every single VPN before it gets a number on our homepage. No fluff, no marketing, no affiliate-first reasoning. Just the technical checks, the real test URLs, and the precise readings that mean your VPN is broken. Bookmark this page. Run these checks the day you install any new VPN. Run them again every time the app pushes an auto-update.
What you will learn
- The four leak types that actually matter and what each one exposes
- Free, neutral test sites we trust (and the ones we do not)
- Step-by-step DNS leak detection in under 60 seconds
- How to spot a WebRTC leak that bypasses the entire VPN tunnel
- Why IPv6 leaks are silently common in 2026 and how to nuke them
- Traffic correlation, the leak no test site can detect
- What to do the moment you find a leak
The Four Leaks Worth Testing For
Most blog posts on this topic stop at "DNS leak" and call it a day. That is wildly insufficient in 2026. Here is the full landscape, ordered by how often each one actually betrays real users in production.
| Leak Type | What it exposes | How common in 2026 |
|---|---|---|
| DNS leak | Every domain you visit, plus your ISP identity | Very common |
| WebRTC leak | Your real local IP via browser JavaScript | Extremely common in Chrome / Firefox |
| IPv6 leak | A second, parallel real IP address with full geolocation | Common on US fiber and EU broadband |
| Traffic correlation | Your activity matched by timing, not IP | Rare, but devastating when it happens |
Step 1: Establish a Clean Baseline
Before you connect to anything, you need to know what your real, exposed-to-the-world fingerprint looks like. Otherwise you have no way to tell what changed once the VPN comes up.
Open a fresh browser window with the VPN off. Visit ipleak.net. Write down or screenshot the following five values exactly:
- Your IPv4 address (the big number at the top)
- Your IPv6 address if one is shown
- Your ISP name (Comcast, Spectrum, BT, Vodafone, and so on)
- The DNS resolver hostnames listed under "DNS Addresses"
- The geolocation city pin on the map
This is your "before" picture. Every single one of those five values must change once the VPN is connected. If even one stays the same, you have located a leak.
Step 2: The DNS Leak Test
DNS leaks are the most common and most damaging because they expose your full browsing history to your ISP even while your traffic looks encrypted on the wire.
What is actually happening
Every time you type a URL, your computer needs to translate that human name into a numeric IP address. That translation request is called a DNS query. By default, your operating system sends DNS queries to whatever DNS server your ISP gave you on connection. A correctly working VPN forces all DNS queries to go through the tunnel and get resolved by the VPN provider's DNS servers instead.
When this fails, your traffic body still goes through the encrypted tunnel, but the lookup queries leak out the side. Your ISP cannot read the page contents but they can see the full list of every domain you visit. For most threat models, that is functionally identical to having no VPN at all.
The 60-second test
- Connect your VPN to any server. We recommend a country far from your real location for maximum contrast.
- In a fresh browser tab, open dnsleaktest.com and click "Extended test."
- Wait for the results. Look at the rightmost column titled "ISP."
- If you see your real ISP name there (the same one you noted in Step 1), the DNS is leaking. Period.
- If every row shows the VPN provider's name (NordVPN, IPVanish, Mullvad) or a neutral resolver like Cloudflare or Quad9, you are clean.
A common false-pass: many ISPs in the US and UK route DNS queries through their own copy of Cloudflare or Google DNS. If you see "Cloudflare" or "Google" in the result list, do not assume you are safe. Compare to your baseline. If you saw the same Cloudflare entries before connecting the VPN, the resolver path itself never changed and the VPN is not capturing DNS at all.
If the DNS test fails
Open your VPN client settings and look for an option labeled "Use VPN provider DNS," "Custom DNS," or "DNS leak protection." Some clients call it "Force VPN DNS." Enable it. Reconnect. Re-test. If your VPN does not even offer this toggle, that is a hard signal to switch providers immediately.
Step 3: The WebRTC Leak Test
WebRTC is a real-time communication protocol that web browsers use for video calls, peer-to-peer file sharing, and voice apps. It also has a very inconvenient habit of exposing your real local IP address to any website that asks for it, completely bypassing your VPN tunnel.
Why this is sneaky
WebRTC was specifically designed to work with NAT traversal. To make peer connections work behind a router, browsers query something called STUN servers and report back every IP address the local machine has. Both your private LAN address (192.168.x.x) and your real public IP get gathered and exposed to JavaScript on the page. A tracking script can read this in milliseconds without user permission.
Even worse, this happens at the browser layer, not the network layer. The VPN tunnel never even sees the request because it never leaves the browser process to be routed.
How to test
- With VPN connected, visit browserleaks.com/webrtc.
- Look at the "Public IP" row.
- If you see your real IPv4 from Step 1 anywhere, you are leaking through WebRTC. The fact that the VPN icon is green is irrelevant.
How to fix it
WebRTC leaks are almost never fixed by the VPN itself. They are fixed at the browser. Three options, ordered by reliability:
- Brave Browser: Brave ships with WebRTC IP handling set to "default public interface only" out of the box. This is our default recommendation for general privacy browsing.
- Firefox config flag: Type
about:configinto Firefox, search formedia.peerconnection.enabled, and set it to false. WebRTC is now disabled. Video calling apps will break, but tracking is closed. - Browser extension: uBlock Origin in advanced mode lets you block WebRTC entirely. Ironically, the official "WebRTC Leak Prevent" extensions for Chrome are often less reliable than just switching browsers.
Step 4: The IPv6 Leak Test
This is the leak everyone forgets about, and it has gotten dramatically more common as IPv6 deployment has accelerated. By 2026, around 45 percent of US residential connections and 60 percent of mobile connections in the EU use IPv6 by default. If your VPN was last seriously updated before 2022, there is a real chance it never properly handled this.
What goes wrong
Your computer might have both an IPv4 and an IPv6 address. The VPN tunnels the IPv4 traffic perfectly. But when a website is reachable via IPv6 (most modern sites are), your operating system prefers IPv6 and sends the request directly through your real network interface, with your real IPv6 address attached. The VPN never sees this traffic. Your ISP and the destination website both see your real, geolocatable IPv6 address while the VPN icon happily shows green.
How to test
- With VPN on, visit test-ipv6.com.
- Look at the "Your IPv6 address" line.
- If a value appears there and it matches your baseline IPv6 from Step 1, you are leaking.
- Cross-check at ipleak.net in the IPv6 row.
The two clean fixes
Either your VPN tunnels IPv6 too, or it must block all IPv6 traffic at the operating system level so it cannot escape unencrypted. Most premium providers in 2026 do the second. Look for a setting called "Block IPv6," "IPv6 leak protection," or simply "Disable IPv6 outside tunnel." Enable it. If your VPN does not offer this, you can manually disable IPv6 on your network adapter as a last resort, but you lose the IPv6 benefits for the rest of your usage.
Step 5: Traffic Correlation, the Leak You Cannot Test
Even with all four leaks above plugged, a sufficiently motivated adversary can still deanonymize you using nothing but timing analysis. This is called traffic correlation, and no test site can detect it because the leak is not in your machine. It is in the network as a whole.
How it works
Imagine the FBI suspects you posted something at exactly 14:32:07 from a Surfshark IP. They cannot read the contents of your tunnel, but they can ask your ISP for connection metadata: at 14:32:07, who in this metro area was sending a 4 KB packet to a Surfshark server? If only one person matches, that is you. The encryption was perfect. The timing was the leak.
Real defenses against correlation are limited:
- Multi-hop / double VPN: Your traffic exits one VPN server and re-enters a second one in a different country. Correlation now requires cooperation between two ISPs in two jurisdictions, which is dramatically harder.
- Tor over VPN: The Tor network adds three random hops with intentional latency and packet padding. Correlation becomes statistically impractical for most threat models.
- Always-on connection: If you stay connected 24 hours a day with constant background traffic, individual sessions become impossible to isolate.
If your threat model includes nation-state adversaries, a single VPN is not enough no matter how perfect the leak protection. You need Tor in addition to or instead of a VPN. For the other 99 percent of users (avoiding ISP profiling, geo-blocking, public Wi-Fi snooping, copyright trolls), a properly configured premium VPN that passes all four leak tests above is genuinely sufficient.
Tools We Trust (and Tools We Do Not)
The leak-test space is overrun with sites operated by the very VPN companies whose products you are trying to test. Some of them quietly mark "no leak detected" even when one is present, just to keep the install conversion rate up. We have caught at least four major brands doing this in the last 18 months.
Trust
- ipleak.net (operated by AirVPN, but with public source code and reproducible results)
- browserleaks.com (independent, has been around since 2014)
- dnsleaktest.com (independent, donation-supported)
- test-ipv6.com (operated by Comcast, but technically neutral)
Use with extra care
- Any leak test hosted on a VPN provider's own domain. Always cross-check with one of the neutral sites above before believing a clean result.
- Tests that require you to install a browser extension before running. The extension itself can fake the result.
What to Do When You Find a Leak
- Disconnect immediately. Do not keep browsing while leaking. Whatever damage is being done is being recorded right now.
- Open the VPN settings and enable every leak protection toggle available: kill switch, DNS leak protection, IPv6 block, WebRTC handling.
- Reconnect and re-run the full test from Step 1.
- If the leak persists, switch protocols inside the app. WireGuard is generally the most leak-resistant; older OpenVPN UDP setups sometimes have race conditions on connect.
- If it still persists, the VPN is broken. Cancel within the refund window and try one of the providers we have actually verified in our top three.
The 30-second weekly check we run. Connect VPN, open ipleak.net in one tab and browserleaks.com/webrtc in another, glance at both, done. If you do this once a week you will catch every silent regression that auto-updates can introduce. Most users never check after the first install. Most users are leaking right now.
The Verdict
Trusting a VPN icon is exactly like trusting a "Secure" padlock in the address bar without ever checking the certificate. The icon means the handshake completed. It says nothing about whether your traffic is actually behaving the way you think it is. Run the four tests. Re-run them after updates. Do not assume a brand name with a billion-dollar marketing budget guarantees a clean install. Some of the worst leakers we have ever found are the household names you see on every YouTube ad break.
The good news: once you have a VPN that passes every test, the maintenance burden drops to near zero. The first install is the dangerous moment. After that, a 30-second weekly check is all the discipline real anonymity requires.