Top10VPN is editorially independent. We may earn commissions if you buy a VPN via our links.
What Are VPN Leaks, and How Do You Fix Them?
JP Jones
JP Jones is our CTO. He has over 25 years of software engineering and networking experience, and oversees all technical aspects of our VPN testing process. Read full bio
A VPN leak can expose your IP address, DNS requests, and browsing activity to your ISP or anyone else monitoring your internet connection, putting your internet privacy at risk. Find out how to check for VPN leaks such as DNS, IPv6 and WebRTC, and what you can do to stop them to secure your internet traffic.
Your VPN could be leaking your IP address, DNS requests or location and you wouldn’t even know it without running a leak test.
A VPN leak is a security flaw that can expose your real IP address or online activity. They often occur in low-quality VPN services, or due to incorrect configuration.
The most common types of data leaked by VPN services include your IP address, DNS address, and WebRTC data.
If your VPN is regularly leaking, you can follow the instructions in this guide to fix it, or consider switching to a better VPN service.
Why Trust Us?
We’re fully independent and have been reviewing VPNs since 2016. Our advice is based on our own testing results and is unaffected by financial incentives. Learn who we are and how we test VPNs.
What Are VPN Leaks?
A VPN leak is a security flaw that exposes your IP address, DNS requests, or other personally identifying information to any third party monitoring your internet connection.
When a VPN is described as “leaking,” it means that a portion of your traffic is traveling outside the encrypted tunnel, failing to hide your public IP address and encrypt your internet traffic. This is a fundamental failure, as it exposes your identity and internet activity.
In our testing, we’ve found DNS leaks are the most common but other types of VPN leak include IP leaks (including IPv6 leaks) and WebRTC leaks.
An IP (Internet Protocol) address is an identifier for devices connected to the internet or a local network, allowing them to locate and communicate with one another.
IP addresses also help determine a device’s geographical location.
An IP leak occurs when your VPN service fails to mask your real public IP address with one of its own, posing a serious privacy risk as any websites you visit will be able to see your true location and potentially identify you.
There are two types of IP address, IPv4 and IPv6, and either can leak.
While IPv4 leaks are much less common than IPv6 leaks, our recent findings show that as many as 15% of free Android VPNs suffered IPv6 leaks compared to just 3% for IPv4.
Screenshot of leak test tool results showing that uVPN has an IPv6 leak.
Unless your VPN software has built-in IPv6 leak protection, the only way to stop this kind of leak is by disabling IPv6 traffic on your device. Unfortunately, this is not possible on iOS and Android.
IPv6 leaks are equally as dangerous as IPv4 leaks. Websites will have access to your real location, and your ISP will be able to track your internet history.
Surfshark’s kill switch does not stop IP address leaks when changing servers on macOS.
Premium VPNs should include a kill switch to protect your IP address should your connection unexpectedly drop. However, our VPN kill switch tests revealed that many top services still leak your IP address if you change VPN servers while connected.
DNS (Domain Name System) is often described as the phonebook of the internet. It translates domain names into IP addresses which a browser needs to load internet resources, such as websites.
Whenever you visit a website your browser sends a query to a DNS server, which looks up the IP address associated with the domain name. It will then communicate with that IP address and request the website.
The same thing happens when you use Netflix or any other app that connects to the internet.
Normally, this process is carried out by your ISP’s DNS servers, which often log the requests along with your IP address.
A VPN is supposed to encrypt your DNS queries and route them to its own private DNS servers.
In our tests, SuperVPN leaked our DNS requests.
The most common type of DNS leak occurs when your VPN fails to reroute your DNS requests and instead routes them to your ISP’s default DNS servers, or those of another third party without your consent.
To find out which servers your device is using, you can test your DNS servers using our tool.
Many VPNs will use DNS servers operated by Google, Cloudflare or OpenDNS by default. Over half (57%) of free Android VPNs do this for example, our tests showed.
While configuring your VPN to use these public DNS servers can be a solution to a DNS leak, your VPN should not default to this behavior as it exposes your internet activity to a third party without your knowledge.
Some VPNs also leak DNS requests outside of the tunnel, leaving them exposed to your ISP or anyone else monitoring your internet traffic.
Wireshark screenshot of network traffic capture from Private VPN showing DNS requests leaking outside the tunnel.
In the Wireshark capture above, the Private VPN Android app is leaking DNS requests for the Top10VPN website. We found almost one in ten (9%) of free Android VPNs exposed DNS requests in this way.
The screenshot also reveals that this VPN also leaks numerous DNS requests to ad tracking domains, such as td.doubleclick.net. We found that the majority of free Android VPNs leaked these kinds of requests and while they don’t reveal any information about you, they do indicate that the VPN is improperly configured and not completely trustworthy.
Other risks arising from DNS leaks include exposure to DNS poisoning, where an attacker manipulates DNS responses to redirect you to malicious websites or intercept your traffic.
Why do DNS leaks happen?
VPN service issues: some VPNs may have misconfigured DNS settings at their end or they don’t operate their own DNS servers.
Incorrect user settings: software updates on your device or manual changes to your network settings can cause it to use the wrong DNS servers.
Third-party software: Other apps installed on your device may alter your DNS settings without you realizing.
ISP DNS redirection: Your ISP may be redirecting DNS queries, potentially bypassing your preferred configuration.
Malware: Malware can change your device’s DNS settings and redirect DNS queries to malicious servers.
DNS spoofing: A cyberattacker can intercept DNS queries and return false responses.
WebRTC (Web Real-Time Communication) is an open-source technology that allows web browsers and mobile apps to communicate in real-time, enabling features like video conferencing, voice calling, and peer-to-peer file sharing without the need for plugins or additional software.
It’s enabled by default in popular browsers such as Chrome, Firefox, and Safari.
WebRTC leaks occur when a VPN fails to prevent a user’s IP address and other identifying information from being exposed to websites and third parties, which happens because of the way WebRTC technology establishes direct peer-to-peer connections.
Almost one in five (18%) of free Android VPNs suffered WebRTC leaks, our tests revealed.
We’ve reviewed over 62 VPNs and tested every individual service for IP, DNS, and WebRTC leaks.
Our testing revealed that some of the most-downloaded VPNs on the Apple and Google app stores leak some kind of user data through DNS or WebRTC. In the table below, you can see some of the most popular culprits.
*Leaks detected during testing of Chrome extension.
We also recently tested 100 of the most popular free Android VPNs and were shocked to discover that 88 of them were leaking. DNS leaks were the most common — exposing 83 VPNs’ internet traffic — but 17 apps suffered multiple VPN leaks.
Donut chart showing percentage of free Android VPN apps affected by different types of VPN Leaks.
For an in-depth analysis of the 100 most popular free Android VPNs and their security tests, read our Free Android VPN Security Flaws research report.
How to Fix VPN Leaks (IP, DNS, WebRTC, and More)
Investing in a reliable and secure VPN is the simplest and most important decision you can make if you’re concerned about your privacy online.
If you’ve tested your VPN for leaks and found any issues, you can follow the instructions in this section to fix them and stop your VPN from leaking.
If your current VPN consistently suffers data leaks, you should also consider subscribing to a more secure VPN provider.
1. How to Fix IP Address Leaks
Fixing an IP leak will depend on the type of IP address you’ve been assigned. If your VPN is genuinely leaking your IPv4 address, the only solution is to change your VPN provider, although there are a couple of simple things you should check before making the switch.
IPv6 leaks, however, can usually be resolved in your device’s settings.
ExpressVPN offers IPv6 Leak Protection in its Advanced Settings.
How to Fix IPv4 Leaks
Disconnect and reconnect to your VPN. Make sure the VPN is turned on.
If your real IPv4 address is still showing, try the following steps before switching VPN providers:
Ensure your VPN software is up to date.
Check for any software conflicts, such as other VPNs or proxy services running simultaneously.
Contact your VPN provider’s support for assistance.
How to Fix IPv6 Leaks
If you’ve been assigned an IPv4 address, and you do not have an IPv6 address, you don’t need to worry about IPv6 leaks.
However, if you do have an IPv6 address that’s being leaked by your VPN, follow these steps:
Make sure that your VPN is turned on.
Ensure your web browser isn’t being split-tunneled by your VPN.
Make sure you are using a VPN protocol that can handle IPv6 traffic, such as Wireguard or properly-configured OpenVPN.
Check your VPN’s settings menu for ‘IPv6 Leak Protection’ and ensure that it is enabled.
Open up a new browser window and check your IP address.
If your real IPv6 address is still showing, you have two choices: find a new VPN or disable IPv6 on your computer.
How to Disable IPv6 on Different Devices
As most VPNs offer neither IPv6 support nor the option to block it, you will need to disable IPv6 traffic on your device and use IPv4 instead in order to fix a leak.
How to Disable IPv6 on Windows 11
Right-click the ‘Network’ or ‘WiFi’ icon in your system tray and select ‘Network and Internet settings’.
Click ‘Advanced network settings’.
Under ‘Related settings’, click ‘More network adapter options’.
Right-click your current internet adapter and select ‘Properties’.
In the ‘Networking’ tab, uncheck ‘Internet Protocol Version 6 (TCP/IPv6)’, click ‘OK’, and restart your computer.
After rebooting, verify that IPv6 is no longer leaking.
How to Disable IPv6 on Windows 10
The steps for Windows 10 are very similar to Windows 11, although the names of some of the options are a little bit different.
In Step 4, for example, look for ‘Change Adapter Options’.
How to Disable IPv6 on macOS
There are two ways to disable IPv6 on macOS:
Via System Preferences:
Open ‘System Preferences’ from the Apple menu.
Click ‘Network’, select your network connection, and click ‘Advanced’.
In the ‘TCP/IP’ tab, set ‘Configure IPv6’ to ‘Off’ or ‘Link-local only’.
Click ‘OK’ to apply the changes.
Using Terminal:
Open ‘Terminal’ from ‘Applications’ > ‘Utilities’.
List network interfaces: networksetup -listallnetworkservices
Disable IPv6 for Wi-Fi: networksetup -setv6off Wi-Fi
Disable IPv6 for Ethernet: networksetup -setv6off Ethernet
To re-enable IPv6, use: networksetup -setv6automatic Wi-Fi or networksetup -setv6automatic Ethernet
How to Disable IPv6 on iOS or Android
You cannot disable IPv6 on iPhone, iPad, or Android devices at the system level. If your VPN app isn’t preventing IPv6 leaks on these devices, you should consider switching to a more secure VPN.
How to Disable IPv6 on Your Router
The exact steps for disabling IPv6 will depend on the brand of your router. However, the general steps are as follows:
Type 192.168.0.1 into your browser address bar to load your router’s admin panel.
Log in using your credentials, likely found on the bottom of your router.
Navigate to your advanced settings.
Locate and disable IPv6 traffic.
Save your changes.
If your current router does not support disabling IPv6, consider replacing it with one that does. This will give you more control over your network settings and help prevent IPv6 leaks.
2. How to Fix DNS Leaks
Your VPN could be leaking DNS requests for several reasons. Fortunately, there are simple ways to fix the most common issues.
If you have manually set your device’s DNS to a third-party service like Google’s, then you can safely ignore any DNS leaks. To double-check, use our DNS server test to ensure your device is using your chosen servers.
If you haven’t manually changed your device’s DNS and it’s still using your ISP’s default servers, even when using a VPN, your VPN is leaking.
The most effective way to fix these DNS leaks is to switch to a VPN service that maintains its own zero-log DNS servers.
If you don’t want to switch VPN services, follow the instructions below to fix your DNS leaks.
Change Your DNS Settings
If your VPN doesn’t automatically connect to a private DNS server, you’ll need to manually connect to a third-party DNS server by changing your device’s DNS settings.
We recommend choosing a third-party DNS server that doesn’t reveal your true location, such as Google Public DNS or OpenDNS.
Here’s how:
How to Change Your DNS Settings on Windows 11
Right-click the Network or WiFi icon in your system tray and click Settings.
Click on your current network (Wi-Fi or Ethernet).
Scroll down and click Hardware properties.
Click on your internet adapter, then click Properties.
Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
Click Use the following DNS server addresses.
Enter 8.8.8.8 for Preferred DNS server and 8.8.4.4 for Alternative DNS server to use Google’s DNS.
For IPv6-compatible routers, repeat steps 5-7 for Internet Protocol Version 6 (TCP/IPv6).
Check your DNS address with your VPN on to confirm the issue is resolved.
How to Change Your DNS Settings on Windows 10
There are some slight differences in the start of the process for Windows 11:
Right-click the Network or WiFi icon in your system tray and click Open Network & Internet settings.
Select Change adapter options.
Find the adapter you’re currently using to connect to the internet, right-click it, then click Properties.
Continue from step 5.
How to Change Your DNS Settings on macOS
Open System Preferences, then select Network.
Select the adapter currently in use (indicated by a green dot), then click Advanced.
Click the DNS tab, then click the + icon in the bottom-left corner.
Enter 8.8.8.8 and press Enter to replace the default DNS server.
Click the + icon again, enter 8.8.4.4, and press Enter to change your DNS to Google’s.
Check your DNS address with your VPN on to ensure the issue is resolved.
How to Change Your DNS Settings on iOS Devices
Open the Settings app.
Tap Wi-Fi, then tap the i symbol next to the connected network.
Scroll to the DNS section, tap Configure DNS, then tap Manual > Add Server. Enter 8.8.8.8, 8.8.4.4, and tap Save.
Check your DNS address to ensure the changes are working properly.
How to Change Your DNS Settings on Android Devices
Open the Settings app.
Tap Connections > More connection settings > Private DNS.
Check the box next to ‘Private DNS provider hostname’, type dns.google in the field below, and tap Save.
Check your DNS address to ensure the changes are working properly.
Update Your OpenVPN Version
Some ISPs use a transparent DNS proxy to capture and redirect web traffic, ensuring your requests are sent to their own servers.
Transparent DNS proxies effectively ‘force’ a DNS leak without notifying the user. Most leak detection websites and online tools can identify a transparent DNS proxy in the same way as a normal DNS leak.
The latest versions of the OpenVPN protocol have a simple method to tackle this problem:
Find the .ovpn or .conf file for the server you’re trying to connect to, usually in C:\Program Files\OpenVPN\. For more information, read the OpenVPN manual.
Open the file in an editing program like Notepad and add block-outside-dns to the bottom.
Rerun a DNS leak test to check if the leak is resolved and find any additional issues.
Update to the latest version of OpenVPN if you haven’t already. If your VPN service doesn’t support this or is using an older version of the protocol, consider switching to a different VPN service.
Most premium VPN services have their own solutions for tackling transparent proxies. For more details, contact your provider’s customer support.
Disable Teredo
Teredo is a built-in Windows feature designed to help IPv4 and IPv6 coexist by allowing IPv6 addresses to be transmitted and understood on IPv4 connections.
However, because Teredo is a tunneling protocol, it can sometimes take priority over your VPN’s encrypted tunnel, causing a DNS leak.
Here’s how to disable Teredo on Windows devices:
Open Command Prompt and type netsh interface teredo set state disabled.
Press Enter to disable Teredo.
Rerun a DNS leak test to check if the leak is resolved and find any additional issues.
You might experience occasional issues with certain websites or servers when Teredo is disabled, but it is a much more secure choice for VPN users.
3. How to Fix WebRTC Leaks
WebRTC leaks are primarily a browser issue, and fixing them may require more than just choosing a good VPN.
If your VPN offers a ‘Disable WebRTC’ feature in its browser extension, enable it.
If not, you’ll need to disable WebRTC in your browser settings. Here’s how to do it for popular browsers:
Disabling WebRTC in Google Chrome or Microsoft Edge
Install extensions like WebRTC Leak Prevent or uBlock Origin.
Type about:config in the address bar and click Accept the Risk and Continue.
Toggle media.peerconnection.enabled to false.
Retest for WebRTC leaks to make sure the issue is resolved.
How to Disable WebRTC in Safari
Enable Show Develop menu in menu bar in the Advanced settings
In the Develop menu, uncheck Enable Legacy WebRTC API if available.
Retest for leaks.
How to Disable WebRTC in Opera
Go to Settings > Advanced > Privacy & security.
Check Disable non-proxied UDP in the WebRTC section and save changes.
Retest for leaks.
How to Disable WebRTC in Brave
Set Fingerprinting Blocking to Strict, may break sites in Settings > Shields.
Change WebRTC IP Handling Policy to Disable Non-Proxied UDP in Additional Settings > Privacy and security.
Retest for leaks.
How to Fix HTML5 Geolocation Leaks
If your real location is still visible on the map after testing for leaks, there are two possibilities. One is that your public IPv4 or IPv6 address is still leaking. To fix this, follow the steps above.
If the problem persists, HTML5 geolocation is likely revealing your true location.
This technology determines your location using techniques that can’t be protected by a VPN, such as detecting nearby WiFi hotspots, triangulating your position using cellular data.
To fix these location leaks, disable HTML5 geolocation in your browser or use the ExpressVPN browser extension, which has built-in HTML5 leak protection.
Here’s how to disable HTML5 geolocation in popular web browsers. Remember to clear your browser’s cache, cookies, and history afterwards.
How to Disable HTML5 Geolocation in Google Chrome
In Chrome, go to Settings > Privacy and security > Site settings.
Under Permissions, click Location.
Ensure Ask before accessing (recommended) is toggled on.
This won’t disable HTML5 geolocation entirely, but it will allow you to choose whether to enable or disable it for each website you visit.
How to Disable HTML5 Geolocation in Mozilla Firefox
Type about:config into the Firefox address bar and click Accept the Risk and Continue.
Type geo.enabled into the search bar.
Double click the bar labeled geo.enabled to set it to false.
How to Disable HTML5 Geolocation in Safari
Go to Preferences > Privacy and check Prevent Cross-site tracking.
In the Websites tab, select Location and set it to Deny for all websites.
How to Disable HTML5 Geolocation in Microsoft Edge
On your Windows PC press Win + I to open Settings.
Go to Privacy > Location.
Toggle off Allow apps to access your location.
Under Location history click Clear.
How to Disable HTML5 Geolocation in Opera
Type about:config into Opera the address bar.
Go to Advanced > Privacy & security > Site Settings > Location.
Toggle Ask before accessing (recommended) to Off.
How to Disable Flash
Flash is outdated and a security risk. It will soon be completely removed from all popular browsers. If our test has told you that Flash is still enabled in your browser, follow these steps to disable it.
Google Chrome
Flash is now disabled by default in the latest version of Chrome, so you don’t need to do anything.
If for some reason you want to keep running an older version of Chrome, the steps to block Flash are as follows:
Open the Chrome menu and go to Settings > Privacy and security.
Click Site Settings > Flash.
Ensure Block sites from running Flash is selected.
Mozilla Firefox
Open the Firefox menu and select Add-ons > Plugins.
Look for Shockwave Flash and select Never Activate.
If you have only recently installed Firefox for the first time, Shockwave Flash may not be listed as a plugin. In this case, you have nothing to worry about.
Microsoft Edge
Open the Edge menu and click Settings > Cookies and site permissions.
Click Adobe Flash.
Toggle Use Adobe Flash Player to Off.
Safari
Flash is now disabled by default in Safari. You don’t need to do anything.
Opera
Copy and paste opera://settings/content/flash?search=flash into the address bar and press Enter.
Ensure the toggle next to Allow sites to run Flash is set to Off.
Test your VPN again to ensure Flash has been blocked.
How to Fix a Data Center IP
If your IP address is identified as belonging to a data center, it likely means your VPN is running. While this leak won’t necessarily expose your identity, it will reveal you’re using a VPN.
IP addresses are identifiable by their connection type. Home or mobile connections are labeled as residential IP addresses due to typical data usage.
Data center IP addresses are easily recognized by the massive data flow at all times. Most VPN IP addresses fall into this category.
To fix this, simply turn off your VPN or proxy.
How to Fix Torrent IP Leaks (TCP & UDP)
If you use a VPN while torrenting, ensure your BitTorrent client isn’t leaking your IP address. This can happen even if your VPN is working properly with other apps and web browsing.
A torrent IP leak can occur from two sources: TCP and UDP. These protocols are used when downloading a file via torrent, and each can be fixed uniquely.
How to Fix a Torrent TCP IP Leak
Solution 1: Restart your BitTorrent client and re-add the torrent file
A common cause of IP leaks when torrenting is starting the torrent before connecting to a VPN server. Remove any torrents, close your BitTorrent client, connect to a VPN server, re-add the torrent files, and retest once the VPN is connected and running.
Solution 2: Disable IPv6 or enable IPv6 protection
Some VPNs may only protect IPv4. If you have an IPv6 address, it can leak.
If your VPN has an ‘IPv6 Protection’ option, enable it. Alternatively, if it has a ‘Disable IPv6’ option, try that. This will block all IPv6 connections, preventing potential leaks.
Solution 3: Deactivate any proxy settings in the BitTorrent client
If your BitTorrent client is set to proxy via another device on your local network and that machine isn’t protected by your VPN, your IP address could leak.
Disable the proxy and retest – proxy settings are usually found within your BitTorrent client’s connection settings menu.
How to Fix a Torrent UDP IP Leak
UDP leaks are highly uncommon, and all the above solutions for a TCP IP address torrenting leak can also be applied to fixing UDP IP address torrenting leaks.
Although unlikely, there is one other scenario in which your VPN could be leaking your IP address via UDP: if your VPN does not support it. In this case, the only solution is to switch to a better VPN for torrenting.