When you use a VPN, it protects your online data 24/7, right? Yes, but only as long as the service doesn't suffer any leaks. If it does, complete privacy is off the table.
How often do leaks occur? Well, it's not a regular thing, but it does happen. For example, if you use free VPNs, you should watch out since around 25% of free Android VPN apps leak data.
And if that weren't enough, there was a similar issue back in 2018 when popular VPN extensions leaked user data.
Overall, it's not something you should worry about nonstop, but you shouldn't take this lightly either. That's why we put together this VPN leak guide, so that you'll have an easy time understanding what VPN leaks are and how to protect yourself from them.
This means the VPN leaks your traffic or IP address outside the encrypted tunnel. If that happens, anyone (ISPs, governments, hackers, advertisers) can monitor your browsing habits and online communications.
Also, you'll no longer be able to bypass geo-blocks since websites will see your real geo-location. Firewalls will be a problem, too, since you'll still have your original IP address with the same traffic restrictions applied to it.
Here are the many ways a VPN can leak your data if things go wrong:
This is the rarest one. Why? Because IPv4 (Internet Protocol version 4) is the standard IP address format - x.x.x.x (so 12.13.14.15, for example). If a VPN leaks IPv4 addresses, it just means the service isn't working at all.
These kinds of leaks will usually happen if the VPN service is poorly configured. Basically, it causes communication errors between your device and the server, resulting in the VPN leaking IPv4 addresses.
IPv6 (Internet Protocol version 6) is the successor to IPv4. It's a whole new address format that allows way more potential combinations, which is actually necessary since we ran out of IPv4 addresses.
It's great we have a solution for that, but here's the problem - only a little over 25% of web-connected networks have IPv6 support.
So the deployment rate is still pretty low. Yes, even for VPN services, since not many providers support IPv6 traffic. But if your ISP supports it, you'll have an IPv6 leak on your hands.
Basically, if you have both an IPv4 and an IPv6 address and the VPN neither supports nor blocks IPv6 traffic, it will only route your IPv4 data through the encrypted tunnel. Your IPv6 traffic travels outside it.
These happen when your DNS queries leak outside the VPN tunnel. If you don't know what those are, they're the requests your device sends to look up a website's address when you want to browse it.
Usually, when you use a VPN, your DNS queries should go through the VPN provider's DNS server. When a DNS leak happens, they go through your ISP's DNS server instead. That pretty much means your ISP can see what websites you browse even if you use a VPN.
A VPN can leak DNS data for a lot of reasons:
If you're not familiar with WebRTC, it's an open-source project that offers browsers and applications RTC (Real Time Communication) functionality - basically, support for voice and video calling.
It's definitely useful, but also risky since it contributes to VPN leaks. Long story short, WebRTC functionality can actually bypass the VPN tunnel sometimes, resulting in IP leaks.
If you want the full details about how WebRTC leaks happen, check out our article.
These leaks happen when the VPN connection suddenly goes down. Since the VPN tunnel is disconnected while you're still using the Internet, all your traffic leaks out of it. So anyone can spy on it.
VPN disconnections can happen for various reasons - like the server being too far away or you using a protocol that's too resource-intensive for your device. And the really scary thing is that these VPN leaks can happen even if you use a very reliable VPN with connections that are typically stable.
The easiest way to do this is to use a VPN leak test. ipleak.net from AirVPN is the most convenient one (at least in our opinion). It checks for everything - IPv4/IPv6, DNS, and WebRTC leaks.
Just follow the link, take a screenshot for reference, run a VPN connection, and reaccess the link. If the results are the same (you still see your original IP and ISP DNS addresses), you're dealing with a leak.
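The before/after comparison described above can be scripted once you have copied the addresses shown by the test page into two snapshots. This is an added example, not part of the original guide: the snapshot layout, the `find_leaks` name and every address (taken from documentation ranges) are constructed for illustration.

```python
import ipaddress

FIELDS = ("ipv4", "ipv6", "dns", "webrtc")


def _parse(addrs):
    """Turn address strings into ip_address objects so that different
    spellings of the same IPv6 address compare equal."""
    return {ipaddress.ip_address(a.strip()) for a in addrs}


def find_leaks(baseline, with_vpn):
    """Compare a snapshot taken without the VPN to one taken with it.

    Each snapshot maps 'ipv4', 'ipv6', 'dns' and 'webrtc' to a list of
    addresses copied from the leak-test page. Returns a dict of
    leak type -> addresses that are still visible through the VPN.
    """
    real_ips = _parse(baseline.get("ipv4", [])) | _parse(baseline.get("ipv6", []))
    isp_dns = _parse(baseline.get("dns", []))
    leaks = {}
    for field in FIELDS:
        seen = _parse(with_vpn.get(field, []))
        # DNS results are checked against the ISP resolvers; everything
        # else is checked against your own public addresses.
        known = isp_dns if field == "dns" else real_ips
        hits = seen & known
        if hits:
            leaks[field] = sorted(str(ip) for ip in hits)
    return leaks


# Constructed sample data (documentation address ranges, not real hosts).
BASELINE = {"ipv4": ["203.0.113.25"], "ipv6": ["2001:db8:0:0:0:0:0:10"],
            "dns": ["203.0.113.53", "203.0.113.54"], "webrtc": ["203.0.113.25"]}
CLEAN_VPN = {"ipv4": ["198.51.100.7"], "ipv6": [],
             "dns": ["198.51.100.53"], "webrtc": []}
# IPv4 is tunnelled, but IPv6, one DNS resolver and WebRTC still expose the user.
LEAKY_VPN = {"ipv4": ["198.51.100.7"], "ipv6": ["2001:db8::10"],
             "dns": ["198.51.100.53", "203.0.113.54"], "webrtc": ["2001:db8::10"]}

if __name__ == "__main__":
    print("clean:", find_leaks(BASELINE, CLEAN_VPN))
    print("leaky:", find_leaks(BASELINE, LEAKY_VPN))
```

An empty result means none of your original addresses or ISP DNS servers showed up while the VPN was connected.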
For this test, we used a Dutch VPN server from CyberGhost. The tester's real location is Romania. Here is what a leak-proof VPN connection should look like:
The IPv6 test is red because we disabled IPv6 on our end. Plus, CyberGhost clients prevent IPv6 leaks.
Also, no IP address shows up for WebRTC because CyberGhost offers WebRTC leak protection. We are also using uBlock Origin to block WebRTC leaks.
Don't just take our word for it, though - the next screenshots will prove everything is working well.
Now, if you want to test for specific leaks, here are some services you can use:
If you're very tech-savvy, you can also do some advanced testing. ExpressVPN made their testing suite open-source and free, and you can get it right here. They actually use it to leak-proof their apps. Here's the guide that can help you get started.
As far as we know, no tool can help you detect VPN traffic leaks - maybe if you use network monitoring software, though most tools are business solutions, so they don't come cheap.
To be honest, you won't really need a leak detection tool in this case. Most VPN clients will generally alert you when your VPN connection goes down.
We'll take a look at how to handle each type of issue individually:
There's nothing you can do to fix IPv4 leaks since the issue is on the VPN provider's end. Maybe pick a VPN with a free trial and test its connection during that period to make sure there are no problems.
IPv6 leaks, on the other hand, can be prevented. The first thing you should do is disable IPv6 on your device:
Unfortunately, you won't be able to disable IPv6 at the system level on iOS devices.
Also, if you use Windows and know your way around the OS, you can use this fix from Microsoft to completely disable IPv6.
Other than that, consider using a service with VPN leak protection for IPv6. That just means the service blocks IPv6 traffic to prevent leaks. Here are some decent options:
Alternatively, you could also use a VPN that actually supports IPv6 traffic like Perfect Privacy and HIDE.me. That way, you'll continue having access to IPv6-only websites.
There's quite a list of things you need to do to fully prevent DNS leaks:
We already offered some tips on how to protect yourself from these VPN leaks in our WebRTC article (here's the link again).
But here's more information to help you out:
You can do things like using a VPN server that's closer to you, making sure the firewall doesn't interfere with the VPN connection or using a more lightweight protocol (IKEv2, SoftEther, WireGuard, L2TP/IPSec).
However, the easiest prevention method is to use a VPN with a Kill Switch. Basically, it's a feature that shuts down your web access when your VPN connection goes down. You can only use the internet again when the VPN is up and running.
The list of great VPNs with Kill Switches includes:
VPN leaks are the main thing that stands between you using a VPN and true Internet privacy (well, that, and logs). To be sure you're safe from them, you need to take some precautions AND make sure you only use a reliable VPN (one with IPv6/DNS/WebRTC leak protection + a Kill Switch).
Know any other VPN leaks people should worry about? Or other ways we can better protect ourselves from them? Go ahead and share your insight with all of us in the comments below, or on social media.