MyIPScan
Guide

What Is a VPN Leak? Types, Causes and How to Test

A VPN leak is when data that should be protected by your VPN tunnel is instead transmitted outside it — exposing your real IP, DNS queries, or browser details to your ISP or websites.

By: Katia Belokon · Updated June 2026

What is a VPN leak?

A VPN is supposed to route all your internet traffic through an encrypted tunnel so that your ISP, DNS provider, and websites see the VPN server's IP address — not yours. A VPN leak occurs when some or all of your traffic bypasses that tunnel and becomes visible in its original form.

A VPN leak does not always mean the VPN software is broken. Leaks can happen due to browser APIs (WebRTC), operating system DNS behavior, dual-stack IPv4/IPv6 configurations, or brief connectivity gaps when reconnecting. The VPN tunnel may be working correctly for most traffic while a specific protocol or API leaks data around it.

The four types of VPN leaks

1. IP leak

An IP leak is when your real public IP address — the one assigned by your ISP — is visible to websites or IP lookup tools despite being connected to a VPN. This is the most severe type of leak because it directly identifies you or your ISP. IP leaks most commonly occur when the VPN connection drops and traffic briefly resumes through your real connection before the VPN reconnects.

2. DNS leak

A DNS leak is when your DNS queries — the requests to translate domain names like "google.com" into IP addresses — are sent to your ISP's DNS resolver instead of the VPN's resolver. Even if your browsing traffic goes through the VPN, a DNS leak means your ISP can see every domain you visit. DNS leaks are common on Windows when the OS falls back to system DNS settings that are not overridden by the VPN client.

3. WebRTC leak

WebRTC (Web Real-Time Communication) is a browser API used for video calls, voice calls, and peer-to-peer connections. To establish these connections, the browser collects IP addresses — including your real local and public IP — and shares them as ICE candidates. VPNs typically route IP-layer traffic but do not intercept the WebRTC ICE negotiation, so your real IP can be exposed to any website that uses WebRTC. This leak happens in the browser and is independent of your VPN client.

4. IPv6 leak

Most consumer internet connections now have both an IPv4 and an IPv6 address. Many VPN clients only tunnel IPv4 traffic by default. If your ISP provides you with an IPv6 address and the VPN does not handle IPv6, then IPv6 traffic from your device bypasses the VPN tunnel entirely. Websites that support IPv6 will see your real IPv6 address instead of the VPN's address.

What causes VPN leaks?

  • VPN client reconnecting: When a VPN connection drops and reconnects, there is a brief window where traffic flows through your normal connection. A kill switch prevents this.
  • Windows DNS fallback: Windows may send DNS queries to the system's configured DNS server if the VPN's DNS is slow or unavailable.
  • Split tunneling: Some VPN configurations route only certain traffic through the tunnel, leaving other traffic on the regular connection.
  • Browser WebRTC: The browser handles WebRTC independently of the OS network stack, bypassing VPN tunneling for ICE candidate collection.
  • IPv6 not tunneled: The VPN only tunnels IPv4 while IPv6 traffic routes through your ISP connection directly.

How to test for VPN leaks

The most reliable way to test for VPN leaks is to run a test without the VPN first to establish a baseline, then connect your VPN and run the same test again to compare.

  1. Disconnect your VPN. Run MyIPScan's VPN Leak Test and note your real IP, DNS resolvers, and WebRTC candidates.
  2. Connect your VPN.
  3. Run the VPN Leak Test again in the same browser without restarting it.
  4. Compare: your visible IP, DNS resolvers, and WebRTC IPs should all show the VPN server's details — not your real connection's details.

Run focused tests for specific leak types: DNS Leak Test, WebRTC Leak Test, and IPv6 Leak Test.

How to fix VPN leaks

  • Enable the kill switch in your VPN client to block all traffic when the VPN drops.
  • Disable IPv6 in your OS network settings if your VPN does not tunnel IPv6, or use a VPN that handles IPv6.
  • Force DNS through the VPN by configuring your VPN client to use its own DNS resolvers and disabling fallback.
  • Install your VPN's browser extension to block WebRTC IP exposure, or disable WebRTC in the browser settings.
  • Switch to a VPN with strong leak protection such as Mullvad or IVPN, which provide built-in protections for all four leak types by default.

Frequently asked questions

What is a VPN leak?

A VPN leak is a failure mode where data that should be inside your VPN tunnel is instead transmitted outside it, making your real IP address, DNS queries, or browser IPs visible to your ISP, DNS providers, or websites.

What are the types of VPN leaks?

The four main types are: IP leaks (your real IP visible), DNS leaks (DNS queries go to your ISP's resolver), WebRTC leaks (the browser's WebRTC API exposes your real IP), and IPv6 leaks (IPv6 traffic bypasses the VPN tunnel).

How do I know if my VPN is leaking?

Connect your VPN, then run a VPN leak test. If the visible IP, DNS resolver, WebRTC candidates, or IPv6 address shows your real ISP's details rather than the VPN server's details, you have a leak for that layer.

Does a VPN kill switch prevent leaks?

A kill switch prevents IP leaks from VPN reconnection events by blocking all traffic when the VPN drops. It does not prevent DNS, WebRTC, or IPv6 leaks — those require separate mitigations.

Which VPNs have the strongest leak protection?

Mullvad VPN and IVPN consistently offer the strongest default leak protection for all four leak types. ProtonVPN also performs well with the kill switch enabled. Always verify with your own test — provider claims alone are not sufficient.