When you use a VPN, it protects your online data 24/7, right? Yes, but only as long as the service doesn't suffer any leaks. If it does, complete privacy is off the table.
How often do leaks occur? Well, it's not a regular thing, but it does happen. For example, if you use free VPNs, you should watch out since around 25% of free Android VPN apps leak data.
And if that weren't enough, there was a similar issue back in 2018 when popular VPN extensions leaked user data.
Overall, it's not something you should worry about nonstop, but you shouldn't take this lightly either. That's why we put together this VPN leak guide, so that you'll have an easy time understanding what VPN leaks are and how to protect yourself from them.
What Are VPN Leaks?
A VPN leak means the VPN exposes your traffic or IP address outside the encrypted tunnel. If that happens, anyone (ISPs, governments, hackers, advertisers) can monitor your browsing habits and online communications.
Also, you'll no longer be able to bypass geo-blocks since websites will see your real geo-location. Firewalls will be a problem, too, since you'll still have your original IP address with the same traffic restrictions applied to it.
The 5 Types of VPN Leaks
Here are the many ways a VPN can leak your data if things go wrong:
1. IPv4 Leaks
This is the rarest one. Why? Because IPv4 (Internet Protocol version 4) is the standard IP address format - x.x.x.x (so 22.214.171.124, for example). If a VPN leaks IPv4 addresses, it just means the service isn't working at all.
These kinds of leaks will usually happen if the VPN service is poorly configured. Basically, it causes communication errors between your device and the server, resulting in the VPN leaking IPv4 addresses.
2. IPv6 Leaks
IPv6 (Internet Protocol version 6) is the successor to IPv4. It's a whole new address format that allows way more potential combinations, which is actually necessary since we ran out of IPv4 addresses.
It's great we have a solution for that, but here's the problem - only a little over 25% of web-connected networks have IPv6 support.
So the deployment rate is still pretty low. Yes, even for VPN services, since not many providers support IPv6 traffic. But if your ISP supports it and your VPN doesn't, you'll have an IPv6 leak on your hands.
Basically, if you have both an IPv4 and an IPv6 address and the VPN neither supports nor blocks IPv6 traffic, it will only route your IPv4 data through the encrypted tunnel. Your IPv6 traffic goes out over your regular connection instead.
3. DNS Leaks
These happen when your DNS queries leak outside the VPN tunnel. If you don't know what those are, they're the connection requests you send to websites when you want to browse them.
Usually, when you use a VPN, your DNS queries should go through the VPN provider's DNS server. When a DNS leak happens, they go through your ISP's DNS server instead. That pretty much means your ISP can see what websites you browse even if you use a VPN.
VPN leaking DNS data can happen for a lot of reasons:
- For starters, IPv6 leaks can cause DNS leaks since your IPv6 DNS queries won't go through the tunnel.
- Bad network configurations (like DHCP settings not getting an update) can force you to automatically use your ISP's DNS server.
- The VPN provider doesn't run its own DNS server. That's usually a huge red flag that the service isn't reliable or is a scam.
- Your ISP uses a transparent DNS proxy. Basically, that's a server that intercepts your DNS traffic when you try to use a different DNS server. Once it does that, it forcibly routes it to your ISP's DNS server, bypassing the VPN provider's server.
- If you're a Windows user, Teredo can get in the way. It's a tunneling protocol that provides IPv4 and IPv6 compatibility, which can also take precedence over the VPN tunnel, resulting in DNS leaks.
- Also, on Windows, SMHNR (Smart Multi-Homed Name Resolution) is a feature that forces your computer to accept responses from the fastest DNS server to speed up web browsing. Unfortunately, that's usually not the VPN's server, but your ISP's server.
- And on very rare occasions, a DNS leak can take place because hackers took over your router and are forcing your queries through a malicious DNS server.
4. WebRTC Leaks
If you're not familiar with WebRTC, it's an open-source project that offers browsers and applications RTC (Real Time Communication) functionality - basically, support for voice and video calling.
It's definitely useful, but also risky since it contributes to VPN leaks. Long story short, WebRTC functionality can actually bypass the VPN tunnel sometimes, resulting in IP leaks.
If you want the full details about how WebRTC leaks happen, check out our article.
5. Traffic Leaks
These leaks happen when the VPN connection suddenly goes down. Since the VPN tunnel is disconnected while you're still using the Internet, all your traffic leaks out of it. So anyone can spy on it.
VPN disconnections can happen for various reasons - like the server being too far away or you using a protocol that's too resource-intensive for your device. And the really scary thing is that these VPN leaks can happen even if you use a very reliable VPN with connections that are typically stable.
How Do You Detect VPN Leaks?
Just follow the link, take a screenshot for reference, run a VPN connection, and reaccess the link. If the results are the same (you still see your original IP and ISP DNS addresses), you're dealing with a leak.
For this test, we used a Dutch VPN server from CyberGhost. The tester's real location is Romania. Here is what a leak-proof VPN connection should look like:
The IPv6 test is red because we disabled IPv6 on our end. Plus, CyberGhost clients prevent IPv6 leaks.
Also, no IP address shows up for WebRTC because CyberGhost offers WebRTC leak protection. We are also using uBlock Origin to block WebRTC leaks.
Don't just take our word for it, though - the next screenshots will prove everything is working well.
Now, if you want to test for specific leaks, here are some services you can use:
If you're very tech-savvy, you can also do some advanced testing. ExpressVPN made their testing suite open-source and free, and you can get it right here. They actually use it to leak-proof their apps. Here's the guide that can help you get started.
What About Traffic Leaks?
As far as we know, no tool can help you detect VPN traffic leaks. Network monitoring software might, but most of those tools are business solutions, so they don't come cheap.
To be honest, you won't really need a leak detection tool in this case. Most VPN clients will generally alert you when your VPN connection goes down.
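Both the IPv6 leak described earlier and a dropped tunnel show up in the routing table, so a script can check for them. The following is an added example, not from the original article or any VPN vendor: it parses Linux `ip route show` and `ip -6 route show` output and reports which destinations would leave outside the tunnel. The interface names, addresses and route listings are constructed sample data.

```python
import ipaddress

def parse_routes(text, default_net):
    """Parse `ip route show` / `ip -6 route show` text into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if "dev" not in tok[:-1]:
            continue                      # blank line, blackhole, unreachable...
        dest = default_net if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue                      # e.g. "local" or "broadcast" entries
        routes.append((net, tok[tok.index("dev") + 1]))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match, as the kernel does; None if no route covers it."""
    addr = ipaddress.ip_address(destination)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def outside_tunnel(v4_text, v6_text, tunnel_dev, probes):
    """Map each probe address that would leave outside tunnel_dev to its device."""
    routes = parse_routes(v4_text, "0.0.0.0/0") + parse_routes(v6_text, "::/0")
    found = {p: egress_device(routes, p) for p in probes}
    # No route at all (None) means the packet is never sent, so it cannot leak.
    return {p: dev for p, dev in found.items() if dev not in (None, tunnel_dev)}

# Constructed sample data: a VPN that installs IPv4 routes only.
V4_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
V4_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
PROBES = ["8.8.8.8", "198.51.100.7", "2001:db8:ffff::1"]
```

With the tunnel up and IPv6 still enabled, only the IPv6 probe is reported. With IPv6 disabled nothing is reported, and with the tunnel down every IPv4 probe is.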
How to Prevent VPN Leaks
We'll take a look at how to handle each type of issue individually:
1. Fix IP Leaks (IPv4 & IPv6)
There's nothing you can do to fix IPv4 leaks since the issue is on the VPN provider's end. Maybe pick a VPN with a free trial and test its connection during that period to make sure there are no problems.
IPv6 leaks, on the other hand, can be prevented. The first thing you should do is disable IPv6 on your device:
- Windows 7 - Head to Control Panel > Network and Internet > Network and Sharing Center > Local Area Connection. Click on Properties and uncheck this option: "Internet Protocol Version 6 (TCP/IPv6)."
- Windows 8 - Use the Start Menu to go to Desktop. Once there, right-click on the Networks icon. Next, go to Open Network and Sharing Center > Local Area Connection, click on Properties, and uncheck the "Internet Protocol Version 6 (TCP/IPv6)" option.
- Windows 10 - On your desktop, right-click on the network icon and pick "Open Network and Sharing Center." On the right, click on "Change adapter settings," right-click on the primary connection, select Properties, and uncheck the "Internet Protocol Version 6 (TCP/IPv6)" option.
- Mac OS X - On most systems, you need to go to System Preferences > Network. Select the first connection on the list, pick Advanced, and for Configure IPv6 choose either Off or Link-local only.
- Android - Go to Settings > Connections > Mobile networks > Access Point Names. Choose the mobile operator, scroll down until you see "APN protocol," tap on it, and pick IPv4. To disable IPv6 on WiFi, though, you'll need to root the phone.
- Ubuntu - The process is a bit long, so here's a helpful guide.
Unfortunately, you won't be able to disable IPv6 at a system-level on iOS devices.
Also, if you use Windows and know your way around the OS, you can use this fix from Microsoft to completely disable IPv6.
Other than that, consider using a service with VPN leak protection for IPv6. That just means the service blocks IPv6 traffic to prevent leaks. Here are some decent options:
2. Fix DNS Leaks
There's quite a list of things you need to do to fully prevent DNS leaks:
- First, disable IPv6.
- Next, if you run Windows, you'll need to get rid of Teredo and SMHNR. Here's a guide showing you how to disable Teredo. As for SMHNR, follow these step-by-step tutorials to stop it from interfering with your VPN connections. And in case you use the OpenVPN app, try out this patch.
- If your network configurations are acting up, you'll have to force the DNS address switch. See if the VPN client has an option for forcing the VPN to only use the VPN provider's DNS server. Alternatively, manually change the DNS addresses to OpenDNS (208.67.222.222 and 208.67.220.220) or Google Public DNS (8.8.8.8 and 8.8.4.4).
- If you suspect your ISP uses a transparent DNS proxy, enable the option that forces the VPN to only use the VPN provider's DNS server. If that's not available, you'll need to use the OpenVPN app. Once that's done, find the .conf or .ovpn files for the VPN servers, open them with a text editor, and add this line: block-outside-dns.
- Lastly, replace the default login credentials for your router with stronger ones. That will stop hackers from finding them online in PDF manuals and using them to break into your router. Alternatively, get a secure router.
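To check a folder of .ovpn or .conf files for the block-outside-dns line mentioned above, a small profile parser is enough. This is an added example, not code from the article or from the OpenVPN project. The profile text, the server name vpn.example.net and the 10.8.0.1 resolver are constructed placeholders.

```python
import re

INLINE_OPEN = re.compile(r"^<([A-Za-z0-9-]+)>$")

def directives(profile_text):
    """Yield each directive of an OpenVPN profile as a list of tokens."""
    inline_tag = None
    for raw in profile_text.splitlines():
        line = raw.strip()
        if inline_tag:                     # skip <ca>...</ca> style key/cert blocks
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        opened = INLINE_OPEN.match(line)
        if opened:
            inline_tag = opened.group(1)
            continue
        if line and line[0] not in "#;":   # '#' and ';' both start comments
            yield line.split()

def audit_dns(profile_text):
    """Report the DNS-related settings that decide where lookups can go."""
    report = {"block_outside_dns": False, "dns_servers": []}
    for tok in directives(profile_text):
        if tok[:2] == ["setenv", "opt"]:   # directive marked optional for older clients
            tok = tok[2:]
        if tok[:1] == ["block-outside-dns"]:
            report["block_outside_dns"] = True
        elif tok[:2] == ["dhcp-option", "DNS"] and len(tok) >= 3:
            report["dns_servers"].append(tok[2])
    return report

# Constructed profiles: the first has the directive commented out, the second enables it.
LEAKY = """\
client
dev tun
remote vpn.example.net 1194 udp
;block-outside-dns
<ca>
(placeholder certificate body)
</ca>
"""
FIXED = LEAKY.replace(";block-outside-dns", "block-outside-dns\ndhcp-option DNS 10.8.0.1")
```

A commented-out directive is the easy one to miss by eye: `audit_dns(LEAKY)` reports `block_outside_dns` as False even though the text appears in the file.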
3. Fix WebRTC Leaks
We already offered some tips on how to protect yourself from these VPN leaks in our WebRTC article (here's the link again).
But here's more information to help you out:
- If you don't know how to disable WebRTC on your browser, check out this guide.
- Use uBlock Origin on your browser. It's a script blocker that can prevent WebRTC leaks.
- Use a VPN with WebRTC leak protection. CyberGhost is a good example. ExpressVPN and Perfect Privacy have built-in protection in their clients, and they use firewall rules to offer extra protection too. Also, NordVPN blocks WebRTC leaks, and they even have a browser extension that does the same thing.
- If you use Opera or Chrome, consider using WebRTC Leak Prevent (for Opera and for Chrome).
4. Fix Traffic Leaks
You can do things like using a VPN server that's closer to you, making sure the firewall doesn't interfere with the VPN connection or using a more lightweight protocol (IKEv2, SoftEther, WireGuard, L2TP/IPSec).
However, the easiest prevention method is to use a VPN with a Kill Switch. Basically, it's a feature that shuts down your web access when your VPN connection goes down. You can only use the internet again when the VPN is up and running.
The list of great VPNs with Kill Switches includes:
The Bottom Line
VPN leaks are the main thing that stands between you using a VPN and true Internet privacy (well, that, and logs). To be sure you're safe from them, you need to take some precautions AND make sure you only use a reliable VPN (one with IPv6/DNS/WebRTC leak protection + a Kill Switch).
Know any other VPN leaks people should worry about? Or other ways we can better protect ourselves from them? Go ahead and share your insight with all of us in the comments below, or on social media.