Using a VPN can dramatically increase your security online, but there are still several ways your VPN can leak your true identity. The goal of this article is to teach you about the most common types of VPN leaks, and how to fix them (or at least minimize the risk).
This article will cover:
- Accidental disconnects (IP leak)
- DNS Leaks (IP leak, Web history leak)
- IPv6 Leaks (IP leak)
- WebRTC/STUN leaks (IP leak)
You’ll learn what causes these types of leaks, as well as how to identify whether your VPN or computer is vulnerable.
But first, we need an introduction to what the term ‘IP leak’ means, and why they exist in the first place.
What is an IP leak?
An ‘IP leak’ occurs if your real IP address is accidentally exposed to another website, person, or service. (When you’re using a VPN, you only want them to see your VPN server’s IP address.)
Your ‘real’ IP address is the one assigned to you by your Internet Provider, and can be used to specifically identify your unique internet subscription. All devices on your home network will share the same IP address.
You can easily check your IP address by using a tool like IPVanish’s free IPlocation tool:
What causes IP leaks?
IP leaks aren’t usually the fault of your VPN provider. They’re often caused by vulnerabilities in existing technology like:
- Web browsing software
- Browser plugins (Flash)
- Operating systems
However, high-quality VPN services will actually include technology to prevent and plug many of these leaks. We’ll look at each type individually, as well as recommend the most secure VPN services.
IP Leak via dropped/failed VPN connection
This is a common IP leak, and also the easiest to fix. The ‘Dropped Connection’ leak occurs if your VPN software disconnects suddenly, in which case all internet traffic will be routed through your normal (unsecured) internet connection.
The Fix: Choose a VPN with a kill-switch option
What is a kill switch?
A kill-switch is a bit of code built into your VPN client that constantly monitors your network connection (which network ‘interface’ you’re using, and what your IP address is).
If the kill-switch detects a change, it will instantly stop all internet connectivity until you either:
- Reconnect to the VPN
- Reset your network adapter
This piece of technology is simple & effective. We consider it an essential piece of equipment for anyone using a ‘non-logging’ VPN service.
Recommended VPNs w/ kill-switch
Most top providers now include a kill-switch in their desktop software (sometimes in their mobile apps too).
Here are some top picks:
If a VPN has a ‘DNS leak’, it means your DNS requests are being sent to an insecure DNS server (usually one controlled by your ISP/Internet Provider).
What is DNS: DNS stands for Domain Name System. Every time you type a URL into your browser (www.google.com), that request is sent to a DNS server which translates the domain name into a numeric IP address belonging to the server where the website is hosted.
1. What Causes DNS Leaks?
Many Internet Providers use a technology called ‘Transparent DNS Proxy’ which can intercept all DNS requests passing through their servers. Even if you specify a different DNS server on your PC or router, it’s possible these requests could still be intercepted.
Privacy concerns of DNS leaks
There are two main concerns of leaking DNS queries:
- Your ISP can see your web history (what websites you visited)
- Some DNS leaks can expose your real IP address to the DNS server
2. How to test for DNS Leaks?
There are several free websites that allow you to check if your VPN is leaking DNS requests. We like DNSleaktest.com, which is fast and simple. Basically, it will show you a list of all DNS servers that your connection is using. It’s OK if there are multiple DNS servers in the list, but you don’t want to see a DNS server belonging to your ISP (Time Warner, Verizon, Comcast, etc.).
Where to check your connection for DNS Leaks:
3. How to fix DNS Leaks
The easiest/best way to fix DNS leaks is to choose a VPN provider that has built-in DNS leak protection. These providers use their own custom (and private) DNS servers, and use special technology to ensure that your DNS requests are always routed securely, inside the encrypted VPN tunnel.
Some providers go even further, and have Encrypted, Zero-Log DNS servers (maximum privacy).
Recommended VPNs with built-in DNS leak protection:
Did you know that your computer and other individually connected devices actually have 2 IP addresses? An IPv4 address (192.168.1.1 for example) and an IPv6 address. IPv6 addresses are much longer (an example IPv6 address from Wikipedia is 2001:0db8:85a3:0000:0000:8a2e:0370:7334).
The reason IPv6 addresses were introduced recently is that we’re running out of IPv4 addresses, now that people have so many internet-connected devices (each with an IP address). With smart phones, watches, toasters, tablets, etc., you could easily have 25 internet-active devices in your home.
Whether a website sees your IPv4 address or IPv6 address depends on:
- If IPv6 is enabled in your operating system (it’s on by default in Windows)
- If the website/service supports IPv6
1. So what causes IPv6 Leaks?
Many of the popular VPN protocols (OpenVPN, PPTP, L2TP) were created before IPv6 addresses existed. So by default, many VPN services only route IPv4 traffic through the secure VPN tunnel, and IPv6 traffic is routed unsecured and unencrypted.
Fortunately there are two EASY fixes.
2. How to fix IPv6 Leaks
The best & easiest method (because you don’t have to rely on your VPN provider) is to simply disable IPv6 on your operating system.
Instructions to disable IPv6 on:
You can also choose to turn off IPv6 on your router.
And finally, you can just choose a VPN Provider with built-in IPv6 leak protection.
VPN Software that blocks IPv6 Leaks:
Note: IPv6 leak protection at the VPN level is only necessary if you can’t (or don’t want to) disable IPv6 at the OS level.
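Both the dropped-connection leak and the IPv6 leak come down to which network interface a packet leaves through, so one routing-table check covers them (and shows whether a DNS resolver is reached outside the tunnel). This is an added example, not code from the original article or from any VPN client; it assumes a Linux host with a tunnel interface named tun0, and the route output, addresses and probe names are constructed.

```python
import ipaddress

# Constructed `ip -o route show` / `ip -6 -o route show` output; tun0 is an IPv4-only VPN.
ROUTES_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
ROUTES_V6 = """\
default via fe80::1 dev eth0 proto ra metric 100
2001:db8:1::/64 dev eth0 proto kernel metric 256
"""
# Constructed probes: two documentation-range web hosts and two DNS resolvers.
PROBES = {"ipv4 web": "203.0.113.10", "ipv6 web": "2001:db8:ffff::10",
          "vpn dns": "10.8.0.1", "router dns": "192.168.1.1"}

def parse_routes(text, version):
    """Return [(network, device)] for each route line that names a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields:
            continue  # blackhole/unreachable entries have no device
        dest = fields[0]
        if dest == "default":
            dest = "0.0.0.0/0" if version == 4 else "::/0"
        routes.append((ipaddress.ip_network(dest), fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, address):
    """Longest-prefix match (route metrics are not considered)."""
    addr = ipaddress.ip_address(address)
    hits = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(hits)[1] if hits else None

def find_leaks(routes, tunnel_dev, probes):
    """Map probe label -> device for traffic that would bypass the tunnel."""
    egress = {label: egress_device(routes, ip) for label, ip in probes.items()}
    # None means no route at all: that traffic is blocked, not leaked.
    return {label: dev for label, dev in egress.items() if dev not in (None, tunnel_dev)}

TABLE = parse_routes(ROUTES_V4, 4) + parse_routes(ROUTES_V6, 6)
print("tunnel up:  ", find_leaks(TABLE, "tun0", PROBES))
DROPPED = [r for r in TABLE if r[1] != "tun0"]  # dropped VPN: all tun0 routes vanish
print("tunnel down:", find_leaks(DROPPED, "tun0", PROBES))
```

With the tunnel up, only the IPv6 probe and the router-supplied resolver leave via eth0; once the tun0 routes disappear, every probe does, which is the condition a kill-switch is meant to block.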
The WebRTC vulnerability is actually a web browser vulnerability, not an OS (operating system) issue. WebRTC is a p2p technology built into modern web browsers that enables new technologies like video-streaming/videoconferencing and the sharing of PC peripherals (like a microphone) between you and a website.
TorrentFreak reported that WebRTC can actually be used as an ‘Attack’ to trick your browser into exposing your real (non-VPN) IP address.
Risk Factor: In practice, the risk of WebRTC leaks is very low, because you’d have to be tricked into visiting a malicious website trying to view your IP address. This is pretty unlikely, and most websites couldn’t care less whether you’re using a VPN or not.
How to fix WebRTC Leaks
You have to disable WebRTC at the browser level in order to prevent STUN leaks. This can either be accomplished by editing your browser’s config files, or by installing a browser extension that does it for you.
Instructions by web browser:
How to test for WebRTC leaks?
The amazing tool at IPLeak.net checks for all major types of VPN leaks (DNS, WebRTC, and IPv6). Just visit this link, and scroll to the WebRTC section. If it shows an IP address, check if it matches your normal browser IP (without the VPN connected). If it does, you’re vulnerable to WebRTC leaks.
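The comparison described above can be scripted once you have the ICE candidate lines a test page displays. This is an added example, not part of the original article; the candidate lines, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed ICE candidate lines (candidate-attribute syntax from RFC 5245).
# In this sample 203.0.113.45 and 2001:db8:1::50 are the ISP-assigned addresses
# and 198.51.100.20 is the VPN server's address.
CANDIDATES = """\
candidate:1 1 udp 2122260223 192.168.1.50 51820 typ host generation 0
candidate:2 1 udp 2122194687 a1b2c3d4-0000-4000-8000-123456789abc.local 51821 typ host
candidate:3 1 udp 1686052607 198.51.100.20 40112 typ srflx raddr 10.8.0.2 rport 51822
candidate:4 1 udp 1686052351 203.0.113.45 51820 typ srflx raddr 192.168.1.50 rport 51820
candidate:5 1 udp 2122262783 2001:db8:1::50 51823 typ host
"""
REAL_IPS = ["203.0.113.45", "2001:0db8:0001:0000:0000:0000:0000:0050"]
VPN_IPS = ["198.51.100.20"]

def parse_candidate(line):
    """Return address, port and type of one candidate line, or None if malformed."""
    fields = line.strip().split()
    if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
        return None
    return {"address": fields[4], "port": int(fields[5]), "type": fields[7]}

def classify(candidate, real_ips, vpn_ips):
    """Label a candidate 'mdns', 'leak', 'vpn', 'private' or 'other'."""
    host = candidate["address"]
    if host.endswith(".local"):
        return "mdns"  # browser hid the local address behind an mDNS name
    try:
        addr = ipaddress.ip_address(host)  # normalises IPv6 spelling before comparing
    except ValueError:
        return "other"  # a hostname we cannot compare
    if addr in {ipaddress.ip_address(ip) for ip in real_ips}:
        return "leak"
    if addr in {ipaddress.ip_address(ip) for ip in vpn_ips}:
        return "vpn"
    return "private" if addr.is_private else "other"

def webrtc_report(text, real_ips, vpn_ips):
    """Return [(address, candidate type, label)] for every well-formed line."""
    parsed = [parse_candidate(line) for line in text.splitlines()]
    return [(c["address"], c["type"], classify(c, real_ips, vpn_ips))
            for c in parsed if c]

for row in webrtc_report(CANDIDATES, REAL_IPS, VPN_IPS):
    print(row)
```

Comparing parsed addresses rather than strings matters for IPv6, where the same address can be written in long or compressed form.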
If you’ve successfully disabled WebRTC in your browser, you’ll see a message like this instead of an IP address:
Most IP leak types can affect any VPN protocol/provider at one time or another, but the best VPN services have built workarounds into their software to minimize the likelihood of an IP leak.
That’s why it’s extremely important to choose a high-quality VPN service, preferably one with excellent software and support.
Good bets include:
- Private Internet Access
This is not an all-inclusive list, but it’s a good place to start.
Here are some sites to help you check your connection for IP leaks, and to learn more about IP technology and leakage in general.