How to Check if Your VPN is Actually Working

You have installed a VPN, connected to a server in another country, and the app shows "Connected." But is your real IP address actually hidden?

Not necessarily.

VPN leaks are more common than most people realize. DNS leaks, WebRTC leaks, and IPv6 leaks can all expose your real IP address and location — even while your VPN shows a reassuring green checkmark. A misconfigured VPN can give you a false sense of security that is worse than no VPN at all.

This guide walks through every leak type, how to test for it in under two minutes, and exactly how to fix it.

Start with the simplest check:

1. Disconnect your VPN completely (not just paused — fully disconnected). 2. Visit our homepage and note your IP address, location, and ISP. Write these down or take a screenshot. 3. Connect your VPN to a server — ideally in a different country to make the difference obvious. 4. Hard-refresh the page (Ctrl+Shift+R on Windows/Linux, Cmd+Shift+R on Mac) to bypass any browser caching.

What you should see after connecting: • A completely different IP address • A location matching your chosen VPN server city (not your real location) • An ISP showing the VPN provider's hosting company (not your real ISP)

Red flags to watch for: • Same IP as before → your VPN is not routing traffic correctly • Location unchanged → possible DNS leak or your VPN is using split tunneling • Your real ISP still visible → DNS leak (your DNS queries are bypassing the VPN) • IP changed but location still shows your city → VPN exit node is in the same city as you (common — try a different server)

A DNS leak is the most common VPN failure mode — and the sneakiest. Your visible IP address changes, but your DNS queries (which reveal every domain you visit) still go through your real ISP's DNS resolver.

Why this matters: Even if a website cannot see your real IP, your ISP can still log that you visited it by watching your DNS traffic. This undermines the main privacy reason to use a VPN.

How to test for DNS leaks: 1. Stay connected to your VPN. 2. Open a command prompt or terminal. 3. Run: nslookup whoami.akamai.net 4. The IP address in the response should belong to your VPN provider's network, not your ISP.

Alternatively: look up any domain using our DNS lookup tool while connected. If the resolver IPs in the results belong to your ISP (check against the ISP name shown on our homepage), you have a DNS leak.

How to fix DNS leaks: • Enable "DNS leak protection" in your VPN app settings (most quality VPNs have this). • Set your DNS manually to your VPN provider's DNS servers (check their docs for the addresses). • On Windows: Open PowerShell as admin and run: Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses ("VPN_DNS_IP"). Also disable Smart Multi-Homed Name Resolution via Group Policy. • On macOS: System Settings → Network → your connection → Details → DNS → remove all non-VPN entries. • Alternatively, switch to a VPN provider with better DNS handling. Mullvad and ProtonVPN are strongest on this.

WebRTC is a browser technology built for real-time communication — video calls, screen sharing, peer-to-peer file transfers. The problem for VPN users: WebRTC can create direct connections between your browser and remote servers that bypass the VPN tunnel entirely, revealing your real IP address.

This affects Chrome, Firefox, Edge, and Opera by default. Safari has WebRTC leak protection built in. Brave has it as an option in settings.

How to test: 1. Connect to your VPN. 2. In your browser, search for "WebRTC leak test" and use any of the top results. 3. Look for your real IP address appearing in the "Local IP addresses" or "Public IP addresses" sections. 4. If your real IP appears alongside your VPN IP, you have a WebRTC leak.

How to fix WebRTC leaks:

Firefox: Type about:config in the address bar → search for media.peerconnection.enabled → set it to false. This disables WebRTC entirely (may break video calling apps).

Chrome/Edge: Install the "WebRTC Network Limiter" extension from Google (official). Set it to "Use my default public IP address only."

Brave: Settings → Privacy and security → WebRTC IP handling policy → set to "Disable non-proxied UDP."

Your VPN app: Many modern VPN clients (NordVPN, ExpressVPN, Mullvad) include WebRTC leak protection. Check your VPN app's privacy settings and enable it if available.

Most VPNs were originally built for IPv4. As IPv6 has grown, many VPN services have lagged behind — they tunnel your IPv4 traffic but leave IPv6 connections unprotected. If you have an IPv6 address (which most modern ISPs assign), it can leak through even with your VPN active.

How to test: 1. Connect to your VPN. 2. Visit our homepage and check if an IPv6 address is displayed. 3. If you see an IPv6 address that starts with the same prefix as your normal connection (not the VPN's IPv6 range), you have a leak.

How to tell: If you note your IPv6 address before connecting to the VPN, it should be completely different (or absent) when connected. If it is unchanged, your IPv6 traffic is not tunneled.

How to fix IPv6 leaks: • Enable "IPv6 leak protection" in your VPN app settings — most major VPN clients now include this. • If your VPN does not support IPv6 tunneling, you can disable IPv6 on your device: - Windows: In Network Adapter settings, uncheck "Internet Protocol Version 6 (TCP/IPv6)" - macOS: System Settings → Network → your connection → Details → TCP/IP → Configure IPv6: Off - Linux: Add net.ipv6.conf.all.disable_ipv6=1 to /etc/sysctl.conf • Consider switching to a VPN provider with full IPv6 support (Mullvad supports it natively).

A kill switch is a safety net: if your VPN connection drops unexpectedly, the kill switch blocks all internet traffic until the VPN reconnects. Without it, every dropped connection briefly exposes your real IP — and if you are downloading something in the background, that data continues with your real IP.

How to test: 1. Connect to your VPN and confirm your IP is hidden. 2. Simulate a VPN drop: disconnect your VPN (or temporarily disable the network adapter your VPN uses) while trying to load a website. 3. If the website loads with your real IP, your kill switch is either disabled or not working. 4. Reconnect the VPN — the kill switch should re-enable internet access automatically.

Expected behavior with working kill switch: No internet access during the drop. The page fails or shows a network error.

How to enable: Every major VPN provider (NordVPN, ExpressVPN, ProtonVPN, Mullvad) has a kill switch in their settings. Look for "Kill Switch," "Network Lock," or "Always-on VPN." Enable it and leave it on permanently.

Mobile note: On iOS, use the "On Demand" feature in VPN settings to reconnect automatically. On Android, enable "Always-on VPN" in Settings → Network & internet → VPN.

Understanding why leaks happen helps you prevent them:

Split tunneling — Many VPN apps offer split tunneling, which routes some traffic outside the VPN for speed. If split tunneling is enabled and misconfigured, your browser may not be tunneled at all. Disable split tunneling if you are not actively using it.

VPN connection drops — VPN connections drop due to network switching (moving from Wi-Fi to mobile), ISP instability, or the VPN server going down. Each drop briefly exposes your real IP. This is why the kill switch matters.

Browser extensions or plugins — Some browser extensions make network requests independently and may bypass your VPN. Test in a fresh private window with no extensions active to isolate whether the leak is browser-related.

Operating system network stack issues — On Windows, some DNS settings persist across network changes. This can cause DNS queries to go to your ISP's server even when the VPN is connected. The fix: flush your DNS cache (ipconfig /flushdns) after connecting to your VPN.

Outdated VPN app — VPN clients are regularly updated to fix leak vulnerabilities. Keep your VPN app updated. If you have not updated in more than a few months, do it now.

Even a perfectly configured, zero-leak VPN hides only your IP address. Your browser still sends dozens of other identifying signals with every request.

• User-Agent — your browser name and version • Accept-Language — your language preferences (often unique to your locale) • Browser fingerprint — the combination of your screen resolution, installed fonts, canvas rendering, WebGL renderer, and 15+ other signals that can identify your browser uniquely, regardless of IP

This is why privacy-focused users combine a VPN with a privacy-respecting browser (Firefox or Brave with fingerprinting protection), or use Tor Browser which normalizes all these signals.

Check your browser's HTTP headers to see the full request headers your browser sends. Or run a live browser fingerprint check to see your canvas hash, WebGL renderer, installed fonts, and the 20 signals that identify you regardless of VPN. It is often more revealing than the IP address itself.

Run through this list whenever you connect to a new VPN server, update your VPN app, or switch networks:

✓ IP address is different from your real one (check on our homepage) ✓ Location matches your chosen VPN server ✓ ISP shows VPN provider's network, not your real ISP ✓ No DNS leaks (DNS queries go through the VPN tunnel) ✓ No WebRTC leaks (real IP not exposed in browser) ✓ No IPv6 leaks (IPv6 traffic is tunneled or blocked) ✓ Kill switch is enabled and tested ✓ Split tunneling is off (unless deliberately configured) ✓ VPN app is up to date

Bookmark our IP lookup tool for quick checks. For a dedicated leak test guide with browser console scripts, see our VPN IP leak test guide. A 10-second verification after connecting can save you from hours of unprotected browsing.