A VPN leak is when your real IP address or DNS queries escape the encrypted tunnel and become visible to websites or your ISP, even though the VPN is connected. The three common types are WebRTC leaks, DNS leaks, and IPv6 leaks.

How do I fix a WebRTC leak?

Block WebRTC's access to your real IP: in Firefox set media.peerconnection.enabled to false in about:config; in Chrome/Edge install a trusted WebRTC-control extension; or use a VPN with built-in WebRTC leak protection. Then re-test to confirm only your VPN IP appears.

How do I stop a DNS leak?

Use a VPN that routes DNS through its own servers and enable its 'DNS leak protection' or kill switch. On the OS, set DNS to the VPN's resolver and disable smart multi-homed name resolution (Windows). Confirm with a dedicated DNS leak test.

How do I fix an IPv6 leak?

Either use a VPN that tunnels IPv6, or disable IPv6 on your device so only the protected IPv4 tunnel is used. Many IPv4-only VPNs leave IPv6 traffic exposed unless IPv6 leak protection is enabled.

Does a VPN leak mean my VPN is broken?

Not necessarily. Leaks usually come from browser features (WebRTC), OS DNS settings, or IPv6 connectivity the VPN doesn't cover — not from broken encryption. Fixing the specific leak source restores full protection.

June 6, 2026 · 11 min read

How to Fix a VPN Leak (WebRTC, DNS, IPv6)

A VPN can still leak your real IP through WebRTC, DNS requests, or IPv6. Here's how each leak happens and the exact steps to fix it in your browser, OS, and VPN app.

Your VPN is connected, the app says "protected" — and a website can still see your real IP. That's a VPN leak: your real address or DNS queries slipping out around the tunnel. This guide covers the three that matter — WebRTC, DNS, and IPv6 — what each one is, and the exact steps to fix it. Start by checking your own connection with our VPN leak test, then fix whatever it flags.

Quick answer

Leak	What escapes	Fastest fix
WebRTC	Your real IP via browser peer-to-peer	Disable/limit WebRTC in the browser, or use WebRTC leak protection
DNS	Which sites you visit, to your ISP's resolver	Force DNS through the VPN + enable DNS leak protection
IPv6	Your real IPv6 address	Tunnel IPv6, or disable IPv6 on the device

A leak almost never means broken encryption — it means a feature outside the tunnel (a browser API, an OS DNS setting, or IPv6 routing) found another way out.

WebRTC leaks

WebRTC is the browser tech behind video calls and peer-to-peer connections. To set up those connections it asks a STUN server "what's my public IP?" — and that answer can be your real IP, sent directly over UDP, bypassing your VPN's normal routing. Worse, it can also expose local network IPs and your mDNS .local hostname.

You have a WebRTC leak if the test shows a public IP different from your VPN's IP.

Fix it by browser

Browser	How to stop WebRTC IP exposure
Firefox	`about:config` → set `media.peerconnection.enabled` to false
Chrome	No native toggle — install a reputable WebRTC-control extension, or use a VPN with WebRTC protection
Edge	Same as Chrome (Chromium) — use an extension or VPN-level protection
Safari	Settings → Advanced → "Show Develop menu" → Develop → WebRTC → disable "ICE Candidate Restriction" bypass; or rely on Safari's mDNS masking
Brave	Settings → Shields/Privacy → WebRTC IP Handling Policy → "Disable Non-Proxied UDP"

The most reliable option is a VPN with built-in WebRTC leak protection — it neutralizes the leak without breaking video calls entirely. After changing anything, re-run the test: only your VPN IP should appear.

DNS leaks

Every site you visit starts with a DNS lookup ("what's the IP for example.com?"). If those lookups go to your ISP's resolver instead of through the VPN, your ISP still sees every domain you visit — even though your traffic is encrypted. That's a DNS leak.

Why a web page can't fully detect this: a browser can't read your OS/VPN resolver directly. Dedicated DNS-leak sites detect it by resolving a unique hostname on their own authoritative DNS servers and logging which resolver asks. Our tool is edge-safe, so it flags DNS as a manual check and points you to the right test rather than faking a result.

Fix it

Use a VPN that runs its own DNS and routes lookups through the tunnel. Turn on its "DNS leak protection" setting.
Enable the kill switch so traffic (and DNS) is blocked if the tunnel drops.
Windows: disable Smart Multi-Homed Name Resolution (it queries all adapters at once). Set your DNS to the VPN's resolver, or a private one like 1.1.1.1 / 8.8.8.8.
Router VPNs: set the router's DNS to the VPN provider's servers so every device inherits it.
Confirm with a dedicated DNS leak test — you should see only your VPN's DNS servers, never your ISP's. You can also sanity-check resolution on our DNS tool, which queries over DoH.

IPv6 leaks

Many VPNs only tunnel IPv4. If your network also has IPv6, your device may reach sites over IPv6 outside the tunnel — exposing your real IPv6 address while IPv4 looks protected. Our test flags this when it sees a public IPv6 address.

Fix it

Best: use a VPN that fully tunnels IPv6 (check for "IPv6 support" or "IPv6 leak protection").
Simple: disable IPv6 on the device or router so only the protected IPv4 tunnel is used:
- Windows: Network adapter → Properties → untick Internet Protocol Version 6 (TCP/IPv6).
- macOS: networksetup -setv6off Wi-Fi (or Ethernet).
- Linux: set net.ipv6.conf.all.disable_ipv6 = 1 in sysctl.
- Router: disable IPv6 in the WAN/connection settings.
Re-test; the IPv6 row should read no public IPv6 exposure.

Read your test result

Our VPN leak test gives a single verdict plus a per-category breakdown:

No leaks detected — WebRTC shows only your VPN IP, no public IPv6.
Leak detected — WebRTC exposed a public IP your connection hides. Fix WebRTC first.
Review recommended — IPv6 or a local IP is visible; tighten IPv6 or browser settings.
DNS: manual check — verify with a dedicated DNS leak test (see above).

The 60-second checklist

Run the leak test with your VPN on.
WebRTC leak? Disable/limit WebRTC in your browser or enable VPN WebRTC protection.
IPv6 visible? Tunnel IPv6 or disable it on the device.
DNS? Turn on the VPN's DNS leak protection + kill switch; verify with a DNS-leak test.
Re-test until every row is clean.

Want the background on how these leaks expose you and how a VPN is supposed to mask your IP? Read WebRTC, DNS & IP Leaks Explained and What Is a VPN and How Does It Change Your IP. To see your current egress IP at any time, use What Is My IP.