What are IP leaks and how can you prevent them?
An IP leak, by definition, is quite simply what happens when your real IP address should be hidden, but it’s not. IP leaks are inexorably tied to Virtual Private Networks (VPN), which hide your original IP address and substitute it for the IP address of the VPN server to which you’re connected. VPNs also swap out your DNS servers, typically to their own, in-tunnel, DNS servers, so that third parties can’t obtain your web history through your DNS requests. With these measures in place, when you’re connected to the VPN, you’re more difficult to identify, locate, and track, enhancing your online privacy. That’s essentially a VPN’s raison d’être.
The above is how things are supposed to work. But sometimes, things go wrong, and your original IP address or the IP address of your DNS server(s) is exposed despite being connected to the VPN server. If and when that happens, you’ve got IP address leaks.
In this post, we’ll look at the most common IP address leaks, explain what causes them, and what you can do to prevent them.
But do bear in mind that if you’re using a high-quality VPN service, you shouldn’t experience IP leaks of any kind. While we offer some solutions to IP leaks in this post, I would recommend changing providers as a real solution and only use the tips provided here as a stop-gap measure until you make the switch.
Every device connected to your home network typically has two IP addresses: a private IP address and a public IP address. So, your desktop, laptop, tablet, smartphone each have a private IP address that they use to “talk” to each other over your home network. For example, your iPhone “talking” to your Plex server when you want to play a song or a video. Private IP addresses are assigned to your devices by your router and are typically in the range 192.168.X.X, 10.X.X.X, or 172.16.X.X. You may have seen these before.
On top of that, each device on your network also shares a public IP address used to connect to the internet – private IP addresses are not routable over the internet. This IP address is assigned by your ISP and is shared by all your devices when making requests over the internet. When you connect to a VPN, your public IP address gets swapped out for the IP address of the VPN server you’re connected to, so you appear to be at the same location as the VPN server rather than your actual location.
Whether public or private, there are two kinds of IP addresses today: IPv4 and IPv6 addresses. My private IP address example above used IPv4 addresses. An IPv4 address is made up of four numbers, ranging from 0 to 255, separated by periods.
IPv6 addresses are made up of eight groups of four hexadecimal digits, each group being separated by colons. For example, 2002:0de6:0001:0084:0100:9c4e:0390:7244. IPv6 addressing came about because we’re running out of possible IPv4 address combinations.
All that to say that these days, with us growing ever closer to the exhaustion of IPv4 addresses, some ISPs now assign two public IP addresses to their customers, one IPv4 address and one IPv6 address. If that’s your situation, you’re going to need to take care of both your public IP addresses (IPv4 and IPv6) in one way or another, when using an IP masking service, such as a VPN. If one of your public IP addresses is leaking, you’ll have compromised your privacy.
How to test for IP leaks?
Compare the results from these sites with the VPN connected and with it disconnected. If any of the IP addresses that appear are the same before and after connecting to the VPN, then you have a leak.
Either of these sites will list your detected IPv4, IPv6, DNS, and WebRTC addresses. If any of these display your ISP-assigned IPv4, IPv6, DNS, or WebRTC IP address rather than their VPN-assigned counterparts, you’ve got an IP address leak.
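The before/after comparison above can also be scripted on a Linux or macOS machine. This is an added example, not code from the original article: it assumes ipify.org as the "what is my IP" service and reads the active resolver from /etc/resolv.conf, which only shows the configured DNS server, not requests that bypass it.

```shell
#!/bin/sh
# Snapshot public IPv4/IPv6 and the configured DNS resolver, then compare a
# "VPN off" snapshot with a "VPN on" snapshot. Any field that is identical in
# both snapshots is still reaching the internet outside the tunnel.
# Assumptions (not from the article): ipify.org as the IP echo service,
# /etc/resolv.conf as the source of the active resolver.

# take_snapshot FILE: write key=value lines describing the current exposure.
take_snapshot() {
  out=$1
  v4=$(curl -4 -s --max-time 5 https://api.ipify.org || echo none)
  v6=$(curl -6 -s --max-time 5 https://api64.ipify.org || echo none)
  dns=$(awk '/^nameserver/ {print $2; exit}' /etc/resolv.conf 2>/dev/null || echo none)
  printf 'ipv4=%s\nipv6=%s\ndns=%s\n' "${v4:-none}" "${v6:-none}" "${dns:-none}" > "$out"
}

# leaked_fields BEFORE AFTER: print every field whose value did not change
# between the two snapshots (fields that were 'none' in both are ignored).
# Returns 0 when nothing leaked, 1 when at least one field is unchanged.
leaked_fields() {
  before=$1; after=$2; rc=0
  for key in ipv4 ipv6 dns; do
    a=$(sed -n "s/^$key=//p" "$before")
    b=$(sed -n "s/^$key=//p" "$after")
    if [ "$a" = "$b" ] && [ "$a" != "none" ]; then
      echo "$key leak: $a is visible with and without the VPN"
      rc=1
    fi
  done
  return $rc
}

# Usage: run "before" with the VPN disconnected, "after" with it connected,
# then "compare". Nothing runs when the script is sourced without arguments.
case "${1:-}" in
  before|after) take_snapshot "leak-$1.txt" ;;
  compare)      leaked_fields leak-before.txt leak-after.txt ;;
esac
```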
Onto the leaks. We’re going to start with IPv6 leaks.
The vast majority of internet users today still primarily use IPv4 addresses. Most VPN providers don’t support IPv6 yet, so the most common scenario is your IPv6 address leaking and undoing the work done to mask your IPv4 address. If your IPv4 address is leaking while connected to a VPN, it likely means the connection failed. Either that or your VPN isn’t doing anything at all, which seems unlikely – but you never know.
IPv6 leaks happen when a VPN provider fails to do one of two things:
- Fully support IPv6 and tunnel all IPv6 traffic through the VPN.
- Disable IPv6 traffic altogether at the system level.
Preventing IPv6 leaks
- Choose a VPN service that fully supports and tunnels IPv6 traffic, or that blocks IPv6 traffic outright.
- Choose a VPN service that provides a client app with IPv6 leak protection.
- Disable IPv6 manually on your device. We have a full article that will explain how to disable IPv6 on macOS and Windows.
DNS stands for domain name system. And the domain name system is what allows you to access websites by name rather than by IP address. So when you type website.com in your browser, a connection is first made to a DNS server to translate website.com into an IP address, and then you’re sent off to the website.
That means that if I can snoop on your DNS requests, I can see your entire web browsing history – even if you’re connected to a VPN. And that’s why a decent VPN will swap out your original DNS servers (which usually come from your ISP) with their own, in-tunnel DNS servers: so that all of your activity remains within the VPN tunnel.
DNS leaks can happen for different reasons. But it usually comes down to:
- A poorly built native VPN client app that fails to route DNS requests properly.
- A poorly built native VPN client app that fails to account for IPv6 DNS servers, causing an IPv6 DNS leak.
- A DNS misconfiguration in a third-party client app.
- A device operating system failing to route the DNS requests through the VPN.
- A VPN uses the device’s default DNS servers instead of its own.
Preventing DNS leaks
- Choose a VPN service that provides DNS leak protection (routing your DNS requests to the provider’s in-tunnel DNS servers).
- Check your VPN using our DNS Leak Test.
- If you’re experiencing an IPv6 DNS leak only, disable IPv6 manually on your system.
- Manually change your DNS servers on your system to your VPN provider’s DNS servers. This won’t technically fix the leak itself, but you’ll be leaking DNS to your VPN provider instead of your ISP. Your DNS requests will be resolved by your VPN provider’s in-tunnel DNS servers.
WebRTC is a set of browser APIs, part of the HTML5 web platform, that allows voice and video communication from a web browser. Almost all modern browsers now support WebRTC, including Chrome, Firefox, Opera, Edge, Safari, and Brave. WebRTC enables web apps to initiate peer-to-peer connections using nothing more than a stock web browser.
The issue with WebRTC is that even if you’re connected to a VPN, when you visit a WebRTC-enabled website, it can interact with your device and transmit data outside of the VPN tunnel. That interaction will reveal your real IP address to the website in question, defeating the privacy enhancements of the VPN.
WebRTC leaks can happen when:
- A poorly built VPN client app fails to address WebRTC leaks on IPv4 or IPv6.
Mitigating WebRTC leaks
- Use a VPN service that mitigates WebRTC leaks.
- Disable WebRTC manually in your browser. Here’s a good guide on how to disable WebRTC in your web browser.
VPN disconnects & network disruptions
There are other scenarios in which your IP address may leak: if your VPN connection suddenly drops or you experience a network disruption (WiFi suddenly becoming inaccessible, for example), which causes your VPN to start leaking or to disconnect altogether. As opposed to the other causes for IP leaks described above, the leaks described here are temporary rather than persistent. And that’s because disconnect and disruption leaks are triggered by an external event.
Dropouts can particularly affect people who torrent over VPN. Obtaining large files can take a lot of time. Hence, many torrenters leave their computer unattended as they wait for the download(s) to finish. If a VPN dropout were to occur while the computer is unattended, you might be leaking your IP address for hours as your traffic goes through your ISP connection.
Dropouts can also affect mobile users that switch between WiFi and mobile data while connected to a VPN. Your VPN may disconnect during the switch, exposing your real IP until the connection is reestablished. Or the switch may trigger a network disruption, and your VPN app may start leaking data. It only takes a few seconds to compromise your privacy online.
VPN connections, like any other network connection, are susceptible to network disruptions and can fail. A properly implemented kill switch may help you in case of an outright disconnect. But your VPN connection won’t necessarily disconnect after a network disruption; it may simply end up in a misconfigured state and start leaking data – a kill switch won’t help you in that situation.
So a disconnect leak is easier to manage than a network disruption leak because a kill switch will help you. But for disruption leaks, there isn’t much you can do. The only thing I would recommend is to test your VPN connection for leaks regularly. It shouldn’t take you long to find out if your VPN provider is consistently leaking data. If that’s the case, switch providers.
Here’s an article in which VPN providers were tested for various types of leaks – it’s a pretty sobering read.
Mitigating VPN disconnect & network disruption leaks
- Choose a VPN provider that has a built-in kill switch in its client app. This article lists some well-established VPN providers that support kill switches and on which platform (not all providers support kill switches in all of their apps).
- If you have some networking skills and you’ve installed an outgoing firewall on your system, you can create your own kill switch manually. I won’t go into specifics as the exact method depends on the firewall you’ve installed. But basically, you need to add one firewall rule that blocks all outgoing traffic on your ISP gateway. Then add another rule that allows traffic out your VPN gateway. The advantage of this method is that even if your VPN app completely crashes, your kill switch will remain intact. Here’s a guide on how to create a VPN kill switch in Linux.
- Regularly test your VPN connection for leaks and switch providers if it consistently leaks.
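The two-rule kill switch described above, written for nftables on Linux as an added example (not from the article or any VPN provider): block everything leaving the physical interface except the encrypted tunnel traffic to the VPN server, and allow everything that leaves through the tunnel interface. Interface names, server address and port are constructed placeholders; the inet table family means the drop policy covers IPv6 as well, which also closes the IPv6 leak discussed earlier.

```shell
#!/bin/sh
# nftables kill switch: drop every outgoing packet unless it leaves through the
# VPN tunnel interface or is the tunnel's own encrypted traffic to the VPN
# server. The "inet" family applies the drop policy to IPv4 and IPv6 alike.
# Pass the VPN server's IP address, not its hostname: once the switch is on,
# name resolution outside the tunnel is blocked too.
# All interface names, addresses and ports here are constructed placeholders.

# killswitch_rules WAN_IF VPN_SERVER_IP VPN_PORT PROTO TUN_IF
# Prints an nft ruleset on stdout; nothing is applied by this function.
killswitch_rules() {
  wan=$1; server=$2; port=$3; proto=$4; tun=$5
  cat <<EOF
add table inet killswitch
flush table inet killswitch
table inet killswitch {
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    # anything already going through the tunnel is fine
    oifname "$tun" accept
    # the encrypted tunnel itself must be able to reach the VPN server
    oifname "$wan" ip daddr $server $proto dport $port accept
    # keep DHCP lease renewals working on the physical interface
    oifname "$wan" udp dport 67 accept
  }
}
EOF
}

# apply_killswitch: load the ruleset (needs root). It survives a crash of the
# VPN app because the rules live in the kernel, not in the app.
apply_killswitch() { killswitch_rules "$@" | nft -f -; }

# disable_killswitch: remove the table and restore normal egress.
disable_killswitch() { nft delete table inet killswitch; }

# Usage: sh killswitch.sh show|on|off  (placeholder values below)
case "${1:-}" in
  show) killswitch_rules eth0 203.0.113.10 1194 udp tun0 ;;
  on)   apply_killswitch eth0 203.0.113.10 1194 udp tun0 ;;
  off)  disable_killswitch ;;
esac
```

Run `show` first and check the printed ruleset before running `on`; if the VPN drops, the tunnel interface disappears and nothing else can leave the machine until it comes back or you run `off`.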
So that, in a nutshell, is the deal with IP leaks. IP leaks are a big deal. An IP leak breaks a VPN’s main purpose: to hide your real IP address and location. When you pay for a VPN that leaks your IP one way or another, what are you paying for? I believe that having the illusion of security is much worse than not being secure and being aware of it.
Luckily, testing for IP leaks is easy, as is the best way to fix IP leaks: choose a VPN provider that doesn’t leak. (It really isn’t that difficult.)