One unknown secret of the VPN industry is that most VPNs leak.
One in-depth study of Android free VPN apps found that 84% leaked the user’s IP address. I’ve also confirmed that many paid VPNs are also vulnerable to traffic leaks.
In other words, many of the VPN services that market themselves as privacy and security solutions are in fact leaking your IP address and/or DNS requests. These leaks leave you exposed, which in turn could put you in a dangerous situation depending on your circumstances, location, and online activities – such as political dissidents and journalists in oppressive countries.
Also concerning is the fact that many VPNs have broken features. This is often the case with “kill switches” that do not effectively block traffic or “IPv6 leak protection” that does not secure your IPv6 address. It only takes one leaked packet to expose your identity and activities to third parties.
In this guide we’ll cover two different levels of VPN tests:
- Basic tests – These are the tests that anyone can run. Simply connect to your VPN and then hit the testing sites. Unfortunately, these basic tests will not identify all leaks (such as brief reconnection leaks).
- Advanced tests – These tests require more technical proficiency to get everything setup correctly, but they will identify any leaks you may have with your VPN. ExpressVPN put together the best testing suite available for in-depth leak testing. These testing tools are open source and available on GitHub.
We’ll start with basic VPN test procedures to identify obvious problems.
Basic VPN tests
Below are basic steps for identifying:
- DNS leaks
- IP address leaks (IPv4 and IPv6)
- WebRTC leaks
With these basic tests, you are relying on the testing website to identify problems. But as we noted above, you may have leaks that the test website does not pick up, which is why the advanced tests are the best solution.
Test for VPN leaks
To test for active leaks, simply connect to a VPN server and visit the test site. You are checking to see how the VPN performs when the tunnel is active and stable.
You can also simulate different interruptions to see how well the VPN does if network connectivity drops. For example:
- Connect to a VPN server and load ipleak.net in your internet browser.
- Manually interrupt your internet connection (disconnect the ethernet cable or WiFi) while the VPN client is running.
- Reconnect to the internet and also load a few different test websites to see if your VPN is leaking upon reconnection.
This will help you to identify obvious problems with your VPN, but it won’t definitively identify all leaks (see advanced tests below).
VPN test websites
Here are a few testing sites you can use to check for different leaks:
- ipleak.net (IPv4, IPv6, WebRTC, and DNS) – from AirVPN
- Perfect Privacy Test tools (IPv4 and IPv6, DNS, WebRTC) – from Perfect Privacy
- ExpressVPN leak tests (IPv4, DNS, WebRTC) – from ExpressVPN
- test-ipv6.com (IPv4 and IPv6)
- dnsleaktest.com (use extended test)
- BrowserLeaks WebRTC Test
- ipx.ac (IPv4, IPv6, WebRTC, DNS, browser fingerprinting and more) – from VPN.ac
- ipleak.org (IPv4, IPv6, WebRTC, DNS) – from VPNArea
Now let’s see what a VPN leak looks like.
Identifying VPN leaks
When you use the testing site ipleak.net, it is fairly easy to identify leaks and problems, especially when you are connected to a VPN server outside your country. Note, the WebRTC leak test will show local IP addresses (usually beginning with 10.xxx or 192.xxx or sometimes an alpha-numeric IPv6 address that is also local). These are not leaks, but rather your local IP addresses (further explained here). If you see your real (Public) IPv4 or IPv6 under the WebRTC section, then these are indeed WebRTC leaks.
Below you can see that I redacted the IP addresses in red where I experienced leaks with a VPN Unlimited server in the UK.
With the test results above you find:
- IPv4 address from UK server, but my real IPv6 address below (leak).
- Local IP address on the left (redacted, not a leak), but my public IPv6 address on right (WebRTC leak).
- IP address (DNS) from VPN server on left, but my internet service provider’s IP address on the right (DNS leak).
Example with no leaks
Now here are the test results when connected to a Perfect Privacy server in Sweden. Note, in the screenshot below, I am using a multi-hop VPN chain, using servers in Frankfurt, Copenhagen, Calais, and Malmo. The last server in the chain (Sweden) corresponds to the VPN tests results below.
In the screenshot above you see:
- IPv4 and IPv6 addresses from the Perfect Privacy server
- Local IP addresses under WebRTC detection (no public IP addresses, no leaks)
- DNS addresses from Perfect Privacy servers (Perfect Privacy uses multiple, secure DNS resolves)
Note on locations: The various testing sites use international IP address databases (RIPE) for the location. These location databases are not always accurate and may be outdated. To determine the true location of any VPN server, you need to ping the server from different worldwide locations using the steps in this guide.
If you are using Perfect Privacy with the NeuroRouting feature, you may have different locations for IPv4, IPv6, and DNS requests, which depends on the leak test website. (Different locations are not leaks.)
Advanced VPN tests
The best method for identifying VPN leaks is to create a testing suite for your operating system and then run a barrage of tests to analyze traffic for leaked packets.
Creating a testing suite to capture and analyze traffic can be somewhat complex depending on the operating system you are using. Thankfully, ExpressVPN released and advanced VPN testing suite, which they use internally to leak-proof all of their VPN apps.
ExpressVPN’s leak-testing tools are free, open source, and available on GitHub here.
This level of testing should effectively identify any leaks with Windows, Mac OS, and Linux.
If you are serious about security and online anonymity, you will want to run your VPN through these advanced tests to identify any problems, rather than just relying on the basic tests to identify problems.
Quick start – Check out the quick start guide to set up your test machines to identify leaks with your VPN service.
The Domain Name System (DNS) is a system for converting URLs, such as restoreprivacy.com, into a numerical IP address, such as 188.8.131.52.
Without a VPN, this translation process is handled by your internet service provider (ISP). But this can be problematic because your DNS requests are clear text logs of every website you visit. Internet service providers log can easily log these requests to record all browsing history of their customers. In the United States, the data can be sold to advertisers and other third parties. In the UK and Australia, the data is recorded and stored for up to two years and is available to authorities for whatever they want to do with it.
A DNS leak occurs when these translation requests leak out of the VPN tunnel, exposing the IP address (and location) of your ISP, as well as your browsing history. Many VPNs do not provide adequate DNS leak protection, which means your DNS requests are still going to your internet service provider.
- Perfect Privacy DNS Leak Test (This site seems to detect DNS leaks when other websites do not find problems. Below the tests results you can also find a detailed explanation of DNS leaks.)
- IP/DNS Test at ipleak.net (This is another DNS leak test tool that also includes IP address leak results.)
Connecting to a VPN server outside your country makes detecting DNS leaks easier. You can see above there are two DNS requests leaking out while connected to a VPN server in the United States.
A DNS leak does not expose your IP address, but instead the IP address and location of your internet service provider (which can be linked back to you). Additionally, this exposes your browsing history (DNS requests).
Solution to DNS leaks: Find a VPN that uses its own secured and encrypted DNS resolvers. Below are three VPNs that use only their own secure DNS resolvers and did not have any leaks that I could find:
- Perfect Privacy (based in Switzerland; read review)
- ExpressVPN (based in the British Virgin Islands; read review)
- VPN.ac (based in Romania; read review)
You can also manually configure your DNS requests to use other third-party options. Here’s a list of alternative DNS options from WikiLeaks.
IP address leaks (IPv4 and IPv6)
Solution for IP leaks: The best solution is to simply get a VPN that does not leak (see below).
Another option is to manually create firewall rules that block all non-VPN traffic, but this can be a hassle. IPv6 can also be manually disabled on most operating systems, but the gradual transition to IPv6 is well underway.
A WebRTC leak test is important for anyone using Firefox, Chrome, or Opera browsers. As explained here, the WebRTC issue is essentially a vulnerability with the browser – although there are some VPNs that protect against this. A WebRTC leak occurs when your IP address leaks out via WebRTC APIs.
Here are three different WebRTC leak tests:
- Perfect Privacy WebRTC Test (This tool will test to see if you have a WebRTC leak, while also providing a detailed explanation of WebRTC leaks at the bottom of the page.)
- BrowserLeaks WebRTC Test (Another WebRTC test that works well, also includes helpful WebRTC information.)
Solution for WebRTC leaks: Follow the steps in this WebRTC guide to disable or block WebRTC in your browser.
Two VPNs that offer full WebRTC leak protection are:
VPN speed test
If you’re looking to test VPN speed, here are three options:
What affects VPN speed?
There are many factors affecting speed that you should consider when testing. Here are a few:
- Distance between you and the VPN server – This is usually the biggest factor affecting speed. The further the distance, the slower the speed.
- Number of users on the VPN server – With so many VPNs over-selling their services, “popular” VPNs often have overloaded servers which results in slow speeds and dropped connections. Look for a VPN that provides a server status page with real-time bandwidth information. Two examples of this are VPN.ac (see VPN Nodes Status at the top of the page) and Perfect Privacy’s server status page.
- Regional bandwidth restrictions – Many countries have poor bandwidth infrastructure, which will limit your speed, regardless of how fast your ISP or VPN server is. A few examples of this are Germany and Australia. Another regional consideration is how many people are online at a given time of the day. High usage times can slow down speeds for everyone.
- Internet Service Provider – No matter how fast a VPN server is, it won’t be faster than the speed provided by your ISP. The only exception to this rule is if your ISP is throttling (limiting) your bandwidth. They sometimes do this if you’re doing something they don’t like (such as torrenting). A VPN can potentially help with this issue by encrypting your connection and hiding your online activity from your ISP.
- Processing Power – Whenever you’re using a VPN, your computer is working in the background to encrypt and decrypt packets of information. This takes processing power. The faster your internet speed when using a VPN, the more processing power is needed. So even if your ISP and VPN are fast, your CPU may be limiting your full speed potential (but this mainly applies to very high speeds).
VPN malware tests
Malware embedded in mobile VPN applications is a major problem to be aware of.
There has been an explosion of various free VPN apps available in the Google Play and Apple Stores. Just like with other free products, such as Gmail and Facebook, the platform is monetizing the user by collecting and selling your data to third parties.
Test for malware – To test for malware, simply upload the software file to VirusTotal. The database will scan the file using over 60 different Antivirus tests. While there is a chance for false positives, researchers define a malicious app as one having four or more positive test results.
VPNs with the best leak protection
There are two VPNs that I have found to do the best job of protecting users against leaks in all types of scenarios including, reconnections, network interruptions, and VPN crashes. These two VPNs offer the best built-in leak protection features:
- ExpressVPN – Offers advanced leak protection settings and a great selection of apps for different devices. The standard price is $8.32 per month, but you can get it for $6.67 per month with this discount coupon (applied at checkout page).
- Perfect Privacy – Offers very advanced leak protection settings along with full IPv6 support, but it’s somewhat expensive at €8.95 ($10.50) per month.
Whichever VPN you decide to use, it’s a good idea to periodically check for leaks and other issues, especially after new updates.