You pay for a VPN monthly and assume it’s protecting your traffic. But VPN companies are not immune to configuration errors, and many VPNs have critical flaws: DNS leaks revealing browsing history, WebRTC leaks exposing real IP addresses, IPv6 leaks bypassing encryption entirely, and kill switches that don’t trigger.

This guide walks through eight verification tests you can run right now to confirm your VPN is actually working. No technical background required. All tools are free.

Table of Contents

• Test 1 - DNS Leak Detection (Most Common)
• VPN Security Model - What You’re Testing
• Prerequisites
• Advanced - Monitoring VPN Leaks (Automated)
• Troubleshooting

Test 1 - DNS Leak Detection (Most Common)

What it tests - Whether DNS queries go through the VPN or leak to ISP.

• On Mac - System Preferences > Network > IPv6 > Off.
• Better alternative (no download): 1.
• • Use only servers: where kill switch verified.

VPN Security Model - What You’re Testing

A VPN tunnels all traffic through an encrypted pipe to a VPN server, which forwards requests to the internet. Your ISP sees encrypted data; your ISP cannot see what sites you visit.

However, misconfigurations break this model:

• DNS leak: VPN sends traffic through encrypted tunnel, but DNS queries go to ISP’s DNS server. ISP sees every site you visit.
• WebRTC leak: Browser’s WebRTC protocol bypasses VPN tunnel, exposing real IP address directly.
• IPv6 leak: You have an IPv6 address outside the VPN tunnel while using IPv4 inside it. Attackers can identify you via IPv6.
• Kill switch failure: Internet connection remains active if VPN disconnects. Real IP address becomes visible.

These are not theoretical; they’re common. A 2016 study found 38% of VPNs leaked DNS. Grab a free testing tool and verify your VPN today.

Prerequisites

Before you begin, make sure you have the following ready:

• A computer running macOS, Linux, or Windows
• Terminal or command-line access
• Administrator or sudo privileges (for system-level changes)
• A stable internet connection for downloading tools

Step 1: Test 1 - DNS Leak Detection (Most Common)

What it tests - Whether DNS queries go through the VPN or leak to ISP.

How to test:

1. Before VPN: Visit ipleak.net in browser (VPN disabled).
   • Note the “Your DNS servers” entries (typically ISP addresses like 1.1.1.1, 8.8.8.8).

2. Connect VPN: Turn on your VPN, choose a server location.

3. After VPN: Revisit ipleak.net.
   • DNS servers should change to VPN provider’s servers.
   • If DNS servers are still ISP addresses, you have a DNS leak.

• Before VPN: DNS = 71.252.0.0 (Comcast ISP)
• After VPN: DNS = 10.8.0.1 (VPN provider)
• PASS

If you see a leak:

• On Windows - Settings > Network > VPN > Advanced > DNS settings. Disable NRPT (Name Resolution Policy Table) or use manual DNS.
• On Mac - System Preferences > Network > VPN > Advanced > DNS. Ensure VPN DNS is listed first.
• On Linux - Edit /etc/resolv.conf to use VPN DNS, or use resolvectl to override system DNS.

ipleak.net verification: Free, no signup. Takes 30 seconds.

Step 2 - Test 2: WebRTC Leak Detection (Browser Vulnerability)

What it tests - Whether browser’s WebRTC protocol leaks your real IP address even with VPN connected.

How to test:

1. Before VPN: Visit ipleak.net/webrtc (VPN disabled).
   • Note the “Your IP addresses” listed (your real IP).

2. Connect VPN.

3. After VPN: Revisit ipleak.net/webrtc.
   • “Your IP addresses” should only show VPN server IP.
   • If your real IP appears, you have a WebRTC leak.

• Before VPN: IP = 203.0.113.45 (your real address)
• After VPN: IP = 185.199.108.200 (VPN server)
• PASS

If you see a leak:

• Chrome/Brave - Disable WebRTC in chrome://flags (search “webrtc”, toggle to disabled). May break video conferencing.
• Firefox - Enter about:config, search “media.peerconnection.enabled”, set to false.
• Safari - WebRTC leaks are common in Safari; disable if privacy is critical, use Firefox instead.
• Electron apps (Discord, Slack): No direct WebRTC control; these apps are at risk. Consider using web versions instead.

test: ipleak.net has a more thorough WebRTC test. Click “Show my IPv4 + IPv6 + DNS + WebRTC leak status”. but slower.

Step 3 - Test 3: IPv6 Leak Detection

What it tests - Whether you’re leaking an IPv6 address outside the VPN tunnel.

How to test:

1. Disable VPN. Visit ipleak.net/ipv6.
   • Note if an IPv6 address is displayed.
   • If no IPv6 is shown, your network doesn’t support IPv6; skip this test.

2. Enable VPN.

3. Revisit ipleak.net/ipv6.
   • If an IPv6 address is shown, you have an IPv6 leak.
   • IPv6 should be blocked or routed through VPN.

• Before VPN: IPv6 = 2001:db8::1 (your real IPv6)
• After VPN: IPv6 = (no address) OR IPv6 = 2001:db8::vvv (VPN’s IPv6)
• PASS

If you see a leak:

• Most VPNs don’t properly route IPv6. Solutions:
• Disable IPv6 on your system (simplest). On Windows - Device Manager > Network adapters > IPv6 > disable. On Mac - System Preferences > Network > IPv6 > Off. On Linux - echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6.
• Use VPN kill switch: If VPN doesn’t fully support IPv6, kill switch should block all IPv6 traffic.

Step 4 - Test 4: Real IP Address Leak (IP Geolocation Check)

What it tests - Whether your real IP address and location are visible.

How to test:

1. Disable VPN. Visit ipify.org or whatismyipaddress.com.
   • Note your IP address and city/country.

2. Connect VPN to a server in a different country (e.g., if you’re in US, choose Japan server).

3. Revisit the site.
   • IP should change to VPN server IP.
   • City/country should match VPN server location.
   • If your real IP or location is visible, you have a leak.

• Before VPN: IP = 203.0.113.45 (Los Angeles, USA)
• After VPN to Japan server: IP = 203.0.114.100 (Tokyo, Japan)
• PASS

If you see your real IP:

• Reconnect VPN.
• Clear browser cookies (Ctrl+Shift+Delete).
• Try a different VPN server location.
• If leak persists, contact VPN provider support.

Step 5 - Test 5: Kill Switch Verification (Critical Test)

What it tests - Whether your kill switch actually blocks all traffic if VPN disconnects.

This test temporarily breaks your internet connection. Save your work first.

How to test:

1. Start a download that will take 30+ seconds (e.g., torrent, large file).
2. Connect VPN.
3. Let download start. Confirm VPN is connected.
4. Disconnect VPN manually or unplug network cable.
   • If kill switch works: Download stops immediately; internet goes dark.
   • If kill switch fails: Download continues on real IP; major security breach.

Better alternative (no download):

1. Connect VPN.
2. Start streaming video on ipleak.net or run continuous ping in terminal.
3. Unplug VPN network interface (if on separate device/VM).
4. Observe:
   • Kill switch ON: Video stops, ping fails. Good.
   • Kill switch OFF: Video continues or ping resumes on real IP. Bad.

macOS Command-Line Test:

While VPN is connected:
ping 8.8.8.8

Stop VPN suddenly and observe ping output
Kill switch ON - Ping fails immediately
Kill switch OFF - Ping continues with high latency (real IP)

If kill switch fails:

• Most VPN apps have kill switch in Settings > Security > “Kill Switch” toggle.
• Enable it.
• Restart VPN.
• Re-test.

Step 6 - Test 6: VPN Disconnection Detection (Browser Leak Test)

What it tests - Whether your browser is aware of VPN disconnection.

How to test:

1. Connect VPN.
2. Open ipleak.net in browser.
3. Force disconnect VPN (unplug network, turn off WiFi, or kill VPN app).
4. Refresh ipleak.net page.
   • If kill switch works, page won’t load (internet is blocked).
   • If kill switch fails, page loads and shows your real IP. Leak.

Alternative - Use BrowserLeaks.com for leak testing. It tests:

• IP address
• WebRTC
• DNS
• Browser fingerprinting

All in one test. Very reliable.

Step 7 - Test 7: DNS Leak Over Time (Passive Test)

What it tests - Whether DNS leaks occur intermittently.

How to test:

1. Connect VPN.
2. Open Command Prompt / Terminal.
3. Run DNS query test repeatedly:

Windows:

nslookup google.com
nslookup google.com
nslookup google.com

macOS/Linux:

dig @8.8.8.8 google.com
dig @8.8.8.8 google.com
dig @8.8.8.8 google.com

1. Observe response times.
   • Consistent fast response: Likely going through VPN DNS cache.
   • Intermittent slow response: Possible fallback to ISP DNS.

Advanced - Use Wireshark (packet sniffer) to monitor DNS traffic. If you see DNS queries to non-VPN addresses, you have a leak. Requires technical knowledge; ipleak.net is simpler.

Step 8 - Test 8: Kill Switch Test with Multiple VPN Servers

What it tests - Whether kill switch works across all VPN servers.

How to test:

1. Connect to VPN Server A (e.g., US).
2. Run kill switch test (disconnect VPN, check if internet blocks).
3. Reconnect to Server B (e.g., Japan).
4. Repeat kill switch test.
5. Try a third server.

Why - Some VPNs have server-specific issues. Kill switch might work on US servers but fail on Japanese servers.

If you see variance:

• Contact VPN support with specific server locations.
• Use only servers where kill switch verified.

Step 9 - VPN Brands: Known Leak Issues (2026)

Generally safe (rare leaks):

• Mullvad VPN (independent audit, IPv6 support)
• IVPN (transparent, based in Gibraltar)
• ProtonVPN (owned by Swiss company Proton, audited)

Known issues:

• NordVPN: WebRTC leaks reported 2020, 2022 (likely fixed, still verify)
• ExpressVPN: DNS leaks in some regions
• CyberGhost: IPv6 leaks reported
• Windscribe: Kill switch occasionally fails (known issue)

Always verify your specific VPN. Don’t trust brand reputation alone.

Step 10 - Quick Test: 5-Minute Verification

If you only have 5 minutes:

1. Open ipleak.net in browser (VPN disconnected). Note ISP DNS and IP.
2. Connect VPN. Revisit ipleak.net.
3. Confirm DNS changed to VPN provider’s DNS.
4. Confirm IP changed to VPN server IP.
5. Disable VPN suddenly (unplug network). Try to refresh page.
6. If internet blocks, kill switch works. PASS.

That’s 90% of VPN verification in 5 minutes.

Advanced - Monitoring VPN Leaks (Automated)

If you want continuous monitoring:

Option 1 - CyberGhost’s leak test (desktop app):

• Built-in leak test in CyberGhost VPN app.
• Runs automatically on connect.
• Shows results in app dashboard.

Option 2 - VPN leak monitoring service:

• VPN Leak Test API (vpnleaktest.com/api)
• Automated checks via cron job.
• Alerts if leak detected.

Option 3 - Custom monitoring (Linux):

#!/bin/bash
Monitor for DNS leaks hourly

while true; do
  echo "Testing for DNS leaks..."
  curl -s https://ipleak.net/json | jq '.dns_leak'
  sleep 3600  # Check every hour
done

Step 11 - Verdict: Trust But Verify

VPN providers are not adversarial, but they’re also not immune to mistakes. A DNS leak, WebRTC leak, or kill switch failure is a single bug away.

Run these tests monthly. More often if you change VPN providers or update your OS.

A VPN is only as good as its actual implementation. Test it.

Troubleshooting

Configuration changes not taking effect

Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.

Permission denied errors

Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.

Connection or network-related failures

Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.

Frequently Asked Questions

How long does it take to verify vpn is working correctly?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles

• Verify VPN is Actually Working: DNS, WebRTC, IPv6 Leak Test
• How to Verify a VPN Is Actually Encrypting Your Traffic
• Verify That Your VPN Is Actually Working and Not Leaking
• How to Verify Your VPN is Not Leaking DNS Requests in 2026
• Verify Your VPN Is Actually Bypassing Censorship (Not
• AI Code Suggestion Quality When Working With Environment Built by theluckystrike. More at zovo.one