How to Check Your VPN for Leaks: A Complete Guide

By Ava McKinneyOnline Safety

How to Check Your VPN for Leaks

Welcome, readers! This is Pavluu & Vergil, and you’re reading the final article in our VPN series. Today, we’ll show you how to make sure all your traffic is routed through your VPN tunnel and how to comprehensively test your VPN for leaks.

Why Test Your VPN for Leaks?

Even if everything looks fine after enabling your VPN, what happens if your computer goes to sleep and wakes up, if your network connection drops, or if you switch Wi-Fi networks? What if you connect to a network that fully supports IPv6? This guide will walk you through a thorough VPN leak test.

Setting Up: Confirm Your VPN Tunnel

  • Windows: Open Command Prompt and run ipconfig /all. Look for an ethernet adapter labeled “WireGuard Tunnel” or “TAP-Windows Adapter V9”. The IPv4 address should look like 172.x.y.z or 10.x.y.z.
  • macOS/Linux: Open Terminal and run ifconfig. On macOS, the VPN tunnel adapter is usually utun0; on Linux, it’s wg0 or tun0.

Browser Fingerprinting and IPv6 Leak Risks

The only way to know if all your traffic is using the VPN tunnel is to test it. However, testing for VPN leaks comes with risks. The sites you use for testing can see your browser fingerprint both from your ISP-assigned IP and your VPN exit IP. If an attacker learns your browser fingerprint, they can identify you even if you use VPN or Tor, as long as you use the same browser.

According to a recent W3C draft: “It is implausible to claim that browser fingerprinting can be prevented solely by widely deployed technical means.”

WebGL fingerprints and IPv6 leaks are even more serious. WebGL uses your GPU via the OS graphics driver, so all browsers with WebGL enabled on a system will have the same WebGL fingerprint. We recommend blocking WebGL when using VPN services. For example, in Firefox, go to about:config and set webgl.disabled to true. In NoScript, check “Forbid WebGL” under the “Embeddings” tab.

Systems using the same graphics driver may have identical WebGL fingerprints, even across different OSes. For example, VirtualBox VMs with the default virtual GPU will have the same WebGL fingerprint on Debian and Lubuntu. However, the host and VM use different GPUs, so their fingerprints don’t overlap.

VPN clients often leak IPv6 traffic, which is serious because IPv6 addresses are usually device-specific. It’s best to disable IPv6 in your OS and router, use VPN clients that block IPv6, or block IPv6 in your firewall. Always check for IPv6 connectivity when connecting to a new local or Wi-Fi network.

WebGL fingerprinting is especially important when using multiple VMs. You can block WebGL in browsers, but it’s also wise to separate VMs with different WebGL fingerprints. Whonix is a good option, as its Tor Browser is hardened to block WebGL fingerprinting completely.

Testing for VPN Leaks

During leak testing, you can use tcpdump to check for traffic not using the VPN tunnel. On Windows, you’ll need Wireshark and wintee. Place them in your user folder. List network interface numbers:

  • Windows: tshark -D
  • macOS: sudo tcpdump -D
  • Linux: sudo tcpdump -D

You need the physical network interface, usually “1”. To start capturing:

  • Windows: tshark -i 1 -n -T text -w "C:\tshark-capture.log" -f "not host a.b.c.d" 2>&1 | wtee tcpdump.log
  • macOS: sudo tcpdump -n -i 1 not host a.b.c.d 2>&1 | tee tcpdump.log
  • Linux: sudo tcpdump -n -i 1 not host a.b.c.d 2>&1 | tee tcpdump.log

Replace a.b.c.d with your VPN server’s IP. While running the following tests, keep the capture window open and look for packets with addresses outside your local or Wi-Fi network.

Step-by-Step Leak Test

  1. Check your IP address. The safest way is to use your VPN provider’s website. If they don’t show your IP, try check.torproject.org. You should see your VPN exit IP.
  2. You need a constant source of network traffic. In a second terminal window, run:
    • Windows: ping -t a.b.c.d 2>&1 | wtee ping.log
    • macOS: ping -n a.b.c.d 2>&1 | tee ping.log
    • Linux: ping -n a.b.c.d 2>&1 | tee ping.log
  3. If you want timestamps:
    • Windows: ping -t a.b.c.d | cmd /q /v /c "(pause&pause)>nul & for /l %a in () do (set /p "data=" && echo(!time! !data!)&ping -n 2 localhost>nul" 2>&1 | wtee ping.log
    • macOS: ping -n a.b.c.d | while read pong; do echo "$(date): $pong"; done 2>&1 | tee ping.log
    • Linux: ping -D -n a.b.c.d 2>&1 | tee ping.log
  4. If your VPN client blocks pings, try pinging a.b.c.1 or 38.229.82.25 (torproject.org). In the capture window, there should be no packets with addresses outside your LAN or Wi-Fi network.
  5. Disconnect your machine from the network. In Windows, you’ll see “Request timed out”. On macOS and Linux, ping output will stop. Reconnect to the network. If all is well, ping replies should resume, and your IP check site should still show your VPN exit IP. The capture window should still show no non-local traffic. For a thorough check, review tcpdump.log in a text editor.

Handling Connection Interruptions

Connection issues can cause several problems. For example, with OpenVPN, the process may terminate after losing network connectivity. After reconnecting, your IP check site may show your ISP-assigned IP, and you’ll see non-local traffic in the capture. Linux’s Network Manager is prone to this, so it’s best avoided.

Sometimes, the VPN client reconnects after network restoration, and your IP check site still shows your VPN exit IP. However, you may have leaked non-local traffic during the interruption. Even a single leaked packet can reveal your real IP.

OpenVPN may fail to reconnect after a long network outage. While OpenVPN is running, all traffic is routed through the VPN gateway, which is down, so there’s no network connection. Pings will fail, and you won’t see captured traffic. Default routing isn’t restored until you kill the OpenVPN process. You can close sensitive apps, kill OpenVPN, and reconnect, or just reboot—but these steps are tedious and error-prone.

You can use similar methods to see how your VPN client handles other disruptions: sleep/wake cycles, switching Wi-Fi networks, or using a fully IPv6-enabled network. Reviewing tcpdump.log and ping.log should reveal any leaks.

If your VPN client leaks, try another provider and test their client. In Linux, you can easily block leaks using vpn-firewall by adrelanos. Use it with the built-in OpenVPN service, not Network Manager. It allows all apps to use the VPN tunnel and blocks everything else on the physical interface except connections to the VPN server. You can apply similar firewall logic in Windows (using Windows Firewall) and macOS (using IceFloor, a GUI for the OpenBSD PF firewall).

Other Types of Leaks

  • DNS Leaks: Even if all traffic goes through the VPN, DNS requests may go to a server controlled by your ISP. If the VPN server uses the same IP for entry and exit, correlation is trivial, and an attacker can see which sites you visit.
  • HTML5 Geolocation API: This can leak your location if you’ve allowed it in your browser, especially on Wi-Fi or mobile devices. However, if only your IP is available, this isn’t a major issue.
  • WebRTC: If enabled, this HTML5 feature can reveal your local IP address, and if IPv6 is active, your local IPv6 address (which is device-specific). To prevent WebRTC leaks, install the “WebRTC Control” browser add-on, disable IPv6 in your OS, and block all IPv6 traffic in your firewall.
  • TTL Analysis: Sites can estimate which sites you visit by inspecting SYN packet TTL values, which vary by OS and decrease with each router hop. The browser’s User-Agent string identifies your OS, and the difference between expected and observed TTL reveals the number of intermediate routers.

If you use third-party sites for leak testing, we recommend the Tor Browser, as it blocks WebGL fingerprinting and reports the same fingerprint for all users. However, you probably don’t want to use Tor when testing your VPN. Download the Tor Browser for your OS (while connected to your VPN), extract and launch it, accept default settings, go to advanced network settings, and select “No proxy”. In about:config, set extensions.torlauncher.start_tor and network.proxy.socks_remote_dns to false. Visit check.torproject.org—you should see a message that you’re not using Tor and your VPN exit IP.

You can’t use Tor Browser to test WebGL and other fingerprints. If you use other browsers, be careful: all browsers with WebGL enabled on the same system will have the same WebGL fingerprint. Avoid using the same system with and without VPN, or with different VPN services, unless you’re okay with linking them. If you use VMs, don’t use related OSes with and without VPN, or with different VPN services.

Summary: Key Tests and Expected Results

  • IPv6 address test: No IPv6 addresses detected
  • IP address test: Expected IPs with and without VPN
  • Geolocation test: Browser does not support geolocation API
  • Java test: Not found or disabled
  • WebGL test: WebGL blocked by NoScript
  • WebRTC test: Not enabled
  • Panopticlick: Browser protected from fingerprinting
  • DNS Leak Test (extended): Different DNS servers with and without VPN

Authors: Pavlu & Vergil

Onion Market – a free P2P exchange on Telegram.

Leave a Reply