How to Test If Your VPN Is Actually Working: IP, DNS, WebRTC and Kill-Switch Checks

A five-minute self-audit that tells you whether your encrypted tunnel is really hiding what you think it is — and how to read every result correctly.

By Diego Pereyra. 8 min read.

vpnrank.io is reader-supported: we may earn a commission if you buy through links in this article. This never affects our rankings.

A VPN app showing "Connected" tells you almost nothing about whether it is actually protecting you. The real proof is four quick tests: an IP check, a DNS leak test, a WebRTC leak test and a kill-switch test. Together they take about five minutes and reveal whether your real address, your browsing lookups or your browser are quietly leaking around the tunnel.

Why "connected" is not the same as "protected"

The green status icon in your VPN app only means the app negotiated a session with a server. It does not confirm that every packet your device sends is travelling inside that encrypted tunnel. Several categories of traffic — DNS lookups, WebRTC requests, IPv6 packets — can slip out on a separate path while the icon still glows reassuringly green.

That gap matters because the whole point of a VPN is to replace one specific fact about you — your real IP address, and by extension your approximate location and your internet provider — with the address of a server somewhere else. If even one of these side channels exposes the original, the protection you paid for has a hole in it. The good news is that every one of those holes is testable in a browser tab.

Before you start, do two quick preparation steps. First, note your real IP address before connecting, so you have a baseline to compare against. Second, make sure any privacy features you rely on — a kill switch, DNS leak protection — are actually toggled on in the app's settings rather than assumed. Then connect to a server and run the four checks below in order.

Test 1: The IP address check

This is the foundational test and the one everything else builds on. The idea is simple: your public IP address should change the moment you connect, and it should keep showing the VPN server's location rather than your own for as long as you stay connected. If it doesn't change at all, nothing else is worth testing yet.

Run it as a before-and-after comparison. With the VPN off, open a "what is my IP" page and write down the address and the city or country it reports. Then connect to a server — ideally one in a different country — and reload the same page. You are looking for two things to change together:

  • The IP address itself should be different from your baseline.
  • The reported location should match the country of the server you chose, not the place you are physically sitting.

There is a subtle trap here called an IPv6 leak. Many networks now assign both an older IPv4 address and a newer IPv6 address, and some VPNs only route the IPv4 traffic while letting IPv6 escape untouched. A page that shows both addresses will reveal this: if your IPv4 changes to the server's but a real IPv6 address still appears, your true address is leaking through the second protocol. If you see that, either enable IPv6 handling in your VPN or disable IPv6 in your operating system's network settings. Our VPN speed-test tools point to reputable leak checkers that display both address types side by side.

One reassuring note: if you are checking a streaming use case rather than pure privacy, a changed IP that matches your chosen country is usually all you need to confirm before testing whether a service loads. Our can-I-watch checker and the broader streaming VPN guide cover that side of things.

Test 2: The DNS leak test

Every time you type a web address, your device asks a DNS server to translate that name into a numeric IP. A DNS leak happens when those lookups travel to your internet provider's DNS servers instead of the VPN's — which means your provider, or whoever runs those servers, can still see a list of every site you visit even though your traffic is otherwise encrypted.

The test works by having a website fire off several DNS queries from your browser and then report back which servers actually answered them. You do not need to install anything; it runs in a tab and finishes in seconds. Here is how to read what comes back:

  • If the servers listed belong to your VPN provider (or a private resolver your VPN assigns), your DNS is protected. That is the result you want.
  • If any of the servers listed belong to your own internet provider — or show your home city and ISP name — you have a DNS leak, even if your IP address looked correct in Test 1.

A leak here is sneaky precisely because the IP test can pass while the DNS test fails. Your traffic looks like it is coming from Amsterdam, but the record of which sites you asked for is still flowing to your provider at home. In 2026 this is increasingly caused by browser DNS-over-HTTPS settings that route lookups to a public resolver outside the tunnel, so the fix is usually to turn on the VPN's built-in DNS leak protection (sometimes labelled "use VPN DNS only") and re-run the test. If you want a fuller explanation of the mechanism, we keep a plain-language entry in the DNS leak glossary.

Test 3: The WebRTC leak test

WebRTC is the browser technology behind in-page video calls, voice chat and peer-to-peer file transfers. To set those connections up, your browser has to discover its own real network addresses and can share them with a third-party STUN server — and a website running the right few lines of JavaScript can read those addresses in a fraction of a second, sometimes straight past your VPN.

This is the leak that surprises people most, because it is a browser behaviour rather than a VPN failure, and it can expose your genuine public IP while every other test passes cleanly. It most often bites browser-extension VPNs and improperly configured system VPNs that don't intercept the STUN request. Run a WebRTC leak test with your VPN connected and read the results carefully, because they are easy to misinterpret:

  • Local addresses are normal. If the test shows something starting with 10.x, 192.168.x, or a long alphanumeric IPv6 string marked as local, that is just your device's address on your own home network. It is not a leak and it cannot identify you.
  • A real public IP is the problem. If the WebRTC section displays your actual public IPv4 or IPv6 — the same one you noted before connecting — that is a genuine WebRTC leak, and websites can see it regardless of your VPN.
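
The reading rules above, applied to raw ICE candidate lines such as a WebRTC leak-test page displays. This is an added example, not code from the original article. It goes beyond the two prefixes named above to cover the other private IPv4 ranges, local IPv6 ranges and masked `.local` hostnames; the function names and every sample line and address are constructed.

```javascript
// Added example: read WebRTC test output the way Test 3 describes.
// Every candidate line and address below is constructed (documentation ranges).

// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").replace(/^candidate:/, "").split(/\s+/);
  if (f.length < 8 || f[6] !== "typ") return null; // not an ICE candidate line
  return { address: f[4].toLowerCase(), type: f[7] };
}

// Returns "mdns" (masked hostname), "local" (not routed on the internet), "public" or "unknown".
function addressScope(addr) {
  if (addr.endsWith(".local")) return "mdns";
  if (addr.includes(":")) { // IPv6: loopback, link-local fe80::/10, unique-local fc00::/7
    const local = addr === "::1" || /^fe[89ab][0-9a-f]:/.test(addr) || /^f[cd][0-9a-f]{2}:/.test(addr);
    return local ? "local" : "public";
  }
  const parts = addr.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return "unknown";
  const [a, b] = parts.map(Number);
  const local = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return local ? "local" : "public";
}

// baselineIps: the real public addresses noted with the VPN off. Compared as strings,
// so write IPv6 in the same compressed form the test page prints.
function auditCandidates(lines, baselineIps) {
  const baseline = new Set(baselineIps.map((ip) => ip.toLowerCase()));
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const scope = addressScope(c.address);
    let verdict = "ok"; // local or masked address: normal, not a leak
    if (scope === "public") verdict = baseline.has(c.address) ? "leak" : "check-against-vpn-ip";
    if (scope === "unknown") verdict = "unparsed";
    findings.push({ ...c, scope, verdict });
  }
  return { leak: findings.some((f) => f.verdict === "leak"), findings };
}

const SAMPLE_CANDIDATES = [ // constructed: home LAN, masked host, real IPv4, VPN exit, real IPv6
  "candidate:1 1 udp 2122260223 192.168.1.23 54012 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b64-4d0a-9e55-1c2d3e4f5a6b.local 54013 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54012 typ srflx raddr 192.168.1.23 rport 54012",
  "candidate:4 1 udp 1686052351 198.51.100.42 54014 typ srflx raddr 10.8.0.2 rport 54014",
  "candidate:5 1 udp 2122129151 2001:db8:51::9 54015 typ host",
];
const report = auditCandidates(SAMPLE_CANDIDATES, ["203.0.113.7", "2001:db8:51::9"]);
console.log(report.leak, report.findings.map((f) => `${f.address} ${f.verdict}`));
```

A public address that is not in the baseline is marked `check-against-vpn-ip`: it should be the same server address Test 1 reported.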

How you fix it depends on your browser. Firefox lets you disable WebRTC directly by setting the media.peerconnection.enabled flag to false in about:config. Chrome is best handled with a reputable extension rather than manual tinkering, since editing the wrong setting can break other sites. Safari and Brave largely handle this themselves and rarely leak by default. We keep the technical detail in the WebRTC leak glossary for anyone who wants to go deeper.

Test 4: The kill-switch test

A kill switch is the safety net that cuts your internet the instant the VPN connection drops, so your real IP is never exposed during the gap while the app reconnects. It is the one feature you hope never activates — which is exactly why it is worth confirming it actually works before you rely on it. Testing it means deliberately forcing a disconnect and watching what happens.

First make sure the kill switch is enabled in your app's settings; it is often off by default. One caveat worth knowing: some vendors design the kill switch to trigger only on accidental drops, not on disconnects you initiate yourself — so a graceful disconnect may not test it faithfully. Use one of these approaches to force a drop while watching a live IP page:

  1. Connect to the VPN, open an IP-check page and confirm it shows the server's address. Then toggle airplane mode on and off, or briefly disable your network adapter, to simulate a dropped connection.
  2. For a stricter test, force-quit the VPN process from your task manager rather than using the app's Disconnect button — a graceful disconnect can mask problems that a real crash would expose.

Now read the outcome. A working kill switch means that during the gap you see no internet at all — a blank page, a "no connection" error, or a DNS failure — and when the VPN reconnects, the page reloads showing the server's IP without your real address ever appearing. If, even for a second, your true IP flashes up on the page, the kill switch is not doing its job and you should not trust that setup for anything sensitive.
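
A brief exposure is easy to miss when reloading a page by hand, so the check above can be sampled automatically. This is an added example, not code from the original article: it runs under Node 18 or later, the endpoint URL is a placeholder assumption, and the function names and sample timeline are constructed.

```javascript
// Added example: sample the public IP several times a second during the forced
// drop, then judge the timeline. ECHO_URL is a placeholder (assumption): point it
// at a plain-text "what is my IP" endpoint you trust.
const ECHO_URL = "https://ip-echo.example/";

// One sample: { t, ip } on success, { t, error } when the request fails,
// which is what a working kill switch should produce during the gap.
async function sampleIp(url, timeoutMs = 1500) {
  const t = Date.now();
  try {
    const res = await fetch(url, { signal: AbortSignal.timeout(timeoutMs) });
    return { t, ip: (await res.text()).trim() };
  } catch (err) {
    return { t, error: err.name };
  }
}

// Poll for durationMs; start it, then force the drop as described in the steps above.
async function monitor(url, durationMs, intervalMs = 250) {
  const samples = [];
  const end = Date.now() + durationMs;
  while (Date.now() < end) {
    samples.push(await sampleIp(url));
    await new Promise((resolve) => setTimeout(resolve, intervalMs));
  }
  return samples;
}

function judgeKillSwitch(samples, realIp, vpnIp) {
  const exposedAt = samples.filter((s) => s.ip === realIp).map((s) => s.t);
  const blocked = samples.filter((s) => s.error).length;
  let verdict = "PASS";
  if (exposedAt.length > 0) verdict = "FAIL: real IP appeared";
  else if (!samples.length || samples[0].ip !== vpnIp) verdict = "INVALID: not on the VPN at start";
  else if (blocked === 0) verdict = "INCONCLUSIVE: no outage seen, the drop was not forced";
  return { verdict, exposedAt, blocked };
}

// Constructed timeline (documentation addresses): VPN, outage, one real-IP flash, VPN.
const SAMPLE_TIMELINE = [
  { t: 0, ip: "198.51.100.42" }, { t: 250, error: "TimeoutError" },
  { t: 500, ip: "203.0.113.7" }, { t: 750, ip: "198.51.100.42" },
];
console.log(judgeKillSwitch(SAMPLE_TIMELINE, "203.0.113.7", "198.51.100.42"));
// Live use: monitor(ECHO_URL, 30000).then((s) => console.log(judgeKillSwitch(s, realIp, vpnIp)));
```

A FAIL is conclusive, but a PASS only covers exposures longer than the sampling interval, so repeat the run a few times before trusting it.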

When your leaks are really about who can watch you

For a lot of readers these tests are a chore before something fun — confirming a server works before a match or a show. But if your reason for using a VPN is privacy rather than access, the DNS and WebRTC tests are the ones that matter most, because they are where a technically "connected" VPN most often betrays you without any visible sign.

If you fall into that camp, it is worth running these checks after every major browser update and after switching networks, not just once. Browser vendors change WebRTC behaviour regularly, and a resolver that was private on your home Wi-Fi can behave differently on a café or office network. For the wider picture on choosing a genuinely leak-resistant provider, our privacy-focused VPN guide walks through what to prioritise, and the main VPN rankings factor these audits into their scoring.

It is also worth remembering that a free VPN is more likely to leak, log or throttle than a paid one, simply because the economics push it that way. If you are weighing that trade-off, read our honest take in the free VPN guide before you commit any real browsing to one.

Putting it all together: reading your full result set

None of these four tests is meaningful in isolation. A VPN can pass the IP check and still fail the DNS test; it can pass both and still leak through WebRTC; and it can pass all three while a broken kill switch leaves you exposed the moment the connection wobbles. Only a clean sweep across all four tells you the tunnel is genuinely watertight.

Here is the quick summary of what a fully passing setup looks like:

  • IP check: your address and location both changed to the server's, with no stray real IPv6 showing.
  • DNS test: only VPN or private resolvers answered — none belonging to your internet provider.
  • WebRTC test: only local (10.x / 192.168.x) addresses appear; no real public IP.
  • Kill-switch test: forcing a disconnect killed your internet entirely, with your real IP never surfacing.

If every line above is true, your VPN is doing what it promises. If any one fails, you now know exactly which setting to change — and you can re-run just that test in under a minute to confirm the fix. Bookmark the four checks and re-run them whenever you install a new VPN, switch to a new device or update your browser, and you will never have to take that green "Connected" icon on faith again.

Frequently asked questions

How often should I test my VPN for leaks?

Run the full four-test check whenever you install a new VPN, set it up on a new device, switch to an unfamiliar network, or after a major browser update. WebRTC behaviour and DNS handling can change with those events. For casual streaming use, a quick IP check before each session is usually enough; for privacy-critical use, test more thoroughly and more often.

My IP address changed but I still failed the DNS test. Is my VPN working?

Partly. A changed IP means your traffic is being routed through the VPN server, but a DNS leak means the record of which sites you request is still going to your internet provider's servers. Your provider can see your browsing even though your IP looks hidden. Turn on your VPN's DNS leak protection setting and re-run the DNS test to close the gap.

Is a WebRTC leak the VPN's fault or the browser's?

It is primarily a browser behaviour. WebRTC is designed to discover your real network addresses to set up peer-to-peer connections, and it can do so on a path that bypasses the VPN. Some VPNs and browser extensions block it, but the underlying cause lives in the browser. Firefox, Chrome, Safari and Brave each handle it differently, so the fix depends on which one you use.

What do the local IP addresses in a WebRTC test mean?

Addresses starting with 10.x, 192.168.x, or a local IPv6 string are your device's private address on your own home network. They are completely normal and cannot be used to identify or locate you, so seeing them is not a leak. Only worry if the test displays your real public IP — the same one you saw before connecting to the VPN.

How do I properly test a VPN kill switch?

Enable the kill switch in settings, connect, and confirm an IP page shows the server's address. Then force a disconnect by toggling airplane mode or, for a stricter test, force-quitting the VPN process rather than using the Disconnect button. A working kill switch cuts your internet entirely during the gap, so your real IP never appears before the VPN reconnects.

What is an IPv6 leak and how do I stop it?

Many networks assign both an IPv4 and a newer IPv6 address. Some VPNs only route IPv4 traffic, letting your real IPv6 address escape the tunnel and expose your location. Use a test page that shows both addresses; if a real IPv6 appears after connecting, either enable IPv6 handling in your VPN or disable IPv6 in your operating system's network settings.

Are online leak-test websites safe to use?

Yes. Reputable DNS, WebRTC and IP leak testers run entirely in your browser — there is nothing to download or install. They simply make the same kinds of requests a normal website would and then show you which servers and addresses responded. That is exactly why they are useful: they reveal what any ordinary site could already see about you.
