A VPN changes your IP address. That is the one thing it does reliably. Everything else, including your DNS queries, your real timezone, your browser fingerprint, and whether you are logged into Google, remains fully visible to anyone watching. The viral X post with 370K views that got people talking about this was not alarmist. It was accurate.
Most people buying a VPN subscription believe they are invisible online. They are not. They have shifted one layer of their exposure while leaving six others completely open. This guide covers exactly which leaks exist, how to confirm whether you have them, and the specific tools and settings that actually close them.
What a VPN Actually Hides
Your VPN does three things well. It encrypts traffic between your device and the VPN server, so your ISP cannot read the contents of your requests. It replaces your real IP address with the server’s IP, so websites see a different location. And it prevents your ISP from logging which domains you visit, since that traffic now goes through the encrypted tunnel first.
That scope is narrower than most VPN marketing suggests. If you are using a VPN to prevent your ISP from seeing that you visited a particular site, it works. If you are using one to achieve meaningful anonymity online, you need to understand where the model breaks down.
The 6 Leak Types That Expose You
1. DNS Leaks
DNS leaks are the most common VPN failure. When you type a URL, your browser sends a DNS query to resolve the domain name into an IP address. Under normal VPN operation, that query travels through the encrypted tunnel and exits through the VPN provider’s DNS servers. A DNS leak happens when your operating system bypasses the tunnel and sends the query directly to your ISP’s DNS resolver instead.
This exposes every domain you visit to your ISP in real time, even though the page content is encrypted. On Windows, the main cause is the Smart Multi-Homed Name Resolution feature, which queries multiple DNS servers simultaneously for speed and uses whichever responds first. That first responder is often your ISP. Test at dnsleaktest.com and check whether the servers shown belong to your ISP or your VPN provider.
2. WebRTC Leaks
WebRTC is the browser protocol that powers video calls, screen sharing, and peer-to-peer file transfers. To establish a direct connection between two peers, WebRTC performs something called an ICE (Interactive Connectivity Establishment) process, which discovers all available network interfaces on your device. This includes your real IP address, not the one assigned by your VPN.
Websites can trigger WebRTC requests using JavaScript without your knowledge or consent. Your real IP gets sent to the remote peer during connection negotiation, and that process happens at the browser level, below the VPN tunnel. Chrome, Firefox, and Edge all have WebRTC enabled by default. Test at browserleaks.com/webrtc to see whether your real IP is visible.
3. IPv6 Leaks
Most VPNs were built around IPv4. IPv6, which is increasingly common at the ISP level, often bypasses the VPN tunnel entirely because the VPN client has no rules for routing it. If your ISP assigns you an IPv6 address and the site you are visiting supports IPv6, your connection may go directly out over IPv6 with your real address exposed.
IPv6 leaks are especially insidious because they are invisible in most standard leak tests. You need to explicitly test for them at ipleak.net or ipv6leak.com. The simplest fix is to disable IPv6 in your network adapter settings, or to use a VPN that routes IPv6 traffic through the tunnel and blocks it if the tunnel drops.
4. Timezone Header Leaks
Your browser sends your system timezone to websites via the JavaScript Intl.DateTimeFormat API and HTTP headers. This is not blocked by any VPN. If your VPN gives you a US IP address but your device is set to UTC+2 (Eastern Europe), any site running basic fingerprinting scripts knows immediately that something does not add up.
Timezone data alone rarely de-anonymizes you completely, but it is a high-confidence signal that gets combined with other data points. Correlation attacks, where an adversary lines up timezone, language settings, screen resolution, and IP to narrow down a pool of candidates, are standard practice for anyone doing serious traffic analysis.
5. Browser Fingerprinting
Browser fingerprinting does not need your IP address at all. It builds a profile from the combination of your installed fonts, screen resolution, graphics card, browser version, plugin list, canvas rendering output, and a dozen other attributes. The EFF’s Panopticlick research found that 83.6% of browsers tested had a unique fingerprint. That was years ago; the techniques have only gotten more precise.
No VPN touches your fingerprint. Changing your IP while keeping the same browser setup is like putting on a hat and calling it a disguise. The fingerprint follows you across sessions, across different IP addresses, and across incognito mode. Test your fingerprint at coveryourtracks.eff.org to see how unique your browser is.
6. Account Login De-Anonymization
This one is not a technical leak. It is a behavioral one. If you use a VPN and then log into your Google account, you have told Google exactly who you are. The VPN IP becomes associated with your identity in Google’s systems. The same applies to Facebook, Amazon, any service where you have an account.
Login-based de-anonymization means that any site sharing data with those platforms, via ad pixels, login buttons, or embedded widgets, can correlate your VPN session to your real identity. You can pair this risk with a strong password managers compared strategy to maintain separate account identities for sensitive browsing, but account separation has to be deliberate and consistent.
How to Test Every Leak Type Right Now
Run these four tests with your VPN connected before making any changes. Screenshot the results so you have a baseline to compare against after applying fixes.
DNS leak test: Go to dnsleaktest.com, run the extended test, and look at the server names and ISP column. They should show your VPN provider, not your actual ISP.
WebRTC leak test: Go to browserleaks.com/webrtc. Look at the “Public IP Address” field. If it shows your real IP instead of the VPN IP, you have a WebRTC leak.
IPv6 leak test: Go to ipleak.net. Scroll to the IPv6 section. If you see an address that resolves to your ISP’s network, you have an IPv6 leak.
Fingerprint test: Go to coveryourtracks.eff.org and click “Test Me.” A result of “Your browser has a unique fingerprint” means you are identifiable across sessions regardless of IP.
Timezone check: Go to browserleaks.com/javascript, look at the “Timezone” row, and compare it to the location your VPN claims to be in. A mismatch is a problem.
How to Fix Each Leak
Fixing DNS Leaks
The most reliable fix is to use a VPN client that forces all DNS queries through its own servers and blocks outside DNS requests at the firewall level. Mullvad does this by default; its client blocks all DNS traffic that does not go through its resolver. ProtonVPN uses its own DNS servers and provides a kill switch that blocks all traffic if the tunnel drops.
For manual control on Windows, open Network Settings, go to your network adapter properties, set the DNS servers to your VPN’s DNS addresses (or a privacy-respecting resolver like 1.1.1.1 over DoH), and disable Smart Multi-Homed Name Resolution via Group Policy or the registry. On macOS, set DNS servers per-interface in System Preferences and flush the DNS cache after connecting.
Fixing WebRTC Leaks
In Firefox, type about:config in the address bar, search for media.peerconnection.enabled, and set it to false. This disables WebRTC entirely, which breaks video calling but eliminates the leak.
In Chrome and Edge, WebRTC cannot be fully disabled without an extension. The WebRTC Leak Prevent extension (by agnat) and uBlock Origin with the WebRTC IP leak prevention option both work. Brave browser handles this natively; it randomizes local IP addresses exposed by WebRTC without breaking call functionality.
Fixing IPv6 Leaks
The cleanest solution is to disable IPv6 on your network interface. On Windows, go to Network Adapter Settings, open the properties of your active adapter, and uncheck “Internet Protocol Version 6 (TCP/IPv6).” On macOS, go to System Preferences, Network, Advanced, TCP/IP, and set IPv6 to “Link-local only.”
Alternatively, choose a VPN that explicitly handles IPv6. Mullvad routes IPv6 through the tunnel and blocks it if the tunnel is down. ProtonVPN disables IPv6 on the adapter while connected, preventing the leak at the application level.
Reducing Timezone Exposure
The most effective method is to match your system timezone to the VPN server’s location before connecting. On Windows and macOS, set the timezone manually rather than using automatic detection. Some VPN clients can do this automatically; Mullvad Browser (built on Firefox) spoofs the timezone based on your VPN exit location.
If you use Firefox, the extension Time Zone Changer sets a spoofed timezone at the browser level without affecting system-wide settings. Combined with correct VPN server selection, this closes the timezone correlation vector.
Reducing Browser Fingerprint Uniqueness
Full fingerprint resistance requires either browser-level randomization or deliberately matching a common fingerprint profile. Mullvad Browser was designed specifically for this. It is a hardened Firefox fork that randomizes canvas fingerprints, blocks third-party cookies by default, and is tuned so that all users of the browser look identical to tracking scripts. The goal is not to hide that you have a fingerprint but to make your fingerprint indistinguishable from thousands of others.
Tor Browser achieves similar results but routes traffic through the Tor network, which adds significant latency. For users who want fingerprint resistance without Tor’s speed penalty, Mullvad Browser combined with ProtonVPN or Mullvad VPN covers most of the attack surface.
On the extension side, uBlock Origin in advanced mode blocks fingerprinting scripts that load from known tracking domains. It does not prevent browser-native fingerprinting (canvas, WebGL) but it removes many third-party scripts from the equation.
If you are also concerned about account security across the different browser profiles you use, read how password managers compared against each other for generating and storing credentials per compartmentalized identity.
Handling Login De-Anonymization
The fix here is behavioral, not technical. Use separate browser profiles, each with its own set of accounts, for different activities. Never log into personal accounts during a VPN session you intend to be anonymous. Use VPN-only accounts that are registered with separate email addresses and never linked to your real identity.
Firefox’s Multi-Account Containers extension and Brave’s profile system both make this manageable. The discipline required is the hard part. No tool enforces the separation for you.
Which VPNs Handle These Best
Mullvad is the benchmark for technical rigor. It accepts anonymous payment methods including cash by mail and cryptocurrency. Its client blocks IPv6, routes all DNS internally, includes a multi-hop option, and its companion browser was built specifically to address the fingerprinting problem. The Mullvad website publishes the results of independent security audits, the latest of which confirmed no logs are kept and no traffic analysis vulnerabilities were found.
ProtonVPN is the strongest alternative, especially for users who want a full-featured client with an integrated kill switch, DNS leak protection, and Secure Core (multi-hop routing through privacy-jurisdiction servers). Proton’s open-source clients have been independently audited, and its Swiss jurisdiction means it cannot be compelled to cooperate with US or EU law enforcement requests without significant legal friction.
Free VPNs, regardless of their marketing claims, are not viable for leak-free operation. If you want to understand why, the evidence is in the audit results, or lack thereof, that free VPNs with no-log policies actually produce when scrutinized. The pattern is consistent: free products monetize user data one way or another.
One area where VPNs sometimes get unfairly blamed: gaming latency. A properly configured VPN through a nearby server does not automatically destroy your ping. The actual data on this is more nuanced, as covered in our VPN and gaming ping tested article.
The Honest Summary
A VPN is a useful tool for a specific set of problems: hiding your traffic from your ISP, masking your IP from websites, and encrypting your connection on public Wi-Fi. It is not an anonymity solution, and it was never designed to be one.
The six leak types covered here, DNS, WebRTC, IPv6, timezone, browser fingerprint, and login-based de-anonymization, all exist outside the scope of what a VPN tunnel protects. Closing them requires a combination of VPN client selection, browser settings, extensions, and behavioral discipline. None of it is particularly complex once you know what you are fixing.
Start with the DNS and WebRTC tests. They affect the most people and have the simplest fixes. Then work through the rest based on your actual threat model. Someone avoiding ISP surveillance needs different controls than someone trying to maintain full anonymity from ad networks.
Frequently Asked Questions
Does a VPN stop all DNS leaks automatically?
No. Many VPN clients route DNS through the tunnel by default, but Windows’ Smart Multi-Homed Name Resolution can still send queries to your ISP’s DNS servers simultaneously. Always run a DNS leak test after connecting, and choose a VPN client that enforces its own DNS and blocks external requests at the OS level.
Can a website see my real IP address through a VPN?
Your real IP is hidden from the website if the tunnel is working correctly. However, if you have a WebRTC leak, the site can recover your real IP via a JavaScript request during the WebRTC connection process. Disable or restrict WebRTC in your browser to prevent this.
Does browser fingerprinting work even in incognito mode?
Yes. Incognito mode clears cookies and browsing history after the session but does not change your browser’s fingerprint. Your screen resolution, installed fonts, GPU, and canvas rendering output are identical in incognito and regular mode. Fingerprint-resistant browsers like Mullvad Browser are designed to address this specifically.
Which VPN has the best protection against all six leak types?
Mullvad handles the most leak vectors natively: it blocks IPv6, enforces its own DNS, offers multi-hop routing, and its companion browser addresses fingerprinting and timezone exposure. ProtonVPN is the strongest alternative with audited open-source clients and Swiss jurisdiction. Neither is a complete solution without the browser-level and behavioral fixes described above.
