The VPN icon being green in your status bar means the VPN app is running. It does not mean your real IP address is hidden. These are two different things, and most VPN guides do not explain the difference.
This is the exact 5-step test we run on every VPN reviewed on Privaroo. It takes about 5 minutes and requires no technical knowledge.
Why the VPN icon is not enough
A VPN creates an encrypted tunnel between your device and a VPN server. Your traffic exits the internet from the VPN servers IP address instead of your own. But the tunnel can have holes:
- Your DNS queries can bypass the tunnel and go to your ISPs servers (DNS leak)
- Your IPv6 traffic can go out unprotected alongside the IPv4 tunnel (IPv6 leak)
- Your browser can expose your real IP via WebRTC even when the tunnel is active (WebRTC leak)
- If the VPN connection drops, your traffic may briefly revert to your real IP before the app reconnects (kill switch failure)
In our tests of 14 VPNs, nine had at least one of these failures on real networks. The VPN icon was green on all of them during the leak.
The 5-minute leak test
Step 1: Record your real IP (VPN off)
Before connecting to your VPN, go to ipleak.net. Note your IP address, your DNS servers (shown in the DNS Address Detection section), and whether an IPv6 address appears. This is your baseline, what you look like to the internet without any VPN.
Step 2: Connect your VPN and check your IP
Connect to your VPN server. Reload ipleak.net without clearing your cache. Your IP address should now show the VPN servers IP, not your real one. If your real IP still appears, your VPN has a fundamental failure.
Step 3: DNS leak check
On the same ipleak.net page, scroll to the DNS Address Detection section. The DNS servers listed should belong to your VPN provider, not your ISP. If you see your ISPs DNS servers, your DNS queries are bypassing the VPN tunnel. Websites and services can see what you are looking up even though your IP is masked.
You can also run a more thorough DNS test at dnsleaktest.com, Extended Test. All servers listed should be from your VPNs infrastructure.
Step 4: IPv6 leak check
Back on ipleak.net, look at the IPv6 section. If an IPv6 address appears, and it matches your real IPv6 address from Step 1, you have an IPv6 leak. Your real network identity is visible to any service that checks IPv6.
A well-configured VPN will either tunnel IPv6 through the VPN (showing the VPNs IPv6 address) or disable IPv6 entirely (showing no IPv6 address at all). Both are acceptable. Your real IPv6 address appearing is not.
Step 5: Kill switch test
This step requires briefly disconnecting from the VPN while traffic is active. The safest way: open a continuous ping in a terminal or command prompt (ping -t google.com on Windows, ping google.com on Mac), then disconnect from the VPN server (not the app, just the server connection).
Watch what happens:
- Pass: The ping stops immediately and does not resume until you reconnect to the VPN. The kill switch cut traffic.
- Fail: The ping continues briefly on your real IP before the VPN reconnects. Your real IP was briefly exposed.
If you cannot run a ping test, visit whoer.net in a browser tab, disconnect from the VPN server, and watch whether your real IP flashes in before the kill switch activates.
The WebRTC leak test
WebRTC is a browser technology for real-time communication (video calls, voice calls). It can expose your real IP address even when a VPN is active, because WebRTC bypasses the VPN tunnel in some configurations.
To test: connect your VPN, open your browser, go to browserleaks.com/webrtc. If your real IP address appears in the WebRTC section, your browser is leaking your IP to any site that uses WebRTC.
Fix options:
- Use a VPN app with built-in WebRTC blocking (NordVPN extension, ExpressVPN extension, Mullvad browser)
- Install uBlock Origin and enable WebRTC leak prevention in its settings
- Disable WebRTC in Firefox via
about:config,media.peerconnection.enabled, false
What passing all 5 tests actually means
A VPN that passes all five tests is doing what it claims: your real IP is not visible to the sites you visit, your DNS queries are private, and the protection does not drop when the connection fluctuates. This is the baseline we require for a recommended VPN on Privaroo.
The VPNs that passed all five in our most recent testing: Mullvad, ProtonVPN (paid), ExpressVPN, NordVPN and Private Internet Access. See the full results:
- Top 5 best VPNs to hide your IP in 2026, full leak test results for all 14 VPNs we tested
- Mullvad VPN review 2026, the highest-scoring VPN in our test
- Best VPN 2026 overview, our picks by use case
Want plain-English privacy explainers in your inbox every Friday? Subscribe to the Privaroo newsletter, no spin, no spam.
What to do if a test fails
Failing one or more tests does not necessarily mean your VPN is useless. It means a specific protection layer has a gap. Here is how to fix each failure:
If Step 1 fails (IP address visible)
Your VPN tunnel is not active or is misconfigured. First, disconnect and reconnect. If the IP is still visible, check that you are connected to a server (not just the app being open), and that the protocol is not set to a mode that bypasses the tunnel (some apps have a smart or auto mode that skips the VPN on trusted networks).
If Step 2 fails (DNS leak detected)
Your device is sending DNS queries outside the VPN tunnel. Try switching VPN protocols: WireGuard has fewer DNS leak cases than OpenVPN on some platforms. On Windows, disable Smart Multi-Homed Name Resolution in Group Policy. On iOS, make sure the VPN has Full Tunnel mode enabled, not Split Tunnel.
If Step 3 fails (IPv6 leak)
The simplest fix is to disable IPv6 entirely on your device if your VPN does not support it. On Windows: Network Adapter Settings, uncheck IPv6. On macOS: System Settings, then Network, then your adapter, then Details, then TCP/IP, then set Configure IPv6 to Off. Most consumer routers also allow you to disable IPv6 in the admin panel.
If Step 4 fails (kill switch not catching drops)
Enable the kill switch in your VPN app settings — it is almost always off by default. On desktop apps, look for Network Lock, Internet Kill Switch, or Block internet if VPN disconnects. On iOS, the system-level kill switch is in Settings, then VPN, then your connection, then toggle Connect On Demand.
If Step 5 fails (WebRTC leak in browser)
Install uBlock Origin (free, open source) and go to its Dashboard, Settings, enable Prevent WebRTC from leaking local IP addresses. This fixes WebRTC leaks without breaking video calls. Alternatively, switch to Mullvad Browser, which disables WebRTC by default.
How the VPNs we tested compare on these 5 tests
We ran this exact test sequence on 14 VPNs. Here are the results for the top performers on Privaroo:
| VPN | IP Hidden | DNS Clean | IPv6 Blocked | Kill Switch | WebRTC Safe |
|---|---|---|---|---|---|
| Mullvad | ✓ | ✓ | ✓ | ✓ | ✓ (own browser) |
| ProtonVPN | ✓ | ✓ | ✓ | ✓ | ✓ |
| ExpressVPN | ✓ | ✓ | ✓ | ✓ | ✓ (extension) |
| NordVPN | ✓ | ✓ | ✓ | ✓ | ✓ (extension) |
| Surfshark | ✓ | ✓ | ✓ | ✓ | Partial |
| PureVPN | ✓ | ✗ (DNS leak) | ✗ | ✓ | ✗ |
The 9 VPNs that failed one or more tests included common names found in app store top charts. Passing all five tests is not a given — it is a threshold only the most carefully engineered apps clear consistently.
Frequently asked questions
How often should I run these tests?
Run the full 5-step test once after installing a new VPN, after a major app update, and after switching protocols. For daily use, a quick IP check (Step 1 only) takes 30 seconds and catches the most common failure mode.
Can my VPN pass all tests on desktop but fail on mobile?
Yes. iOS and Android handle VPN tunnels differently from macOS and Windows. IPv6 leak behavior is especially inconsistent across platforms. Always test on the specific device and operating system you use most. Several VPNs that passed our macOS tests failed the IPv6 test on iOS.
Does using a VPNs browser extension count as protection?
No. Browser extensions only protect traffic inside that browser. Your other apps — email clients, torrent software, system updates — remain unprotected. Full-device protection requires the native VPN app to be active and connected. Extensions are useful for adding WebRTC blocking on top of the app, not as a replacement.
What does it mean if ipleak.net shows a different country than expected?
This is normal. Geolocation databases are not always synchronized with VPN server locations. If ipleak.net shows Netherlands when you connected to a German server, the IP masking is still working — the geolocation data for that IP range is just outdated. What matters is that your real home IP address does not appear anywhere on the results page.
Will these tests work if I use a VPN on my router?
Yes, but with a caveat: router-level VPNs often do not have a kill switch. If the VPN drops at the router level, all devices on your network will revert to your real IP simultaneously with no alert. Step 4 of this test becomes especially important if you rely on router-level VPN protection.