What "Working Properly" Actually Means for a VPN

Most people install a VPN, see the "Connected" screen, and assume they're protected. That assumption is often wrong. A VPN can show a green checkmark while quietly leaking your real IP address, exposing your DNS queries, or failing to encrypt a chunk of your traffic through a WebRTC vulnerability.

Working properly means four things simultaneously: your real IP is hidden, your DNS requests go through the VPN tunnel (not your ISP), WebRTC can't expose your local IP, and your traffic is actually encrypted. If any one of those fails, the VPN is providing a false sense of security — which is arguably worse than using nothing at all, because you think you're covered.

This guide walks you through testing each one, with specific tools and exact steps.

Quick Visual Checks: How to Tell Your VPN Is Connected Right Now

Before running any tests, start with the obvious stuff.

  • Check the VPN app itself. A connected state should show a server location, a kill switch indicator (if you have one enabled), and ideally a connection timer. Apps like ExpressVPN, NordVPN, and Mullvad all show this clearly. If the timer is stuck at 0:00 or the server shows "Connecting…" for more than 30 seconds, something's off.
  • Check your system network settings. On Windows, open Settings → Network & Internet → VPN. On macOS, go to System Settings → Network. You should see the VPN listed as connected. If the app says connected but the OS doesn't agree, that's a conflict worth investigating.
  • Check for a kill switch status. If your VPN has a kill switch and it's firing constantly — disconnecting your internet every few minutes — the underlying connection is unstable.

These checks take 60 seconds and catch the obvious failures. The subtle ones require the tests below.

Signs Your VPN May Not Be Protecting You

Some red flags are easy to spot if you know what to look for:

  • Websites are showing ads or content targeted to your real city or region
  • Your streaming service (Netflix, BBC iPlayer, etc.) recognizes your real location and blocks the content you're trying to access
  • Your internet speed is identical to what you normally get without a VPN — counterintuitively, no slowdown at all can mean the VPN tunnel isn't actually handling your traffic
  • You're seeing your ISP's name in browser-based location tools
  • The VPN connects and disconnects repeatedly without explanation

Any one of these warrants a deeper look.

How to Check Your IP Address (And What to Look For)

This is the most direct vpn ip leak test you can run.

  1. First, disconnect your VPN and go to whatismyip.com or ipleak.net. Write down your real IP address and your ISP's name.
  2. Reconnect your VPN and reload the same page.
  3. The IP address should now be completely different — it should match the country or city of the server you selected. The ISP listed should be your VPN provider (or a data center, not your home ISP).

If the IP shown after connecting matches your real IP from step one, your VPN is not routing your traffic at all. Try switching servers, restarting the app, or reinstalling it.

One nuance: if you're using a VPN server in Germany but the IP check shows a German IP that's not your home IP, you're fine. The IP just needs to be different from your real one and traceable to the VPN's infrastructure.

How to Run a DNS Leak Test in Under 2 Minutes

Your DNS requests are essentially a log of every website you visit. Even if your IP is masked, if those requests go through your ISP's DNS servers rather than your VPN's, your ISP can still see your browsing history. This is called a DNS leak.

The fastest way to check: go to dnsleaktest.com with your VPN connected and click Extended Test. It takes about 90 seconds.

What you're looking for in the results: the DNS servers listed should belong to your VPN provider, not to your ISP. If you see Comcast, Verizon, BT, or your local telecom listed as the DNS resolver, you have a DNS leak.

A vpn dns leak check should be part of every initial setup, especially if you're running your VPN through a router or using split tunneling. Split tunneling — where only some apps route through the VPN — can accidentally exclude DNS traffic even when it shouldn't.

Fix: In your VPN app, look for a setting called "DNS leak protection" or "Use VPN DNS." Enable it. NordVPN and ExpressVPN both have this on by default. Mullvad uses its own DNS servers and is particularly strong here. If you're on a manual OpenVPN or WireGuard config, you may need to explicitly set the DNS server in the config file.

How to Run a WebRTC Leak Test (The Hidden Vulnerability Most People Miss)

WebRTC is a browser technology used for video calls, peer-to-peer sharing, and real-time communication. The problem: it can bypass your VPN entirely and reveal your real local IP address, even when everything else looks fine.

This isn't theoretical. Browsers like Chrome and Firefox have WebRTC enabled by default, and it communicates directly with STUN servers — routing around your VPN tunnel.

To test: go to browserleaks.com/webrtc with your VPN connected. Look at the "IP Addresses detected by WebRTC" section.

  • Public IP shown there should match your VPN IP, not your home IP.
  • Local IP (usually something like 192.168.x.x) is less critical — it's your internal network address — but if you see your real public IP, that's a problem.

Fix options: - In Firefox: type about:config in the address bar, search for media.peerconnection.enabled, and set it to false. - In Chrome: install the extension WebRTC Leak Prevent or uBlock Origin (which has WebRTC blocking built in via settings). - Use the Brave browser — it has WebRTC blocking built in at the browser level. - Some VPN apps (Mullvad's browser, ProtonVPN's desktop app) handle this automatically.

How to Test for IPv6 Leaks

Most VPN discussions focus on IPv4, but IPv6 leaks are increasingly common. If your ISP has given you an IPv6 address and your VPN doesn't properly handle IPv6 traffic, your real address can leak through even while your IPv4 is masked.

Test at ipv6leak.com or use the IPv6 section of ipleak.net.

If you see an IPv6 address that traces back to your ISP, you have a leak. The fix is usually in your VPN app's settings — look for "IPv6 leak protection" and enable it. If your VPN doesn't have this option (many cheaper or older ones don't), you can disable IPv6 at the OS level:

  • Windows: Go to Network Adapter settings, find your active adapter, open Properties, and uncheck "Internet Protocol Version 6 (TCP/IPv6)."
  • macOS: System Settings → Network → your connection → Details → TCP/IP → set "Configure IPv6" to "Link-local only."

Speed Tests: How Much Slowdown Is Normal vs. A Red Flag?

A VPN will always slow your connection somewhat. Encryption takes processing, and routing through an extra server adds latency. But how much is acceptable?

Reasonable slowdowns: - 10–30% speed reduction on a good connection - 5–20ms additional latency on a nearby server

Red flags: - More than 50% speed reduction on a server in your own country - Latency above 100ms on a local server - Speed that fluctuates wildly every few seconds

To test: use fast.com or speedtest.net with and without the VPN. Run it three times and average the results.

If you're on NordVPN or ExpressVPN and seeing 60–70% drops, try switching protocols. WireGuard (called NordLynx on NordVPN and Lightway on ExpressVPN) is significantly faster than OpenVPN. Switching protocols alone can take a 60% drop down to 15%.

How to Verify Your Traffic Is Actually Encrypted

This one's for the technically inclined. You can use Wireshark (free, available at wireshark.org) to capture your network traffic and visually confirm it's encrypted.

With your VPN connected, open Wireshark, select your active network interface, and start a capture. Browse a few websites. In the packet list, you should see encrypted traffic tagged as TLS or the protocol your VPN uses (WireGuard packets, for example, look like UDP traffic to port 51820). You should not be able to read cleartext HTTP requests or see your DNS queries going out unencrypted.

If you see plaintext HTTP requests with readable URLs in a Wireshark capture while connected to your VPN, your tunnel has failed completely.

For most people, the IP and DNS leak tests above are sufficient. Wireshark is for when you want absolute certainty.

What to Do If Your VPN Isn't Working Properly

Start with the least disruptive fixes and escalate:

  1. Disconnect and reconnect to a different server — often fixes transient connection issues.
  2. Switch protocols. WireGuard and OpenVPN behave differently. Try both.
  3. Toggle the kill switch off and on — occasionally resets the network routing tables.
  4. Update the VPN app. Outdated apps frequently have bugs that cause leaks.
  5. Uninstall and reinstall — clears corrupted config files that cause silent failures.
  6. Check for conflicting software — antivirus tools, firewalls (especially ZoneAlarm or Bitdefender), and other VPNs installed simultaneously can conflict.
  7. Contact support. NordVPN and ExpressVPN both have 24/7 live chat. Give them the specific leak test results — they can often diagnose the problem immediately.

When to Switch VPNs vs. When to Troubleshoot Your Current One

Troubleshoot if: the issue is a specific server, a specific protocol, or a recent app update broke things. These are solvable.

Switch if: you're seeing persistent DNS or IP leaks across multiple servers, the provider doesn't have IPv6 leak protection, the app hasn't been updated in 6+ months, or the speeds are consistently terrible regardless of server or protocol.

Worth considering: Mullvad ($5/month, no account needed, very strong on privacy), ProtonVPN (free tier available, excellent for privacy-conscious users), and NordVPN (~$4/month on annual plans, best balance of speed and features for most people). If you're on a free or ultra-cheap VPN and it's failing these tests, that's not a bug — it's the product.

A Simple 5-Minute VPN Health Check Routine to Run Every Month

Pick the first of every month. Takes five minutes.

  1. Go to ipleak.net with VPN connected. Confirm your IP and DNS are showing VPN servers, not your ISP.
  2. Go to browserleaks.com/webrtc. Confirm no real IP is showing in the WebRTC section.
  3. Run a quick speed test at fast.com. Compare to your base speed without VPN.
  4. Check that your VPN app has updated recently — go to the app's "About" section.
  5. If you use split tunneling, open the settings and confirm only the apps you intended are excluded from the tunnel.

That's it. Save the results somewhere, so if something goes wrong next month, you have a baseline to compare against. A VPN that passed all tests three months ago and suddenly starts leaking your DNS today tells you something changed — an app update, a new browser extension, a Windows update — and gives you a starting point to diagnose it.

Don't wait for a breach to find out your VPN wasn't doing its job.