A VPN is only as secure as its configuration. Even with strong encryption, misconfigurations can cause the operating system to leak DNS queries, real IP addresses, or IPv6 traffic outside the encrypted tunnel, completely compromising user anonymity and security.
If the OS is configured to use a local ISP DNS server instead of the VPN's internal DNS, queries leak in plaintext. Similarly, if IPv6 is not routed through the tunnel, the endpoint's real IPv6 address is exposed to visited websites.
💡 Pro-tip: Always configure the VPN client to 'Block IPv6' and 'Force DNS' to ensure the OS cannot fall back to local network interfaces for name resolution.
If the returned IP address matches your ISP instead of the VPN exit node, you have a DNS leak caused by the OS bypassing the tunnel for name resolution.
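The DNS and IPv6 leak conditions described above can be checked against the routing table. This added example (not from the original page) runs a longest-prefix match over constructed `resolv.conf` and `ip route` output. The interface names, addresses, and the function names `parse_routes`, `egress_dev` and `audit` are assumptions.

```python
import ipaddress

# Constructed sample inputs (not from the page); tun0 is the assumed tunnel interface.
RESOLV_CONF = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"
ROUTES4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""
ROUTES6 = "fe80::/64 dev eth0 proto kernel metric 256\ndefault via fe80::1 dev eth0 proto ra\n"
IPV6_PROBE = "2001:db8::1"  # documentation address standing in for any global IPv6 host

def parse_routes(text, default):
    """Return [(network, device)] from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if "dev" not in f[1:-1]:
            continue
        try:
            net = ipaddress.ip_network(default if f[0] == "default" else f[0], strict=False)
        except ValueError:
            continue  # route types such as "unreachable" are not next hops
        routes.append((net, f[f.index("dev") + 1]))
    return routes

def egress_dev(addr, routes):
    """Longest-prefix match: interface the kernel would pick (metrics ignored)."""
    ip = ipaddress.ip_address(addr)
    hits = [(n.prefixlen, d) for n, d in routes if n.version == ip.version and ip in n]
    return max(hits)[1] if hits else None

def audit(resolv_conf, routes4, routes6, tunnel="tun0"):
    """Return (leak_type, address, interface) for each path that skips the tunnel."""
    routes = parse_routes(routes4, "0.0.0.0/0") + parse_routes(routes6, "::/0")
    findings = []
    for line in resolv_conf.splitlines():
        f = line.split()
        if len(f) >= 2 and f[0] == "nameserver":
            dev = egress_dev(f[1].split("%")[0], routes)
            if dev != tunnel:
                findings.append(("dns", f[1], dev))
    dev6 = egress_dev(IPV6_PROBE, routes)
    if dev6 not in (None, tunnel):  # no IPv6 route at all means nothing can leak
        findings.append(("ipv6", IPV6_PROBE, dev6))
    return findings
```

In the sample, the LAN resolver is flagged even though the two /1 routes send general traffic into the tunnel, because the more specific on-link /24 route wins. A loopback stub resolver has no entry in this table and is reported with interface `None`, so check the stub's upstream servers instead.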
WebRTC is a browser protocol used for P2P video/audio. It actively queries local network interfaces to find the best route, often exposing the user's real local and public IP addresses directly to the web server, bypassing the VPN entirely.
⚠️ WebRTC leaks cannot be fixed by the VPN client software. Users must disable WebRTC in their browser settings or use browser extensions specifically designed to spoof or block WebRTC IP discovery.
| Leak Type | Cause | Mitigation |
|---|---|---|
| DNS | OS uses ISP DNS | Force VPN DNS |
| IPv6 | IPv6 not routed | Disable IPv6 on client |
| WebRTC | Browser P2P discovery | Browser extension / Disable |