Armor now includes SOCKS5 protection. Explore Armor →
TorSentinel TorSentinel
TorSentinel Blog

How to Test Your VPN and Proxy for Leaks (2025 Practical Guide)

TorSentinel Team
Blog / VPN & Proxy Leak Test
Practical Guide Leak Test VPN DNS Privacy

How to Test Your VPN and Proxy for Leaks
2025 Practical Guide

A privacy setup is only as strong as its validation routine. This guide shows how to test a VPN or proxy for common leaks, confirm that DNS follows the intended path, and detect fallback routes after restarts or adapter changes.

TorSentinel Team · Updated 2025 · 6 min read · Intermediate
Dark abstract image of a device verifying secure paths against leak vectors

What you will verify

🌐
Public IP address
The visible IP matches your trusted provider and never flips during the session.
🔍
Resolver path
DNS queries use your intended resolver and don't escape to a default ISP path.
📡
IPv6 policy
Behavior is explicit — either tunnel IPv6 or disable it to avoid surprise routes.
🧩
WebRTC
Browser APIs don't reveal local or alternative addresses outside your tunnel.

DNS leak basics

Diagram of IPv4, IPv6, DNS, and WebRTC leak vectors from a client
Most issues come from resolver mismatch, mixed adapters, or browser-side APIs.
Resolver mismatch
System sends DNS to the default adapter while app traffic is tunneled. Your queries go to your ISP's resolver even though your IP is hidden.
Mixed adapters
Secondary interfaces stay active and handle lookups by mistake — common after VPN disconnects or sleep/resume cycles.
DoH or DoT overrides
A browser or app uses its own encrypted resolver that doesn't match your policy — bypasses your intended DNS path silently.

🔬 Step-by-step verification

1

Quick IP check

Before connecting, record your visible IP using a neutral tool like currentipaddress.com. After connecting your VPN or proxy, refresh the page — the value should change to your trusted provider's range and remain stable throughout the session.

For torrent traffic specifically — use TorSentinel's free torrent IP check which shows what the swarm sees, not just your browser IP. These can differ if your proxy is configured at the app level only.
2

Browser checks

1 Connect the VPN or configure the proxy in the application
2 Open a fresh browser profile or private window to avoid stale state
3 Check your public IP again — confirm it now shows your proxy or VPN range
4 Run a DNS leak test and confirm resolver names or ASN match the trusted path
5 Run a WebRTC leak test — if it shows only local/private addresses with no public alternative, it passes
3

Terminal checks

Resolver results should reference your trusted resolver. Route tables should prefer the VPN or proxy-facing adapter for the tested app.

Windows
# Check DNS resolver and routes
nslookup example.com
ipconfig /all | findstr /i dns
route print
Linux
# Check DNS and routing table
dig +short example.com @your.resolver.ip
resolvectl status
ip route
macOS
# Check DNS cache and routing
dscacheutil -q host -a name example.com
scutil --dns
netstat -rn
4

IPv6 behavior

If tunneling IPv6: confirm public IPv6 changes to your trusted range and DNS AAAA answers follow the same path.
If disabling IPv6: confirm there is no public IPv6 address and AAAA requests do not leak through any interface.

🔁 Repeatable verification routine

Infographic with sequential steps for leak verification
Make the routine short and run it after every update or configuration change.
1 Record public IP before connection
2 Connect and verify public IP changes to trusted range
3 Confirm DNS resolver identity and path using terminal commands
4 Test WebRTC in a clean browser profile
5 Reboot or sleep/resume — repeat all checks to catch race conditions

🛡 Trusted path verification

Concept visualization of a single trusted path with guardrails around alternate routes
Bind apps to a trusted route and add firewall deny outside that path to prevent fallback.

🔧 Common fixes if a test fails

IP still shows my real address after connecting
Bind the app to the proxy-facing interface and deny egress outside that path. For VPNs, confirm the tunnel adapter is the default route. Restart the app after any config change.
DNS leak test shows my ISP's resolver
Pin the resolver to a DNS server reachable only through the trusted path. Check if your browser has DoH enabled independently — Chrome, Firefox, and Edge can override system DNS with their own encrypted resolver.
WebRTC shows a public IP address
Disable WebRTC in the browser or use a browser extension to block WebRTC IP leaks. In Firefox: set media.peerconnection.enabled to false in about:config.
Tests pass but leak after reboot
The app is likely starting before the proxy or VPN tunnel is ready. Delay app startup until the proxy path is confirmed active. Add firewall rules that block the app's egress entirely unless the tunnel adapter is up.
IPv6 leaking even with VPN connected
Your VPN may not tunnel IPv6. Either disable IPv6 on all adapters or confirm your VPN explicitly supports and routes IPv6. Avoid mixed states where IPv4 goes through the tunnel but IPv6 goes direct.
Summary checklist
Confirm public IP before and after connection using a neutral IP page.
Verify DNS resolver identity and route — keep it on the same path as app traffic.
Decide and enforce IPv6 behavior explicitly — avoid mixed tunnel/direct states.
Include WebRTC in browser tests using a fresh profile, then repeat after every reboot.
Check your torrent IP right now

Free torrent leak test — no signup

Most IP checkers show your browser IP. TorSentinel shows what the swarm actually sees — which is what matters for torrent privacy.

Run free torrent IP check Enable 24/7 monitoring