Most VPNs were built around IPv4. If your ISP gives you an IPv6 address and your VPN does not handle it, your real IPv6 address is visible to every site you visit. Here is how it happens and what to check.
7 min read
Every device on the internet needs an IP address. IPv4, the protocol most of the internet has used since the 1980s, supports about 4.3 billion addresses. That ran out. IPv6 was designed to replace it, with an address space large enough that every device on earth could have trillions of unique addresses.1
The transition has been slow. Most ISPs now assign both an IPv4 address and an IPv6 address to residential connections, and most modern operating systems will prefer IPv6 when a site supports it. Chrome, Safari, and Firefox all use IPv6 by default when available.
The important thing for VPN users: IPv4 and IPv6 are separate protocols. A VPN tunnel that handles IPv4 does not automatically handle IPv6. They have to be implemented separately.
When you connect to a VPN, the app creates a virtual network interface and adds routing rules that direct your traffic through it. For IPv4, this is well-established. For IPv6, there are three common outcomes depending on how the VPN handles it:
IPv6 is tunneled: The VPN assigns you a new IPv6 address inside the tunnel and routes all IPv6 traffic through it. The destination sees the VPN's IPv6 address, not yours. This is the correct behaviour.
IPv6 is blocked: The VPN does not tunnel IPv6 but prevents it from leaving through any other interface. IPv6 connections fail entirely. Sites that support both protocols fall back to IPv4, which goes through the tunnel. Your real IPv6 address is never seen. This is a valid and honest approach.
IPv6 is ignored: The VPN only modifies IPv4 routing and leaves IPv6 untouched. Your device still has a working IPv6 address and the OS will happily use it for any site that supports it. That traffic goes directly to your ISP over your real IPv6 address, completely bypassing the VPN tunnel.
The third case is an IPv6 leak. Your VPN indicator shows connected and everything appears normal, but a significant portion of your traffic is going out unprotected with your real address attached to it.2
VPN software was originally built when IPv6 was a future concern rather than an active one. The core tunnel code, the connection management logic, and the routing rule implementations were all written for IPv4. Retrofitting IPv6 support later is real engineering work, and it is easier to ignore than to implement correctly.
The problem is compounded by the fact that the leak is silent. There is no error. Your apps work. Your VPN says connected. The only way to know is to specifically test for it.
This is not a niche edge case. If your ISP provides IPv6 and you connect to any site that supports it, the leak is happening with every request. Major sites including Google, YouTube, Facebook, and most CDNs are IPv6-enabled. A dual-stack user with a leaking VPN is sending a substantial fraction of their traffic in the clear.
With your VPN connected, visit ipleak.net3 or browserleaks.com/ipv6.4 The page will report all IP addresses it can detect for your connection: IPv4, IPv6, and any addresses leaked through DNS or WebRTC.
What you want to see: either no IPv6 address at all (VPN is blocking IPv6), or an IPv6 address that belongs to your VPN provider rather than your ISP.
What a leak looks like: your own ISP-assigned IPv6 address appears in the results. That address is publicly visible to every destination you connect to.
If you find a leak and your VPN does not fix it, you can manually disable IPv6 on your network adapter as a temporary workaround. On Windows: Settings, Network, your adapter, then uncheck IPv6. On macOS: System Settings, Network, your adapter, Details, TCP/IP, then set Configure IPv6 to Off. This is a blunt approach but it stops the leak.
When evaluating whether a VPN handles IPv6 correctly, the key question is not whether they tunnel IPv6 (though that is the better solution) but whether they prevent it from leaking at all. Both tunneling and blocking are acceptable. Silently ignoring it is not.
Look for explicit mention of IPv6 leak protection in the VPN's documentation or feature list. If it is not mentioned, assume it may not be handled. Test it directly regardless.
IPv6 handling should be consistent across all the platforms the VPN supports. A VPN that blocks IPv6 correctly on Windows may not handle it the same way on Android or macOS, since the network stack and available firewall mechanisms differ by platform. Testing on each device you use is worth doing.
This problem also intersects with DNS leaks. If your device is making IPv6 DNS queries and the VPN is not handling them, those queries go to your ISP's IPv6 DNS resolver, exposing the domains you visit regardless of what your IPv4 DNS is doing.
S. Deering & R. Hinden, IETF, July 2017. The current IPv6 standard. Useful for understanding how address assignment and routing differ from IPv4.
T. Narten et al., IETF, September 2007. Describes how IPv6 devices generate temporary addresses, relevant to why IPv6 traffic patterns are harder to predict than IPv4.
Tests for IPv4, IPv6, DNS, and WebRTC leaks simultaneously. The fastest way to check whether your VPN is handling IPv6.
Focused IPv6 leak detection tool that checks for address exposure through the browser.
