TL;DR: A green "connected" badge doesn't guarantee you're protected. A full check takes five minutes and consists of four tests: confirm your public IP changed, that there's no DNS leak, that WebRTC doesn't expose your real address, and that the kill switch works. You should also measure speed. If even one test fails, you have a leak — and your ISP or someone on the network can still see part of your activity. Below are step-by-step instructions, a "test method → what it shows" table, and what to do if you find a leak.
Why "connected" isn't "protected"
Many people assume a VPN works like a light switch: hit "connect" and you're safe. In practice, the tunnel can be established while part of your traffic still flows around it. The reasons vary: misconfigured DNS, browser quirks, a connection drop without a safety net, or simply a sloppy implementation in a cheap app. On the surface everything looks fine — the badge is green, the internet works — but your real location and browsing history stay visible.
A useful analogy: think of a VPN as an envelope for your letter. The green badge only means the envelope is in your hands. But if the sender's address is written on the front (IP leak), if a list of all your correspondents is stapled to it (DNS leak), or if a transparent window in the corner still shows your name (WebRTC), the envelope doesn't help much. The checks in this article are how you confirm the envelope is truly sealed on every side.
That's why you should verify a VPN not by the app's word, but with independent tools that look at your connection "from the outside." All the tests you need are free, run in an ordinary browser, and require no technical knowledge. A leak is when some piece of information about you (IP address, DNS queries, real location) escapes the encrypted tunnel and becomes visible to your ISP or an observer. The goal of all the checks below is to confirm there are no such leaks.
One misconception is worth dispelling: "the internet works, so the VPN must be working." Speed and site availability have nothing to do with privacy. A site can load fast while still seeing your real IP, and your ISP can log every DNS query. A working internet connection and a protected tunnel are two independent things.
Test 1: did your IP address change
The most basic check is confirming your public IP changed. An IP is assigned by your internet provider, and from it one can determine your country, city and provider, while sites switch content access on or off by geography. An unchanged IP means the VPN effectively isn't working.
- Step 1. Disconnect the VPN and visit an IP-check site (such as whatismyip.com). Note your IP address and country.
- Step 2. Connect the VPN, wait for the tunnel to establish, and refresh the page.
- Step 3. The IP and country should change and match the server you selected. If they match your real ones, the VPN isn't working.
If you picked a server in Germany but the IP shows the Netherlands, the provider is likely using a virtual location — not critical, but useful to know. For more, see our guide on how to hide and change your IP address. After you connect, the address doesn't change instantly: the tunnel needs a second or two, so refresh only after the "connected" status and do a hard refresh (Ctrl+F5) to avoid a cached previous result.
Separately, check IPv6. Many networks hand out IPv4 and IPv6 at once, and some VPNs tunnel only IPv4, leaving IPv6 "bare" — so the IPv4 test shows the VPN address while your real IPv6 leaks. If the check site shows two addresses (one starting with digits, the other a long string like 2a00:…), make sure both belong to the VPN server. A reliable client either tunnels IPv6 or blocks it entirely.
Test 2: DNS leak
Even if your IP changed, your DNS queries may still go through your ISP. DNS is the "phone book of the internet": every time you open a site, your device asks a DNS server which IP matches the domain name. If those queries flow around the VPN, your ISP sees the list of every site you visit — despite the encrypted tunnel.
- Step 1. Connect to the VPN.
- Step 2. Go to dnsleaktest.com and click "Extended test."
- Step 3. See which DNS servers your queries go through. If your ISP's servers appear in the list, you have a DNS leak.
Normally the result shows your VPN provider's DNS servers or neutral resolvers like Cloudflare (1.1.1.1) or Google (8.8.8.8), but not your ISP's. This is the most common and most insidious leak — the VPN "works" on the surface while your privacy has a hole. Most often the culprit is your OS settings, which keep using the ISP's DNS; on Windows, also Smart Multi-Homed Name Resolution, which queries several DNS servers in parallel. A quality client closes both loopholes automatically. A detailed breakdown is in our guide on testing and fixing a DNS leak.
Why is this dangerous in practice? The IP changed, the app is all green — but if DNS queries flow around the tunnel, your ISP still receives the full list of domains you open: every site, service and app. That's essentially a journal of your online life. A history of visited domains is a valuable commodity for profiling and advertising; unblocking fails when DNS leaks; and worst of all, you get a false sense of security under which you log into sensitive services over public Wi-Fi. Since the contract is tied to your ID, that list links directly to your name — no anonymity at all. So the DNS leak test is just as important as the IP check. More on this in our guide on how a VPN protects you from ISP tracking.
Test 3: WebRTC leak
WebRTC is a technology built into browsers for video calls and real-time data transfer. It exposes your IP not because of a VPN flaw, but because of how browsers are built: it deliberately seeks the shortest path between two call participants, including via local network interfaces, and can request your real IP bypassing the tunnel — even with the VPN on. So the cure is always on the browser side, not the tunnel.
- Step 1. Connect to the VPN.
- Step 2. Go to browserleaks.com/webrtc.
- Step 3. If the site shows your real IP next to the VPN address (especially in the "Local" or "Public IP" field), you have a WebRTC leak.
This leak is sneaky because it bypasses everything else you did right: your IP changed, DNS is clean, the tunnel is up — and yet a single line of JavaScript can ask the browser for your real address and get it. It mainly concerns browser use on a desktop; it's rarer in mobile apps. In Firefox, disable it in about:config (set media.peerconnection.enabled to false); Chrome and Edge have no toggle in settings, so people use an extension (WebRTC Control or uBlock Origin with the matching filter). After any change, re-test at browserleaks.com — sometimes extensions don't fully disable WebRTC.
Test 4: does the kill switch work
A kill switch instantly blocks all internet if the VPN connection drops. Without it, when the tunnel fails, traffic "spills out" onto the open network unencrypted, and you don't even notice.
- Step 1. Connect to the VPN and open an IP-check site; confirm it shows the VPN address.
- Step 2. Artificially break the connection — end the VPN app's process via Task Manager, or just turn Wi-Fi off and on for a couple of seconds (or toggle airplane mode and back). That mimics the natural drop that happens in real life.
- Step 3. Immediately refresh the page. If the kill switch works, the internet is unavailable until the tunnel recovers. If the page loaded and showed your real IP, the kill switch didn't trigger.
We covered in detail why this feature matters and how to configure it in our article on what a VPN kill switch is.
How checking on a phone differs from a computer
Most LiMP users connect from an iPhone or Android, while online guides are more often written for the desktop. Checking IP and DNS on a smartphone works exactly the same: open whatismyip.com and dnsleaktest.com in the mobile browser. The classic browser WebRTC leak is less relevant on a phone because you reach the internet through apps rather than a browser; but if you work in a mobile Safari or Chrome a lot, run the browserleaks.com check here too.
The kill switch test, however, is fundamentally different: you can't simply "kill" processes on a phone, but both platforms have system mechanisms:
- Android. Enable "Always-on VPN" and "Block connections without VPN" in network settings — that's the system kill switch. To verify, toggle airplane mode: without an active tunnel, the internet should not work.
- iPhone. There's no fully exposed system kill switch, so it's critical that the VPN app itself implements the feature. The check is the same: turn on the VPN, drop the network with airplane mode, restore it, and confirm no traffic flows until the tunnel recovers.
One more nuance — in the first seconds after leaving airplane mode, the system may briefly let traffic through before the VPN comes up. That's why VPN auto-start and a kill switch matter especially on smartphones.
Test 5: speed
This isn't a security question, but an important measure of quality. Measure your speed without the VPN on any speed test, then with the VPN on the nearest server. A loss of 5–20% is normal. A loss over 40% is a reason to change your server, protocol, or provider. We wrote separately about why speed drops in our guide on why a VPN slows down the internet.
Summary table: what each test shows
| Test method | Where to run it | What it shows |
|---|---|---|
| IP address | whatismyip.com | Whether your public IP changed and the country matches your server — whether the VPN works at all |
| DNS leak | dnsleaktest.com → Extended test | Whether DNS queries leak through your ISP — whether it sees the list of sites you visit |
| WebRTC leak | browserleaks.com/webrtc | Whether your browser exposes your real IP bypassing the tunnel |
| Kill switch | break the VPN manually | Whether the internet is blocked when the tunnel drops |
| Speed | any speed test | Connection quality: whether the speed loss is acceptable |
Free online tools to test a VPN
All the checks above are free and require installing nothing — a browser is enough:
- whatismyip.com / ipinfo.io. Show your current public IP, country, and provider.
- dnsleaktest.com. The reference DNS-leak test, always with Extended test mode.
- browserleaks.com. Separate pages for WebRTC, DNS, browser fingerprint, and geolocation — all in one place.
- ipleak.net. Shows IP, DNS, and WebRTC on a single page.
- Any speed test (speedtest.net). For measuring speed loss.
Check yourself on several services, not just one: sometimes one says "all clear" while another catches a leak. If two independent tools agree, you can trust the result. And don't enter any personal data on these sites: their job is simply to show what the network sees about you.
A regular VPN checkup checklist
Leaks appear unexpectedly — after updates, network changes, or new settings. Run through this list on each of the events below:
- After installing the VPN on a new device — a full run of all four tests.
- After every major update of the VPN app or OS.
- When switching networks — for example, from home Wi-Fi to mobile data.
- After a device reboot, if the VPN isn't set to auto-start.
- When connecting to a new server or changing location.
- Every couple of months as a preventive check.
- Right after any important task on a public network (banking, work email).
- After reinstalling or updating your browser — WebRTC settings may have reset.
The first time, run all the tests in about five minutes; after that the whole procedure takes under a minute: open two or three tabs and glance at the result.
What to do if you find leaks
If a test fails, most leaks are fixed in a couple of minutes in settings:
- IP leak: confirm the VPN is actually connected, reconnect, or change the server. If the IP stubbornly stays real, reinstall the app and contact support.
- DNS leak: enable "Use VPN server DNS" or "DNS leak protection." If there's no such option, manually set a safe DNS (1.1.1.1 or 8.8.8.8) — but it's better to switch to a VPN that closes the leak itself.
- WebRTC leak: install an extension to disable WebRTC, or turn it off in about:config (Firefox). This concerns the browser, not the VPN.
- Kill switch not working: enable it in settings. On Android, the system "Always-on VPN" feature with "Block connections without VPN" helps.
- IPv6 leak: enable the IPv6 block or tunnel option in VPN settings.
If a test stubbornly fails, the cause is almost always the client itself: cheap and free apps cut corners precisely on leak protection. In that case the smartest move is not to patch holes by hand but to switch to a service that passes all four checks by default.
LiMP and leak protection
A good VPN should pass all four tests out of the box, with no manual tweaking — because the vast majority of users never open settings or run tests. LiMP includes built-in leak protection: DNS queries go through its own servers, the kill switch is on by default, and the WireGuard protocol provides a reliable tunnel. It's iOS and Android, 100 ₽/month, and no logs of your activity. Terms and sign-up are on the pricing page. WireGuard also hides which services you reach from your ISP — more in our guide on how a VPN protects you from ISP tracking.
That said, don't take our word for it — run LiMP through the same four checks: turn on the tunnel, open whatismyip.com, dnsleaktest.com, and browserleaks.com, break the network, and watch the kill switch. A good service isn't afraid of an independent check.
Conclusion
Turning on a VPN isn't enough. To be truly protected, confirm your IP changed, DNS queries aren't leaking, WebRTC doesn't expose your real address, and the kill switch is ready to act. All four tests take five minutes and run free in your browser. Your network, device and apps change constantly, and each change is a potential new crack, so repeat the check after updates and network changes. A good VPN takes most of this work off your hands by closing leaks automatically — but you still run the final check yourself, and now you know how.
Frequently asked questions
How do I know my VPN actually works?
Run four checks: confirm your public IP changed (whatismyip.com), that there's no DNS leak (dnsleaktest.com), that WebRTC doesn't expose your real address (browserleaks.com/webrtc), and that the kill switch triggers when the tunnel drops. If all four pass, the VPN genuinely protects you — not just shows a green badge.
Should I check the VPN if the badge shows "connected"?
Yes. A green badge only means the app established a tunnel; it doesn't guarantee there's no DNS or WebRTC leak or kill-switch failure. Part of your traffic can flow around the tunnel while the VPN is formally "working." An independent browser check is the only way to confirm you're truly protected.
The VPN is connected but my IP doesn't change — why?
Most often it's a connection glitch: the tunnel shows "connected" but isn't actually established. Reconnect, change the server, or restart the app. If the IP stubbornly stays real even after reinstalling, the problem is in the VPN itself or your system network settings — contact support.
How often should I check my VPN?
After installing on a new device, after major app or OS updates, when switching networks, after a reboot, and when connecting to a new server. As prevention — every couple of months. Leaks appear unexpectedly, so a one-time check isn't enough.
Will switching VPNs help if I already caught a leak on a free service?
You can change settings, but switching the service itself is more durable. Free apps cut corners precisely on leak protection, and manual workarounds (a third-party DNS, disabling IPv6 in the system) create a fragile setup that breaks with the next OS update. A service with default protection passes all four tests without intervention.
Which DNS servers should appear in the results if there's no leak?
Your VPN provider's DNS servers or neutral resolvers — Cloudflare (1.1.1.1), Google (8.8.8.8). Your internet provider's servers should not appear in the list: their presence is exactly the sign of a DNS leak.
