Why You Should Regularly Test Your VPN
VPNs are not set-and-forget tools. Connections drop. Servers go down. Protocols fail silently. A 2024 study by VPNMentor found that 24% of VPN apps tested leaked DNS queries under certain conditions, and 18% exposed the user's real IP address via WebRTC. Even well-configured VPNs can develop leaks after OS updates, network changes, or app updates. Testing takes 10 minutes and removes the assumption that you are protected.
For a detailed look at how DNS leaks work and why they happen, read our complete guide to VPN encryption.
7 VPN Tests: What to Check and Which Tools to Use
| # | Test | What It Checks | Recommended Tool | Time |
|---|---|---|---|---|
| 1 | IP Address Leak | Whether your real IP is exposed | ipleak.net, whatismyip.com | 1 min |
| 2 | DNS Leak | Whether DNS queries bypass the VPN | dnsleaktest.com | 2 min |
| 3 | WebRTC Leak | Whether browser leaks local IP addresses | browserleaks.com/webrtc | 1 min |
| 4 | Kill Switch | Whether traffic stops when VPN drops | Manual disconnect + network monitor | 3 min |
| 5 | Speed | VPN throughput vs. baseline speed | speedtest.net, fast.com | 3 min |
| 6 | Malware/Adware | Whether the VPN app itself is clean | VirusTotal, Exodus Privacy | 3 min |
| 7 | Encryption | Whether traffic is actually encrypted | Wireshark, tcpdump | 5 min |
Test 1: IP Address Leak Test
What it checks: Whether your real IP address is exposed to the websites you visit. This is the most fundamental VPN test — if it fails, nothing else matters.
How to run it: Open ipleak.net or whatismyip.com before connecting your VPN and note your real IP address and approximate location. Connect to your VPN and refresh the page. The displayed IP should be different — matching your VPN server's location, not your actual location. If the site shows your real IP or your true ISP name, your VPN is leaking. Some sites like ipleak.net show both IPv4 and IPv6 addresses; check that both are masked.
What to look for: The IP should belong to your VPN provider's address range, the location should match the server you selected, and your real ISP name should not appear anywhere on the results page. If you see your home IP address listed alongside a VPN IP, you have an IPv6 leak — common on networks that support both IPv4 and IPv6 when the VPN only routes IPv4 traffic.
Test 2: DNS Leak Test
What it checks: Whether your DNS queries — the lookups that translate domain names into IP addresses — are going through your VPN's encrypted tunnel or leaking to your ISP's DNS servers. DNS leaks are the most common VPN failure, often caused by OS-level DNS settings overriding the VPN's configuration.
How to run it: Go to dnsleaktest.com and click "Extended Test." The site will query a series of unique subdomains and report which DNS servers resolved them. Every DNS server listed should belong to your VPN provider. If you see DNS servers belonging to your ISP (Comcast, AT&T, Verizon, BT, Deutsche Telekom, etc.), your DNS is leaking.
What to look for: Ideally, every DNS resolver in the list should be operated by your VPN provider. If you see even one ISP-owned DNS server, the leak is partial but real. Some VPN providers run their own DNS servers; others route queries through third-party privacy DNS services. Either is acceptable as long as the queries are not going to your ISP. For a deeper explanation of why DNS leaks happen, see our upcoming guide on DNS leak prevention.
Test 3: WebRTC Leak Test
What it checks: WebRTC (Web Real-Time Communication) is a browser API used for video calls, voice chat, and P2P file sharing. The problem: WebRTC can reveal your real local and public IP addresses even when you are connected to a VPN, because it bypasses the VPN tunnel at the browser level. This affects Chrome, Firefox, Brave, Edge, and Opera.
How to run it: Visit browserleaks.com/webrtc while connected to your VPN. If any IP address displayed under "Public IP" or "Local IP" matches your actual IP or your home network range (e.g., 192.168.x.x), you have a WebRTC leak. The page should show only your VPN-assigned IP address.
How to fix a WebRTC leak: In Firefox, type about:config in the address bar and set media.peerconnection.enabled to false. In Chrome and Brave, install an extension like WebRTC Leak Prevent or uBlock Origin (which includes WebRTC blocking). Shield VPN includes built-in WebRTC leak protection on Android.
Test 4: Kill Switch Verification
What it checks: Whether your device stops all internet traffic the moment the VPN connection drops. Without a kill switch, a momentary VPN disconnection can expose your real IP and unencrypted data to every site you are visiting. This is especially critical for torrenting, accessing sensitive accounts, or using public WiFi.
How to run it: Connect to your VPN and start a continuous ping to a public server (open a terminal and run ping -t 8.8.8.8 on Windows or ping 8.8.8.8 on Mac/Linux). While watching the ping output, manually disconnect the VPN. With a working kill switch, the ping responses should stop immediately. If the ping continues responding after the VPN drops, your kill switch is not working — your real IP is exposed. For mobile, open Shield VPN's always-on kill switch in Settings and test by toggling airplane mode.
Test 5: VPN Speed Test
What it checks: How much speed you lose through the VPN tunnel. Some loss is unavoidable due to encryption overhead and routing distance, but a good VPN should retain at least 70-80% of your baseline speed on nearby servers.
How to run it: First, run speedtest.net without your VPN connected. Record your download speed, upload speed, and ping (latency). Connect to your VPN, select the nearest server, and run the test again. Repeat for servers in different regions. Calculate the speed retention: (VPN speed / baseline speed) x 100. For example, if your baseline is 100 Mbps and VPN gives 78 Mbps, you are retaining 78% — that is excellent.
What to look for: Nearby servers should deliver 70-90% of baseline speed. Long-distance servers (cross-continental) may drop to 50-60%. If your VPN consistently delivers under 50% on nearby servers, try switching protocols — WireGuard is generally faster than OpenVPN, and IKEv2/IPSec is optimized for mobile. Read our protocol comparison guide to choose the fastest option for your device.
Test 6: Malware and Adware Check
What it checks: Whether the VPN application itself contains malware, adware, trackers, or excessive permissions. Free VPNs in particular have a troubling track record. A 2023 CSIRO study of 283 Android VPN apps found that 38% contained malware or malvertising, 75% used tracking libraries, and 18% did not encrypt traffic at all despite claiming to do so.
How to run it: Upload the VPN's APK file (for Android) to VirusTotal.com — it scans the file against 70+ antivirus engines. For deeper analysis, use Exodus Privacy (reports.exodus-privacy.eu.org) which analyzes Android apps for trackers and permissions. Enter the app's package name and Exodus will list every tracker embedded in the app. A legitimate VPN should have zero or very few trackers — Shield VPN, for example, includes no third-party trackers.
Test 7: Encryption Verification
What it checks: Whether your VPN is actually encrypting your traffic, and what cipher it is using. Some VPNs claim "military-grade encryption" while using outdated or broken ciphers. This is a more technical test, but it provides the highest level of assurance.
How to run it: Use Wireshark (free, open-source) to capture packets on your network interface while connected to the VPN. Visit an HTTP (not HTTPS) website to generate plaintext traffic. In Wireshark, inspect the captured packets. If the VPN is working, every packet should be unreadable — you should see only the VPN protocol overhead (OpenVPN, WireGuard headers) and encrypted payloads. You should not be able to read any HTTP headers, HTML content, or DNS queries in plaintext. If you can read website content in the captured packets, your traffic is not encrypted.
Alternatively, use tcpdump in a terminal: sudo tcpdump -i any -A port 80 while loading an HTTP site. With a working VPN, this captures nothing readable. Without a VPN, you will see the full HTTP request and response in plaintext.
Setting Up a Monthly VPN Health Check Routine
Run these tests once when you first set up a VPN, then repeat them on a monthly schedule. VPN configurations drift over time — OS updates can reset DNS settings, browser updates can re-enable WebRTC, and app updates can change kill switch behavior. A monthly 10-minute check catches these issues before they expose you.
- IP + DNS leak test — Visit ipleak.net and dnsleaktest.com. Takes 2 minutes.
- WebRTC leak test — Visit browserleaks.com/webrtc. Takes 1 minute.
- Kill switch test — Disconnect VPN while pinging; verify traffic stops. Takes 1 minute.
- Speed baseline check — Run speedtest.net without and with VPN. Takes 3 minutes.
- App permissions review — Check that the VPN app has not requested new permissions since your last review. Takes 2 minutes.
For Android users, combine these checks with the privacy steps in our Android VPN guide for a complete monthly privacy audit.
Test your VPN with confidence
Shield VPN passes every leak test — zero IP leaks, zero DNS leaks, automatic kill switch, and AES-256 encryption verified. One tap to protect.
Download on Google Play