A VPN or proxy can appear to work while still leaking part of the traffic path. This is common on dual-stack networks, where a device receives both IPv4 and IPv6 connectivity. If the client only captures IPv4, websites may still see the local IPv6 address.
Quick answer
VPN IPv6 leaks are usually routing coverage problems, not just bad nodes. The browser or operating system may use IPv6 directly while IPv4 goes through the proxy. A reliable test checks IPv4, IPv6, DNS, WebRTC, and the routing mode of the VPN or proxy client.
What dual-stack means
Dual-stack means a network supports both IPv4 and IPv6. Applications may choose either path depending on DNS answers, operating system policy, latency, and protocol support. A website can load some resources over IPv4 and others over IPv6, so a single “IP changed” result is not enough.
Why IPv6 leaks happen
- The proxy client only sets an HTTP or SOCKS proxy and does not capture system routing.
- The VPN profile handles IPv4 routes but leaves IPv6 routes untouched.
- DNS returns AAAA records and the browser prefers IPv6.
- Split-tunnel rules include IPv4 CIDR ranges but not IPv6 ranges.
- WebRTC or system services bypass normal browser proxy settings.
How to test it
Use a leak test that displays IPv4, IPv6, DNS servers, and WebRTC candidates. Then repeat the test in a normal browser window and a private window. If IPv4 shows the VPN endpoint but IPv6 shows the local ISP, the tunnel is incomplete.
Technical fixes
- Use a client mode that captures system routing, such as TUN mode when available.
- Enable IPv6 handling in the client if the node and protocol support it.
- Add explicit IPv6 default routing or block IPv6 when it cannot be proxied safely.
- Make DNS resolution consistent with the outbound path, especially for AAAA records.
- Limit WebRTC local address exposure in the browser.
DNS leak vs IPv6 leak
A DNS leak exposes where names are resolved. An IPv6 leak exposes where traffic exits. They often appear together, but they are not the same failure. If you are also seeing DNS resolver mismatch, compare this guide with the VPN DNS leak troubleshooting guide.
Best long-term setup
The most stable setup is a client that controls routing, DNS, IPv4, IPv6, and UDP behavior consistently. A browser-only proxy is easier to configure, but it leaves more room for native apps, system services, and IPv6 traffic to bypass the proxy.
FAQ
Can disabling IPv6 fix the leak?
Yes, it can be an effective short-term fix. Long term, using a client that properly handles IPv6 is cleaner.
Does every VPN support IPv6?
No. Some VPN or proxy configurations only support IPv4. In that case, IPv6 should be blocked or disabled.
Why does one website show a leak while another does not?
Different sites use different DNS records and connection methods. A site that tests IPv6 explicitly will reveal problems that a simple IPv4-only checker misses.