Cybersecurity Educational Series

VPN Leak Test: Detect Timezone, DNS & WebRTC Vulnerabilities

A VPN encrypts your traffic, but it cannot rewrite your browser's DNA. Learn how the ICE Protocol and System APIs betray your location.

Test My Connection

Timezone Heuristics

HIGH

Browsers expose system time via JavaScript, which often conflicts with the VPN's IP location.

WebRTC STUN

CRITICAL

Real-time media protocols can punch holes through VPN tunnels to discover local IPs.

IPv6 Bypass

MEDIUM

Many VPNs only tunnel IPv4. If your ISP supports IPv6, traffic may flow outside the tunnel.

1. The Timezone Correlation Attack

While IP geolocation is the standard for tracking, it is easily spoofed. To verify a user's true location, anti-fraud systems (like those used by Stripe, PayPal, and Netflix) use "Correlation Checks."

They compare the IP Geolocation against the JavaScript Environment. The most common vector is the Intl API.

The Vulnerability Code

// This runs locally on your machine, bypassing the VPN server.

const userTime = Intl.DateTimeFormat().resolvedOptions().timeZone;
// Returns: "Asia/Dhaka" or "Europe/London"

If your VPN is set to New York (EST), but your computer reports Asia/Dhaka (BST), the probability of proxy usage approaches 100%. This is often referred to as a "Soft Leak" because the IP is hidden, but the metadata reveals the deception.

2. WebRTC & The STUN Protocol

WebRTC (Web Real-Time Communication) is a browser standard allowing voice and video chat without plugins. To function, it needs to know your actual IP address to establish a peer-to-peer connection.

It does this using STUN Servers (Session Traversal Utilities for NAT), defined in IETF RFC 5389.

Why is this dangerous?

WebRTC requests can bypass the VPN interface entirely. Even if you are connected to a secure server, a website can send a STUN request that forces your browser to reply via your default network adapter (your ISP).

  • The Leak: Your browser replies with your Local LAN IP and your Public ISP IP.
  • The Fix: Standard VPNs cannot block this easily because it happens inside the browser. You must disable WebRTC in your browser settings or use an extension.

3. DNS Leaks & Windows OS

When you type google.com, your computer needs to turn that name into an IP address. This is a DNS Query. A secure VPN should handle this translation inside the encrypted tunnel.

However, operating systems (specifically Windows 10/11) use a feature called "Smart Multi-Homed Name Resolution."

To improve speed, Windows may send the DNS request to both the VPN and your local ISP simultaneously. Whichever responds faster is used. This means your ISP can see every website you visit, even if the data content is encrypted.

4. The IPv6 Bypass

The world is migrating from IPv4 (192.168.x.x) to IPv6 (2001:0db8...). Many older or cheaper VPNs only support IPv4.

If a website supports IPv6 (like Google or Facebook) and your ISP provides it, your browser will prefer the IPv6 connection. If your VPN ignores IPv6 traffic, that connection travels outside the tunnel, completely exposing your identity.

Is your setup leaking?

We built a real-time scanner that checks for Timezone discrepancies and IPv6 leaks instantly.

Run Full Diagnostic →

References & Standards

  • [1] IETF RFC 5245: Interactive Connectivity Establishment (ICE) Protocol.
  • [2] IETF RFC 5389: Session Traversal Utilities for NAT (STUN).
  • [3] ECMA-402: ECMAScript Internationalization API Specification (Intl.DateTimeFormat).
  • [4] "The Piling Work of Browser Fingerprinting" - Electronic Frontier Foundation (EFF).