Quick version: many VPN clients only tunnel IPv4 and pretend IPv6 doesn't exist. If your ISP supports IPv6 (most do now), websites with IPv6 endpoints see your real IPv6 - even when your IPv4 traffic is safely tunneled.
Why this exists at all
IPv6 was designed in the 1990s to replace IPv4 because the world ran out of IPv4 addresses. Adoption was slow until cellular carriers and large ISPs started rolling it out aggressively in the 2010s. Today, around 45% of US Google traffic is IPv6, and that share keeps climbing.
The problem: VPN protocols (OpenVPN, WireGuard, IKEv2) all support IPv6, but a lot of VPN providers' apps don't actually configure IPv6 routes on the system. So your IPv4 traffic goes through the tunnel, but your IPv6 traffic uses the default ISP route - leaking your real IPv6 to every website that supports it.
How the leak shows up
Open Google. Google has both IPv4 and IPv6 endpoints. Your browser will prefer IPv6 if available (this is called "Happy Eyeballs"). Without proper VPN handling, Google logs your real IPv6 address while your VPN provider thinks it's tunneling everything. You appear "in the VPN country" to IPv4-only sites and "in your real country" to IPv6-aware sites.
Streaming services in particular check both. Netflix, BBC iPlayer, and Disney+ all use IPv6. If your IPv6 leaks, geo-restriction fails - you'll get the "you appear to be using a VPN" message even though IPv4 looks clean.
Three ways to fix an IPv6 leak
1. Use a VPN that handles IPv6 properly
The cleanest fix. Pick a VPN that explicitly states what it does with IPv6:
- Tunnels IPv6: Mullvad, ProtonVPN, AirVPN. Best choice if you want IPv6 working through the VPN.
- Blocks IPv6 entirely: NordVPN, Surfshark, ExpressVPN. Slightly less elegant but works - IPv6 traffic just dies, falling back to IPv4 (which is tunneled).
- Ignores IPv6: a long tail of free and small VPN providers. Avoid.
2. Disable IPv6 at the OS level
Works as a stopgap, breaks slowly over time as more services go IPv6-only. Steps:
- Windows 10/11: Settings -> Network -> change adapter options -> right-click Wi-Fi/Ethernet -> Properties -> uncheck "Internet Protocol Version 6 (TCP/IPv6)"
- macOS: System Settings -> Network -> Wi-Fi -> Details -> TCP/IP -> Configure IPv6 -> Link-local only (or Off via terminal:
networksetup -setv6off Wi-Fi) - Linux: add
net.ipv6.conf.all.disable_ipv6=1to/etc/sysctl.confand reboot
3. Block IPv6 at the router
If you control your router, disabling IPv6 at the router level catches every device on the network. Most consumer routers have a toggle under Advanced Settings -> IPv6. The downside is everyone in your house loses IPv6 - usually harmless, occasionally annoying.
Reading our IPv6 row
The "ipv6 test" badge has three states:
- SAFE - api64 returned an IPv4 address. Either your system has no IPv6, your VPN is blocking IPv6, or your VPN is tunneling IPv6 to a non-leaky address.
- EXPOSED - api64 returned an IPv6 address. Your browser is reaching the internet over IPv6, which usually bypasses VPN tunnels. If you have a VPN on, this is a leak.
- N/A - the request failed (network blocked, browser denied, ad-blocker stripped). Treat as inconclusive.
Bottom line
IPv6 leaks were the dirty secret of the VPN industry for years - then streaming geo-checks started using IPv6, the leak got embarrassing, and most reputable providers fixed it. The free and budget tier still hasn't. Run this test, and if it shows EXPOSED, switch providers or disable IPv6 at the OS level until you do.