Why Your VPN Says Connected But Your Data is Still Exposed

The green "connected" indicator in your VPN app means one thing and one thing only: a VPN tunnel has been established between your device and the VPN server. It does not mean all your traffic is protected. It does not mean no data is leaking. And it definitely does not mean you can stop thinking about your privacy. Here are the six most common technical reasons a VPN shows connected while your data remains exposed — and exactly how to fix each one.

Reason 1: Split Tunnelling is Enabled

Split tunnelling is a VPN feature that intentionally routes some of your traffic outside the VPN tunnel. It is designed for convenience — for example, routing your banking app through the VPN while letting Netflix use your direct connection for better streaming speed. The problem arises when split tunnelling is enabled accidentally, configured too broadly, or when you forget it is active.

If split tunnelling is set to exclude your browser, your entire web browsing activity travels unprotected. Your ISP sees everything. The VPN app reports connected because it is — just not for the traffic you think it is protecting.

Fix: Open your VPN app settings and locate the split tunnelling or per-app VPN configuration. Either disable split tunnelling entirely or review every application listed to ensure your browser and other sensitive apps are routed through the VPN, not excluded from it.

Reason 2: WebRTC is Bypassing the VPN Tunnel

WebRTC (Web Real-Time Communication) is a browser API used for video calls, voice calls, and peer-to-peer data sharing. It was designed to establish direct connections between browsers, and to do this it uses a technique called ICE (Interactive Connectivity Establishment) that can discover and expose your real IP address — including your local network IP and your public IP — regardless of your VPN tunnel.

A WebRTC leak means websites can query your browser's WebRTC implementation and receive your real IP address back, even though all other traffic is going through the VPN. This is browser-level and completely bypasses the VPN's IP masking.

Fix: Install the uBlock Origin browser extension. In its settings, enable "Prevent WebRTC from leaking local IP address." In Firefox, navigate to about:config and set media.peerconnection.enabled to false. In Chromium-based browsers, consider using extensions specifically designed for WebRTC control.

Reason 3: IPv6 Traffic is Not Covered

The internet is in the middle of a long transition from IPv4 (the older addressing system, e.g., 192.168.1.1) to IPv6 (the newer system with much larger addresses, e.g., 2001:db8::1). Many VPNs were built primarily for IPv4 and do not properly handle IPv6 traffic. If your network connection uses IPv6 — and increasingly, most modern connections do — your IPv6 traffic may travel completely outside the VPN tunnel.

Websites that support IPv6 will receive your real IPv6 address instead of the VPN's address, directly identifying you. Your ISP can also see this IPv6 traffic. The VPN reports connected because its IPv4 tunnel is working — it simply does not handle IPv6.

Fix: Check your VPN app settings for "IPv6 leak protection" and enable it. Most reputable VPNs now include this. Alternatively, you can disable IPv6 at the operating system level: on Windows, go to Network Adapter settings → Properties and uncheck "Internet Protocol Version 6." On macOS, go to System Preferences → Network → Advanced → TCP/IP and set "Configure IPv6" to Off.

Reason 4: DNS Fallback to ISP Servers

When a VPN connection has a brief interruption or instability, some operating systems and VPN clients fall back to the system's default DNS configuration — typically your ISP's DNS servers. This DNS fallback can happen in milliseconds, making it invisible to the user, but during that window your DNS queries are exposed to your ISP.

More persistently, some VPN configurations simply do not override your device's DNS settings at all. Your device continues using whatever DNS servers were configured before the VPN connected, which in most cases means your ISP's servers.

Fix: Enable DNS leak protection in your VPN settings. Additionally, manually configure your device's network adapter to use privacy-respecting DNS servers (1.1.1.1 for Cloudflare or 9.9.9.9 for Quad9) as a fallback. This ensures that even during brief VPN interruptions, your DNS queries do not go to your ISP.

Reason 5: The Kill Switch is Disabled

A VPN kill switch is a feature that cuts off all internet access if the VPN connection drops unexpectedly. Without it, there is a gap between when the VPN disconnects and when it reconnects during which all your traffic — including your IP address and DNS queries — is exposed in plain sight. On an unstable connection or when a VPN server is under load, these gaps can happen multiple times per session.

Many VPN apps have a kill switch feature but ship with it disabled by default because it creates a more disruptive user experience when the VPN drops. Users often do not realise it is there.

Fix: Find the kill switch option in your VPN app settings (it may be called "Network Lock," "Internet Kill Switch," or "Always-on VPN" depending on the provider) and enable it. On mobile, use your operating system's "Always-on VPN" setting combined with "Block connections without VPN" for the strongest protection.

Reason 6: The VPN Protocol is Misconfigured or Falling Back to an Insecure Mode

Modern VPNs support multiple protocols — OpenVPN, WireGuard, IKEv2, Lightway, and others. Some VPN clients automatically select the "best" protocol, which can mean falling back to older or less secure configurations when network conditions are challenging. In rare cases, a protocol configuration error can result in the VPN tunnel being established but not properly encrypting all traffic.

Additionally, some VPN apps have a "stealth" or "obfuscation" mode that modifies how the VPN tunnel works to bypass VPN blocking. If this mode is activated incorrectly on a network that does not require it, it can sometimes reduce the tunnel's effectiveness.

Fix: In your VPN app, manually select a specific protocol rather than using "automatic." WireGuard and OpenVPN (UDP) are generally the most reliable choices for both security and performance. Disable obfuscation modes unless you are on a network that actively blocks VPN traffic.

How to Know Which Problem You Have

Run our free VPN check immediately after connecting to your VPN. The results will indicate whether your IP is masked, what your detected ISP is, and whether WebRTC is leaking a different IP. For DNS specifically, use a dedicated DNS leak test tool for the most detailed results. Once you identify the type of leak, apply the corresponding fix above.

Recommended VPN Providers

Affiliate Disclosure: We may earn a commission from these links at no cost to you.