The green icon in the corner of your VPN application means one thing only: the software client is connected to the VPN server. It doesn't say your browser goes through the tunnel. It doesn't say your DNS queries are encrypted. It doesn't say WebRTC isn't leaking your real IP via JavaScript. It doesn't say IPv6 isn't bypassing the tunnel directly to your ISP. Here's the check-list of what to actually verify in 2026: five minutes, five tests, and you know exactly where you stand. It's the express complement to our complete VPN audit in 7 steps, meant for routine verifications.
Test #1 — Your public IP actually changed
The fastest and most visible test. With the VPN off, open the My IP tool and note the displayed address and ISP name (Orange, Free, SFR, Bouygues if in France). To understand what your public address actually reveals beyond the basic ISP label, see our deep-dive on what your IP address says about you. Turn the VPN on and reload the page. The IP must be completely different: not just one last digit changed but a fully new range. The ISP must also change: it must show a datacenter host name (Tefincom for NordVPN, Tata Communications, M247, Datacamp, OVH) and no longer your residential provider.
If the IP hasn't moved, either your VPN isn't actually connected or it's routing traffic without masking the IP (a rare case linked to a corporate proxy neutralizing the VPN). Fixes, in order: restart the VPN client, pick another server from the list, retry. If nothing changes even after 3 tries, your VPN simply isn't working: uninstall it and reinstall the latest version, or contact the provider's technical support. No other test makes sense as long as test #1 fails.
Test #2 — Detected country matches selected server
You connected to a server labeled "Netherlands" in your VPN client, but the site you're browsing geolocates you in "Germany" or another country. That's not necessarily a reason to panic: IP geolocation databases (MaxMind GeoIP2, IP2Location) are sometimes off by a neighboring country, particularly near European borders. But if you're targeting a country-specific streaming catalog, you need to verify on the final service itself.
For Netflix: go to netflix.com without logging in (or with a clean account). The homepage catalog shows content from the country detected by Netflix. If you target Netflix US and see "The Office US", "Brooklyn Nine-Nine", "Parks and Recreation" on the front page, that's good. If you see French or European productions, the detected country isn't what you targeted — change VPN server, clear Netflix cookies, retry. For methodology detail, see our Netflix US from France guide.
For BBC iPlayer, France TV, RTVE, NHK: same principle. A connection bouncing to the service's "international" version signals that your VPN exits in a country not covered by rights — proof that detected geolocation isn't the expected one. Worth noting: even with a perfect VPN exit, your radio-layer hardware fingerprint can give you away on captive networks — see our MAC spoofing on public Wi-Fi walkthrough for the identifier the VPN doesn't mask.
Test #3 — No WebRTC leak from your browser
This is trap #1 and the most critical leak in 2026. WebRTC is a real-time communication API built into all modern browsers (Chrome, Firefox, Safari, Edge). It tries to discover your real IP via STUN servers to enable browser P2P communication (Discord video calls, Google Meet screen sharing, etc.). If your VPN doesn't explicitly block it, a malicious site can read your real IP via JavaScript in under 100 ms, with no visible user-side signal.
Run our DNS Leak Test tool, which probes WebRTC in your browser and lists all detected candidate IPs. Three possible interpretations:
- Local IP (192.168.x.x, 10.x.x.x, 172.16-31.x.x): normal, that's your internal LAN/Wi-Fi network, and it reveals nothing external.
- Public IP matching the VPN exit noted in test #1: good sign, the VPN tunnels WebRTC correctly.
- Public IP not matching your VPN: confirmed WebRTC leak, immediate action required.
Solutions, by effectiveness: look in your VPN client for a "Block WebRTC" or "WebRTC Leak Protection" option (NordVPN has had it since 2022, ExpressVPN too), install the VPN's official browser extension that natively disables WebRTC, or as a last resort disable WebRTC manually in Firefox about:config (set media.peerconnection.enabled to false) or via uBlock Origin on Chrome (Settings → Privacy → prevent WebRTC from revealing local IP).
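The three-way reading of WebRTC candidate IPs in this test can be automated. The block below is an added example, not code from the article or from any VPN vendor: it classifies ICE candidate lines (the strings a browser exposes as RTCIceCandidate.candidate) against the VPN exit IP noted in test #1. It goes slightly beyond the text by also handling IPv6 candidates and the mDNS `.local` names modern browsers substitute for host addresses; the function names and all sample addresses are assumptions made for illustration.

```javascript
// Added example, not from the article. Sample candidates are constructed
// (documentation address ranges), not captured from a real browser.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51834 typ host',
  'candidate:2 1 udp 2122194687 3f2a9c1e-7b41-4d0a-9e55-0c1d2e3f4a5b.local 51835 typ host',
  'candidate:3 1 udp 1686052607 198.51.100.44 51834 typ srflx raddr 192.168.1.23 rport 51834',
  'candidate:4 1 udp 1685987071 203.0.113.9 51836 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:5 1 udp 2122129151 2001:db8:1234::5 51837 typ host',
];

// Layout: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function candidateAddress(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  return f.length >= 8 && f[0].startsWith('candidate:') ? f[4].toLowerCase() : null;
}

// The three private ranges listed in the text, plus loopback and link-local (added here).
function isPrivateV4(addr) {
  const o = addr.split('.').map(Number);
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 169 && o[1] === 254);
}

// IPv6 equivalents: loopback, link-local fe80::/10, unique-local fc00::/7.
function isLocalV6(addr) {
  return addr === '::1' || /^fe[89ab][0-9a-f]:/.test(addr) || /^f[cd][0-9a-f]{2}:/.test(addr);
}

function classify(addr, vpnExits) {
  if (addr.endsWith('.local')) return 'mdns-hidden';   // browser masked the host address
  const v4 = /^(\d{1,3}\.){3}\d{1,3}$/.test(addr);
  if (v4 ? isPrivateV4(addr) : isLocalV6(addr)) return 'local';
  // Fail closed: any public address that is not a known VPN exit counts as a leak.
  return vpnExits.includes(addr) ? 'vpn' : 'leak';
}

function auditCandidates(lines, vpnExits) {
  const exits = vpnExits.map((a) => a.toLowerCase());
  const seen = new Map();                              // de-duplicate repeated addresses
  for (const line of lines) {
    const addr = candidateAddress(line);
    if (addr) seen.set(addr, classify(addr, exits));
  }
  const leaks = [...seen].filter(([, v]) => v === 'leak').map(([a]) => a);
  return { verdicts: Object.fromEntries(seen), leaks, pass: leaks.length === 0 };
}
```

Calling `auditCandidates(SAMPLE, ['198.51.100.44'])` flags both the stray public IPv4 and the untunneled IPv6 candidate, the same situation test #5 looks for from the IPv6 side.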
Test #4 — DNS resolved via VPN, not via your ISP
DNS queries must go through the VPN tunnel. Otherwise your ISP continues to see the exact list of domains you visit (logs retained 12 months in France per Hadopi 2.0, accessible on judicial request). A DNS leak therefore undoes the very privacy benefit a VPN is typically used for.
Quick test: open dnsleaktest.com and launch an "Extended Test" (the "Standard Test" is insufficient: it checks ~5 resolvers vs ~30 for Extended). Wait 10-20 seconds for results. The tool lists the DNS servers that actually resolved the test queries. Success criterion: all responding DNS servers must belong to the VPN (NordVPN uses its own internal resolvers 103.86.96.X) or to a recognized public resolver (Cloudflare 1.1.1.1, Quad9 9.9.9.9, Google 8.8.8.8). The absolute criterion is that no response comes from your ISP. If you see 80.10.246.X (Orange), 212.27.40.X (Free), 109.0.66.X (SFR), 194.158.122.X (Bouygues), it's a confirmed leak.
For technical detail of possible causes and OS-specific fixes (Windows SMHNR to disable, browser DoH to disable, IPv6 to tunnel), see our complete DNS leak test guide.
Test #5 — No IPv6 leak
IPv6 is the most forgotten trap of superficial audits. Many VPNs only route IPv4 in their encrypted tunnel; IPv6 traffic exits directly to your ISP without encapsulation. On sites supporting IPv6 (Google, Facebook, Cloudflare host much of the internet in IPv4+IPv6 dual stack), your real IPv6 remains visible to visited sites while your IPv4 is hidden by the VPN. The site therefore knows your real geolocation despite active VPN.
Go to test-ipv6.com. Two possible outcomes: "No IPv6 detected" means perfect — IPv6 disabled or efficiently blocked by the VPN. Otherwise "Your IPv6 address: 2001:..." is displayed: verify that this address corresponds to the VPN server's IPv6 prefix (different prefix from your residential ISP) and not your real IPv6 prefix. If it matches your ISP (Orange/Free/Bouygues have their own IPv6 ranges), it's a confirmed IPv6 leak.
Solutions: if your VPN doesn't natively manage IPv6 and leaks, either enable the "Disable IPv6" or "Block IPv6" option in the VPN client, or disable IPv6 in your network card's system settings (Windows Settings → Network → Adapter → Properties → uncheck IPv6). It's technically ugly (you give up the advantages of IPv6) but it does block the leak. NordVPN has supported native IPv6 tunneling since 2024; ExpressVPN blocks IPv6 by default.
Summary — the practical 5-minute check-list
To apply the check quickly without missing a test, here's the exact sequence to run, in order. Each test takes 30-60 seconds.
| # | Test | Tool | Expected result |
|---|---|---|---|
| 1 | Public IP changed | My IP tool | Completely different IP, ISP = datacenter host |
| 2 | Detected country | Netflix / BBC iPlayer catalog | Matches chosen VPN server |
| 3 | WebRTC leak-free | DNS Leak Test tool | No detected public IP outside tunnel |
| 4 | DNS via VPN | DNSLeakTest.com Extended | No residential ISP DNS |
| 5 | No IPv6 leak | test-ipv6.com | No IPv6 OR IPv6 = VPN prefix |
If you pass all 5 tests, your VPN actually works, and not just according to its taskbar icon. If even one fails, identify the cause and apply the appropriate fix before continuing any sensitive use (banking, confidential accounts, political browsing). Redo the full sequence after every major update of the system, browser, or VPN client.
Difference with the complete 7-step audit
This 5-minute check-list is a quick routine diagnosis, to be run regularly to confirm that no silent regression has occurred. It doesn't cover every aspect of an in-depth verification: the kill switch (step 5 of the complete audit), speed loss measurement (step 6), and no-log policy verification via independent audit (step 7) are left out here for the sake of speed.
For an in-depth annual audit, or in case of serious doubt about the VPN you use, switch to our complete VPN audit in 7 steps, which includes all of these points. For routine verification (e.g., after a Windows update, after installing a new browser, or quarterly), these 5 quick tests are largely sufficient.
What to remember
The VPN client's green icon is a software connection indicator, not effective protection. Five quick tests — public IP, country, WebRTC, DNS, IPv6 — suffice to confirm that your traffic, DNS, and browser APIs actually go through the encrypted tunnel, without silent bypass on browser or operating system side.
Redo them after every update of the OS (Windows, macOS), the VPN (new client), or the browser (Firefox 125 → 126 for example), because silent regressions exist and no visible signal will tell you. If you want a deeper audit (kill switch, speed, logs), see our complete 7-step audit. For a regular routine check, these five tests are largely sufficient and guarantee your privacy tool is doing its job.
Read next
- DNS + WebRTC leak test tool: diagnosis in 30 seconds in your browser
- My IP tool (public IP and geolocation): check what sites see of you
- Complete VPN audit in 7 steps: in-depth version with kill switch, speed, logs
- Complete DNS leak test guide: possible causes and fixes by OS
- Netflix US from France: concrete example of detected-country verification
- NordVPN review after 8 months of use: tests + unblock + speed over 6 months
Article published on May 27, 2026, updated on May 28, 2026. Methodology: tests performed on residential Orange 1 Gbps fiber Paris 15th district, Firefox 125 and Chrome 124 up-to-date, with 6 market VPNs (NordVPN, ExpressVPN, Surfshark, ProtonVPN, Mullvad, CyberGhost). Logs and screenshots preserved in internal archives, available on editorial request via contact.