Glossary
What is an IPv6 leak
When IPv6 traffic bypasses a VPN that only tunnels IPv4, exposing your real IPv6 address to sites you visit.
IPv6 is the next generation of internet addressing — 128-bit addresses written as 2001:db8::1 instead of IPv4's 192.0.2.1. Most home ISPs in 2026 assign you both. Most VPN protocols only tunnel IPv4 by default.
This creates a leak. When you load a website that's IPv6-reachable, your browser may prefer the IPv6 address and connect directly through your real interface. The VPN says you're in Frankfurt; the website logs your real IPv6 address from your home ISP.
Why this is a Windows-specific pain
Windows aggressively prefers IPv6 over IPv4 when both are available. The "Happy Eyeballs" algorithm tries IPv6 first, falls back to IPv4 only if IPv6 fails fast. Most major sites (Google, Cloudflare, Akamai, Facebook) are dual-stack — they advertise both. Windows picks IPv6.
When the VPN only tunnels IPv4, IPv6 takes the underlying interface. Your browser opens a connection to YouTube via IPv6, the connection goes through your home router, your real IPv6 address shows up in YouTube's logs.
This isn't theoretical. It's the default on Windows for the last decade. Test by loading test-ipv6.com with the VPN connected — if you see your real IPv6 address, your VPN is leaking.
The two fixes
Fix 1: Tunnel IPv6 too
Some VPN providers route IPv6 through the tunnel just like IPv4. Cleaner solution. Slightly more complex protocol setup. WireGuard supports it natively (allowedIPs ::/0); OpenVPN can do it with the right config; older protocols don't always.
Fix 2: Null-route IPv6 while the tunnel is up
The other approach: when the VPN connects, install a route that sends IPv6 traffic to a local null destination. Effectively disable IPv6 for the duration of the tunnel. The OS keeps trying IPv6 first, fails immediately, falls back to IPv4 through the tunnel.
This is what Fexyn does. It's simpler to get right than tunneling IPv6 through every protocol, and the behaviour is uniform: if the VPN is up, IPv6 doesn't leak — it doesn't go anywhere. IPv4 goes through the tunnel.
What about apps that need IPv6
Most don't. The IPv4 fallback works transparently. The exception is apps that bypass system DNS and connect to IPv6-only hosts directly — rare on consumer networks, common in some self-hosted or enterprise setups.
If you have a specific application that requires IPv6, the workaround today is disconnecting the VPN for that task. Split tunneling for IPv6 isn't currently on the Fexyn roadmap because the threat-model justification is weak — the kinds of users who need IPv6 inside a VPN tunnel are usually running something custom anyway.
How to test
Run Fexyn's DNS leak test — the test pulls both IPv4 and IPv6 information when available and flags mismatches. With Fexyn connected, IPv6 should appear unreachable (null-routed) rather than showing your real address.
For public Wi-Fi and other untrusted networks, the IPv6 leak path is one of the most common ways VPN protection silently fails. Closing it is mandatory, not optional.
Try Fexyn free for 7 days — IPv6 null-routing is on by default; you don't toggle it.
Related terms
Try Fexyn free for 7 days
Windows app available now in Beta. WireGuard, VLESS Reality, and OpenVPN with no browsing-history, DNS-query, or traffic-content logs.
See pricing