Your VPN Might Be Lying — 5 Ways to Check If Encryption Is Real
Your VPN Might Be Lying — 5 Ways to Check If Encryption Is RealThey say “military-grade encryption.” You see a green checkmark. But where’s the proof?
You’re right to be skeptical. VPN marketing is full of buzzwords — “AES-256,” “military-grade,” “bank-level security.” But unless you verify it yourself, you’re trusting a company that profits from your trust. Here’s how to actually prove your traffic is encrypted.
🧠 What You're Actually Testing
VPN encryption has two parts:
| Part | What It Does | What Breaks If It Fails |
|---|---|---|
| Tunnel encryption | Scrambles your traffic between you and the VPN server | Your ISP, hackers on public WiFi, and anyone watching can read your data |
| Leak protection | Prevents your real IP/DNS from escaping the tunnel | Your identity leaks even if encryption is “on” |
Most people only test for leaks. This guide covers both — proving the tunnel itself is encrypted AND checking for leaks.
⚡ Method 1: Wireshark (The Gold Standard)
This is the most reliable test. You’re literally looking at your own traffic and checking if it’s gibberish (encrypted) or readable (exposed).
What You Need
- Wireshark — free, open-source, Windows/Mac/Linux
- Your VPN connected
- 5 minutes
Step-by-Step
- Download and install Wireshark (install Npcap when prompted — it’s required for packet capture)
- Connect to your VPN
- Open Wireshark → select your active network interface (usually “Wi-Fi” or “Ethernet”)
- Start capturing (click the blue shark fin or press Ctrl+E)
- Generate some traffic — browse a website, load a video, whatever
- Stop capture after 30 seconds (Ctrl+E again)
- Analyze the packets
What to Look For
| If You See This | Your VPN Is… |
|---|---|
| Protocol column shows ESP, IKE, WireGuard, or OpenVPN |  Encrypted — these are VPN protocols wrapping your traffic |
| Packet data is random hex/gibberish when you click on it | Encrypted — unreadable = working |
| Protocol shows HTTP and you can read the actual content |  NOT encrypted — your traffic is exposed |
| You see your destination websites in plaintext | NOT encrypted — the tunnel isn’t working |
Pro Tip: Filter for Your VPN Protocol
In Wireshark’s filter bar, type:
openvpn— for OpenVPN connectionsesp— for IPsec/IKEv2 connectionsudp.port == 51820— for WireGuard (default port)
If you see packets matching your VPN protocol, and clicking them shows encrypted gibberish — you’re good.
⚡ Method 2: tcpdump (Linux/Mac Command Line)
Same concept as Wireshark, but terminal-based. Faster if you’re comfortable with command line.
The Test
# Capture traffic on your main interface (replace eth0 with your interface)
sudo tcpdump -i eth0 -X -c 50
What You’re Looking For
Encrypted traffic looks like:
0x0000: 4500 0054 a8b5 4000 4011 8f3e c0a8 0165
0x0010: d83a d8e9 c350 01bb 0040 9f8c 1703 0300
→ Random hex. Unreadable. Good.
Unencrypted traffic looks like:
GET /index.html HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0
→ Readable text. Bad. Your VPN isn’t encrypting.
WireGuard-Specific Test
From this guide:
# Listen on your physical interface while traffic goes through WireGuard
sudo tcpdump -i eth0 -X host YOUR_VPN_SERVER_IP
If you see encrypted hex when browsing → WireGuard is working.
If you see readable HTTP requests → something’s broken.
⚡ Method 3: Check Your VPN's Config File
If you use OpenVPN, the encryption settings are in plain text in your config file.
Find Your Config
- Windows: Usually in
C:\Program Files\OpenVPN\config\orC:\Users\YourName\OpenVPN\config\ - Mac/Linux: Usually in
/etc/openvpn/or~/.config/openvpn/ - VPN app: Look for “Export config” or check the app’s settings folder
What to Look For
Open the .ovpn file in a text editor. Search for:
| Line | What It Means |
|---|---|
cipher AES-256-CBC |
AES-256 encryption (strong) |
cipher AES-256-GCM |
AES-256 with authenticated encryption (stronger) |
cipher AES-128-CBC |
 AES-128 (still good, but not “256-bit” as advertised) |
cipher none |
No encryption at all |
auth SHA256 or auth SHA384 |
Hash authentication (verifies data integrity) |
tls-cipher line with long string |
TLS settings for the control channel |
WireGuard Encryption
WireGuard doesn’t let you choose — it uses a fixed, modern suite:
- ChaCha20 for encryption
- Poly1305 for authentication
- Curve25519 for key exchange
- BLAKE2s for hashing
If you’re on WireGuard, you’re using these. No config to check — it’s hardcoded.
⚡ Method 4: GlassWire (Windows — Easy Mode)
If Wireshark feels intimidating, GlassWire is a simpler alternative with a visual interface.
What It Does
Shows you what apps are using your network and which protocol they’re using.
The Test
- Download GlassWire (free version works)
- Connect to your VPN
- Look for your VPN process in the traffic list:
- OpenVPN: Look for
openvpn.exeorOpenVPN Daemon - WireGuard: Look for
wireguard.exe - Your VPN app: Look for
nordvpn.exe,expressvpn.exe, etc.
- OpenVPN: Look for
- Check the traffic type — should show SSL/HTTPS or the VPN protocol name
If your VPN process is routing traffic and showing encrypted protocols → working.
If you see HTTP traffic going directly from your browser → not working.
🔍 Method 5: Leak Tests (Complement, Not Replacement)
These test whether your real identity escapes the tunnel — not whether the tunnel itself is encrypted. Use these IN ADDITION to the methods above, not instead of them.
| Test | What It Checks | Link |
|---|---|---|
| DNS Leak Test | Is your DNS going through the VPN or your ISP? | dnsleaktest.com |
| WebRTC Leak Test | Is your browser leaking your real IP via WebRTC? | browserleaks.com/webrtc |
| IPv6 Leak Test | Is IPv6 traffic bypassing the VPN tunnel? | ipv6leak.com |
| IP Check | Does your visible IP match the VPN server? | ipleak.net |
Pass all of these AND Wireshark shows encrypted traffic → your VPN is actually working.
📋 Quick Reference: VPN Protocols & What They Should Show
| Protocol | What Wireshark Shows | Encryption Used |
|---|---|---|
| OpenVPN (UDP) | OpenVPN protocol, UDP port 1194 (default) |
AES-256-GCM or AES-256-CBC |
| OpenVPN (TCP) | OpenVPN protocol, TCP port 443 (often) |
AES-256-GCM or AES-256-CBC |
| WireGuard | UDP traffic to port 51820, no readable content | ChaCha20-Poly1305 |
| IKEv2/IPsec | ESP (Encapsulating Security Payload), IKE for handshake |
AES-256 or ChaCha20 |
| L2TP/IPsec | ESP packets, UDP port 500 for IKE |
AES-256 |
| PPTP | GRE protocol |
MPPE (weak, avoid this protocol) |
If you see your VPN’s expected protocol in Wireshark with encrypted payloads → it’s working.
⚠️ Red Flags: Signs Your VPN Might Be Lying
| Red Flag | What It Means |
|---|---|
| No config file or settings access | You can’t verify what encryption is actually used |
| Only PPTP/L2TP available | Outdated protocols with known vulnerabilities |
| “256-bit encryption” but no protocol specified | Marketing without substance — could be anything |
| Wireshark shows HTTP traffic while VPN is “connected” | Tunnel isn’t working at all |
| Readable DNS queries in packet capture | DNS is leaking outside the tunnel |
| VPN app is closed-source with no audit | No way to verify claims independently |
Trustworthy VPNs: Open-source clients, published security audits, support for OpenVPN/WireGuard, let you export/inspect config files.
Trust but verify. If they’re really encrypting, the packets will prove it.
!