WebRTC Leak Testing: Protect Your VPN Privacy
How WebRTC can expose your real IP address even when you are connected to a VPN, and what you can do about it.
What is a WebRTC Leak?
WebRTC (Web Real-Time Communication) is a browser technology that enables peer-to-peer audio, video, and data sharing without plugins. It powers video calls in Google Meet, Discord, and countless other web applications. To establish these peer-to-peer connections, WebRTC needs to discover the IP addresses of the user's network interfaces.
The problem: WebRTC's IP discovery mechanism uses STUN (Session Traversal Utilities for NAT) requests that bypass the browser's normal network stack -- and by extension, any VPN tunnel. Even when all other traffic is routed through a VPN, WebRTC can independently contact STUN servers and reveal the user's real IP address.
This means a website can use a few lines of JavaScript to detect your real public IP address and your local network IP address, completely undermining VPN privacy. This is known as a WebRTC leak.
How the Leak Works
When a browser creates an RTCPeerConnection, it generates ICE (Interactive Connectivity Establishment) candidates. Each candidate contains an IP address and port that could be used for a peer-to-peer connection. These candidates include:
- Host candidates: IP addresses of the local machine's network interfaces (Wi-Fi, Ethernet, VPN adapter). These reveal your private/local IP.
- Server-reflexive candidates: Your public IP as seen by a STUN server. These reveal your real public IP, even if you are behind a VPN.
- Relay candidates: Addresses of TURN servers used when direct connections fail. These do not leak your IP.
The key insight is that STUN requests are UDP packets sent directly from the operating system's network stack. Many VPN implementations only tunnel TCP traffic, or the browser sends the STUN request before the VPN tunnel intercepts it. The result: a website can compare the WebRTC-discovered IP with the HTTP-visible IP, and if they differ, the user's real IP is exposed.
Leak Detection Logic
If the WebRTC-discovered public IP differs from the VPN-assigned IP, the user's real IP address has been exposed.
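The comparison above, written out as an added example (not the site's own tool code): it parses ICE candidate lines, sorts them into local, mDNS-obfuscated and public addresses, and flags any public address that differs from the HTTP-visible IP. The function names and result fields are hypothetical and the sample candidates are constructed; it goes slightly beyond the text by also recognising mDNS names and IPv6 local ranges.

```javascript
// Added example: classify ICE candidate lines and flag a WebRTC leak.
// All sample addresses are constructed (RFC 5737 documentation ranges and
// RFC 1918 private space); analyzeLeak and its field names are hypothetical.

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), port: Number(f[5]), type: f[7] };
}

// True for addresses that are not routable on the public Internet.
function isLocalAddress(ip) {
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(ip);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
           (a === 192 && b === 168) || (a === 169 && b === 254);
  }
  // IPv6 loopback, link-local (fe80::/10) and unique local (fc00::/7)
  return ip === "::1" || /^fe[89ab]/.test(ip) || /^f[cd]/.test(ip);
}

function analyzeLeak(candidateLines, httpVisibleIp) {
  const seen = { local: new Set(), mdns: new Set(), public: new Set() };
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.type === "relay") continue;   // relay = TURN server, not the user
    if (c.address.endsWith(".local")) seen.mdns.add(c.address);   // mDNS-obfuscated host
    else if (isLocalAddress(c.address)) seen.local.add(c.address);
    else seen.public.add(c.address);          // srflx, or host on a public interface
  }
  const leakedIps = [...seen.public].filter((ip) => ip !== httpVisibleIp.toLowerCase());
  return { localIps: [...seen.local], mdnsNames: [...seen.mdns],
           publicIps: [...seen.public], leakedIps, leak: leakedIps.length > 0 };
}

// Constructed gathering result: VPN exit is 203.0.113.10, ISP address is 198.51.100.7.
const sampleCandidates = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e1a-9c55-0a1b2c3d4e5f.local 54322 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 41885439 192.0.2.50 3478 typ relay raddr 198.51.100.7 rport 54321",
];
console.log(analyzeLeak(sampleCandidates, "203.0.113.10"));
```

In a browser, the candidate lines would come from the candidate strings delivered by RTCPeerConnection's icecandidate events during your own leak test.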
Who is Affected?
WebRTC leaks primarily affect users who:
- Use a VPN for privacy and expect their real IP to be hidden
- Use a browser that supports WebRTC (Chrome, Firefox, Edge, Opera, Brave)
- Have not specifically configured WebRTC privacy settings
Safari has historically been less vulnerable because it restricts WebRTC to prevent IP leaking by default. Chrome and Firefox are the most commonly affected browsers.
Testing for WebRTC Leaks
You can test for WebRTC leaks using our built-in tool:
- Connect to your VPN as you normally would.
- Open the IP Address Lookup tool.
- Click “Detect My IP” to see the IP address visible to websites (should be your VPN IP).
- Switch to the WebRTC Leak tab and click “Run Leak Test.”
- Compare the results: if WebRTC reveals a public IP different from your VPN IP, you have a leak.
How to Prevent WebRTC Leaks
There are several approaches to prevent WebRTC from leaking your real IP:
Chrome / Chromium-Based Browsers
Chrome does not provide a built-in setting to disable WebRTC. Your options:
- Use a VPN with leak protection: Many VPN clients include WebRTC leak protection that configures the browser to only use the VPN interface for ICE candidates. Check your VPN's settings for this feature.
- Browser extension: Extensions like “WebRTC Leak Prevent” or “WebRTC Network Limiter” can restrict which network interfaces WebRTC accesses.
- Chrome flag: Navigate to chrome://flags/#enable-webrtc-hide-local-ips-with-mdns and enable it. This replaces local IPs with mDNS candidates, but does not prevent STUN-based leaks.
Firefox
Firefox provides the most granular control:
- Navigate to about:config in the address bar.
- Set media.peerconnection.enabled to false to completely disable WebRTC. This will break video calls and other WebRTC-dependent features.
- Alternatively, set media.peerconnection.ice.default_address_only to true to limit ICE candidates to the default interface only (typically the VPN interface when connected).
Edge
Being Chromium-based, Edge shares the same WebRTC behavior as Chrome. The same extensions and VPN-level protections apply.
Network-Level Protection
The most reliable prevention is at the network level: configure your firewall or VPN so that UDP traffic to known STUN servers (ports 3478 and 19302 are common) is blocked from bypassing the tunnel. This prevents ICE candidates from reaching external servers regardless of browser settings.
What WebRTC Leaks Do NOT Reveal
It is important to understand the scope of a WebRTC leak:
- It reveals your IP address, not your browsing history or other data.
- It does not bypass HTTPS encryption -- your traffic is still encrypted.
- It does not reveal your DNS queries or the content you are accessing.
- The leaked IP can be used for geolocation, but only to the accuracy that IP-based geolocation provides (typically city-level, not street address).
However, your real IP address combined with your ISP's records can identify your household, which is often sufficient to deanonymize a VPN user.
Test Your Setup
Run a WebRTC leak test right now with our IP Address Lookup tool. The WebRTC Leak tab creates a temporary RTCPeerConnection, collects ICE candidates, and compares the discovered IPs against your public VPN IP. The entire test runs in your browser -- no data is sent to our servers.
Further Reading
- WebRTC Specification — W3C
The official W3C specification for WebRTC, including the RTCPeerConnection API.
- RFC 8445 — Interactive Connectivity Establishment (ICE)
The ICE protocol specification that governs how WebRTC discovers candidate IP addresses.
- RFC 8828 — WebRTC IP Address Handling Requirements
W3C/IETF guidance on how browsers should handle IP address exposure in WebRTC.