What Is a WebRTC Leak?

A quick browser feature built for video calls can quietly hand your real IP address to any website, even while a VPN is running. Here's what's actually happening and how to check for it.

Published Jul 2, 2026
Updated Jul 2, 2026
9 min read
Share
Diagram illustrating how a WebRTC leak exposes a real IP address around a VPN tunnel

You turn on your VPN, the app says connected, and you assume your real IP address is hidden from every site you visit. Most of the time that's true. But there's a browser feature built for something completely unrelated to VPNs, video calling, that can quietly undo that protection without your VPN app ever knowing anything went wrong. That's a WebRTC leak.

This article covers what WebRTC actually is, what "leak" means here, why it happens even with a decent VPN, and how to check whether it's happening to you.

What is WebRTC?

WebRTC stands for Web Real-Time Communication. It's a browser feature that lets two devices set up a direct audio, video, or data connection without installing a plugin. It's the reason Google Meet, Discord's browser version, and WhatsApp Web can do live video calls right inside a browser tab. Every major browser, Chrome, Firefox, Safari, Edge, Brave, has WebRTC built in and turned on by default.

None of that is a problem on its own. WebRTC is genuinely useful, and turning it off entirely breaks a lot of ordinary things people use every day. The issue is a side effect of how it works under the hood, which is what the rest of this article is actually about.

What is a WebRTC leak?

A WebRTC leak is when a website uses WebRTC to discover your real IP address, even though you're using a VPN or proxy that's supposed to hide it. It happens because WebRTC needs to know each device's real network address to set up a direct peer-to-peer connection, and figuring that out involves a step that runs outside your browser's normal, VPN-protected traffic path.

In practice: a site runs a small bit of JavaScript, your browser hands back a list of your device's possible network addresses, and the site now has your real IP even if the address bar, your VPN app, and every other part of your setup looks completely normal.

How the leak actually happens

To set up a direct connection between two browsers, WebRTC uses a process called ICE (Interactive Connectivity Establishment). ICE gathers a list of every network path your device might be reachable on, called candidates, and offers them all to the other side so the two browsers can pick whichever path actually works.

There are three kinds of candidates, and they matter differently:

Host candidate
Your device's local network address, something like 192.168.1.42. Assigned by your router, not unique to you, and shared by millions of other home networks.
Server-reflexive (srflx) candidate
Your real public IP address, discovered by asking a STUN server "what address did you see this request come from?" This is the one that actually matters for privacy.
Relay (TURN) candidate
An address belonging to a TURN relay server, not your device. Generally not a privacy concern on its own.

The srflx candidate is where the leak lives. To generate it, your browser sends a short request over UDP straight to a STUN server (commonly one of Google's or Cloudflare's public ones). That request doesn't go through your browser's usual HTTP(S) traffic path, and depending on how your VPN is set up, it may not go through your VPN tunnel either. The STUN server sees your real connection and reflects your real public IP straight back to the browser, which then hands it to whatever site asked for it. Your VPN app never sees this happen, because from its point of view, nothing about your web browsing changed.

Local IP vs public IP: which one matters

People often panic at the wrong result. If a leak test shows a local IP like 192.168.1.42 or 10.0.0.5, that's your home router's internal addressing, and it's not unique to your device or your ISP. It's a mild fingerprinting signal at most, since modern browsers have masked it by default since around 2020 anyway, replacing it with a randomized .local hostname through a technique called mDNS obfuscation.

The result actually worth worrying about is your real public IP showing up while a VPN is connected. That's your ISP-assigned address, the same one a VPN is specifically supposed to hide, and it's what a site can use to trace your rough location and identify your internet provider. If your VPN's public IP and the address in the WebRTC section of a leak test don't match, that's the leak that matters. Our IP leak test and DNS leak test check the same class of exposure through different paths.

Why your VPN doesn't always stop it

Good VPN apps that route your entire system's traffic, including UDP, generally do stop this. The leak shows up most often for one specific and very common reason: the "VPN" isn't actually a full VPN.

A lot of people use a browser extension labeled "VPN" and assume it works the same way as a desktop or mobile app. It doesn't. Most browser VPN extensions are proxies that reroute your browser's HTTP and HTTPS traffic. They have no way to touch WebRTC's UDP-based STUN requests, because that traffic was never going through an HTTP proxy to begin with. The extension isn't lying when it says "connected". It's just protecting a narrower slice of your traffic than a real VPN client does, and WebRTC lives entirely outside that slice.

Full VPN apps can still leak too, usually from split-tunneling settings, an IPv6 connection the VPN doesn't account for, or a kill switch that doesn't cover traffic already in flight when the VPN reconnects. It's also worth being clear that this is a separate layer from which VPN protocol you're using. Switching between WireGuard and OpenVPN doesn't fix or cause a WebRTC leak on its own; both can leak or both can protect you, depending on how the app around them handles UDP traffic. If you're not sure your provider handles this correctly, our VPN reviews note which ones publish real leak-testing results.

Which browsers are affected

Every major browser ships WebRTC on by default, but they don't all handle the local-IP part the same way, and none of them protect your public IP without help from your VPN.

Browser Local IP protection Public IP protection
Chrome / Edge mDNS obfuscation, on by default since Chrome 91 None built in; depends entirely on your VPN
Firefox mDNS obfuscation, plus manual about:config controls None built in; depends entirely on your VPN
Safari (macOS) mDNS by default; extra flags under Advanced settings None built in; depends entirely on your VPN
Safari (iOS) mDNS by default; no full disable option since iOS 12 None built in; depends entirely on your VPN
Brave mDNS by default, plus a native "WebRTC IP handling policy" setting Can be set to route only through your proxy/VPN interface
Tor Browser WebRTC disabled entirely WebRTC disabled entirely

How to test for it and fix it

01
Test it first, before changing anything
Connect your VPN, note the public IP it's supposed to be showing, then check what WebRTC actually exposes.
Run our WebRTC leak test to see every IP address your browser would hand to a website right now, including which ones are STUN-derived public addresses versus harmless local ones.
02
Confirm you're using a real VPN, not just a browser extension
If your "VPN" is a browser extension and the test shows your real public IP, that's almost certainly the cause. Switch to the provider's full desktop or mobile app, which routes system-level traffic instead of just your browser's HTTP requests.
03
Turn on your VPN's WebRTC leak protection, if it has one
Many paid VPN apps include a specific toggle for this, sometimes labeled "WebRTC protection" or bundled into an "advanced" or "leak protection" settings section. Enable it, reconnect, and retest.
04
Skip the outdated uBlock Origin advice
A lot of older articles tell you to enable a WebRTC-blocking setting in uBlock Origin. That option was removed from the desktop version in 2021, once Chrome and Firefox started handling local-IP masking natively. Looking for it in a current install won't turn up anything, and it wasn't protecting your public IP in the first place.
05
For Chrome or Edge, use a current WebRTC-control extension if needed
Chrome removed its own about:config-style toggle years ago, so if your VPN doesn't have native WebRTC protection, an extension like WebRTC Leak Prevent, set to "use the default public interface only," is the standard workaround for system-level VPN users.
06
Retest after any browser update
Browser updates occasionally reset extension permissions or flip settings back to defaults. If leak protection matters to you, it's worth a quick retest any time your browser updates itself, not just once when you first set things up.

Frequently Asked Questions

Less, but not zero. Without a VPN, your public IP is already visible to every website you visit through normal HTTP traffic, so WebRTC isn't handing over anything new on that front. What it can still expose is your local network layout (device IPs on your home or office Wi-Fi) and a slightly different fingerprinting signal than your regular connection, since ICE candidates come through a separate code path than the rest of the browser. If your main goal is hiding your IP from advertisers or trackers, a VPN plus a WebRTC check matters far more than a WebRTC check alone.

Not in the way most people assume. A local IP in that range (or 10.x.x.x, or 172.16–31.x.x) is assigned by your own router and is not unique to you. Millions of home networks use the exact same range. It doesn't reveal your ISP, your location, or your identity to a website on its own. It's a smaller concern than most guides make it sound, though it can, in theory, help a site correlate multiple sessions from the same device over time. If your test shows a .local hostname instead of a raw number, your browser is already using mDNS to obfuscate it. The address worth actually worrying about is your public one.

Almost always because of what kind of "VPN" it actually is. A full VPN app installed on your device routes all your system traffic, including WebRTC's UDP packets, through its tunnel. A browser extension labeled "VPN" is usually just a proxy that reroutes your browser's regular HTTP and HTTPS requests. It has no way to touch WebRTC's UDP traffic at all, because that traffic never goes through an HTTP proxy in the first place. The extension shows "connected" because your normal browsing is protected; it just isn't lying to you about the part it actually covers. This is one of the most common causes of a WebRTC leak among people who assumed a browser extension gave them the same protection as a full VPN client — see our best VPNs guide for which providers ship a real desktop or mobile client rather than just a browser add-on.

Not anymore, and a lot of older guides still recommend it out of date. uBlock Origin used to include a "prevent WebRTC from leaking local IP addresses" setting, but that option was removed from the desktop version back in 2021 (version 1.38), once Chrome and Firefox started handling local IP obfuscation natively through mDNS. Looking for that toggle in a current install of uBlock Origin will come up empty. It's not a bug, the setting is genuinely gone, because the browser now does that specific job on its own.

It can, and this is a detail most leak-testing guides skip. Browsers apply mDNS obfuscation to hide your local IP mainly during the initial, permission-less candidate gathering that happens before you've granted any media access. Once you approve a camera or microphone request (for a real video call, say), the browser may gather a fuller set of ICE candidates for that connection, and some of that local network detail can become visible again. That's expected behavior for the call to actually work, not a bug. It's just worth knowing that "my browser masks local IPs" isn't an unconditional guarantee once you've said yes to a video call prompt.

Yes, and it's a genuinely common gap. Plenty of VPNs, especially older or budget ones, only tunnel IPv4 traffic and either ignore IPv6 or fail to block it properly. If your ISP assigns you a public IPv6 address (increasingly common) and your VPN doesn't account for it, WebRTC can gather an IPv6 ICE candidate that leaks straight past the VPN entirely, IPv4 protection or not. Testing for this specifically means checking whether a leak test shows any IPv6 address at all while connected, not just checking that your IPv4 address looks right — our IPv6 leak test checks that path directly.