WebRTC can expose your real IP address to websites even when your VPN is active. This test inspects every ICE candidate your browser reveals (host, srflx, and relay) and tells you exactly what is leaking. Also run our full IP leak test for a combined view.
WebRTC ICE candidate inspector
Reveals every IP your browser exposes via WebRTC STUN/TURN
No data sent to servers
WebRTC blocked or not supported
Your browser returned no ICE candidates. WebRTC may be disabled or blocked by an extension.
This is the best possible result.
Scored using our published, open-source methodology.
ICE candidate types — what each one reveals
host (local candidate). Verdict: LAN leak.
Your device's own IP addresses: LAN (192.168.x), link-local (169.254.x), and IPv6 (fe80::). Reveals your local network structure. Usually harmless alone but combined with srflx enables fingerprinting.

srflx (server-reflexive candidate). Verdict: Real IP leak.
Your real public IP as seen by the STUN server, the IP your ISP assigned to you. If this differs from your VPN IP, your real identity is fully exposed. This is the critical WebRTC leak type.

relay (TURN relay candidate). Verdict: Safe.
An IP provided by a TURN relay server, not your real address. When your VPN fully tunnels WebRTC, only relay candidates appear. Seeing only relay candidates means you are protected.

prflx (peer-reflexive candidate). Verdict: Low risk.
A peer-discovered address observed during connectivity checks. Rarely reveals new IP information beyond srflx. Appears during active peer-to-peer connections, not passive STUN probing.
How WebRTC bypasses your VPN — the 4-step mechanism
1. Site uses WebRTC
A website calls RTCPeerConnection(). This happens on video call sites, screen sharing tools, and some ad networks silently.

2. Browser contacts STUN
Browser sends UDP packets directly to a STUN server, outside the VPN tunnel, using your real ISP connection.

3. STUN reveals real IP
STUN reflects your actual IP back to the browser as a server-reflexive candidate. Your VPN IP is never used.

4. Site reads your IP
JavaScript reads ICE candidates via onicecandidate events and extracts your real IP. No special permissions are required.
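The candidate strings read in step 4 can be parsed and scored with the verdicts from the candidate-type list above. This is an added example, not this site's test code: the function names, `VPN_EXIT_IP` and the sample lines are constructed for illustration, and treating an mDNS `.local` host candidate as Safe is this example's own assumption, going beyond the four types the page lists.

```javascript
// Added example: score ICE candidate lines with this page's verdict labels.
// In a browser the strings come from event.candidate.candidate inside an
// onicecandidate handler; the SAMPLE lines below are constructed.
const VERDICTS = { host: "LAN leak", srflx: "Real IP leak", relay: "Safe", prflx: "Low risk" };

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const port = Number(f[5]);
  if (!Number.isInteger(port) || port < 0 || port > 65535) return null;
  if (!(f[7] in VERDICTS)) return null; // unknown candidate type
  return { type: f[7], address: f[4], port, protocol: f[2].toLowerCase() };
}

function classify(line, vpnIp) {
  const c = parseCandidate(line);
  if (c === null) return null;
  let verdict = VERDICTS[c.type];
  // Assumption of this example: browsers may publish host candidates as random
  // mDNS names instead of the LAN IP, which reveals no address.
  if (c.type === "host" && c.address.endsWith(".local")) verdict = "Safe";
  // An srflx address equal to the VPN exit IP means STUN went through the tunnel.
  if (c.type === "srflx" && vpnIp && c.address === vpnIp) verdict = "Safe";
  return { ...c, verdict };
}

// Returns the table rows plus an overall flag for the critical leak type.
function report(lines, vpnIp) {
  const rows = lines.map((l) => classify(l, vpnIp)).filter((r) => r !== null);
  return { rows, leaking: rows.some((r) => r.verdict === "Real IP leak") };
}

const SAMPLE = [ // constructed lines using documentation address ranges
  "candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host generation 0",
  "candidate:2 1 udp 2122194687 3f6c1e2a-9b7d-4c55-8e21-0a1b2c3d4e5f.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.20 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.9 61000 typ relay raddr 203.0.113.7 rport 54321",
  "not a candidate line",
];
const VPN_EXIT_IP = "198.51.100.50"; // hypothetical VPN exit address

console.table(report(SAMPLE, VPN_EXIT_IP).rows);
```

Pass the address your VPN shows as its exit IP as the second argument; an srflx candidate that matches it is not counted as a leak.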
How to fix WebRTC leaks
1. Firefox: disable WebRTC entirely (Best Firefox fix)
Navigate to about:config, search for media.peerconnection.enabled and set it to false. Completely blocks all WebRTC: no STUN or TURN candidates can be gathered.

2. Chrome: install a WebRTC control extension (Best Chrome fix)
Chrome has no built-in WebRTC toggle. Install "WebRTC Control" or enable the block WebRTC option inside uBlock Origin advanced settings. Most VPN browser extensions also include WebRTC blocking.

3. Use a VPN with built-in WebRTC protection (Easiest fix)
NordVPN, ExpressVPN, and Mullvad browser extensions block WebRTC leaks automatically. Their extensions intercept RTCPeerConnection and proxy STUN requests through the VPN tunnel, so no configuration is needed.

4. Use the Brave browser
Brave has built-in WebRTC leak prevention in privacy settings under "WebRTC IP handling policy." Set it to "Disable non-proxied UDP" to prevent host and srflx candidates from being exposed.
Affiliate disclosure: PrivacyTestLab earns a small commission
from purchases made through our links. This never affects our
test results or scores.