Why WebRTC Leaks Your IP
WebRTC uses a protocol called ICE (Interactive Connectivity Establishment) to find the optimal network path between two peers. ICE gathers "candidates" — all available network addresses — so peers can try multiple paths and pick the best one. This process is called STUN (Session Traversal Utilities for NAT).
When ICE candidate gathering runs in a browser, it enumerates:
- Local LAN IP addresses (192.168.x.x, 10.x.x.x)
- The real public IP address, discovered by querying a STUN server
- VPN interface addresses
The real public IP is discovered by contacting a STUN server — and this STUN request goes out through the system's routing table, which may bypass the VPN tunnel and use the real interface. Even if it goes through the VPN, the STUN response reveals the pre-VPN public IP. Any JavaScript on the page can access all gathered ICE candidates via the RTCPeerConnection API and read every IP address — without any user permission prompt.
The Leak in Practice
A website doesn't need to actually initiate a video call to trigger this. It just needs to:
- Create an RTCPeerConnection object in JavaScript.
- Create an offer (which triggers ICE candidate gathering).
- Listen for onicecandidate events and log the IP addresses.
This runs silently in a background script with no visible indication to the user. The entire operation takes under a second. The result: the page learns your real IP, your VPN IP, and potentially your LAN IP — all from a single JavaScript call.
Who Is Affected
VPN users who browse via Chrome, Firefox, Edge, Opera, or any Chromium-based browser are potentially affected. Safari partially mitigates the leak by not exposing LAN IPs. Tor Browser blocks non-proxied WebRTC connections entirely. Desktop VPN apps (not browser extensions) do not prevent this — the leak happens at the browser level, below where system-level VPNs intervene.
How to Fix WebRTC Leaks
Firefox: Navigate to about:config, search for media.peerconnection.enabled, and set it to false. This disables WebRTC entirely — video calls in Firefox will stop working.
Chrome / Edge / Brave: Chrome has no built-in setting to disable WebRTC. Use an extension such as uBlock Origin (enable "Prevent WebRTC from leaking local IP addresses" in its settings) or a dedicated WebRTC leak prevention extension. Brave has a built-in option: Settings → Privacy and security → WebRTC IP handling policy → Disable non-proxied UDP.
Safari: Safari already limits WebRTC IP exposure — local IPs are not exposed. No additional action needed for most users.
VPN browser extension: Many VPN providers offer browser extensions that intercept WebRTC IP gathering and substitute the VPN IP. Check that your specific extension actually blocks the leak using a WebRTC leak test with the VPN connected.
Testing for WebRTC Leaks
With your VPN connected, visit a WebRTC leak test page. The test will attempt to gather ICE candidates and display all IP addresses found. If you see an IP address that is not your VPN server's IP — particularly your real ISP-assigned IP — you have a WebRTC leak. Your VPN's assigned IP is expected to appear; your real home IP should not.
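The check described above, as an added example (not code from the original page): a parser for the ICE candidate lines a leak test displays, which flags any public address other than the VPN exit IP. The function names, scope and verdict labels are assumptions made for illustration, and the sample candidates are constructed from documentation-range addresses.

```javascript
// Candidate layout (RFC 8839): candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const r = f.indexOf("raddr", 8);
  return { address: f[4], type: f[7], related: r > 0 ? f[r + 1] : undefined };
}

function addressScope(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns";                      // browser-obfuscated host candidate
  if (a.includes(":")) {                                         // IPv6
    if (a === "::" || a === "::1") return "non-routable";        // unspecified, loopback
    if (/^fe[89ab][0-9a-f]:/.test(a)) return "link-local";       // fe80::/10
    return /^f[cd][0-9a-f]{2}:/.test(a) ? "private" : "public";  // fc00::/7 unique local
  }
  const o = a.split(".").map(Number);
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(a) || o.some((n) => n > 255)) return "invalid";
  if (o[0] === 0 || o[0] === 127) return "non-routable";         // unspecified, loopback
  if (o[0] === 169 && o[1] === 254) return "link-local";
  const rfc1918 = o[0] === 10 || (o[0] === 192 && o[1] === 168) || (o[0] === 172 && o[1] >= 16 && o[1] <= 31);
  const shared = o[0] === 100 && o[1] >= 64 && o[1] <= 127;      // RFC 6598 shared address space
  return rfc1918 || shared ? "private" : "public";
}

// One finding per distinct address; a public address other than the VPN exit IP is a leak.
function auditCandidates(lines, vpnExitIp) {
  const findings = new Map();
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    for (const addr of [c.address, c.related].filter(Boolean)) {
      const scope = addressScope(addr);
      let verdict = "ignored";                                   // non-routable or invalid
      if (scope === "public") verdict = addr.toLowerCase() === vpnExitIp.toLowerCase() ? "expected" : "leak";
      else if (scope === "private" || scope === "link-local") verdict = "lan-exposed";
      else if (scope === "mdns") verdict = "obfuscated";
      if (!findings.has(addr)) findings.set(addr, { address: addr, scope, verdict });
    }
  }
  return [...findings.values()];
}
// Constructed sample input using documentation-range addresses; not captured from a real session.
const SAMPLE_VPN_EXIT_IP = "198.51.100.7";
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 6f1c2a9e-0b7d-4c55-9a3e-2d1f8e7b4c10.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052351 198.51.100.7 40000 typ srflx raddr 0.0.0.0 rport 0",
];
console.log(auditCandidates(SAMPLE_CANDIDATES, SAMPLE_VPN_EXIT_IP));
```

In the sample, only 203.0.113.45 is reported as a leak; the VPN exit address is marked expected and the `.local` name is an obfuscated host candidate that carries no IP.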
Frequently Asked Questions
Does disabling WebRTC break video calls?
Disabling WebRTC entirely breaks browser-based video calls (Google Meet, Jitsi). If you need those services, use an extension that suppresses only the local IP leak rather than disabling WebRTC entirely — uBlock Origin's WebRTC leak prevention option does this. Alternatively, use the native desktop app for video conferencing instead of the browser version.
My VPN says it prevents WebRTC leaks — is that true?
Only if the VPN provides a browser extension that intercepts WebRTC at the browser level. The system-level VPN app on your OS cannot prevent browser-level WebRTC leaks. Test with a WebRTC leak test while your VPN and its extension are active to confirm it's actually working.