WebRTC Leak Test — What It Is and How to Fix It
Learn what a WebRTC leak is, why it exposes your real IP address even through a VPN, how to test for it, and the exact steps to fix it in every major browser.
You opened your VPN, connected to a server in another country, and assumed your real IP address was hidden. But WebRTC — a protocol built directly into every major browser — can silently broadcast your real IP address to every website you visit, bypassing your VPN completely.
This is called a WebRTC leak, and millions of VPN users are affected by it without knowing.
What is WebRTC?
WebRTC (Web Real-Time Communication) is an open standard that lets browsers communicate directly with each other for video calls, voice chat, file sharing, and peer-to-peer connections — without needing a plugin or a server in the middle.
It is built natively into Chrome, Firefox, Safari, Edge, and Opera. When you use Google Meet, Discord in the browser, or any web-based video call, WebRTC is what powers it.
To establish a direct peer-to-peer connection, WebRTC needs to know your actual network path. It does this through a process called ICE (Interactive Connectivity Establishment), which queries your device for all available network interfaces — including your real IP address — even if you are connected to a VPN.
What is a WebRTC leak?
A WebRTC leak happens when a website uses the WebRTC API to discover your real IP address (or your local network IP) even though you are connected to a VPN.
Your VPN tunnels your internet traffic through its server — that is what hides your IP from websites. But WebRTC queries your device's network interfaces directly, at the OS level, before the traffic reaches the VPN tunnel. The result: your real IP address gets handed to websites without ever touching the VPN.
What information can WebRTC expose?
| Data type | What it reveals |
|---|---|
| Public IP | Your real internet-facing IP (the one assigned by your ISP) |
| Local IP | Your private network IP (e.g., 192.168.1.x) |
| IPv6 address | Your IPv6 address, even if your VPN only tunnels IPv4 |
| Multiple interfaces | All network adapters on your device (Wi-Fi, Ethernet, VPN adapter) |
The most critical is the public IP — if a website can see it, your VPN provides no anonymity for that session.
Why does this bypass VPNs?
Most VPN clients route all TCP and UDP traffic through their encrypted tunnel. But WebRTC uses STUN (Session Traversal Utilities for NAT) servers to resolve ICE candidates, and the STUN queries can travel outside the VPN tunnel on some configurations. Even when the query goes through the tunnel, your local network IP is still readable directly from the browser's ICE candidate list.
How to test for a WebRTC leak
The fastest way to check is to use the WebRTC Leak Test tool while connected to your VPN.
Here is the full test procedure:
- Disconnect your VPN and visit the test page. Note your real public IP address.
- Connect your VPN and visit the test page again.
- The tool lists all IP addresses your browser exposes via WebRTC ICE candidates.
- If your real IP from step 1 appears in step 3, you have a WebRTC leak.
Reading the test results
| Result | What it means |
|---|---|
| Only VPN server IP shown | No leak — you're protected |
| Only local IPs (192.168.x.x, 10.x.x.x) | Minor — local IPs can't identify you externally |
| Real public IP shown | Leak confirmed — your real IP is visible |
| IPv6 shown | IPv6 leak — disable IPv6 or use a VPN with IPv6 support |
Note: Seeing a 192.168.x.x or 10.x.x.x address is normal — these are private (RFC 1918) addresses only visible within your local network. The dangerous leak is your real public IP.
How to fix a WebRTC leak
Fix 1: Use a VPN with WebRTC leak protection
The cleanest solution. Premium VPN services like Mullvad, ProtonVPN, and ExpressVPN include WebRTC leak protection that blocks STUN requests from bypassing the tunnel. Check your VPN's settings — there is often a "WebRTC leak protection" or "browser WebRTC blocking" toggle.
Fix 2: Disable WebRTC in Firefox
Firefox lets you disable WebRTC natively:
- Open a new tab and type
about:configin the address bar - Click Accept the Risk and Continue
- In the search bar, type
media.peerconnection.enabled - Double-click it to set the value to
false - Restart Firefox
This disables WebRTC entirely. Web apps that require WebRTC (video calls, screen sharing) will stop working. Re-enable it the same way when needed.
Fix 3: Use a browser extension (Chrome / Edge)
Chrome does not expose a built-in WebRTC setting, so you need an extension:
- uBlock Origin — go to Settings → Privacy → click "Prevent WebRTC from leaking local IP addresses"
- WebRTC Leak Prevent (Chrome Web Store) — dedicated extension with per-policy control
- WebRTC Control — toggle WebRTC on/off with a single click
These extensions intercept or restrict which IP addresses WebRTC can expose.
Fix 4: Use a Chromium flag (Chrome / Edge)
In Chrome or Edge, paste this into the address bar:
chrome://flags/#disable-webrtc
Find "WebRTC" and set it to Disabled. This is a hidden flag — it works but may be removed in future browser versions.
Fix 5: Disable WebRTC in Opera
- Go to Settings (or press
Alt + P) - Click Advanced → Privacy & Security
- Under WebRTC, select "Disable non-proxied UDP"
Fix 6: Safari
Safari uses a more conservative WebRTC implementation that does not expose local IP addresses in ICE candidates by default. WebRTC leaks are uncommon in Safari, but you can still run the test to confirm.
To disable WebRTC entirely in Safari:
- Open Safari → Develop menu (enable it in Preferences → Advanced if not visible)
- There is no direct WebRTC toggle in Safari's UI; WebRTC is restricted at the OS level
WebRTC leaks and IPv6
A common variant is the IPv6 WebRTC leak. Many ISPs now assign IPv6 addresses, but older VPNs only tunnel IPv4 traffic. If your system has an active IPv6 address, WebRTC can expose it even when your IPv4 is hidden.
To check: run the WebRTC Leak Test and look for any 2001:, 2600:, or similar IPv6-format addresses in the results.
To fix IPv6 leaks:
Windows:
# Disable IPv6 on all adapters
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Disable-NetAdapterBinding
macOS:
# Disable IPv6 on Wi-Fi (replace en0 with your adapter)
networksetup -setv6off Wi-Fi
Linux:
# Add to /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Or use a VPN that natively supports IPv6 tunneling.
Do all VPNs have this problem?
No — but many do. Here is a quick breakdown:
| VPN type | WebRTC leak risk |
|---|---|
| Premium VPN with leak protection | Low (if protection is enabled) |
| Free VPN or browser-based VPN | High — most don't block WebRTC |
| VPN without browser extension | Medium — depends on OS/browser config |
| Tor Browser | Low — WebRTC is disabled by default |
Free VPNs, browser extension VPNs, and older VPN clients frequently leak WebRTC because they do not route STUN traffic through the tunnel.
When does a WebRTC leak actually matter?
WebRTC leaks matter most in these situations:
- Geo-restricted streaming: The service can detect your real location despite your VPN
- Privacy-sensitive browsing: Journalism, legal research, whistleblowing
- Bypassing IP bans: Your real IP is visible even behind the VPN
- Corporate VPNs: Employees on VPN may still expose their office network IP range
For casual browsing where privacy is not critical, a WebRTC leak is less urgent — but if you use a VPN, you should expect it to actually hide your IP.
Frequently asked questions
Is a WebRTC leak dangerous? It depends on your threat model. If you use a VPN purely to access region-locked content and do not care about your IP being known, it has no practical impact. If you use a VPN for privacy (masking your real identity or location), a WebRTC leak defeats its purpose — websites can see your real IP.
Does disabling WebRTC affect web performance? Only for web apps that specifically use WebRTC — video/voice calls, peer-to-peer file sharing, screen sharing. Regular browsing, streaming (Netflix, YouTube), and all server-based communication are unaffected.
Can websites always detect my real IP through WebRTC? Only if they deliberately run JavaScript to query WebRTC ICE candidates. Most websites do not — it requires intentional code. But any website (or ad network, tracker) that wants to can detect it silently.
My VPN says it has leak protection. Do I still need to test? Yes. VPN marketing does not always match implementation. Testing takes 30 seconds and gives you a definitive answer for your specific browser, OS, and VPN combination.
Does a VPN kill switch prevent WebRTC leaks? No. A kill switch cuts your internet connection if the VPN drops. It does not prevent WebRTC from querying local network interfaces while the VPN is active.
Is this only a problem with VPNs? No. Tor Browser disables WebRTC by default to prevent this exact issue. If you use Tor without the Tor Browser (e.g., routing traffic through the Tor SOCKS proxy manually), your browser's WebRTC can still leak your real IP.
Related tools
- WebRTC Leak Test — test your browser for WebRTC leaks right now
- My IP Address — see your current public IP and what websites know about you
- IP Geolocation — look up the location associated with any IP address
- DNS Lookup — check DNS records for any domain
- Ping Test — measure latency to any host