WebRTC Leaks: How Your IP Address Gets Exposed Even with a VPN

What Is WebRTC?

WebRTC (Web Real-Time Communication) is an open-source technology that enables real-time voice, video, and data communication directly between browsers. Many web services — including Google Meet, Discord, and Facebook Messenger — are built on this technology.

The defining feature of WebRTC is its ability to establish P2P (peer-to-peer) connections using nothing but the browser, with no plugins or app installations required. However, the process of establishing this P2P connection raises a privacy concern.

How WebRTC Leaks Work

When WebRTC establishes a P2P connection, it uses a protocol called ICE (Interactive Connectivity Establishment) to gather candidate IP addresses for communication. The information collected during this process includes:

  • Local IP address (private IP): Internal network addresses such as 192.168.x.x or 10.x.x.x
  • Public IP address: Your external IP address obtained through a STUN server
  • IPv6 address: The IPv6 address assigned to your device

The core issue is that this information gathering can bypass the VPN tunnel. Even when using a VPN, WebRTC may directly access the network interface and retrieve your real IP address.

Why Leaks Occur Even with a VPN

A VPN typically tunnels all traffic through the OS network stack. However, WebRTC operates within the browser and can sometimes send STUN requests outside the VPN tunnel.

Leaks are particularly likely in the following scenarios:

  • The VPN client does not properly route WebRTC traffic
  • Split tunneling is enabled and browser traffic is configured to bypass the VPN
  • IPv6 traffic is not covered by the VPN

When a WebRTC leak occurs, your real IP address — the one your VPN is supposed to hide — becomes accessible to JavaScript on any website. This is a serious risk that undermines the very purpose of using a VPN.

How to Check for WebRTC Leaks

The Kakunin-san homepage displays WebRTC local IP detection results. Check the "WebRTC Local IP" field in the network information card.

If a private IP address (such as 192.168.x.x) is displayed while you are using a VPN, a WebRTC leak is occurring. If it shows "Blocked by browser," the leak is being prevented.

You can also check the "WebRTC IP Leak Risk" item in the security score to verify whether a leak is present.
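
The check described above, as an added example that is not part of the original article or the Kakunin-san site's own code: it parses ICE candidate lines (in a browser these arrive in the `icecandidate` events of an `RTCPeerConnection`) and flags addresses that are local or that differ from the VPN's exit address. The candidate strings are constructed samples using documentation address ranges, and `assessCandidates` and its `vpnExitIps` parameter are hypothetical names.

```javascript
// Added example. Constructed ICE candidate lines (documentation address
// ranges), not captured data. 198.51.100.7 is the assumed VPN exit address.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b64-4d0a-9e51-0c8d2f6a1b77.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 2122262783 2001:db8::1234 54323 typ host",
  "candidate:5 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 0.0.0.0 rport 0",
];

// Fields per the ICE candidate-attribute grammar:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { transport: m[1].toLowerCase(), address: m[2].toLowerCase(), port: Number(m[3]), type: m[4] } : null;
}

function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // browser-obfuscated host candidate
  if (addr.includes(":")) {
    if (/^fe[89ab]/.test(addr)) return "ipv6-link-local";   // fe80::/10
    if (/^f[cd]/.test(addr)) return "ipv6-unique-local";    // fc00::/7
    return "ipv6-global";
  }
  const [a, b] = addr.split(".").map(Number);
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "ipv4-private";
  if (a === 169 && b === 254) return "ipv4-link-local";
  return "ipv4-public";
}

// vpnExitIps (hypothetical parameter): addresses the VPN is expected to present.
function assessCandidates(lines, vpnExitIps) {
  const expected = new Set(vpnExitIps.map((ip) => ip.toLowerCase()));
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip malformed lines instead of guessing
    const kind = classifyAddress(c.address);
    let verdict = "ok";
    if (/private|local/.test(kind)) verdict = "local-address-exposed";
    else if (kind !== "mdns" && !expected.has(c.address)) verdict = "public-address-outside-vpn";
    findings.push({ address: c.address, type: c.type, kind, verdict });
  }
  return findings;
}

console.log(assessCandidates(SAMPLE_CANDIDATES, ["198.51.100.7"]));
```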

Countermeasures by Browser

Firefox

Firefox allows you to directly prevent WebRTC IP leaks through its settings.

  1. Type about:config in the address bar
  2. Search for media.peerconnection.enabled
  3. Set the value to false

Note that disabling this setting will prevent services that rely on WebRTC — such as Google Meet and Discord — from working.

Chrome / Edge

Chrome and Edge cannot fully disable WebRTC through browser settings alone. Use one of the following extensions instead:

  • WebRTC Leak Prevent: Blocks WebRTC IP address leaks
  • uBlock Origin: Includes a built-in WebRTC leak prevention feature that must be enabled in settings

Safari

Safari is designed to exclude private IP addresses from WebRTC ICE candidates. Although this makes it relatively safe, it is not foolproof, so verification is recommended when using a VPN.

Brave

Brave has built-in WebRTC leak prevention. Under "Privacy and Security" settings, you can set the "WebRTC IP Handling Policy" to "Disable non-proxied UDP."

VPN-Side Countermeasures

Many VPN services also offer WebRTC leak protection features.

  • Enable "WebRTC leak protection" in your VPN client settings
  • Use the firewall feature to block WebRTC STUN requests
  • Enable IPv6 leak protection to prevent WebRTC leaks over IPv6

For guidance on choosing a VPN, see our VPN guide. For more on DNS leaks, check out our DNS leak guide as well.