What Is WebRTC

WebRTC (Web Real-Time Communication) is a web standard technology that enables real-time audio, video, and data communication between browsers without plugins. Video calling features in Google Meet, Discord, and Facebook Messenger are built on WebRTC.

For communication efficiency, WebRTC uses a P2P (Peer-to-Peer) approach where browsers connect directly. To establish this direct connection, it uses STUN/TURN servers to communicate your IP address to the other party, which creates a privacy concern.

Role of STUN/TURN Servers

Establishing a WebRTC P2P connection requires first determining your network location. Two types of servers are used for this: STUN and TURN.

Stands for Session Traversal Utilities for NAT. When a client sends a request to a STUN server, the server responds with "your IP address is this." It allows devices behind NAT to discover their public IP address and port number. Google provides stun.l.google.com:19302 for free, and many WebRTC applications use it.

Stands for Traversal Using Relays around NAT. When P2P connections cannot be established due to symmetric NAT or firewalls, the TURN server relays the communication. Since all traffic passes through the server, bandwidth costs are high, making it a last resort for P2P connections.

The privacy concern is that STUN server queries may bypass the VPN tunnel. In this case, your actual IP address, which the VPN is supposed to hide, is sent to the STUN server and becomes accessible via JavaScript.

ICE Candidates and How IP Leaks Occur

WebRTC uses the ICE (Interactive Connectivity Establishment) framework to establish connection paths. ICE collects multiple connection candidates (ICE Candidates) and selects the optimal route.

The ICE Candidate gathering process generates three types of candidates:

Host Candidate: Local IP addresses obtained directly from the device's network interfaces (192.168.x.x or 10.x.x.x). Even during a VPN connection, the physical NIC's IP address may be included
Server Reflexive Candidate (srflx): Public IP address returned by the STUN server. If the STUN query bypasses the VPN, your real IP outside the VPN is exposed
Relay Candidate: The TURN server's address. Low privacy risk

A malicious website can obtain these IP addresses via JavaScript simply by creating an RTCPeerConnection object and initiating ICE Candidate gathering, without actually making a call. Since this can be done with just a few lines of code, it is one of the most common information leak vectors when using a VPN, alongside DNS leaks.

Browser-Specific Countermeasures

Firefox: Type about:config in the address bar and set media.peerconnection.enabled to false to completely disable WebRTC. For finer control, setting media.peerconnection.ice.default_address_only to true exposes only the default network interface's IP, preventing leaks from other interfaces (such as VPN adapters).
Chrome: Cannot be disabled from the settings page. Use extensions like "WebRTC Leak Prevent" to restrict the ICE Candidate gathering policy to disable_non_proxied_udp. This blocks non-proxied UDP traffic, preventing real IP leaks.
Safari: Go to "Settings" → "Advanced" → "WebRTC" to enable ICE Candidate restriction options. Safari has relatively conservative default settings against WebRTC IP leaks.
Brave: WebRTC IP leak prevention is enabled by default. You can verify this under "Settings" → "Privacy and Security" → "WebRTC IP Handling Policy."

Even with a VPN kill switch enabled, WebRTC leaks may not be prevented. Browser-side countermeasures are essential.

Legitimate Uses of WebRTC

While WebRTC's privacy risks receive much attention, it is a powerful technology that enables real-time communication without plugins. Understanding its main uses helps you assess the impact of disabling it.

Video conferencing: Google Meet, Zoom (web version), and Microsoft Teams (web version) all use WebRTC. Disabling it prevents browser-based participation
Voice calls: Discord's web version, Facebook Messenger's calling feature, etc.
P2P file sharing: WebTorrent and direct browser-to-browser file transfer services
Real-time gaming: Used for low-latency communication in browser-based multiplayer games
Live streaming: WebRTC is increasingly adopted for ultra-low-latency (sub-second) live streaming

If you frequently use video conferencing, rather than completely disabling WebRTC, it is more practical to use your VPN provider's WebRTC leak prevention feature or browser ICE Candidate restriction settings.

How to Check for WebRTC Leaks

You can easily check whether your browser has a WebRTC leak using dedicated test sites. Run the test while connected to a VPN; if any IP address other than the VPN server's IP is displayed, you have a leak.

The verification steps are as follows:

Connect to your VPN
Visit a WebRTC leak test site
Check the displayed IP addresses
If any address other than the VPN server's IP appears, there is a leak

Regularly checking alongside browser fingerprint tests helps verify the effectiveness of your privacy settings.

To learn more about this topic, see WebRTC Leaks: How Your IP Address Gets Exposed Even with a VPN.

Common Misconceptions

Using a VPN prevents WebRTC IP leaks: WebRTC can bypass the VPN tunnel and directly access network interfaces, so a VPN alone is not sufficient. You need to either disable WebRTC in your browser or use a leak prevention extension.
Disabling WebRTC makes the internet unusable: Disabling WebRTC does not affect normal web browsing, video streaming, or downloads. Only features that use real-time communication, such as in-browser video calls and P2P file sharing, are affected.

WebRTC