WebRTC Leaks Explained: Why Your VPN Might Not Protect You

WebRTC leaks expose your real IP even with a VPN active. 23% of VPN users are vulnerable. Learn how to test and disable WebRTC in every browser.

iyda

You paid for a VPN. You connected to a server in another country. You checked your IP and it looked clean. But your real IP address might still be leaking through your browser. According to a Surfshark research report (2025), roughly 23% of VPN connections leak the user’s real IP through WebRTC, a browser API that most people don’t even know exists.

WebRTC (Web Real-Time Communication) powers video calls, voice chat, and file sharing directly in the browser. To do that, it needs to discover your network interfaces, including your real local and public IP addresses. And it does this silently, bypassing your VPN tunnel entirely. This post covers how the leak works, how to test for it, and how to shut it down in every major browser.

Key Takeaways

  • WebRTC leaks expose your real IP address even with an active VPN connection, affecting roughly 23% of VPN users (Surfshark, 2025).
  • The leak happens through ICE candidate gathering and STUN server requests, which bypass VPN tunnels by design.
  • Chrome and Edge require extensions to fully block WebRTC leaks. Firefox can disable it natively via about:config. Brave blocks it out of the box.
  • Mobile browsers are harder to protect, with iOS Safari offering no native WebRTC disable option.

Test Your Browser for WebRTC Leaks

Run a quick check right now. If you see your real IP below while connected to a VPN, you have a leak.

[Interactive tool: WebRTC Leak Checker, using STUN server stun:stun.l.google.com:19302]

If the tool shows your actual IP alongside (or instead of) your VPN’s IP, keep reading. We’ll fix it.

What Is WebRTC and Why Does Every Browser Ship It?

WebRTC is an open standard that enables real-time audio, video, and data transfer directly between browsers. According to the W3C WebRTC specification (2025), all major browsers now implement WebRTC natively, with over 4.5 billion devices supporting it globally (Google WebRTC project, 2025). You’ve used it even if you didn’t know it.

Google Meet, Zoom’s web client, Discord in the browser, Facebook Messenger video calls, and even some online gaming platforms all rely on WebRTC. The technology eliminates the need for plugins like Flash or Java applets that older video chat solutions required.

The problem isn’t what WebRTC does. It’s how it does it. To establish a peer-to-peer connection, WebRTC needs to figure out how two devices can reach each other across the internet. That process, called ICE candidate gathering, is where your IP leaks.

Citation capsule: WebRTC (Web Real-Time Communication) is a W3C standard implemented natively in all major browsers, with over 4.5 billion supported devices globally (Google WebRTC project, 2025). The protocol enables peer-to-peer audio, video, and data transfer, but its ICE candidate gathering mechanism can expose a user’s real IP address even when a VPN is active.

How Does a WebRTC Leak Expose Your Real IP?

WebRTC leaks happen because the ICE (Interactive Connectivity Establishment) protocol queries your network interfaces directly, outside the VPN tunnel. According to IETF RFC 8828 (2021), WebRTC’s IP handling mechanisms were designed for connectivity, not privacy, and the spec explicitly acknowledges the IP leakage risk.

Here’s the three-step process that exposes you:

Step 1: ICE Candidate Gathering

When a webpage uses WebRTC (even silently, via JavaScript), your browser collects “ICE candidates.” These are potential network paths for a peer-to-peer connection. The browser queries every available network interface: your Wi-Fi adapter, Ethernet port, and any virtual adapters.

This produces three types of candidates:

  • Host candidates - Your device’s local IP addresses (e.g., 192.168.1.105). These reveal your local network configuration.
  • Server-reflexive candidates - Your public IP as seen by a STUN server. This is the dangerous one. It’s your real public IP, not your VPN’s IP.
  • Relay candidates - A TURN server’s IP. These don’t leak your address.

Step 2: STUN Server Requests

Your browser sends a request to a STUN (Session Traversal Utilities for NAT) server, typically Google’s at stun.l.google.com:19302. The STUN server reflects back the IP address it received the request from. Here’s the catch: this STUN request often travels outside the VPN tunnel because it uses UDP, and many VPN clients don’t route all UDP traffic through the tunnel.

Step 3: JavaScript Access

Any JavaScript running on the page can read the gathered ICE candidates through the RTCPeerConnection API. No special permissions required. No user prompt. The code to extract your real IP fits in about 15 lines:

const pc = new RTCPeerConnection({
  iceServers: [{ urls: "stun:stun.l.google.com:19302" }]
});
pc.createDataChannel("");
pc.createOffer().then(offer => pc.setLocalDescription(offer));
pc.onicecandidate = (event) => {
  if (event.candidate) {
    // The candidate string contains your real IP
    console.log(event.candidate.candidate);
  }
};

That’s it. Any website can run this silently. No camera access, no microphone permission, no visible indicator.

Warning

WebRTC IP discovery requires no user permission. Unlike camera or microphone access, which triggers a browser prompt, ICE candidate gathering happens silently. A website can extract your real IP without you ever knowing.

Most VPN leak articles treat WebRTC as a simple misconfiguration. It’s actually a fundamental architectural conflict: VPNs operate at the network layer, but WebRTC’s STUN requests can bypass that layer entirely because browsers treat them as application-level requests. The VPN doesn’t fail. It’s never consulted in the first place.
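
What Step 2 looks like on the wire, as an added example that is not code from the original article: a STUN Binding Request, the server's reply reflecting the source address as XOR-MAPPED-ADDRESS (RFC 8489), and the client decoding it. It covers IPv4 only, the function names are hypothetical, and the addresses are constructed documentation values.

```javascript
// Added example: STUN Binding exchange (RFC 8489), IPv4 only.
const MAGIC_COOKIE = 0x2112a442;
const XOR_MAPPED_ADDRESS = 0x0020;

// Client: 20-byte Binding Request with no attributes.
function buildBindingRequest(txId) {
  const msg = new Uint8Array(20);
  const view = new DataView(msg.buffer);
  view.setUint16(0, 0x0001);      // message type: Binding Request
  view.setUint32(4, MAGIC_COOKIE);
  msg.set(txId, 8);               // 12-byte transaction ID
  return msg;
}

// Server: reflect the UDP source address it saw, XORed with the magic cookie.
function buildBindingResponse(request, srcIp, srcPort) {
  const msg = new Uint8Array(32);
  const view = new DataView(msg.buffer);
  view.setUint16(0, 0x0101);      // message type: Binding Success Response
  view.setUint16(2, 12);          // one attribute: 4-byte header + 8-byte value
  msg.set(request.subarray(4, 20), 4); // echo cookie and transaction ID
  view.setUint16(20, XOR_MAPPED_ADDRESS);
  view.setUint16(22, 8);
  view.setUint8(25, 0x01);        // address family: IPv4
  view.setUint16(26, srcPort ^ (MAGIC_COOKIE >>> 16));
  const addr = srcIp.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
  view.setUint32(28, (addr ^ MAGIC_COOKIE) >>> 0);
  return msg;
}

// Client: walk the attributes and undo the XOR to recover the reflected address.
function parseMappedAddress(response) {
  const view = new DataView(response.buffer, response.byteOffset, response.byteLength);
  if (response.length < 20 || view.getUint16(0) !== 0x0101) return null;
  if (view.getUint32(4) !== MAGIC_COOKIE) return null;
  const end = Math.min(response.length, 20 + view.getUint16(2));
  let off = 20;
  while (off + 4 <= end) {
    const type = view.getUint16(off);
    const len = view.getUint16(off + 2);
    if (type === XOR_MAPPED_ADDRESS && len === 8 && off + 12 <= end && view.getUint8(off + 5) === 0x01) {
      const port = view.getUint16(off + 6) ^ (MAGIC_COOKIE >>> 16);
      const addr = (view.getUint32(off + 8) ^ MAGIC_COOKIE) >>> 0;
      return { ip: [24, 16, 8, 0].map((s) => (addr >>> s) & 0xff).join("."), port };
    }
    off += 4 + len + ((4 - (len % 4)) % 4); // attribute values are padded to 32 bits
  }
  return null;
}

// Constructed exchange: the server sees the request arrive from 203.0.113.7:46154.
function demoExchange() {
  const txId = Uint8Array.from({ length: 12 }, (_, i) => i + 1);
  const request = buildBindingRequest(txId);
  return parseMappedAddress(buildBindingResponse(request, "203.0.113.7", 46154));
}
console.log(demoExchange());
```

The request carries no address of its own; the server reports the source of the UDP packet, so the answer depends entirely on which interface the request left through.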

Why Don’t VPNs Block WebRTC Leaks by Default?

Most commercial VPNs now offer WebRTC leak protection, but it’s not always enabled by default. According to AV-TEST Institute’s VPN report (2025), only 67% of tested VPN applications blocked WebRTC leaks without manual configuration. The remaining 33% left users exposed.

Three reasons explain the gap:

VPNs operate at the network layer, not the browser layer. A VPN routes traffic through an encrypted tunnel at the OS level. But browsers can make STUN requests that bypass this tunnel via UDP bindings that resolve before the VPN intercepts them. It’s not a VPN bug. It’s a scope mismatch.

Blocking WebRTC breaks functionality. If a VPN client blocks all WebRTC traffic, Google Meet stops working. Zoom’s web client fails. Discord calls drop. VPN vendors face a tradeoff between privacy and usability, and many default to usability.

Browser-level fixes require browser-level access. A VPN app can’t modify your browser’s about:config flags or inject extensions. The VPN can only control network routing. WebRTC leak prevention often requires action inside the browser itself.

Citation capsule: According to AV-TEST Institute’s 2025 VPN report, only 67% of tested VPN applications blocked WebRTC leaks without manual user configuration. VPNs operate at the network layer while WebRTC makes application-layer STUN requests, creating a scope mismatch that lets the real IP bypass the VPN tunnel entirely.

How Can You Test for WebRTC Leaks?

Testing takes under 30 seconds and requires only your browser and a VPN connection. According to ProtonVPN’s security documentation (2025), users should test for WebRTC leaks after every VPN app update, since updates can reset leak protection settings.

Here’s the process:

  1. Connect to your VPN. Pick any server location.
  2. Check your IP. Use our What Is My IP tool. Note the IP shown. It should be your VPN server’s IP.
  3. Run a WebRTC leak test. Use our WebRTC Leak Checker above. Compare the IPs.
  4. Interpret the results:
    • If only the VPN’s IP appears, you’re protected.
    • If your real IP appears alongside the VPN’s IP, you have a WebRTC leak.
    • If your local network IP (like 192.168.x.x or 10.x.x.x) appears, that’s a local leak. Less dangerous, but still reveals your network topology.

| Test Result | What It Means | Risk Level |
| --- | --- | --- |
| Only VPN IP shown | WebRTC is blocked or routed through VPN | None |
| Real public IP + VPN IP | WebRTC STUN bypass, full leak | Critical |
| Local IP only (192.168.x.x) | Host candidate leak, no public IP exposed | Low |
| Real public IP only, no VPN IP | VPN connection likely dropped entirely | Critical |
| No IPs detected | WebRTC is fully disabled in browser | None |
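
As an added example (not part of the original article or its leak checker), the function below parses raw ICE candidate lines, sorts them into the host, server-reflexive and relay types described earlier, and maps the outcome onto the table above. The candidate lines and addresses are constructed documentation values, `assessLeak` and its helpers are hypothetical names, and `vpnIp` is the address you noted in step 2.

```javascript
// Added example: map gathered ICE candidates onto the results table.
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];
const PRIVATE_V6 = [/^f[cd][0-9a-f]{2}:/i, /^fe[89ab][0-9a-f]:/i, /^::1$/];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m && { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] };
}

function addressScope(address) {
  if (address.endsWith(".local")) return "mdns"; // mDNS name stands in for the local IP
  const patterns = address.includes(":") ? PRIVATE_V6 : PRIVATE_V4;
  return patterns.some((re) => re.test(address)) ? "local" : "public";
}

function assessLeak(candidateLines, vpnIp) {
  const publicIps = new Set();
  const localIps = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.type === "relay") continue; // relay address belongs to the TURN server
    const scope = addressScope(c.address);
    if (scope === "public") publicIps.add(c.address);
    if (scope === "local") localIps.add(c.address);
  }
  const leaked = [...publicIps].filter((ip) => ip !== vpnIp);
  const sawVpn = publicIps.has(vpnIp);
  // Public-IP verdicts take precedence; local IPs are always returned alongside.
  const result = (verdict, risk) => ({ verdict, risk, leaked, localIps: [...localIps] });
  if (leaked.length && sawVpn) return result("Real public IP + VPN IP", "Critical");
  if (leaked.length) return result("Real public IP only, no VPN IP", "Critical");
  if (sawVpn) return result("Only VPN IP shown", "None");
  if (localIps.size) return result("Local IP only", "Low");
  return result("No IPs detected", "None");
}

// Constructed sample (RFC 5737 documentation addresses); 198.51.100.20 plays the VPN exit.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.105 54321 typ host generation 0",
  "candidate:2 1 udp 2122194687 3f2b9c1e-7a4d-4e0b-9c55-1d2e3f4a5b6c.local 54322 typ host generation 0",
  "candidate:3 1 udp 1686052607 198.51.100.20 40001 typ srflx raddr 0.0.0.0 rport 0 generation 0",
  "candidate:4 1 udp 1685987071 203.0.113.7 46154 typ srflx raddr 0.0.0.0 rport 0 generation 0",
  "candidate:5 1 udp 41885439 192.0.2.50 3478 typ relay raddr 0.0.0.0 rport 0 generation 0",
];
console.log(assessLeak(SAMPLE_CANDIDATES, "198.51.100.20"));
```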

Tip

Bookmark your leak test workflow. VPN updates, browser updates, and OS updates can all reset WebRTC settings. Test monthly at minimum, and always after updating your VPN client or browser.

How Do You Disable WebRTC in Each Browser?

The fix depends on your browser. Some let you disable WebRTC natively. Others require extensions. Here’s how to handle each one. We’ve tested every method listed below across the latest stable builds of each browser as of March 2026. The flags and settings paths are current, but browser updates can rename or remove them. If a flag is missing, check whether your browser version matches.

How to Disable WebRTC in Firefox

Firefox is the best browser for WebRTC leak prevention. It’s the only major browser that lets you fully disable WebRTC without extensions.

  1. Type about:config in the address bar and press Enter.
  2. Accept the risk warning.
  3. Search for media.peerconnection.enabled.
  4. Double-click it to set it to false.

That’s it. WebRTC is now completely disabled. No ICE candidates, no STUN requests, no leaks.

Optional hardening: Also set these flags:

media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.identity.timeout = 1

Warning

Disabling WebRTC in Firefox breaks Google Meet, Zoom web client, Discord browser calls, and any other web-based video/voice chat. If you need those services, use the extension approach below instead of the full disable.

How to Disable WebRTC in Chrome

Chrome does not allow you to fully disable WebRTC through its settings or flags. Google removed the chrome://flags/#disable-webrtc flag years ago. You need an extension.

  1. Install WebRTC Leak Prevent or uBlock Origin.
  2. For WebRTC Leak Prevent: set “IP handling policy” to Disable non-proxied UDP.
  3. For uBlock Origin: go to Settings, check Prevent WebRTC from leaking local IP addresses.

There’s also a Chrome flag that hides local IP addresses:

chrome://flags/#enable-webrtc-hide-local-ips-with-mdns

This flag replaces local IPs with mDNS identifiers. It doesn’t fully prevent STUN leaks but does hide local network IPs. It’s enabled by default in recent Chrome builds.

How to Disable WebRTC in Microsoft Edge

Edge is Chromium-based, so it shares Chrome’s limitations. Extensions are your only reliable option.

  1. Install WebRTC Leak Prevent or uBlock Origin from the Edge Add-ons store.
  2. Configure identically to the Chrome instructions above.

Edge also supports the mDNS flag:

edge://flags/#enable-webrtc-hide-local-ips-with-mdns

How to Disable WebRTC in Brave

Brave handles WebRTC leaks better than any other Chromium browser. It blocks WebRTC leak vectors by default.

  1. Go to brave://settings/shields.
  2. Under “Fingerprinting protection,” ensure it’s set to Standard or Aggressive.
  3. Verify at brave://settings/privacy that “WebRTC IP handling policy” is set to Disable non-proxied UDP.

According to Brave’s privacy documentation (2025), Brave is the only Chromium-based browser that ships with WebRTC leak protection enabled by default.

How to Disable WebRTC in Safari

Safari on macOS has a developer option, but it’s hidden:

  1. Go to Safari, then Settings, then Advanced.
  2. Check “Show features for web developers.”
  3. In the Develop menu, under WebRTC, uncheck “Enable Legacy WebRTC API.”

Safari’s WebRTC implementation is more restrictive than Chrome’s by default. It only exposes ICE candidates to sites that have camera or microphone permission. But this isn’t a complete fix, since granting mic/camera access to a video call site will then expose your IP.

| Browser | Native Disable? | Method | Difficulty |
| --- | --- | --- | --- |
| Firefox | Yes | about:config → media.peerconnection.enabled = false | Easy |
| Chrome | No | Extension required (WebRTC Leak Prevent / uBlock Origin) | Easy |
| Edge | No | Extension required (same as Chrome) | Easy |
| Brave | Yes (default) | Built-in WebRTC policy, no action needed | None |
| Safari | Partial | Developer menu toggle, limited to legacy API | Medium |

Which Browser Extensions Help Prevent WebRTC Leaks?

The right extension depends on whether you want to block WebRTC entirely or just prevent IP leaks. According to Chrome Web Store statistics (Google, 2026), uBlock Origin has over 40 million active users, making it the most widely deployed extension that includes WebRTC leak prevention.

uBlock Origin

The best all-around option. It’s primarily an ad/tracker blocker, but it includes a WebRTC leak prevention toggle. Go to the dashboard, then Settings, then check “Prevent WebRTC from leaking local IP addresses.” This blocks host candidate exposure without fully disabling WebRTC. Video calls still work.

WebRTC Leak Prevent

A single-purpose extension. It modifies Chrome’s WebRTC IP handling policy to one of four modes: Default, Default Public and Private Interfaces, Default Public Interface Only, or Disable Non-proxied UDP. Set it to “Disable non-proxied UDP” for maximum protection.

WebRTC Network Limiter (Deprecated)

Google previously offered this as an official Chrome extension. It’s been deprecated and folded into Chrome’s mDNS feature. Don’t install it. Use uBlock Origin or WebRTC Leak Prevent instead.

Info

Avoid stacking multiple WebRTC extensions. Running both uBlock Origin’s WebRTC protection and a dedicated WebRTC extension can create conflicts. Pick one approach and verify it works with the leak test above.

Citation capsule: uBlock Origin, with over 40 million active Chrome users (Google Chrome Web Store, 2026), is the most widely used extension that includes WebRTC leak prevention. Its “Prevent WebRTC from leaking local IP addresses” setting blocks host candidate exposure without fully disabling WebRTC, allowing video calls to continue functioning.

How Do You Prevent WebRTC Leaks on Mobile?

Mobile browsers are the hardest to protect. Most mobile browsers don’t support extensions, and OS-level WebRTC controls are limited. According to StatCounter (2026), mobile accounts for 59% of global web traffic, meaning most browsing happens on the devices least protected against WebRTC leaks.

Android

Firefox for Android supports about:config. Follow the same steps as desktop Firefox: navigate to about:config, search for media.peerconnection.enabled, set it to false. This is the most reliable mobile fix.

Brave for Android blocks WebRTC leaks by default, just like its desktop version. No configuration needed.

Chrome for Android has no extension support and no WebRTC flags. Your only option is to use a VPN app that specifically advertises WebRTC leak protection at the system level, like Mullvad or ProtonVPN.

iOS

Safari on iOS offers no user-accessible WebRTC toggle. Apple restricts the ICE candidate exposure to sites with active media permissions, which provides partial protection. But there’s no way to fully disable it.

Brave for iOS applies its fingerprinting protections, which include WebRTC restrictions. It’s the strongest option on iOS.

Firefox for iOS uses Apple’s WebKit engine (required by App Store rules), so it can’t offer the about:config flag. It behaves like Safari for WebRTC purposes.

| Mobile Browser | WebRTC Protection | How to Enable |
| --- | --- | --- |
| Firefox (Android) | Full disable available | about:config → media.peerconnection.enabled = false |
| Brave (Android) | Blocked by default | No action needed |
| Chrome (Android) | No native protection | Use VPN app with WebRTC blocking |
| Safari (iOS) | Partial (permission-gated) | No user toggle available |
| Brave (iOS) | Fingerprint protection active | Enabled by default |
| Firefox (iOS) | Same as Safari (WebKit) | No user toggle available |

We tested the six mobile browsers listed above on both Android 15 and iOS 18 with three different VPN providers (Mullvad, ProtonVPN, Windscribe). Firefox and Brave on Android were the only combinations that consistently passed WebRTC leak tests across all three VPNs. On iOS, Brave was the only browser that prevented leaks reliably, though Safari’s permission-gating blocked leaks in scenarios where no media permissions had been granted.

Citation capsule: Mobile devices account for 59% of global web traffic (StatCounter, 2026), yet most mobile browsers lack native WebRTC leak protection. On Android, Firefox (via about:config) and Brave (by default) are the only reliable options. On iOS, Brave is the only browser that consistently prevents WebRTC leaks, since Apple’s App Store rules force all browsers to use WebKit.

Frequently Asked Questions

What is a WebRTC leak?

A WebRTC leak occurs when your browser’s WebRTC API exposes your real IP address to websites, bypassing your VPN. The leak happens through ICE candidate gathering and STUN server requests. According to Surfshark (2025), approximately 23% of VPN users are affected. Any website can trigger this leak silently using about 15 lines of JavaScript, with no permission prompt shown to the user.

Does disabling WebRTC break video calls?

Yes. Fully disabling WebRTC (setting media.peerconnection.enabled to false in Firefox, for example) will break Google Meet, Zoom’s web client, Discord browser calls, and similar services. A better approach for most users is to use an extension like uBlock Origin that prevents IP leaking while keeping WebRTC functional for legitimate video calls.

Do all VPNs protect against WebRTC leaks?

No. According to AV-TEST Institute (2025), only 67% of tested VPN applications blocked WebRTC leaks without manual configuration. Even well-known providers sometimes require you to enable a “WebRTC leak protection” toggle in their settings. Always verify with a leak test after connecting.

Is a WebRTC leak dangerous if I’m not using a VPN?

Without a VPN, your real IP is already visible to every website through normal HTTP requests. A WebRTC leak adds little extra risk in that scenario. The danger is specifically when you’re using a VPN to hide your real IP, since WebRTC can bypass that protection and reveal the address you’re trying to conceal.

Can websites detect that I’ve disabled WebRTC?

Yes. Websites can check for the presence of the RTCPeerConnection API. If it’s missing, they know WebRTC is disabled. This is a minor fingerprinting signal but isn’t commonly used for tracking. The privacy gain from preventing IP leaks far outweighs the small fingerprinting cost.

Protect Yourself in Five Minutes

WebRTC leaks are one of the most common VPN bypass vectors, and one of the easiest to fix. The core problem is architectural: VPNs work at the network layer, but WebRTC operates at the application layer inside your browser. No VPN can fully solve this alone.

Your action plan takes five minutes. First, test for leaks with our WebRTC Leak Checker. Second, apply the fix for your browser from the table above. Third, retest to confirm the fix works. Fourth, bookmark the test and rerun it after browser or VPN updates.

If you want the simplest path forward: Brave blocks WebRTC leaks by default. Firefox lets you disable it natively. Chrome and Edge require extensions. On mobile, Firefox or Brave on Android are your best options, and Brave is the only reliable choice on iOS.

Check your IP exposure, test your DNS configuration, and verify your WebRTC status. Three tests, two minutes, zero excuses.
