Your VPN Is On. Your Real IP Is Still Visible.
You switched on your VPN, confirmed your IP changed, and figured you were good. But there is a browser-level vulnerability that can expose your actual home IP address to any website you visit — completely bypassing your VPN. It is called a WebRTC IP leak, and it affects Chrome, Firefox, Edge, and Opera by default.
Most people using VPNs have never heard of it. Most VPN providers do not mention it unless asked. And yet it is one of the most reliable ways a website can discover your real IP even when you are behind a VPN.
This guide covers what WebRTC is, exactly why it leaks your IP, how to test if you are affected, and the specific steps to fix it in each browser.
What Is WebRTC?
WebRTC stands for Web Real-Time Communication. It is a set of browser APIs that lets web pages create direct peer-to-peer connections for audio, video, and data — without needing a plugin or separate application.
Google Meet in your browser, Discord's browser app, voice chat on Twitch — these all use WebRTC under the hood. It is genuinely useful technology. The privacy problem is not a bug in WebRTC itself. It is a side effect of how it works.
To establish a direct peer-to-peer connection, WebRTC needs to figure out the best path between two devices. It does this using a protocol called ICE (Interactive Connectivity Establishment), which discovers all the IP addresses available on your machine — including your real local network IP and, critically, your real public IP — and shares them with the other peer to negotiate the connection.
This discovery process uses STUN servers (Session Traversal Utilities for NAT) to find your public IP. The problem: candidate gathering happens at the browser level, and the resulting STUN requests can bypass the network path that your VPN controls. Your VPN encrypts the traffic that goes through its tunnel. It does not, on its own, prevent the browser from making STUN requests outside that tunnel.
What Gets Leaked
A WebRTC leak can expose two types of IP addresses:
- Your local IP address — the private IP your router assigned to your device, like 192.168.1.42. This reveals your home network structure and is a fingerprinting signal.
- Your real public IP address — this is the serious one. Your actual public IP, the one your ISP assigned, visible even while your VPN shows a different IP. This completely defeats the purpose of using a VPN for privacy.
Some VPNs handle this correctly by routing WebRTC traffic through the VPN tunnel. Many do not. And even good VPNs can slip up in certain configurations or after reconnects.
How to Test If You Have a WebRTC Leak
1. Turn off your VPN completely. Visit an IP lookup tool and note your real public IP address.
2. Turn your VPN on. Visit the same tool again and confirm it shows the VPN's IP address.
3. With your VPN still on, open a WebRTC leak test tool in the same browser. Look for any IP addresses shown in the WebRTC section.
4. If you see your real public IP (the one from step 1) in the WebRTC results, you have a leak. Your VPN is not protecting you from WebRTC exposure.
The leak test works by using JavaScript to access the WebRTC API and collect all the ICE candidates your browser discovers. It displays them so you can see what any website could learn about you.
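To interpret what such a test reports, the following added example (not code from the original article) parses ICE candidate lines and flags which ones disclose the real public IP or a local address. The function names and every address in the sample are assumptions constructed for illustration; in practice the lines would be copied from the WebRTC section of a leak test run with the VPN on.

```javascript
// Added example; every address here is constructed (RFC 1918 / RFC 5737 ranges).
const PRIVATE = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i;

// Parse one ICE candidate line of the form:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').replace(/^candidate:/, '').split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;      // not a candidate line
  const r = f.indexOf('raddr');
  // type is host, srflx, prflx or relay; raddr is the base address behind a srflx/relay candidate
  return { address: f[4], type: f[7], relatedAddress: r > 7 ? f[r + 1] || null : null };
}

// Label what one address reveals, given the public IP noted with the VPN off.
function classifyAddress(addr, realPublicIp) {
  if (!addr || addr === '0.0.0.0' || addr === '::') return 'none';   // masked by the browser
  if (addr.toLowerCase().endsWith('.local')) return 'none';          // mDNS name, no IP disclosed
  if (addr === realPublicIp) return 'real-public-ip';
  if (PRIVATE.test(addr)) return 'local-ip';
  return 'other-public-ip';                                          // should be the VPN exit address
}

// Assess candidate lines collected with the VPN on.
function assessLeak(lines, realPublicIp, vpnIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      const exposure = classifyAddress(addr, realPublicIp);
      if (exposure !== 'none') findings.push({ type: c.type, address: addr, exposure });
    }
  }
  const has = (e) => findings.some((x) => x.exposure === e);
  const unexpected = findings.filter((x) => x.exposure === 'other-public-ip' && x.address !== vpnIp);
  return { findings, leaksRealIp: has('real-public-ip'), leaksLocalIp: has('local-ip'), unexpected };
}

// Constructed sample: real public IP 198.51.100.23, VPN exit IP 203.0.113.7.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.42 54321 typ host generation 0',
  'candidate:2 1 udp 1686052607 198.51.100.23 54321 typ srflx raddr 192.168.1.42 rport 54321',
  'candidate:3 1 udp 1686052351 203.0.113.7 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'candidate:4 1 udp 2122194687 3f2a9c1e-0b7d-4e55-9a61-5c2d8e7f1a00.local 50000 typ host',
];
```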
Which Browsers Are Affected
| Browser | WebRTC Enabled by Default | Leaks Real IP by Default |
|---|---|---|
| Chrome | Yes | Yes (without VPN or fix) |
| Firefox | Yes | Yes (but configurable) |
| Edge | Yes | Yes |
| Opera | Yes | Yes |
| Brave | Yes | No — Brave blocks non-proxied WebRTC by default |
| Safari | Partial | Limited — Safari restricts ICE candidate types |
| Tor Browser | Disabled | No |
How to Fix WebRTC Leaks
Firefox — The Easiest Fix
Firefox allows you to disable WebRTC entirely through the about:config page without any extensions:
- Type about:config in your address bar and press Enter
- Click Accept the Risk and Continue
- Search for media.peerconnection.enabled
- Double-click it to set it to false
This completely disables WebRTC. You will not be able to use browser-based video calling on sites that require it, but your IP will not be exposed through WebRTC.
Chrome and Edge — Use an Extension
Chrome does not let you disable WebRTC cleanly through settings. Use the WebRTC Network Limiter (an official Google extension) or uBlock Origin, which has a WebRTC blocking option in its dashboard: on the Settings tab, check "Prevent WebRTC from leaking local IP addresses".
Extensions cannot always block 100% of WebRTC, especially if you grant a site camera or microphone permissions. The most reliable fix for Chrome is a VPN that handles WebRTC at the OS level.
Brave — Already Handled
Brave blocks non-proxied WebRTC connections by default. Verify in Brave Settings > Privacy and Security > WebRTC IP Handling Policy — set to Default public interface only or Disable non-proxied UDP.
VPN Apps with Built-in WebRTC Protection
Some VPN applications route all WebRTC traffic through the VPN tunnel at the OS level. Mullvad VPN and ProtonVPN are known for this. Confirm WebRTC protection is active in the VPN's settings after connecting.
WebRTC Leak vs DNS Leak: What Is the Difference?
| Issue | WebRTC Leak | DNS Leak |
|---|---|---|
| What leaks | Your real public IP and local IPs | Your DNS queries (reveals browsing activity) |
| How it happens | Browser bypasses VPN for ICE negotiation | DNS requests go through ISP instead of VPN |
| Who sees it | Any website you visit | Your ISP's DNS servers |
| VPN fix needed | VPN must route WebRTC or browser must block it | VPN must use its own DNS servers |
| Severity | High — reveals your real IP | Medium — reveals browsing patterns |
Does a VPN Kill Switch Help?
A VPN kill switch cuts your internet connection if the VPN drops. It helps prevent leaks during reconnects. But a kill switch alone does not fix WebRTC leaks — those happen even while the VPN is fully connected. The WebRTC issue is about the browser making direct requests outside the VPN tunnel, not about the VPN disconnecting.
You need both: a kill switch for disconnection leaks and a WebRTC fix for active-session leaks.
Who Should Care About This?
If you use a VPN mainly for geo-restriction bypass (accessing streaming services in other regions), a WebRTC leak is a minor issue — it does not affect whether the streaming service thinks you are in another country, as long as your main traffic routes through the VPN.
If you use a VPN for actual privacy — journalists, activists, people in restrictive countries, anyone who needs to keep their real location hidden — a WebRTC leak is a serious problem. Any site you visit can run WebRTC IP detection in the background and log your real IP address silently, without you knowing.
Common Mistakes People Make
- Assuming their VPN handles it. Most VPN providers do not block WebRTC at the browser level. Always test, never assume.
- Testing with the VPN off, then assuming it is fine. Test with the VPN on. That is when the leak matters.
- Installing a random WebRTC extension without checking it. Some browser extensions claiming to block WebRTC are themselves tracking tools. Use uBlock Origin or officially published extensions.
- Thinking incognito mode helps. Private browsing does not disable WebRTC. Your real IP can still be exposed in an incognito tab.
- Forgetting after browser updates. Browser updates can reset extension settings or change WebRTC behavior. Re-test periodically.
Real-World Scenarios Where WebRTC Leaks Are Used
Advertisers have used WebRTC IP detection to build more accurate user profiles, especially for people rotating proxies or using VPNs for ad evasion. Even if your VPN IP changes every hour, your real IP exposed by WebRTC stays the same and links your sessions together.
Some streaming services and betting platforms run WebRTC checks to detect VPN users. They show the VPN IP as your regular connection while separately detecting your real IP through WebRTC. If the two do not match, you get blocked even though your VPN appears to be working.
In legal investigations, WebRTC logs from server-side JavaScript have been cited as evidence. Websites running their own analytics can capture WebRTC ICE candidates and log the real IPs, giving investigators a way to identify users who believed they were protected by a VPN.
Checking All Your Browsers and Devices
Most people test on one browser and assume they are covered. If you use multiple browsers, each has its own WebRTC setting. Fixing Firefox does not fix Chrome on the same machine. Your phone's browser is a separate surface — Chrome for Android and Safari for iOS both have WebRTC enabled.
Browser extensions for WebRTC protection only run in that specific browser. They do not apply to other apps that use WebView, which is the embedded browser component many mobile apps use to render web content. WebView inherits system network settings, not your browser's extension settings.
Test every browser you use. A five-minute check across your devices can save you from weeks of thinking you were private when you were not.