WebRTC Leaks: How Your Browser Can Reveal Your Real IP
Key points
- WebRTC powers in-browser video calls and can hand your real IP address to websites even with a VPN on.
- Test by checking the WebRTC section of a leak test page in every browser you use.
- Fix it through VPN-level protection, browser settings, or disabling WebRTC if you never make browser calls.
- The leak exposes your address and location, not your traffic content, and retesting after browser updates matters.
You connect your VPN, confirm the little shield icon, and assume websites now see the server's address instead of yours. Usually that is true. But one browser feature can quietly hand your real IP address to any website that asks, straight past the tunnel. It is called WebRTC, and the resulting exposure is known as a WebRTC leak.
The frustrating part is that WebRTC is not malware or a bug. It is a useful, deliberate feature that powers video calls in your browser. The leak is a side effect of how it works. This article explains the mechanism, shows you how to test yourself in two minutes, and walks through the fixes.
What WebRTC Is For
WebRTC stands for Web Real-Time Communication. It is the technology that lets video calls, voice chats, and screen sharing run directly in a browser tab with no plugin or separate app. When you join a meeting from a link without installing anything, WebRTC is doing the work.
To make calls smooth, WebRTC tries to connect participants directly to each other instead of relaying everything through a distant server. Direct connections mean lower delay and better quality. But to set one up, each browser must figure out every address it can be reached at, and then share those candidates with the other side.
That address-gathering step is where the trouble starts. The feature itself is legitimate and widely used, which is exactly why browsers ship it enabled by default and why simply waiting for it to go away is not a plan.
How the Leak Happens
When a script asks WebRTC to prepare a connection, the browser collects connection candidates. These can include your local network address, like 192.168.1.25, and your real public IP address, discovered by asking a helper server how you appear from outside. The browser collects these even while a VPN is connected, because WebRTC is built to find every possible path.
Here is the problem: a website does not need any call to be in progress. A few lines of script can trigger the gathering and read the candidate list. If your real public address appears in that list, the site now knows it, even though all your normal traffic flows through the VPN. The privacy you wanted from the address swap is undone for that site. Our explainer on what an IP address reveals covers why that matters: rough location, your internet provider, and a stable household identifier.
Whether the leak occurs depends on your browser, its settings, and how your VPN handles WebRTC traffic. That uncertainty is exactly why testing matters more than assuming.
WebRTC Leaks Among Other Leak Types
A VPN tunnel can spring several kinds of leaks, and they have different causes and fixes. Knowing which is which saves troubleshooting time:
| Leak type | What escapes | Common cause | Main fix |
|---|---|---|---|
| WebRTC leak | Your real IP addresses | Browser address gathering for calls | Browser setting or VPN-level blocking |
| DNS leak | The site names you look up | Lookups sent outside the tunnel | VPN-managed DNS, then verify |
| IPv6 leak | Traffic over an unprotected IPv6 path | VPN tunnels only IPv4 | VPN that handles or blocks IPv6 |
| Reconnect gap | Traffic during tunnel drops | No kill switch enabled | Turn on the kill switch |
Each row has its own guide where you can go deeper: the DNS leak guide for the second row, and the kill switch guide for the last one.
How to Test Yourself
The test takes about two minutes per browser:
- Step 1. Note your real public IP address with the VPN off.
- Step 2. Connect the VPN and confirm it shows as connected.
- Step 3. Visit a leak test page that includes a WebRTC section, or use the connection checker described in our guide to testing your VPN connection.
- Step 4. Compare. If the WebRTC section shows the VPN server's address or nothing at all, you are fine. If it shows the address from step 1, you have a leak.
Two notes on reading results. A local address like 192.168.x.x appearing is not the serious problem, since it does not identify you to the wider internet. Your real public address appearing is the leak that matters. And repeat the test in every browser you use, because WebRTC behavior is set per browser, not per device.
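The comparison in step 4, as an added example (not code from this site or from any leak test page): it parses candidate lines in the standard ICE `candidate:` format, the strings a browser reports for a WebRTC connection, and labels each address the way the two notes above describe. The IP addresses, sample lines, and function names are constructed for illustration, and the check of the `raddr` field goes slightly beyond what the article covers.

```javascript
// Added example: interpret ICE candidate lines from a WebRTC leak self-test.
// All addresses below are constructed documentation values, not real hosts.

// Private, loopback and link-local ranges are only meaningful inside your own network.
function isLocalAddress(addr) {
  const a = addr.toLowerCase();
  if (a.includes(":")) // IPv6: loopback, link-local fe80::/10, unique-local fc00::/7
    return a === "::1" || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a);
  const [o1, o2] = a.split(".").map(Number);
  return o1 === 10 || o1 === 127 ||
    (o1 === 172 && o2 >= 16 && o2 <= 31) ||
    (o1 === 192 && o2 === 168) ||
    (o1 === 169 && o2 === 254);
}

// Format: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> rport <port>]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], related: r > 0 ? f[r + 1] : null };
}

function classify(addr, realIp, vpnIp) {
  if (addr.endsWith(".local")) return "mdns"; // obfuscated host name, reveals no IP
  if (addr === realIp) return "leak";         // the address noted in step 1
  if (addr === vpnIp) return "vpn";
  return isLocalAddress(addr) ? "local" : "other-public";
}

function checkCandidates(lines, realIp, vpnIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const addrs = [c.address];
    // raddr can repeat a reflexive address; browsers often blank it to 0.0.0.0
    if (c.related && c.related !== "0.0.0.0" && c.related !== "::") addrs.push(c.related);
    for (const addr of addrs)
      findings.push({ addr, type: c.type, verdict: classify(addr, realIp, vpnIp) });
  }
  return { leaking: findings.some((f) => f.verdict === "leak"), findings };
}

const REAL_IP = "203.0.113.7", VPN_IP = "198.51.100.40"; // constructed
const SAMPLE = [ // constructed candidate lines
  "candidate:1 1 udp 2113937151 3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f.local 54400 typ host",
  "candidate:2 1 udp 2122260223 192.168.1.25 50000 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.40 50001 typ srflx raddr 192.168.1.25 rport 50000",
  "candidate:4 1 udp 1686052607 203.0.113.7 50002 typ srflx raddr 0.0.0.0 rport 0",
];
console.log(checkCandidates(SAMPLE, REAL_IP, VPN_IP));
```

Only the fourth sample line counts as a leak: the `.local` name and the 192.168.1.25 address stay on the local network, and the third line shows the VPN server's address.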
Tip: retest after browser updates a couple of times a year. Browsers change their WebRTC defaults between versions, and a setup that passed in January can fail quietly in June.
How to Fix a WebRTC Leak
You have three levels of fix, from gentlest to bluntest:
- Let the VPN handle it. A well-built VPN app routes or blocks WebRTC's address discovery so the only public address a site can learn is the server's. This is the best option because video calls keep working. Check whether your app lists WebRTC protection and confirm with a test.
- Tighten the browser. Firefox lets you adjust WebRTC behavior in its advanced settings, and several browsers offer modes that hide local addresses from scripts. Browser extensions can also limit WebRTC, though every added extension is a trade-off.
- Disable WebRTC entirely. This closes the leak with certainty and breaks in-browser calling. Reasonable if you use a separate app for meetings and want one less thing to think about.
Whichever route you take, finish with a retest. The fix you verified is the only fix you actually have. This is the same principle behind the rest of VPN hygiene, like confirming your DNS stays in the tunnel and your kill switch really blocks traffic.
One practical wrinkle: if you use more than one browser, each needs its own attention. A fix applied in Firefox does nothing for Chrome on the same machine, and a privacy extension installed in your main browser does not cover the secondary one you open twice a month. The VPN-level fix is the exception, since it sits below all browsers at once, which is another reason it is the preferred option when your provider offers it.
Keeping Perspective
A WebRTC leak does not expose your browsing content. Your traffic stays encrypted, your internet provider still sees only the tunnel, and your passwords are not at risk from this. What leaks is the identifier you were masking: your real public IP, with the rough location and household link it carries. For some people that is a minor annoyance. For people who chose a VPN specifically to keep their location away from certain sites, it defeats the purpose.
Either way, the fix costs nothing and takes minutes, which makes it one of the best value items in any privacy checklist. If you do not have a VPN to test with yet, the vpn.now free plan gives you a working tunnel to run these checks against before you spend anything.
How to Fix WebRTC Leaks in Each Browser and on Your Phone
There is no single switch that works everywhere, so the fix depends on which browser you use. Before you start, know the trade-off: turning WebRTC off can break web-based video calls, voice chat, and screen sharing inside the browser. If you rely on those tools, you may want to limit WebRTC only on the browser you use for private tasks and leave another browser alone for meetings.
Here is the practical fix for the common browsers on a computer:
- Chrome and other Chromium browsers (such as Edge and Brave): there is no built-in off switch. The usual approach is to add a trusted extension that limits WebRTC and blocks it from exposing local addresses. Stick to a well-reviewed extension, since it can see browser activity.
- Firefox: type `about:config` in the address bar, accept the warning, search for `media.peerconnection.enabled`, and set it to false. This is built in and needs no extension, but it can break video calls that run inside Firefox.
- Safari: it is generally more conservative about handing out your local network address, so it leaks less by default. You can still test it to be sure.
Phones are harder. Mobile browsers and the in-app browsers inside other apps all behave differently, and many give you no setting to change. Because of that, the safest move on a phone is not a per-browser tweak. Run the full vpn.now app so it covers the whole device, including every browser and in-app browser at once. That way a single WebRTC slip in one app is far less likely to hand out your real IP, and you do not have to manage a different fix for each browser.
Summary
The essentials on WebRTC leaks:
- WebRTC powers in-browser video calls and gathers your device's IP addresses to set up direct connections.
- A website script can read those addresses, which can expose your real public IP even with a VPN connected.
- Test by comparing the WebRTC result on a leak test page against your real address, in every browser you use.
- Fix it through VPN-level protection, browser settings, or disabling WebRTC if you never make browser calls.
- The leak exposes your address and location signals, not your traffic content.
- Retest after browser updates, since defaults change between versions.