
How to Test and Prevent WebRTC IP Leaks: The Complete Guide

WebRTC (Web Real-Time Communication) is an open-source standard that enables web browsers to establish direct, peer-to-peer (P2P) connections for video calls, voice chat, and decentralized file sharing. While it powers seamless, plugin-free applications like Discord, Zoom, and Google Meet, WebRTC features a major privacy vulnerability: it can leak your real IP address, even if you are using a VPN.

This vulnerability allows third-party websites to bypass your encrypted VPN tunnel to read both your public and local IP addresses.

How WebRTC Bypasses Your VPN

To understand how a WebRTC leak occurs, we must look at how browsers establish peer-to-peer connections. Because peer connections must bypass local firewalls and routers, the browser uses a protocol called Interactive Connectivity Establishment (ICE).

ICE candidates are generated by querying external STUN (Session Traversal Utilities for NAT) servers.

```
[Browser] --- (Queries STUN Server) ---> [Google STUN Server]
[Browser] <--- (Returns Public IP) <--- [Google STUN Server]
```

During this query, WebRTC opens a direct socket connection to the STUN server. Because this socket is established at the OS network level, many web browsers bypass the default routing tables set by VPN virtual network interfaces.

As a result, the STUN query resolves your actual, underlying public IP address (provided by your local ISP) alongside your local network addresses (such as 192.168.1.15).

The WebRTC IP Extraction Script

Websites do not need special permissions to read your WebRTC ICE candidates. A simple script can create an empty PeerConnection, trigger candidate gathering, and parse the resulting IP addresses:

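```javascript
const pc = new RTCPeerConnection({
  iceServers: [{ urls: "stun:stun.l.google.com:19302" }]
});

// Register the handler before gathering starts so no candidate is missed
pc.onicecandidate = (event) => {
  // The final event carries a null (or empty) candidate to signal the end of gathering
  if (event.candidate && event.candidate.candidate) {
    // Candidate line layout:
    // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
    // The address (IPv4, IPv6, or an mDNS ".local" name) is the fifth space-separated field
    const address = event.candidate.candidate.split(" ")[4];
    if (address) console.log("Detected IP:", address);
  }
};

// A data channel gives the offer something to negotiate, which triggers ICE gathering
pc.createDataChannel("");
pc.createOffer().then(offer => pc.setLocalDescription(offer));
```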

Any tracker embedded in an ad network can run this script silently in the background of a web page and log your real location in under 100 milliseconds.

How to Test for WebRTC Leaks

To verify if your privacy setup is leaking your network configuration:

  1. Enable your VPN or proxy.
  2. Visit BrowserProbe's WebRTC Leak Test.
  3. Check the "Leaked IPs" field.
  4. If you see your home ISP IP address or local IP addresses (like 10.x.x.x or 192.168.x.x), your browser is actively leaking your real network identity.
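
The comparison made in step 4 can be expressed as a small classifier over ICE candidate lines. This is an added example, not code from the original page or from BrowserProbe; the function names are hypothetical, `vpnExitIp` is a value you supply, and the sample candidates are constructed from documentation address ranges.

```javascript
// Hypothetical helpers: decide whether each ICE candidate exposes an address
// other than the VPN exit address the user expects sites to see.
function isPrivateV4(ip) {
  const o = ip.split(".").map(Number);
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254); // IPv4 link-local
}

function classifyCandidate(line, vpnExitIp) {
  // Layout: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const f = line.replace(/^a=/, "").trim().split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const address = f[4], type = f[7];
  let verdict;
  if (address.endsWith(".local")) verdict = "masked";      // mDNS name, no IP exposed
  else if (address === vpnExitIp) verdict = "expected";    // only the VPN exit is visible
  else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(address) && isPrivateV4(address)) verdict = "local-leak";
  else if (address.includes(":") && /^(fc|fd|fe[89ab])/i.test(address)) verdict = "local-leak"; // IPv6 ULA or link-local
  else verdict = "public-leak";                            // public address that is not the VPN exit
  return { address, type, verdict };
}

function leakReport(lines, vpnExitIp) {
  const results = lines.map(l => classifyCandidate(l, vpnExitIp)).filter(Boolean);
  return { leaking: results.some(r => r.verdict.endsWith("-leak")), results };
}

// Constructed sample candidates (not real captures)
const sample = [
  "candidate:1 1 udp 2122260223 192.168.1.15 54321 typ host generation 0",
  "candidate:2 1 udp 1686052607 198.51.100.23 54321 typ srflx raddr 192.168.1.15 rport 54321",
  "candidate:3 1 udp 2122260223 3f2a9c1e-7b4d-4e8a-9c55-0a1b2c3d4e5f.local 54322 typ host",
  "candidate:4 1 udp 1686052607 203.0.113.7 54323 typ srflx raddr 0.0.0.0 rport 0"
];

console.log(leakReport(sample, "203.0.113.7"));
```

To check your own browser, pass each `event.candidate.candidate` string gathered while the VPN is on to `classifyCandidate`, along with the exit address your VPN provider reports.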

Step-by-Step Mitigation Guide

To secure your connection, you must instruct your browser to block ICE candidate enumeration or disable WebRTC altogether.

1. Mozilla Firefox (Native Control)

Firefox is the only browser that allows you to disable WebRTC entirely without third-party extensions:

  • Type about:config in the Firefox address bar and accept the risk warning.
  • Search for the flag: media.peerconnection.enabled.
  • Double-click the flag to change its value from true to false.

*Note: This will prevent WebRTC-based video calling services from running in your browser.*

2. Google Chrome & Microsoft Edge

Chromium browsers do not expose a native toggle to turn off WebRTC, but you can configure WebRTC routing policies.

  • Install the WebRTC Leak Prevent extension from the Chrome Web Store.
  • Configure the extension to use the policy "Disable non-proxied UDP". This forces all WebRTC traffic through your configured VPN/proxy interface, ensuring only the proxy's IP is revealed.

3. Brave Browser

Brave includes native WebRTC controls in its Shields settings.

  • Open Brave Settings and navigate to Shields.
  • Find the WebRTC IP Handling Policy dropdown.
  • Select Disable Non-Proxied UDP or Default Public Interface Only to lock down ICE candidate leaks.

By configuring these routing settings, you can enjoy VPN security without completely breaking compatibility with web conferencing tools.