By: Katia Belokon · Updated June 2026
What is WebRTC?
WebRTC (Web Real-Time Communication) is an open standard that allows browsers to establish peer-to-peer connections directly — without a server in the middle — for video calls, voice calls, file sharing, and other real-time applications. It is built into all major browsers: Chrome, Firefox, Safari, Edge, and Brave.
To establish a peer-to-peer connection, WebRTC uses a process called ICE (Interactive Connectivity Establishment). ICE collects a list of "candidates" — network addresses that each peer can use to connect. These candidates include your local network IP (e.g., 192.168.1.x), your public ISP IP, and sometimes addresses from STUN servers that help peers locate each other through NAT.
What is a WebRTC IP leak?
A WebRTC leak occurs when a website uses the browser's WebRTC API to collect your ICE candidates and thereby discover your real IP address — even if you are connected to a VPN. Because the ICE candidate collection happens inside the browser process and queries network interfaces directly, the VPN's IP masking does not prevent the browser from finding and reporting your real public IP.
The leak typically exposes two types of addresses:
- Local IP: Your internal network address (e.g., 192.168.1.100). This reveals your home or office network configuration to any website that queries WebRTC.
- Public IP: Your real ISP-assigned public IP address, distinct from the VPN exit IP. Any website can read this via a simple JavaScript snippet without any user interaction or permission.
Why VPNs do not block WebRTC leaks by default
VPN clients route traffic at the operating system network layer — they intercept IP packets and redirect them through the encrypted tunnel. WebRTC's ICE candidate collection works differently: the browser's internal APIs query the OS for network interface addresses and communicate those addresses within the WebRTC protocol negotiation, rather than sending them as regular IP packets that the VPN can intercept.
The result is that the VPN can successfully mask your IP for all normal browsing and requests, while simultaneously the browser can read and expose your real IP address to any site that calls the WebRTC API. The two systems operate independently.
How to test for a WebRTC leak
- Without your VPN connected, run MyIPScan's WebRTC Leak Test. Note your real public IP shown in the WebRTC candidates section — this is your baseline.
- Connect your VPN.
- Run the WebRTC Leak Test again in the same browser session.
- If you see your real ISP public IP in the WebRTC candidates alongside (or instead of) the VPN IP, you have a WebRTC leak.
Note: Seeing a local IP (192.168.x.x or 10.x.x.x) in WebRTC candidates is normal and does not reveal your public identity. The concern is if your real public IP — the one your ISP assigned — appears alongside or instead of the VPN IP.
How to disable or restrict WebRTC
The approach depends on your browser:
- Firefox: In the address bar, type
about:config, search formedia.peerconnection.enabled, and set it tofalse. This fully disables WebRTC. - Chrome / Edge: Install a WebRTC control extension. uBlock Origin in advanced mode includes a WebRTC blocking option. Alternatively, use your VPN's official browser extension, which typically handles this.
- Brave: Go to Settings → Privacy and security → WebRTC IP handling policy and select "Disable non-proxied UDP." Brave offers this natively without extensions.
- Safari: Safari has limited WebRTC support and restricts ICE candidate collection by default in most configurations. It is less vulnerable to this leak than Chromium-based browsers.
- VPN browser extensions: Most reputable VPN providers' browser extensions include a WebRTC IP leak prevention option. Enable it in the extension settings.
Frequently asked questions
What is a WebRTC leak?
A WebRTC leak is when the browser's WebRTC API exposes your real IP address — including local network IPs and your public ISP IP — to websites, even when connected to a VPN. It happens because WebRTC's ICE candidate collection operates at the browser level, bypassing VPN tunneling.
Why do VPNs not block WebRTC leaks by default?
VPNs route traffic at the OS network layer. WebRTC's ICE candidate collection happens inside the browser process and queries network interfaces directly through browser APIs — it does not route through the OS IP stack in a way that the VPN client can intercept. The browser can therefore read and expose your real IPs independently of the VPN.
How do I test for a WebRTC leak?
Connect your VPN, then run MyIPScan's WebRTC Leak Test. If your real ISP public IP appears in the WebRTC candidates alongside or instead of the VPN IP, you have a leak. Establish a baseline by running the test without a VPN first.
How do I disable WebRTC in my browser?
Firefox: set media.peerconnection.enabled to false in about:config. Brave: set WebRTC IP handling policy to "Disable non-proxied UDP" in Privacy settings. Chrome/Edge: use a VPN browser extension or uBlock Origin in advanced mode. Your VPN's own browser extension is usually the simplest option.
Does WebRTC only leak IPs when using a VPN?
No. WebRTC can expose your local network IP to any website even without a VPN. Without a VPN it also reveals your public IP, which is already visible anyway. The problem is most significant on VPNs because it defeats the purpose of IP masking — a website can read your real IP even though you believe the VPN is hiding it.