MyIPScan
Browser session check

WebRTC Leak Test: Check Browser IP Exposure and VPN Leaks

Run a WebRTC leak test to see whether ICE candidates reveal public, local, private, limited, or mDNS-masked address signals from your current browser session.

WebRTC behavior depends on your browser, settings, extensions, operating system, network, and VPN configuration. Local or limited candidates are not the same as public IP exposure, and this test does not prove all WebRTC risk is absent.

WebRTC exposure

Current Result

Inconclusive
Run the test to see what WebRTC exposes in this browser session.
Public IP candidates
None observed
Local/private candidates
None observed
Masked candidates
None observed
Browser support
Not checked
Verdict first Safe Copy Candidate details below

Short answer

A WebRTC leak matters when the browser exposes an unexpected route

Modern browsers may show mDNS or local candidates that are not the same as a public IP leak. The higher-risk signal is a public candidate that matches your real ISP, mobile carrier, office, or non-VPN route while you expected VPN traffic.

Run WebRTC Test Chrome guide Firefox guide Safe Copy
Observed candidateWhat it usually meansWhat to compare
mDNS masked hostOften normal modern browser behavior.Compare Chrome/Firefox and VPN state.
Local/private candidateMay reveal local network shape but not necessarily public IP.Check browser privacy settings and app requirements.
Public VPN candidateThe browser may expose the VPN-facing route.Document the route and run DNS/IPv6 checks.
Public ISP candidateHigher-priority review while VPN is connected.Check VPN split tunnel, proxy extension, IPv6, and browser profile.

WebRTC test checklist

How to run a WebRTC leak test with a VPN or private browser profile

Run the WebRTC leak test in the same browser profile you actually use, then repeat it after changing VPN, proxy, extension, or browser privacy settings. The important signal is whether WebRTC exposes a public candidate that differs from the route you expected.

Compare the candidate type

mDNS-masked and local candidates are common in modern browsers. Public ISP or mobile-carrier candidates deserve closer review when a VPN is connected.

Retest after one change

Change one browser, extension, VPN, or split-tunnel setting at a time so the before/after result is easy to trust.

Exposure estimate and receipt limits

A WebRTC flag means the browser surfaced a visible signal in this session. Receipt copy, share, and PNG export use safe categories and remove raw candidate strings before export. Read the methodology.

See what Safe Copy includes before sharing or saving a result.

Want the full picture? Run the Privacy Exposure Report.

Combine IP, WebRTC, IPv6, DNS leak, fingerprint, user-agent, and related privacy signals in one report.

Run report

Result meanings

How to read the result

No WebRTC IP exposure detected

WebRTC ran without exposing literal public or local IP candidates. The browser may have masked host candidates with mDNS.

Local/private IP visible

Only private, local, link-local, or carrier-grade NAT candidates appeared. These can still reveal network shape to websites.

Public IP exposed

A public IPv4 or IPv6 candidate was visible. Compare it with your expected VPN or network route and retest after changes.

WebRTC unavailable

The browser did not provide RTCPeerConnection, or a policy or extension blocked the API before the test could begin.

Inconclusive

The browser supported the API, but candidate gathering timed out, errored, or returned too little data to classify reliably.

Browser fixes

Reduce WebRTC IP exposure

Settings and policy names change over time, so treat these as a checklist to verify in your current browser, VPN app, and operating system.

Chrome

Check privacy extensions or enterprise policy controls for WebRTC local IP handling, then restart the browser and rerun this test. For the browser-specific path, open the Chrome WebRTC leak test.

Edge

Edge uses Chromium WebRTC behavior. Review browser privacy settings, managed WebRTC local IP policies, and VPN leak-protection settings.

Firefox

Advanced users can review about:config WebRTC preferences such as media.peerconnection.enabled. Disabling WebRTC can break calls and peer-to-peer apps.

Brave

Open Brave privacy settings and review the WebRTC IP handling policy. Choose a stricter option when you do not need local network discovery.

Safari

Keep Safari and the operating system updated, review website permissions, and retest after VPN or network changes. Safari exposes fewer direct WebRTC toggles.

Android browsers

Review the specific browser's site permissions, VPN app leak protection, split-tunneling settings, and private DNS settings, then test again on mobile data and Wi-Fi.

iOS Safari limitations

iOS browsers rely on WebKit behavior and have fewer extension-level WebRTC controls. Test each browser profile after changing VPN, relay, or network settings.

Methodology

How this WebRTC test works

The page creates a temporary RTCPeerConnection, opens a data channel, and asks the browser to gather ICE candidates using stun:stun.l.google.com:19302. MyIPScan classifies literal public candidates, private or local candidates, and mDNS-masked candidates locally in the browser.

This does not inspect VPN traffic outside the browser, does not audit every app on the device, and can change with browser, OS, VPN, network, and STUN behavior. For the broader diagnostic model, read the MyIPScan methodology.

Related tools

Continue the privacy check

VPN Leak TestCombine IP, DNS, WebRTC, IPv6, and browser signals. DNS Leak TestRun the limited DNS privacy check and read its limitations. Chrome WebRTC Leak TestUse the Chrome-specific troubleshooting flow after browser or extension changes. Firefox WebRTC Leak TestCompare Firefox profile, private window, and browser preference behavior. WebRTC Leak TestReturn to this browser IP exposure check. IPv6 Leak TestCheck whether IPv6 is visible in your browser session. Browser Fingerprint TestSee browser signals a VPN usually does not hide. What Is My IPCompare your public IP with WebRTC candidate results. MethodologyRead how MyIPScan classifies browser privacy diagnostics.

Related guides

Learn the signals

What Is a WebRTC Leak?Understand why browsers expose ICE candidates. WebRTC Leak Topic HubFollow the WebRTC cluster for browser candidates, VPN checks, and Chrome/Firefox troubleshooting. Chrome WebRTC Leak Test GuideFollow the Chrome-specific check if this tool reports visible candidates. How to Hide Your IP AddressCompare VPNs, Tor, proxies, and privacy tradeoffs. Proxy vs VPN vs TorLearn what each routing tool can and cannot hide. DNS Leak GuideCheck another common VPN privacy signal. How to Check Your IPv6 AddressReview IPv6 exposure alongside WebRTC results. Guides HomeOpen the MyIPScan blog for newer privacy guides.

Before / after privacy flow

Compare one browser or VPN change at a time

This page is focused on public, local, private, limited, and mDNS-masked WebRTC candidates. Run the WebRTC candidate check first, then use Public Exposure Report to compare it with IP, DNS, IPv6, and fingerprint signals. Results are visible browser/session signals, not a certification.

1. BaselineRun the focused check before changing VPN, DNS, browser, profile, or network settings.
2. Change one thingConnect or switch VPN, change Secure DNS, adjust WebRTC/fingerprint settings, or move networks.
3. RetestRun the same check again in the same browser/session when possible.
4. CompareReview changed and unchanged IP route, DNS, WebRTC, IPv6, fingerprint, and User-Agent signals.
5. Safe receiptUse Safe Copy or the Safe Privacy Receipt instead of sharing raw identifiers.

Status language

Use conservative result labels

These labels keep the result understandable without implying a VPN, browser, device, or account is safe.

Visible

A browser/session signal was visible and should be compared with what you expected.

Expected

The observed signal appears consistent with the stated route or browser behavior.

Review

The signal may need closer review before relying on this setup for the current session.

Limited

The check ran, but this page cannot cover every app, device route, server, or future connection.

Not detected

The tested signal was not observed in this browser/session.

Not checked

The signal has not run yet or the browser did not provide enough data.

Fix checklist

Where to review settings after a signal needs attention

Settings names change. Treat this as a route to verify, then rerun the focused check and the Public Exposure Report.

ChromeReview Secure DNS, WebRTC policy/extensions, profile state, and site permissions.
EdgeReview Chromium privacy settings, managed policies, Secure DNS, and VPN split tunneling.
FirefoxReview Enhanced Tracking Protection, DNS over HTTPS, and advanced WebRTC preferences when appropriate.
BraveReview Shields, fingerprinting protections, and WebRTC IP handling policy.
SafariReview website permissions, iCloud Private Relay context, and operating-system privacy settings.
iOSRetest after VPN profile, relay, mobile data, or Wi-Fi changes. Browser controls may be limited.
AndroidReview per-app VPN, Private DNS, browser permissions, and Wi-Fi versus mobile data behavior.
WindowsReview VPN adapter DNS, split tunneling, IPv6, browser Secure DNS, and firewall/proxy rules.
macOSReview VPN profile order, DNS settings, iCloud Private Relay context, and browser-specific privacy controls.
Public Exposure ReportDefault next step for a combined route map and Safe Privacy Receipt. Is My VPN Working?Before/after VPN workflow for visible browser/session signals. What Websites Can See About MePlain-language map of signals websites may read from this browser/session. Check My Browser PrivacyFocused path for fingerprint, WebRTC, IPv6, User-Agent, and browser settings.

Check WebRTC

What this checks

Browser ICE candidate behavior, including public candidates, local/private candidates, IPv6 candidates, and mDNS-masked candidates surfaced in this session.

Limits

What this cannot check

It cannot audit every app, VPN route, browser extension, OS network rule, STUN behavior, or future session outside this browser test.

Read results

How to interpret results

A good result means no unexpected public WebRTC candidate appears for the non-VPN route you were trying to avoid. Local and mDNS-masked candidates need context before concern.

Warnings

What a warning means

A warning means the browser exposed a candidate that may deserve review, especially if it matches an ISP, office, mobile, or non-VPN route.

Fix path

What to do next

Compare the result with the VPN and DNS tests, then review browser WebRTC settings, extensions, VPN leak protection, and profile-specific behavior.

Retest

When to retest

Retest after browser updates, extension changes, VPN reconnects, network switches, or WebRTC privacy setting changes.

Related tools

Continue with the closest checks

Public Exposure ReportFull browser-session report with Safe Copy, issues, fixes, and clear limits. VPN Leak TestCompare visible IP, DNS, WebRTC, IPv6, and browser signals. DNS Leak TestLimited resolver-signal check with before/after review. IPv6 Leak TestIPv6 visibility alongside IPv4 in the current session. MethodologyReview how MyIPScan labels signals, limitations, and Safe Copy output.