WebRTC (Web Real-Time Communication) is a browser feature that enables direct peer-to-peer connections between browsers, used for video calls, voice chat, and file sharing. It has a side effect: it can expose your real IP address to websites, even when a VPN is connected.
What it's for
Before WebRTC, browser-based video calls required a relay server to forward audio and video between participants, which was expensive for the service operator and slow due to the extra hop. WebRTC lets browsers connect directly to each other, saving cost and reducing latency.
Today WebRTC powers:
- Google Meet, Whereby, Jitsi (video conferencing).
- Discord voice channels in the browser.
- WhatsApp Web video calls.
- Peer-to-peer file sharing (Snapdrop, ShareDrop).
- Browser-based games and collaboration tools.
The leak
For two browsers to connect directly, they need each other's IP addresses. WebRTC uses a protocol called STUN to discover all the IPs your device has, including your real public IP, even if your traffic is currently routed through a VPN.
The discovery happens inside the browser via OS-level APIs. JavaScript on any web page can then read those IPs and send them anywhere. Result: the site can learn your real IP despite the VPN.
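To check a browser for the leak described above, you can audit the ICE candidate lines it produces (for example, copied from a WebRTC debugging page) against your VPN's exit address. The following is an added example, not code from the original page; the function names, the sample candidate lines and the addresses are constructed, and the VPN exit IP is assumed to be known.

```javascript
// Constructed sample of ICE candidate lines (documentation address ranges).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2113937151 3f2a9c1e-7b44-4c1d-9e0a-5d6f7a8b9c0d.local 54321 typ host",
  "candidate:2 1 udp 2113937151 192.168.1.23 54322 typ host",
  "candidate:3 1 udp 1677729535 198.51.100.20 54323 typ srflx raddr 0.0.0.0 rport 0",
  "a=candidate:4 1 udp 1677729535 203.0.113.77 54324 typ srflx raddr 0.0.0.0 rport 0",
  "not a candidate line",
];

// Field order: foundation component transport priority address port "typ" type
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\S+)/i.exec(line.trim());
  return m ? { address: m[1].toLowerCase(), type: m[2].toLowerCase() } : null;
}

// Rough scope of an address: "mdns", "private", "public" or "unknown".
function addressScope(addr) {
  if (addr.endsWith(".local")) return "mdns"; // browser-masked host candidate
  if (addr.includes(":")) { // IPv6: loopback, unique-local fc00::/7, link-local fe80::/10
    return addr === "::1" || /^f[cd]/.test(addr) || /^fe[89ab]/.test(addr) ? "private" : "public";
  }
  const parts = addr.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return "unknown";
  const [a, b] = parts.map(Number);
  const isPrivate = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return isPrivate ? "private" : "public";
}

// Sort candidates into buckets; a public address that is not the VPN exit is a leak.
function auditCandidates(lines, vpnExitIp) {
  const report = { leaks: [], viaVpn: [], private: [], mdns: [], skipped: 0 };
  const seen = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) { report.skipped += 1; continue; }
    if (seen.has(c.address)) continue;
    seen.add(c.address);
    const scope = addressScope(c.address);
    if (scope === "public") (c.address === vpnExitIp ? report.viaVpn : report.leaks).push(c);
    else if (scope === "unknown") report.skipped += 1;
    else report[scope].push(c);
  }
  return report;
}
```

An empty `leaks` list after applying one of the mitigations below means no public address other than the VPN exit appeared in the candidates you captured.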
Per-browser mitigations
- Chrome / Edge: install the WebRTC Network Limiter extension, or enable uBlock Origin's "Prevent WebRTC leaks" toggle.
- Brave: built-in Privacy and Security → Fingerprinting → "Disable Non-Proxied UDP."
- Firefox: about:config → media.peerconnection.enabled → false.
- Safari: stricter by default, less mitigation needed.