WebRTC IP Leaks.

Your browser can expose your real IP address through a feature called WebRTC — even when your VPN is connected. Here's why it happens and how to stop it.

⚠️ The short version

WebRTC is a browser feature that lets video calls and peer-to-peer apps work directly between users without a central server. To do that, it asks your device for its IP addresses — including the real public IP that your VPN is supposed to hide. If a malicious or curious site uses WebRTC's JavaScript API, it can read that IP. A VPN does not stop this on its own because the leak happens inside the browser, not on the network.

What WebRTC is

WebRTC (Web Real-Time Communication) is a browser API standardized around 2011. It powers:

  • Video calls in browsers (Google Meet, Discord, Jitsi, Whereby, browser-based WhatsApp calls).
  • Peer-to-peer file transfers (Snapdrop, ShareDrop).
  • Browser-based games and collaboration tools that need direct peer connections.
  • Voice features on platforms like Discord, Slack huddles, etc.

The reason WebRTC matters is that it allows browser-to-browser communication without an intermediate relay server. That saves the application provider money and reduces latency.

Why WebRTC leaks IPs

For two browsers to connect directly, they need to know each other's IP addresses. WebRTC uses a protocol called STUN (Session Traversal Utilities for NAT) to discover all the IPs your device has — local network IPs, public IPs, and IPv6 IPs.

The discovery happens inside the browser, via OS-level APIs. The browser asks the operating system "what network interfaces does this device have, and what are their IPs?" The OS answers truthfully — including your real public IP, even if traffic is currently routed through a VPN.

Then, a JavaScript API on any web page can read those IPs. A site can simply create a peer connection (using RTCPeerConnection), look at the candidates generated, and extract every IP your browser knows about.

Result: the site knows your real public IP, even though all your normal HTTP traffic is going through the VPN. From the site's perspective, the "WebRTC IP" can be very different from the "HTTP IP."

How to detect a WebRTC leak

  1. Connect to your VPN.
  2. Visit browserleaks.com/webrtc.
  3. Look at the "Public IP Address" section. If it shows your real IP (which you can verify at /tools/what-is-my-ip/ with VPN disconnected), the leak is real. If it shows the VPN server's IP or nothing — you're protected.

The "Local IP" section will usually show something like 192.168.x.x or 10.x.x.x — these are private network IPs and aren't a meaningful leak. They tell observers you're on a home network with NAT, but they don't identify you publicly.
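
The comparison in step 3, automated as an added example (not code from this page or from browserleaks.com): it parses ICE candidate lines, such as those shown in a browser's WebRTC diagnostics, and reports public addresses that are not the VPN exit IP. The candidate lines and addresses are constructed from documentation ranges, and the function names are illustrative.

```javascript
// Added example. Candidate lines and addresses are constructed
// (RFC 5737 documentation ranges); all names are illustrative.

// Parse the leading fields of one ICE "candidate:" line (RFC 8839 grammar).
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { address: m[1].toLowerCase(), port: Number(m[2]), type: m[3] } : null;
}

// Scope of an address: 'mdns' (obfuscated hostname), 'private', or 'public'.
function addressScope(addr) {
  if (addr.endsWith('.local')) return 'mdns';
  if (addr.includes(':')) {
    // IPv6 loopback, link-local fe80::/10 and unique-local fc00::/7
    return /^(::1$|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/.test(addr) ? 'private' : 'public';
  }
  const [a, b] = addr.split('.').map(Number);
  const isPrivate = a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127); // last range is CGNAT 100.64.0.0/10
  return isPrivate ? 'private' : 'public';
}

// Public addresses WebRTC exposed that are not a VPN exit IP.
// Relay candidates are skipped: their address belongs to the TURN server.
function findLeaks(candidateLines, vpnExitIps) {
  const allowed = new Set(vpnExitIps.map((ip) => ip.toLowerCase()));
  const leaks = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.type === 'relay') continue;
    if (addressScope(c.address) === 'public' && !allowed.has(c.address)) leaks.add(c.address);
  }
  return [...leaks];
}

// Constructed sample: VPN exit 198.51.100.7, real public IP 203.0.113.45.
const sampleCandidates = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2122194687 4f2c1a0e-1111-2222-3333-444455556666.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
  'candidate:4 1 udp 1686052607 198.51.100.7 40000 typ srflx raddr 10.8.0.2 rport 40000',
  'candidate:5 1 udp 41885439 192.0.2.10 3478 typ relay raddr 198.51.100.7 rport 40000',
];

console.log(findLeaks(sampleCandidates, ['198.51.100.7']));
```

An empty result corresponds to the "protected" outcome above; private and `.local` (mDNS) host candidates are ignored for the same reason the "Local IP" section is.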

Per-browser fixes

Chrome / Edge / Brave

Chrome's WebRTC implementation can't be disabled through standard settings. Your options:

  • WebRTC Network Limiter — official Google extension that prevents WebRTC from binding to non-tunnel interfaces. Recommended if you want WebRTC to still work but only through the VPN.
  • uBlock Origin — its "Prevent WebRTC from leaking local IP addresses" toggle (in advanced settings) does the job for most leaks.
  • Brave — has a built-in setting under Privacy and Security → Fingerprinting → WebRTC IP Handling. Set to "Disable Non-Proxied UDP" for maximum protection.

Firefox

Firefox lets you disable WebRTC at the engine level:

  1. Open about:config in the URL bar.
  2. Accept the warning.
  3. Search for media.peerconnection.enabled.
  4. Set to false.

This kills WebRTC entirely — calls and peer connections won't work anymore. If you need WebRTC for some sites, install an extension like Disable WebRTC that toggles it on demand.

Safari

Safari's WebRTC implementation is less leaky by default — recent versions don't expose your real public IP to web pages without explicit user permission (typically through an "allow microphone/camera access" prompt). If you don't grant those permissions, the leak surface is narrow.

For extra protection: Develop menu → Experimental Features → disable WebRTC features. Note this affects many video-call sites.

Mobile browsers

iOS Safari and Chrome on iOS follow Safari's stricter model (Apple controls the rendering engine). Less leak surface by default.

Android Chrome behaves like desktop Chrome, but our Android VPN service captures all UDP traffic, including STUN, so even if WebRTC tries to leak, the packets are tunneled.

What's the actual risk?

For most people: low to moderate. A WebRTC leak exposes your real public IP to whatever site you're visiting. That tells the site:

  • Your real ISP and approximate city (via IP geolocation).
  • That you're using a VPN (because the HTTP IP and WebRTC IP differ).
  • Who you are across visits, for targeted-ad re-identification, if the site can correlate the leaked IP with prior visits.

For sensitive use cases (journalists, dissidents, researchers handling private data, anyone who depends on IP-level anonymity for safety), the risk is high — the entire reason for using a VPN is undermined by the leak.

For routine privacy use, it's mostly an annoyance. Sites can identify you despite the VPN, but the underlying activity (page content, account behavior, etc.) is still encrypted.

🎪 FAQ

How do I know if my browser leaks via WebRTC?
Visit browserleaks.com/webrtc with your VPN connected. The page shows the IPs WebRTC reveals. If you see your real public IP listed under 'Public IP Address' instead of the VPN server's IP — you have a WebRTC leak. Note: 'Local IP' (like 192.168.1.x) is usually private-network and not a meaningful leak; the public one is the concern.

Why doesn't a VPN fix WebRTC leaks automatically?
Because WebRTC is a browser-level feature that calls operating system APIs to enumerate network interfaces. It can ask 'what IPs does this device have?' and get answers that include your real public IP — which the browser then offers to peers. The VPN can't intercept the API calls inside the browser itself; the leak happens inside the application.

Will disabling WebRTC break anything?
It will break video calling features that rely on it: Discord voice/video in browser, Google Meet in browser, WhatsApp Web video calls, some peer-to-peer file sharing tools (e.g., Snapdrop), and a few games. Most other browsing is unaffected. If you need WebRTC for some apps but not others, use a browser extension that toggles it per-site.

Does ClownVPN's Android app have a WebRTC leak risk?
Less of one. WebRTC leaks are primarily a desktop browser issue, where browsers run with broad network access. On Android, our VPN service captures all UDP traffic including the STUN packets WebRTC tries to send, which prevents the leak from reaching outside the tunnel. Mobile browsers do still have the API, but the traffic routing constrains where leaked IPs can actually be sent.

Is WebRTC a security flaw or working as intended?
It's working as intended for its use case — WebRTC needs to learn your IP to set up peer-to-peer calls without going through a relay server (which costs the application provider money). The 'leak' is a side effect of how STUN works for NAT traversal. The W3C is aware of this and has discussed mitigations, but the protocol's design fundamentally requires IP discovery for direct peer connections.
