whatsmy.fyiYour digital footprint
What Is a WebRTC Leak and Does Your VPN Protect You?
Privacy & Security

What Is a WebRTC Leak and Does Your VPN Protect You?

A WebRTC leak exposes your real IP address even when you're using a VPN. Learn how WebRTC leaks work, how to test for them, and how to fix them.

6 min readΒ·

A WebRTC leak occurs when your browser reveals your real IP address through the WebRTC protocol, even if you are using a VPN. It is one of the most common privacy vulnerabilities for VPN users. You can test for a WebRTC leak right now on whatsmy.fyi β€” the result appears instantly.

What Is WebRTC?

WebRTC (Web Real-Time Communication) is an open standard and browser API that enables peer-to-peer audio, video, and data sharing directly in the browser β€” without plugins. It powers video calling in Google Meet, browser-based VoIP, file sharing tools, and online gaming.

For two browsers to communicate directly, they need to discover each other's IP addresses. WebRTC uses a protocol called ICE (Interactive Connectivity Establishment) to gather a list of "candidates" β€” possible network addresses β€” and these candidates include your real IP address.

How Does a WebRTC Leak Happen?

When a website triggers a WebRTC connection (even a dummy one), the browser's ICE process enumerates all available network interfaces: your VPN's tunnel address, your local network address, and critically, your real public IP address. This enumeration happens outside the normal HTTP request flow.

Most VPNs route HTTP traffic through the VPN tunnel β€” so your HTTP requests appear to come from the VPN server's IP. But WebRTC's ICE gathering bypasses this routing and queries the operating system's network stack directly. If the VPN does not specifically block WebRTC IP gathering, your real IP leaks.

A website can use a few lines of JavaScript to trigger WebRTC ICE gathering, receive the candidate list, and extract your real IP β€” all silently, without any visible indication to you.

What Does a WebRTC Leak Reveal?

A WebRTC leak can expose:

  • Your real public IP address: The IP assigned by your actual ISP, not the VPN server. This defeats the purpose of using a VPN for anonymity.
  • Your local (private) IP address: Your 192.168.x.x or 10.x.x.x address. This is less dangerous but can still be used in fingerprinting.
  • IPv6 address: If you have IPv6 connectivity and your VPN does not tunnel IPv6, your IPv6 address (which is typically unique to your device) may be exposed.

How to Test for a WebRTC Leak

The simplest test:

  1. Connect to your VPN and verify it is active (the VPN app shows connected).
  2. Visit whatsmy.fyi.
  3. Check the WebRTC Leak Test card. If it shows your VPN server's IP or "No WebRTC leak", you are safe. If it shows your real home ISP's IP, you have a leak.

You can also cross-reference: the IP shown at the top of whatsmy.fyi should match the IP in the WebRTC card if your VPN is working correctly.

How to Fix a WebRTC Leak

There are several approaches, depending on your setup:

  • Use a VPN that blocks WebRTC: Quality VPN providers (Mullvad, ProtonVPN, ExpressVPN) configure their clients to prevent WebRTC from leaking. Check your VPN's documentation for a "WebRTC leak protection" or "DNS leak protection" setting.
  • Disable WebRTC in Firefox: Navigate to about:config, search for media.peerconnection.enabled, and set it to false. This completely disables WebRTC, which may break video calling apps.
  • Use a browser extension: Extensions like "WebRTC Leak Prevent" or "uBlock Origin" (with WebRTC blocking enabled) can prevent leaks in Chrome and Firefox.
  • Use the Tor Browser: Tor Browser disables WebRTC by default.

Note: you cannot fix a WebRTC leak in Chrome without an extension or VPN-level fix. Chrome does not expose a setting to disable WebRTC through the UI.

WebRTC Leaks and Privacy Score

whatsmy.fyi's Privacy Score takes WebRTC leak status into account. A detected WebRTC leak immediately drops your score to C or D, depending on your TLS version. Fixing the leak and re-running the test will update your score.

Frequently Asked Questions

Does every VPN have WebRTC leaks?

No. Well-configured VPNs block WebRTC IP gathering. However, lower-quality or misconfigured VPNs often do not. Always test your VPN with a WebRTC leak test after connecting.

Can a WebRTC leak happen in incognito mode?

Yes. Incognito/private browsing mode does not affect WebRTC behaviour. Your real IP can still be leaked through WebRTC in private mode.

Does disabling WebRTC break websites?

It breaks browser-based video calling (Google Meet, Jitsi, Discord web) and any app that relies on peer-to-peer connections in the browser. If you use these services, a VPN with WebRTC protection is a better solution than disabling WebRTC entirely.

References

  1. [1]W3C: WebRTC 1.0 Specification
  2. [2]MDN: WebRTC API
  3. [3]RFC 8829 β€” JavaScript Session Establishment Protocol (JSEP)
  4. [4]Wikipedia: WebRTC
  5. [5]Cloudflare: WebRTC leak test

Check your IP address, location, and privacy score β€” instantly.

Zero logs. Zero tracking. Zero external APIs.

Run the check now β†’

Related articles

What Is a DNS Leak and How Does It Expose You?
Privacy & Security

What Is a DNS Leak and How Does It Expose You?

A DNS leak occurs when your DNS queries bypass your VPN, revealing your browsing activity to your ISP. Learn how DNS leaks happen and how to prevent them.

6 min read

How to Check If Your VPN Is Working (3 Tests)
Privacy & Security

How to Check If Your VPN Is Working (3 Tests)

Not sure if your VPN is actually protecting you? Learn three tests to verify your VPN is working correctly β€” including IP, WebRTC, and DNS leak checks.

6 min read

How to Hide Your IP Address: VPN, Tor, and Proxies Explained
Privacy & Security

How to Hide Your IP Address: VPN, Tor, and Proxies Explained

Learn the most effective ways to hide your IP address, including VPNs, Tor, and proxy servers β€” and the trade-offs between them.

7 min read

← Back to Blog
What Is a WebRTC Leak and Does Your VPN Protect You? | whatsmy.fyi