
WebRTC Leak: What It Is and How to Prevent It (2026)


WebRTC (Web Real-Time Communication) is a browser feature that enables video calls, voice calls, and P2P file sharing directly in the browser. Its design can expose your real IP address even when connected to a VPN — this is called a WebRTC leak. It's not a VPN bug; it's a browser-level exposure that a VPN can't prevent without browser-side changes.

Why WebRTC leaks your IP

WebRTC uses ICE (Interactive Connectivity Establishment) to find the best path for a direct connection. As part of this process, it gathers the addresses of all network interfaces on your device, including your real public IP, local IP, and any VPNs. The browser provides this information to websites using WebRTC. Even with a VPN active, WebRTC can report your pre-VPN (real) IP address to any site that requests it via JavaScript.

WebRTC IP leaks can be triggered by any website — not just video call sites. A single line of JavaScript is enough to read all ICE candidates including your real IP.

How to test for a WebRTC leak

  • Connect to your VPN
  • Open your browser while connected to your VPN and search 'WebRTC leak test'
  • Look for your public IP address in the 'WebRTC detected IP addresses' section
  • If you see your real home IP (not the VPN IP): you have a WebRTC leak
  • Local IPs (192.168.x.x, 10.x.x.x) in the list are normal and not a privacy risk
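The last three steps can be checked mechanically. The JavaScript below is an added example, not code from this page or from any leak-test site: it parses ICE candidate lines in the standard 'candidate:' format and flags any public address that is not the VPN's. It goes slightly beyond the list above by also recognising the '.local' mDNS names that current browsers often show in place of local IPs. The function names, SAMPLE and SAMPLE_VPN_IP are assumptions made for illustration, and every address is constructed.

```javascript
// Added example: classify the addresses a WebRTC leak test lists.
// Every address here is constructed (RFC 1918 / RFC 5737 ranges).
const LOCAL_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^127\./, /^169\.254\./];

// Decide what one candidate address reveals, given the VPN exit IP.
function classifyAddress(addr, vpnIp) {
  if (addr.endsWith('.local')) return 'mdns'; // browser-obfuscated host candidate
  if (addr === vpnIp) return 'vpn';           // compared as written, not normalised
  if (addr.includes(':')) {
    // IPv6: fc00::/7 unique-local, fe80::/10 link-local, ::1 loopback
    return /^(f[cd]|fe[89ab])/.test(addr) || addr === '::1' ? 'local' : 'public';
  }
  return LOCAL_V4.some((re) => re.test(addr)) ? 'local' : 'public';
}

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (f.length < 8 || !f[0].startsWith('candidate:') || f[6] !== 'typ') return null;
  return { transport: f[2].toLowerCase(), address: f[4].toLowerCase(), type: f[7] };
}

// A leak is any public address that is not the VPN's; local and mDNS entries are expected.
function auditCandidates(lines, vpnIp) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c) seen.set(c.address, classifyAddress(c.address, vpnIp.toLowerCase()));
  }
  const leaked = [...seen].filter(([, kind]) => kind === 'public').map(([addr]) => addr);
  return { addresses: Object.fromEntries(seen), leaked, leak: leaked.length > 0 };
}

// Constructed sample: what a leak-test page might list while the VPN is up.
const SAMPLE_VPN_IP = '198.51.100.20';
const SAMPLE = [
  'candidate:1 1 udp 2113937151 3f2a9c1e-7b4d-4e0a-9c55-0d1e2f3a4b5c.local 54321 typ host',
  'candidate:2 1 udp 2113939711 192.168.1.23 54322 typ host',
  'candidate:3 1 udp 1677729535 198.51.100.20 40001 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 1677729535 203.0.113.77 40002 typ srflx raddr 0.0.0.0 rport 0',
];

console.log(auditCandidates(SAMPLE, SAMPLE_VPN_IP));
```

With the sample input, only the fourth entry is reported as leaked; the first three are the mDNS name, a local IP, and the VPN IP itself.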

How to fix WebRTC leaks

  • Firefox: Type 'about:config' in address bar → search 'media.peerconnection.enabled' → set to 'false'. This disables WebRTC entirely.
  • Chrome/Chromium: Install 'WebRTC Control' or 'uBlock Origin' extension. In uBlock Origin: Settings → Privacy → Prevent WebRTC from leaking local IP addresses.
  • Brave: Settings → Privacy and security → WebRTC IP handling policy → select 'Disable non-proxied UDP'
  • Safari: WebRTC leak protection is built in on iOS. Desktop Safari has limited WebRTC implementation with lower exposure.
  • VPN apps: Some VPN apps (ExpressVPN, NordVPN) handle WebRTC leak prevention at the app level on mobile.

The trade-off: disabling WebRTC

Fully disabling WebRTC breaks video calling in browsers — Google Meet, Jitsi, Discord web, and other WebRTC-based services will stop working. Options:

  • For maximum privacy: Disable WebRTC. Use native apps for video calls instead of browser.
  • For balance: Use a browser extension that restricts WebRTC to only expose the VPN IP (not the real IP) — uBlock Origin does this.
  • For convenience: Accept the trade-off and use WebRTC; most privacy scenarios are unaffected by IP exposure to sites you visit.

Frequently asked questions

Do VPN apps prevent WebRTC leaks?

Not automatically. WebRTC is a browser feature, not a network feature. A VPN encrypts your traffic, but the browser still exposes IPs via WebRTC APIs. Some VPN browser extensions (from NordVPN, ExpressVPN, etc.) handle WebRTC leak prevention. The VPN desktop app alone cannot prevent browser-level WebRTC leaks.

Is a WebRTC leak dangerous?

For most users, no. WebRTC leaks expose your real IP address to websites that request it via JavaScript. If you're using a VPN specifically to hide your IP from websites (say, for geo-restriction bypass or privacy from sites), a WebRTC leak undermines that. For ISP-level privacy, WebRTC is less relevant.

Does Tor Browser have WebRTC leaks?

No. Tor Browser disables WebRTC entirely by default, preventing any IP leaks through this vector. It also blocks most other fingerprinting techniques.
