WebRTC (Web Real-Time Communication) is the browser technology that powers video calls, voice chat, and peer-to-peer file sharing directly in your browser, without needing a separate app or plugin. Google Meet, Discord in-browser, file transfer tools, and basically anything that connects to other devices — all of them depend on it.
It sounds excellent, and it is, but for a long period, your VPN was probably interacting with it completely wrong and leaking your IP address without alerting you. You wouldn’t really get a warning or notification, but your carefully planned privacy plan could be undone just because of a network interface issue.
So, it’s time to make sure this browser API isn’t doing you dirty and leaking your data without you knowing, and whether you’re secretly telling everyone your business.
I didn’t know my ISP could see every website I visit until I checked this setting
Your ISP sees more than you think.
Why WebRTC causes problems with VPNs
A leaky VPN is no good
Basically, to establish a connection between devices, WebRTC needs to know about the network interfaces available. It’s figuring out how the two devices should communicate in a process called ICE candidate gathering.
WebRTC makes those requests directly to your operating system, bypassing the VPN tunnel entirely. While this sounds like a misconfiguration, it’s actually how the protocol was designed. It skips out your VPN connection and directly opens the application layer… skipping the network layer where your VPN is active.
It’s this gap that can cause WebRTC to leak your real IP address.
For most folks browsing Netflix in a different region, this is a small problem that could cause a disconnection. But in those cases where you’re using a VPN to protect your privacy and identity, even small slip-ups can cause huge problems.
The WebRTC leak would also expose a range of data. So, WebRTC ICE candidate gathering could reveal your real public IP address, your local network IP address, and your IPv6 address, if you have one. The latter is most interesting because IPv6 addresses typically aren’t shared in the same way as IPv4 addresses (as there are billions more IPv6 addresses), which means they’re more easily tied to a specific device or location.
Modern web browsers and VPN clients have largely fixed this
But it’s worth checking!
Now, obviously, most VPNs and browsers have realized that leaking your IP address like this wasn’t ideal. That’s why this problem has mostly been addressed across all major browsers, with varying levels of protection, and some handy extensions if you want more protection.
The easiest option is to just test it out yourself with a WebRTC leak test. There are several options available to you here; Browser Leaks and Surfshark are the easiest options.
Head over to Browser Leaks and check out your IP address. Then enable your VPN, run the same test, and check the WebRTC Leak Test field to see if you’re still secure.
For example, some browsers, like Brave and Firefox, give you the option to completely disable WebRTC, while others, like Safari, restrict how WebRTC works. But others, like Chrome and Edge, don’t provide a specific toggle or flag to work with, which is why you need a browser extension to stop your IP address from being leaked (check them out in the next section).
I was actually surprised when I ran the tests, because it backed up other information I’d read online. Namely, that the tests aren’t always the most accurate, either.
So, I tested using Browser Leaks, Surfshark, and ExpressVPN’s WebRTC leak test tools. In each case, my actual IP address was logged without a VPN, as you’d expect. But then, in each case, enabling my VPN still flagged up as a leaked IP address, but it was most definitely leaking the VPN server I was connected to.
Also note that this is a per-browser issue. If you fix the problem in Firefox, that doesn’t make Brave okay.
So, what’s the real answer? How do I stop leaking my IP address?
Pick your browser and its features carefully
So, remember when I said some browsers deal with this better than others? This is where you have to pick and choose what you value.
|
Browser |
Protection |
How to fix it |
Notes |
|---|---|---|---|
|
Brave |
Built-in |
Go to |
May be turned on by default, but worth verifying. |
|
Firefox |
Native toggle |
Go to |
Fully disabling breaks Google Meet, Discord browser calls, and Zoom web client. Browser updates can silently reset |
|
Chrome and Edge |
Extension only |
Install WebRTC Leak Prevent and set the policy to Disable non-proxied UDP. Alternatively, try Google’s WebRTC Limiter and use the extension options to configure |
WebRTC Leak Prevent has a similar outcome to Brave, while Google’s WebRTC Limiter offers more fine-grained options |
|
Safari |
Restricted by default |
No action required for most users. Optional: enable developer tools via Settings > Advanced > then Develop menu > WebRTC > uncheck Enable Legacy WebRTC API. |
Restricts IP enumeration by default. Granting a site mic or camera access does expose your IP, which is unavoidable for video call sites on any browser. |
These changes don’t take long, but make sure that your IP address isn’t being leaked.
You’re probably fine, but this is worth checking
Before writing this article, I read an article with a stat that I haven’t included in the copy. It suggested that 23 percent of all VPNs suffer from WebRTC leaks, a stat that I simply haven’t been able to back up or confirm.
But the stat is what got me thinking about WebRTC leaks to begin with, and has led to double-checking my own privacy settings when I use a VPN. As I found out, “probably okay” doesn’t always cut the mustard, even if the likelihood is that my IP address wasn’t being leaked.
As I found, the check takes 30 seconds, and the fixes take just another minute or two to configure, so why not check now?
