WebRTC Leaks: The Hidden Threat to Your VPN Privacy
Learn how WebRTC can expose your real IP address even when connected to a VPN, and how to test for and prevent these leaks.
What Is WebRTC?
WebRTC (Web Real-Time Communication) is a technology built into modern web browsers that enables direct peer-to-peer communication. It powers video calls, voice chat, file sharing, and screen sharing directly in the browser — no plugins or additional software required. Services like Google Meet, Discord, and many other communication platforms rely on WebRTC.
For WebRTC to establish a direct connection between two users, it needs to discover all available network paths. This is where the privacy problem begins. As part of this discovery process, WebRTC queries your device’s network interfaces and uses a protocol called ICE (Interactive Connectivity Establishment) to gather a list of candidate IP addresses. This list can include your real local and public IP addresses — even when you are connected to a VPN.
How WebRTC Leaks Your Real IP
When you use a VPN, your web traffic is routed through the VPN tunnel and websites see your VPN server’s IP address instead of your own. But WebRTC operates differently from regular web traffic. It makes requests through a mechanism that can bypass the VPN tunnel entirely.
Specifically, WebRTC sends STUN (Session Traversal Utilities for NAT) requests to discover your public IP address. These STUN requests can bypass your VPN’s proxy settings and reveal:
- Your real public IP address — The IP assigned by your ISP, which can be used to determine your actual location.
- Your local network IP address — Internal addresses like 192.168.x.x or 10.x.x.x, which reveal information about your network configuration.
- Your IPv6 address — If your network supports IPv6, this can be leaked even when your VPN only handles IPv4.
This happens silently in the background. Any website can run JavaScript that triggers WebRTC’s ICE candidate gathering and read the results. You will see no permission prompt, no notification, and no indication that your real IP has been exposed.
Which Browsers Are Affected?
WebRTC is enabled by default in all major browsers:
- Google Chrome — WebRTC is deeply integrated and cannot be fully disabled through settings alone.
- Mozilla Firefox — WebRTC is enabled by default but can be disabled through about:config.
- Microsoft Edge — Based on Chromium, so it shares the same WebRTC behavior as Chrome.
- Safari — WebRTC is supported but has more restrictive default behavior. Leaks are less common but still possible.
- Opera and Brave — Both are Chromium-based and affected. Brave includes some built-in WebRTC leak mitigation.
Mobile browsers on both Android and iOS are also affected. If you use a VPN on your phone, WebRTC leaks are just as much of a concern.
How to Test for WebRTC Leaks
Testing is simple. Connect to your VPN and then use our WebRTC Leak Test tool. The test will attempt to gather ICE candidates from your browser and report any IP addresses it discovers.
If the test reveals an IP address that does not belong to your VPN provider — especially if it matches your ISP-assigned IP — you have a WebRTC leak.
You should run this test:
- After first setting up your VPN
- After browser updates (which can reset privacy settings)
- After installing new browser extensions
- When switching between different VPN servers or protocols
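The check a leak test performs on the gathered ICE candidates can be sketched as follows. This is an added example, not OxidVPN's code: the function names, the sample candidate lines and the VPN address are constructed for illustration, and it assumes you already know which address your VPN should present.

```javascript
// Constructed sample candidate lines (documentation and private address ranges).
// In a browser these strings come from RTCIceCandidate.candidate.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host",
  "candidate:2 1 udp 2122194687 3f2b9c1e-7a41-4d0e-9b1c-5e6f7a8b9c0d.local 51001 typ host",
  "candidate:3 1 udp 1686052607 198.51.100.20 51000 typ srflx raddr 192.168.1.23 rport 51000",
  "candidate:4 1 udp 1685987071 203.0.113.7 51002 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:5 1 udp 2122129151 2001:db8:1::5 51003 typ host",
];

// Parse "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ..."
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), port: Number(f[5]), type: f[7] };
}

// Bucket an address: mDNS name, private/link-local, or publicly routable.
function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns"; // obfuscated host candidate, no IP revealed
  if (addr.includes(":")) {
    // fe80::/10 link-local and fc00::/7 unique-local are not globally routable
    return /^(fe[89ab][0-9a-f]|f[cd][0-9a-f]{2}):/.test(addr) ? "private" : "public";
  }
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  const priv = o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) || (o[0] === 169 && o[1] === 254);
  return priv ? "private" : "public";
}

// vpnAddresses: the addresses you expect sites to see (assumed known to the tester).
function findLeaks(lines, vpnAddresses) {
  const vpn = new Set(vpnAddresses.map((a) => a.toLowerCase()));
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // not a candidate line
    const kind = classifyAddress(c.address);
    let verdict = "ok";
    if (kind === "public" && !vpn.has(c.address)) verdict = "public-ip-leak";
    else if (kind === "private") verdict = "local-ip-exposed";
    findings.push({ address: c.address, type: c.type, kind, verdict });
  }
  return findings;
}

console.log(findLeaks(SAMPLE_CANDIDATES, ["203.0.113.7"]));
```

Addresses are compared as strings, so an IPv6 VPN address must be supplied in the same textual form the browser reports.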
How to Disable or Mitigate WebRTC Leaks
Firefox
Firefox offers the most straightforward fix. Navigate to about:config in the address bar, search for media.peerconnection.enabled, and set it to false. This disables WebRTC entirely, which will prevent browser-based video calls from working.
Chrome and Chromium-based browsers
Chrome does not offer a built-in setting to disable WebRTC. Your options are:
- Install a browser extension like “WebRTC Leak Prevent” or “uBlock Origin” (which includes WebRTC leak prevention settings).
- Use a VPN client that includes WebRTC leak protection at the system level.
Safari
Go to Preferences > Advanced, enable the Developer menu, then under the Develop menu, look for WebRTC-related options. Safari’s implementation is more restricted by default, but checking is still worthwhile.
System-level protection
The most reliable approach is to use a VPN client that prevents WebRTC leaks at the network level rather than relying on browser-level fixes. This works across all browsers and applications without needing per-browser configuration.
How OxidVPN Handles WebRTC Leaks
OxidVPN provides WebRTC leak protection at the system level. Our client configures your network stack so that WebRTC’s ICE candidate gathering only discovers the VPN tunnel’s IP address. This means:
- No browser extensions required — Protection works across all browsers automatically.
- No functionality lost — Video calls and other WebRTC-dependent features continue working normally, but they route through the VPN tunnel.
- Consistent protection — Browser updates and setting resets do not affect the protection because it operates below the browser layer.
Our approach ensures that even if a website aggressively probes for your real IP through WebRTC, it will only ever see your OxidVPN server address.
Take Action
WebRTC leaks are one of the most common ways VPN users unknowingly expose their real IP addresses. The fix is straightforward, but you need to know the problem exists first.
Start by running a WebRTC leak test to check your current setup. If you want a solution that handles WebRTC leaks automatically and reliably, OxidVPN’s system-level protection ensures your real IP stays hidden — no manual browser tweaks required.