Back to Blog
VPN

WebRTC Leaks: The VPN Hole Nobody Warns You About

By Kunal KhatriMar 7, 2026
WebRTC Leaks: The VPN Hole Nobody Warns You About

WebRTC is the browser technology that powers video calls, voice chat, and peer-to-peer file transfers in the browser. It's useful. It's also built with a feature that communicates directly with STUN servers to discover your public IP address — and that STUN request can bypass the VPN tunnel, exposing your real IP to any JavaScript code that asks for it.

How the Leak Works

When a website uses WebRTC, the browser makes a STUN (Session Traversal Utilities for NAT) request to discover the public IP address of the client — necessary for establishing peer-to-peer connections through NAT. The browser sends this request outside the VPN tunnel, using the underlying network interface directly. The STUN server response reveals your real public IP.

This means a website running a few lines of JavaScript can call a WebRTC function, make a STUN request to a server it controls, and read your real IP address — regardless of whether you're using a VPN. The VPN encrypts your other traffic. The WebRTC STUN request bypasses it entirely.

Who This Affects

Chrome, Firefox, Opera, and other Chromium-based browsers all implement WebRTC. Safari has a more restricted implementation that's less prone to this leak. If you're using a VPN and browsing with Chrome or Firefox without WebRTC protection, the leak is probably active. Not every site exploits it, but the capability is there for any site to use.

But even so — even if no site is currently using it against you, the leak means your VPN's core privacy promise is compromised. That should matter regardless of whether the specific mechanism is being actively exploited.

How to Fix It

In Firefox: set media.peerconnection.enabled to false in about:config. This disables WebRTC entirely and fixes the leak. The downside is that browser-based video calls and some peer-to-peer applications stop working.

Browser extensions like uBlock Origin can block WebRTC leaks specifically without disabling WebRTC entirely. The VPN client itself should ideally handle this — quality VPN clients block WebRTC requests at the system level. Check your VPN's settings for a WebRTC leak prevention option, then verify it's working with a WebRTC leak test.

Testing for the Leak Yourself

Testing is straightforward. Connect to your VPN and navigate to a WebRTC leak test site while the VPN is active. If your real IP (or your network's real public IP) appears under the local or remote candidate fields, you have a WebRTC leak. The test works by running the actual STUN discovery code and checking what IP addresses the browser's WebRTC stack reports.

Run the test in each browser you use — the leak depends on how each browser implements WebRTC and whether the VPN client or extension is controlling it. A fix applied in Firefox doesn't help if you also use Chrome without the same protection. Some operating systems also have VPN split-tunnel configurations that route STUN requests outside the tunnel by policy — in that case, fixing the browser-level leak doesn't solve the OS-level routing issue. Test everything separately.

Test for WebRTC and DNS Leaks

Check whether your VPN is leaking your real IP through WebRTC or DNS.

Run Leak Test
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: