WebRTC Leaks: The VPN Hole Nobody Warns You About

By Kunal Khatri · Mar 7, 2026

WebRTC is the browser technology that powers video calls, voice chat, and peer-to-peer file transfers in the browser. It's useful. It's also built with a feature that communicates directly with STUN servers to discover your public IP address — and that STUN request can bypass the VPN tunnel, exposing your real IP to any JavaScript code that asks for it.

How the Leak Works

When a website uses WebRTC, the browser makes a STUN (Session Traversal Utilities for NAT) request to discover the public IP address of the client — necessary for establishing peer-to-peer connections through NAT. The browser sends this request outside the VPN tunnel, using the underlying network interface directly. The STUN server response reveals your real public IP.

This means a website running a few lines of JavaScript can call a WebRTC function, make a STUN request to a server it controls, and read your real IP address — regardless of whether you're using a VPN. The VPN encrypts your other traffic. The WebRTC STUN request bypasses it entirely.

Who This Affects

Firefox, Chrome, Opera, and other Chromium-based browsers all implement WebRTC. Safari has a more restricted implementation that's less prone to this leak. If you're using a VPN and browsing with Chrome or Firefox without WebRTC protection, the leak is probably active. Not every site exploits it, but the capability is there for any site to use.

Actually, scratch that — even if no site is currently using it against you, the leak means your VPN's core privacy promise is compromised. That should matter regardless of whether the specific mechanism is being actively exploited.

How to Fix It

In Firefox: set media.peerconnection.enabled to false in about:config. This disables WebRTC entirely and fixes the leak. The downside is that browser-based video calls and some peer-to-peer applications stop working.

Browser extensions like uBlock Origin can block WebRTC leaks specifically without disabling WebRTC entirely. The VPN client itself should ideally handle this — quality VPN clients block WebRTC requests at the system level. Check your VPN's settings for a WebRTC leak prevention option, then verify it's working with a WebRTC leak test.
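
What a WebRTC leak test evaluates, shown as an added example (not code from this article or from any VPN vendor): it parses the ICE candidate strings your browser reports through RTCPeerConnection's icecandidate event and flags any public address that is not the VPN exit IP. The sample candidates and the exit IP are constructed from documentation address ranges, and the function names are illustrative.

```javascript
// Added example: evaluate ICE candidates collected during a WebRTC leak self-test.
// Addresses are constructed (RFC 5737 documentation ranges); names are illustrative.
function classifyAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith(".local")) return "mdns"; // mDNS-obfuscated host candidate
  if (a.includes(":")) { // IPv6: loopback, link-local fe80::/10, unique-local fc00::/7
    const local = a === "::1" || /^fe[89ab][0-9a-f]:/.test(a) || /^f[cd][0-9a-f]{2}:/.test(a);
    return local ? "private" : "public";
  }
  const [o1, o2] = a.split(".").map(Number);
  if (o1 === 10 || o1 === 127) return "private";
  if (o1 === 172 && o2 >= 16 && o2 <= 31) return "private";
  if ((o1 === 192 && o2 === 168) || (o1 === 169 && o2 === 254)) return "private";
  if (o1 === 100 && o2 >= 64 && o2 <= 127) return "private"; // CGNAT range 100.64.0.0/10
  return "public";
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const t = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!t[0].startsWith("candidate:") || t[6] !== "typ" || t.length < 8) return null;
  const cand = { address: t[4], type: t[7] };
  const r = t.indexOf("raddr");
  if (r !== -1 && t[r + 1]) cand.relatedAddress = t[r + 1];
  return cand;
}

// A leak is any public address, direct or related, that is not the VPN exit IP.
function findLeaks(lines, vpnExitIp) {
  const leaks = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress]) {
      if (!addr || addr === "0.0.0.0") continue; // browsers may blank the related address
      if (classifyAddress(addr) === "public" && addr !== vpnExitIp) {
        leaks.push({ address: addr, type: c.type });
      }
    }
  }
  return leaks;
}

const SAMPLE_CANDIDATES = [ // constructed; the last line is the leaking one
  "candidate:1 1 udp 2113937151 a1b2c3d4-0000-4000-8000-123456789abc.local 51000 typ host",
  "candidate:2 1 udp 2113937151 10.8.0.2 51001 typ host",
  "candidate:3 1 udp 1677729535 198.51.100.7 51001 typ srflx raddr 10.8.0.2 rport 51001",
  "candidate:4 1 udp 1677729535 203.0.113.45 51002 typ srflx raddr 192.168.1.23 rport 51002",
];
console.log(findLeaks(SAMPLE_CANDIDATES, "198.51.100.7"));
```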
