What Is a WebRTC Leak?
A WebRTC leak is a browser-level flaw that can reveal your real IP address even while a VPN is connected. WebRTC (Web Real-Time Communication) is a feature built into browsers to enable video calls and peer-to-peer connections directly — but to do so it can query your real IP address and expose it to websites through JavaScript, bypassing the VPN tunnel. The result: a site can see your true IP despite the VPN, undermining the location privacy you connected for.
Why WebRTC leaks happen
WebRTC needs to know devices' real IP addresses to establish efficient peer-to-peer connections for video and voice calls. To do this, it uses a mechanism (STUN requests) that can discover and expose your real local and public IP addresses directly through the browser — and crucially, this can happen outside the VPN tunnel, because it operates at the browser level rather than the OS network level.
This means you can have a perfectly working VPN — IP changed, no DNS leak — and still leak your real IP to any website running a few lines of WebRTC JavaScript. It's one of the most common ways VPN users are unknowingly exposed, and it affects Chrome, Firefox, Edge, and other WebRTC-enabled browsers.
How to test for a WebRTC leak
Connect your VPN, then visit a WebRTC leak test page (most VPN providers host one, as do sites like browserleaks.com). The test runs the same WebRTC queries a malicious site would. If the IP shown matches your VPN server's IP, you're protected; if it shows your real IP (or your real city/ISP), you have a WebRTC leak.
Test in each browser you use, since WebRTC behavior and protection differ between Chrome, Firefox, Safari, and Edge. A VPN can pass a DNS-leak test but still fail a WebRTC test, so check both.
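The check a leak test page performs can be reproduced as a self-test. The following is an added example, not code from this article or from any VPN provider: it parses the ICE candidate lines a browser reports and flags any public address that is not the VPN server's IP. The function names, the stunUrl and vpnExitIp parameters, and the sample candidates are assumptions made for illustration.

```javascript
// Added example; candidate lines and IPs below are constructed (RFC 1918 / RFC 5737).
const PRIVATE_V4 = /^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
const PRIVATE_V6 = /^(::1$|fe[89ab][0-9a-f]:|f[cd][0-9a-f]{2}:)/i;

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  return { address: f[4], type: f[7] };
}

function classifyAddress(address) {
  if (address.endsWith(".local")) return "mdns"; // obfuscated hostname, no IP revealed
  const re = address.includes(":") ? PRIVATE_V6 : PRIVATE_V4;
  return re.test(address) ? "private" : "public";
}

// A public address other than the VPN exit IP is a leak; LAN addresses are listed separately.
function assessLeak(candidateLines, vpnExitIp) {
  const seen = candidateLines.map(parseCandidate).filter(Boolean)
    .map(c => ({ ...c, scope: classifyAddress(c.address) }));
  const pick = test => [...new Set(seen.filter(test).map(c => c.address))];
  return {
    leaked: pick(c => c.scope === "public" && c.address !== vpnExitIp),
    localExposed: pick(c => c.scope === "private"),
  };
}

// Browser only. stunUrl is an assumption: use a STUN server you run or trust.
async function gatherCandidates(stunUrl, timeoutMs = 3000) {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.createDataChannel("leak-test"); // gives ICE something to gather for
  const done = new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
    setTimeout(resolve, timeoutMs);
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}

const SAMPLE = [ // constructed
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e8a-9c0f-1a2b3c4d5e6f.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 1686052351 198.51.100.7 54323 typ srflx raddr 10.8.0.2 rport 54323",
];
```

In a browser, pass the result of gatherCandidates() to assessLeak() together with the server IP your VPN app reports. An empty leaked list with the VPN connected is the passing result.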
How to stop WebRTC leaks
The cleanest fix is a VPN with built-in WebRTC leak protection in its browser extension — ExpressVPN, NordVPN, and Surfshark all include this, and all passed our WebRTC leak tests. Their extensions disable or sandbox the WebRTC IP discovery so your real address never reaches the page.
You can also disable WebRTC manually: in Firefox, set media.peerconnection.enabled to false in about:config; in Chrome/Edge, use a reputable WebRTC-blocking extension (the browsers don't offer a native toggle). The trade-off is that disabling WebRTC breaks browser-based video calls (Google Meet, some web apps), so a VPN that handles it selectively is usually the better solution.
Frequently Asked Questions
Can a website see my real IP even with a VPN on?
Yes — through a WebRTC leak. WebRTC is a browser feature for video calls that can query and expose your real IP via JavaScript, outside the VPN tunnel. So even with a working VPN (IP changed, no DNS leak), a site can discover your true IP unless WebRTC leak protection is in place. It's a common and easily overlooked exposure.
How do I check for a WebRTC leak?
Connect your VPN and visit a WebRTC leak test page (most VPN providers host one, or use browserleaks.com). If it shows your VPN server's IP, you're protected; if it reveals your real IP or location, you have a leak. Test in every browser you use, since WebRTC protection varies between Chrome, Firefox, Safari, and Edge.
How do I stop WebRTC leaks?
Easiest: use a VPN with WebRTC leak protection in its browser extension — ExpressVPN, NordVPN, and Surfshark all include it and passed our tests. Alternatively, disable WebRTC manually (in Firefox via about:config, in Chrome via a blocking extension), though that breaks browser-based video calls like Google Meet.
Which browsers are affected by WebRTC leaks?
All WebRTC-enabled browsers can leak — Chrome, Firefox, Edge, Opera, and Brave. Safari's implementation is more restrictive but not immune. Because behavior differs by browser, you should run a WebRTC leak test in each browser you use with your VPN rather than assuming one result covers all.