WebRTC Leak Test
This test checks whether WebRTC — the real-time communication engine built into every modern browser — is exposing your real IP address, even while a VPN is connected. Click Run test: if WebRTC hands out a public IP that differs from your browsing IP, you have a leak, and the verdict below tells you exactly how to fix it.
WebRTC leak test
Ready when you are
The test runs entirely in your browser: we ask WebRTC for its ICE candidates and check whether any of them expose an IP address your VPN should be hiding. Nothing is stored.
Detecting…
The address regular page requests come from
Run the test to find out
What STUN reflexive and host candidates reveal
What Is WebRTC, and Why Is It in Your Browser?
WebRTC (Web Real-Time Communication) is the technology that lets websites run video calls, voice chat, screen sharing, and peer-to-peer file transfers directly in the browser — no plugin, no download. When you join a browser-based meeting or a customer support video chat, WebRTC is doing the work. It ships enabled by default in Chrome, Firefox, Safari, Edge, and every other mainstream browser, because the modern web depends on it.
The privacy problem is a side effect of how peer-to-peer connections get established. Two computers behind home routers can't simply dial each other — each one first has to discover what its own address looks like from the outside. So WebRTC aggressively enumerates every address that might reach your machine: your local network addresses, your public IP, and — this is the dangerous part — it can do so through network paths that ignore the proxy settings your browser uses for ordinary page requests. A single snippet of JavaScript on any web page can trigger this discovery process silently, without asking permission and without you ever making a call. The result is what's known as a WebRTC leak: your true IP address handed to a website that should only ever see your VPN's.
How WebRTC Can Bypass Your VPN Tunnel
To find a working connection path, WebRTC uses a process called ICE (Interactive Connectivity Establishment). It collects "candidates" — possible addresses a peer could use to reach you — and each candidate type reveals something different:
- Host candidates are the addresses your network adapters hold directly — local addresses like 192.168.1.23, and on some systems your real public IPv6 address, straight from the interface.
- Server-reflexive (srflx) candidates come from asking a STUN server "what address do you see me connecting from?" Our test uses Google's public STUN server for exactly this step — the same one countless real websites use.
Here is where the leak happens. Your VPN app encrypts and reroutes your traffic at the operating-system level, but WebRTC's STUN requests are small UDP packets that some configurations send outside the tunnel — through your untouched physical connection. The STUN server then truthfully reports your real public IP, and WebRTC hands that answer to the web page as a srflx candidate. Your browsing traffic says "Amsterdam"; WebRTC says your actual city. IPv6 makes it worse: a VPN that only tunnels IPv4 can leave your interface's globally-routable IPv6 address sitting in the host candidates for any script to read.
Browsers have partially closed the hole. Since 2019–2020, Chrome, Firefox, Safari, and Edge replace local host candidates with anonymized mDNS names — random identifiers ending in .local that only resolve inside your own network. That's why our test marks .local candidates as protected. But mDNS masking does nothing about the srflx path: if a STUN request escapes your VPN tunnel, the public IP it returns is real, current, and visible to every site that asks. That's the leak this tool is built to catch, and it's a standard check in our VPN testing methodology.
How to Read Your Test Results
The verdict panel above does the interpretation automatically, but here is the full decision table so you can see exactly how each outcome is judged:
| Result | What happened | What to do |
|---|---|---|
| FAIL — leak detected | WebRTC exposed a public IP different from your browsing IP. With a VPN on, that's your real address escaping the tunnel. | Enable your VPN's leak protection, disable WebRTC (guides below), or switch VPNs. |
| PASS — same IP as browsing | WebRTC only revealed the IP your normal traffic already uses. No extra information leaked. | If that IP is your VPN's, all good. If it's your real IP, you're simply not behind a VPN. |
| PASS — only mDNS (.local) | Your browser handed out anonymized .local names instead of real addresses. | Nothing — this is the modern browser protection working as designed. |
| PASS — local IPs only | Only private addresses (192.168.x.x, 10.x.x.x, fe80::) appeared. These can't identify you to websites. | Nothing urgent — no public address escaped your tunnel. |
| PASS — WebRTC blocked | Your browser refused to run WebRTC or produced no candidates — it's disabled or an extension blocks it. | Nothing can leak. Note that in-browser video calls won't work until you re-enable it. |
Two subtleties worth knowing. First, run the test twice: once with the VPN off (you'll see your real IP — that's expected and harmless, it just confirms the test works) and once with the VPN on (now any public IP other than the VPN's exit is a genuine leak). Second, watch for IPv6. If the leaked address contains colons while your browsing IP is a dotted IPv4 address, your VPN is tunneling IPv4 but letting IPv6 through natively — one of the most common leak patterns we see. You can verify what your browsing IP looks like at any time with our What Is My IP tool, and combine this check with DNS and location tests using Is My VPN Working?
How to Disable or Limit WebRTC in Every Browser
If the test found a leak — or you simply never use browser video calls and want the attack surface gone — here is what each major browser allows. Note the differences: only Firefox lets you switch WebRTC off completely with a built-in setting.
| Browser | Full disable built in? | Recommended fix |
|---|---|---|
| Firefox | Yes | about:config → media.peerconnection.enabled → false |
| Chrome | No | WebRTC-limiting extension, or a VPN with built-in leak protection |
| Edge | No | Same as Chrome (Edge is Chromium-based) |
| Safari | No (rarely needed) | Defaults are conservative; pair with a leak-blocking VPN |
Firefox — the clean kill switch
Type about:config in the address bar, accept the warning, and search for media.peerconnection.enabled. Double-click it to set it to false — WebRTC is now off entirely, and this test will report PASS. If you still need video calls, use the softer option instead: set media.peerconnection.ice.default_address_only to true, which restricts ICE to the default route (your VPN interface) so calls still work but stop enumerating other network paths.
Chrome — no off switch, two workarounds
Chrome deliberately provides no setting to disable WebRTC — Google considers it a core web platform feature. What Chrome does do, since version 79, is mask local addresses with mDNS by default. For the public-IP path you have two options: install an extension that sets Chrome's WebRTC IP-handling policy to "disable non-proxied UDP" (which forces WebRTC traffic to give up rather than bypass a proxy or VPN), or use a VPN whose browser extension or app blocks WebRTC leaks itself. On corporate machines, administrators can enforce the same thing via the WebRtcIPHandling policy.
Edge — same engine, same answer
Edge is built on Chromium, so everything said about Chrome applies unchanged: local IPs are mDNS-masked by default, there is no built-in full-disable toggle, and the reliable fixes are a WebRTC-limiting extension (Chrome Web Store extensions install fine in Edge) or a VPN with its own leak blocking. Edge's InPrivate mode makes no difference to WebRTC behavior.
Safari — locked down by design
Safari has historically been the most conservative browser here: it doesn't expose local IP addresses to WebRTC until you've granted a site camera or microphone permission, and it offers no user-facing switch to disable WebRTC outright. In practice Safari users rarely fail this test on the local-address side — but the srflx public-IP path still depends on your VPN tunneling all traffic, so run the test with your VPN connected rather than assuming. If Safari is your daily browser, the highest-leverage fix is simply a VPN that tunnels IPv4 and IPv6 completely.
The Real Fix: a VPN That Doesn't Leak in the First Place
Browser tweaks treat the symptom. The underlying question is whether your VPN captures all traffic — TCP and UDP, IPv4 and IPv6, browser and system — inside the tunnel. A well-built VPN client routes WebRTC's STUN packets through the tunnel like everything else, so the STUN server only ever sees the VPN exit IP and this test passes automatically, no configuration needed.
That's exactly what we verify when we review providers: we run this WebRTC check alongside DNS leak and kill-switch tests on every VPN we rank. In our testing, NordVPN and ExpressVPN consistently pass with full IPv6 handling, and Surfshark covers the same ground at a lower price. The complete, leak-tested lineup is in our best VPN rankings. If budget is the constraint, Proton VPN's free tier tunnels WebRTC traffic properly too — and every paid provider we rank carries a 30-day money-back guarantee, so you can run this exact test on your own connection risk-free.
WebRTC Leak Questions, Answered
The test shows a .local address — is that a leak?
No — it's the opposite. A name like 3b2f…-8a91.local is an mDNS placeholder your browser generates specifically so websites can't see your real local IP. It resolves only inside your own network and changes per session. Our test marks these green because they prove the browser's anonymization is active.
I see my real IP with the VPN off. Is that a problem?
With no VPN connected there is nothing to leak around — WebRTC showing the same public IP as your normal traffic is expected and adds no new exposure. The test only becomes a pass/fail security check once a VPN is on: at that point, any public address other than the VPN's exit IP means the tunnel is being bypassed.
Does incognito or private browsing stop WebRTC leaks?
No. Private browsing changes what your browser stores locally — history, cookies, cache — not how it makes network connections. WebRTC behaves identically in a private window, and a leaking setup leaks there too. The fixes are the ones above: browser configuration or a leak-proof VPN.
Can WebRTC leaks happen on my phone?
Yes, though less often. Mobile browsers implement WebRTC too, and the same STUN mechanism applies. In practice, mobile VPN apps capture traffic at the OS level through a system VPN interface, which usually catches WebRTC packets as well — but IPv6 handling varies. Open this page in your phone's browser with your VPN connected and run the test; it works the same way on iOS and Android.
Should I disable WebRTC completely?
Only if you never use in-browser calling. Disabling WebRTC breaks browser-based video meetings, voice chat, and some screen-sharing and file-transfer tools. For most people the better trade-off is a VPN that tunnels WebRTC traffic correctly — you keep the functionality and this test still passes. Full disablement makes sense for a hardened secondary browser you use only for sensitive browsing.
The leaked address has colons in it — what does that mean?
Colons mean IPv6. If WebRTC exposes an IPv6 address while your browsing IP is IPv4, your VPN is tunneling IPv4 traffic but letting IPv6 travel outside the tunnel — a real leak, because that IPv6 address is globally routable and traces straight to your connection. Fix options: enable IPv6 leak protection in your VPN app if it has it, disable IPv6 on your device, or switch to a provider that handles IPv6 properly (see our rankings).
Is it safe to run this test? What data do you collect?
The test runs entirely in your browser using the same WebRTC API any website could call — we just show you the results instead of harvesting them. The only network requests are your browser's own STUN query to Google's public STUN server and the standard IP lookup this site already performs. We don't store the addresses the test finds.
Found a Leak? Your VPN Isn't Finishing the Job
A VPN that lets WebRTC hand your real IP to any website has failed at the one thing you pay it for. Every provider in our rankings passed this exact test on real hardware — see the VPNs we actually tested.
See Our Top-Rated VPNs8 VPNs benchmarked on real hardware — see how we test.
More Free Tools
Every tool on vpnrank.io is free, runs instantly, and never requires an account.
What Is My IP
See the IP address websites see
Is My VPN Working?
One-click check that your VPN actually protects you
VPN Kill Switch Test
Verify your kill switch blocks traffic on drop
IP Address Lookup
Look up any IP's location, ISP, and hostname
Password Generator
Create strong random passwords locally
Password Strength Checker
Test how fast a password would crack
Password Leak Checker
Check if a password appears in known breaches