INTELREAP
Privacy Guide

WebRTC Leak Test &
Shield Your Real IP

Your VPN might not be doing what you think it is doing. WebRTC, the browser technology behind video calls and voice chat, can reveal your real ISP-assigned IP address through a side channel that some VPNs never close. Here is how to test for it and shut it down properly, without breaking the video calls you actually want to keep working.

Loading…
4.9★satisfaction
290+ data pointsper scan
13 intelligence panelsper report
Zero data storedprivacy first
Quick Answer

WebRTC can expose your real IP even through an active VPN, because it talks to the network directly rather than through your browser's normal traffic path

Test for a leak by running a WebRTC check while your VPN is connected — if your actual ISP IP shows up instead of your VPN's IP, you have a leak. Fix it in Firefox by setting media.peerconnection.enabled to false in about:config. In Chrome, install a dedicated extension like WebRTC Leak Prevent, since Chrome has no native toggle. Whether your VPN leaks at all depends heavily on whether it is a full system-level client or just a browser extension — extensions are far more prone to this specific gap.

01 What Is WebRTC and Why Does It Leak Your IP?

WebRTC — Web Real-Time Communication — is a browser API that enables direct peer-to-peer audio, video, and data connections without routing through a server in between. It is the technology underneath Google Meet, Discord's browser voice chat, WhatsApp Web's calling feature, and most in-browser video conferencing tools. It exists because routing every video frame through a central server would be slow and expensive; peer-to-peer is faster and cheaper at scale.

To establish a direct connection between two browsers — often sitting behind different home routers and NAT configurations — WebRTC uses a protocol called ICE (Interactive Connectivity Establishment), which in turn relies on STUN servers to discover what IP addresses your device can be reached at. This discovery process is where the leak happens: STUN queries can return your real, ISP-assigned public IP address directly to the requesting page, through a request that does not necessarily travel through your VPN tunnel the way your regular browser traffic does.

The result is a strange and counterintuitive situation: you can have a VPN fully connected, showing a different IP in every other context, while a single line of JavaScript on a malicious or simply poorly-configured site extracts your actual IP address through WebRTC's STUN request. This is not a VPN failure in the conventional sense — it is a gap between two systems, browser networking and VPN tunnelling, that were not designed with each other in mind.

02 How to Test for a WebRTC Leak

Testing is straightforward and takes under a minute, but the order of operations matters. The result you are looking for is whether your VPN and proxy status panel shows a different IP from what WebRTC reports — if they match and reflect the VPN's address, the tunnel is holding.

WebRTC Leak Test — Correct Procedure
  1. Note your real IP address first by checking it with your VPN disconnected — this is your baseline to compare against
  2. Connect your VPN and confirm it shows as active, with a new IP visible through a normal IP check
  3. Run a WebRTC-specific leak test while the VPN remains connected — IntelReap's VPN & Proxy panel includes this check as part of its full scan
  4. Compare the IP addresses returned by the WebRTC check against your real baseline IP from step 1 — if they match, you have a leak; if only the VPN IP appears, you are protected

What a clean result looks like: No IP addresses should appear in a WebRTC leak test other than your VPN's IP, or ideally, no addresses should be returned by WebRTC queries at all if it is properly shielded or disabled.

03 Why VPNs Do Not Always Stop WebRTC Leaks

This is the part that surprises most people: paying for a reputable VPN is not, by itself, a guarantee against WebRTC leaks. The deciding factor is the VPN's architecture, not its price or marketing.

A full system-level VPN client — the kind you install as a desktop or mobile app — typically routes all network traffic, including the low-level STUN queries WebRTC generates, through the encrypted tunnel. This closes the leak at the operating system level, before it ever reaches your browser's networking stack. A VPN operating correctly at this level changes what every application on your device reports as its network identity, not just your browser's visible traffic.

A browser-extension-only VPN is a different story. Extensions operate inside the browser's JavaScript sandbox and can only intercept traffic that flows through the browser's standard request pipeline. WebRTC's STUN queries, in many implementations, bypass this pipeline entirely — they talk to the network interface more directly than a typical HTTP request does. This is precisely why free VPN browser extensions and many budget VPN services are disproportionately associated with WebRTC leaks: their architecture cannot reach the layer where the leak originates.

04 How to Disable WebRTC in Chrome

Chrome offers no built-in toggle for WebRTC — this is a deliberate choice by Google, since WebRTC is core to many Google products. The only reliable path is a dedicated extension.

Chrome — WebRTC Leak Prevent Extension
  1. Install WebRTC Leak Prevent from the Chrome Web Store
  2. Open the extension's options and set the IP handling policy to Disable non-proxied UDP — this is the setting that closes the leak while keeping WebRTC functional for proxied connections
  3. Re-run a leak test to confirm the fix took effect

Alternatively, if you already use uBlock Origin, open its Settings panel, switch to the dashboard view, and enable "Prevent WebRTC from leaking local IP addresses" under the general settings tab — no second extension required.

05 How to Disable WebRTC in Firefox

Firefox is the only major browser with a native, no-extension-needed way to fully disable WebRTC.

Firefox — about:config Method
  1. Type about:config in the address bar and accept the risk warning
  2. Search for media.peerconnection.enabled
  3. Double-click the entry to toggle its value from true to false
  4. Restart Firefox — WebRTC is now fully disabled site-wide

To re-enable later (for example, before a video call): repeat the steps and set the value back to true. There is no need to restart the browser between toggles in most cases, but a restart guarantees the change has fully propagated.

06 How to Disable WebRTC in Safari and Brave

Safari

Safari does not currently expose a user-facing toggle to disable WebRTC, and recent versions have removed the previous Develop-menu option that allowed it. This is a less urgent gap than it sounds: Safari's WebRTC implementation handles ICE candidate gathering more conservatively by default than Chrome's, which reduces — though does not eliminate — the leak surface. If WebRTC leak protection on Safari is a hard requirement, routing all traffic through a properly configured system-level VPN remains the most dependable option, since it closes the gap below the browser entirely.

Brave

Brave, being Chromium-based, includes a built-in setting that Chrome itself lacks. Go to brave://settings/privacy, scroll to the WebRTC section, and select "Disable non-proxied UDP" from the IP handling policy dropdown. This is the same protective setting Chrome users need an extension for, built directly into Brave's privacy settings.

VPN & Proxy Intelligence

Test Your VPN for WebRTC and DNS Leaks Right Now

IntelReap's VPN & Proxy panel checks for WebRTC leaks, DNS leaks, and IP mismatches in a single scan — showing you exactly what your VPN is and is not protecting, free and in-browser.

07 Disable vs Shield — Which Approach Is Right for You?

Fully disabling WebRTC and shielding it while keeping it functional are different trade-offs, and the right choice depends on how you actually use your browser. If you rarely or never use browser-based video calling, a full disable in Firefox via about:config is the cleanest, most permanent fix. If you regularly use Google Meet, Discord in-browser, or WhatsApp Web, a shielding extension that closes the leak while preserving WebRTC's core function — like WebRTC Leak Prevent set to "Disable non-proxied UDP" — gets you the privacy benefit without the functionality cost.

Comparison of WebRTC leak fixes by browser, method, and impact on video calling functionality
Browser Method Breaks Video Calls? Setup Time
Firefox media.peerconnection.enabled = false Yes — fully disables WebRTC 30 seconds
Chrome WebRTC Leak Prevent extension No — shields IP, keeps function 1 minute
Chrome uBlock Origin WebRTC setting No — shields IP, keeps function 30 seconds (if already installed)
Brave Built-in "Disable non-proxied UDP" No — shields IP, keeps function 15 seconds
Safari No native option — use system VPN Depends on VPN architecture Varies
Any browser Full system-level VPN client No — handled below browser layer Depends on VPN setup

08 WebRTC Leaks Are One Piece of a Larger Picture

A WebRTC leak defeats one specific purpose of using a VPN — IP masking — but it says nothing about the other tracking vectors that operate independently of your VPN entirely. Browser fingerprinting reads your GPU renderer, screen configuration, and dozens of other hardware signals to identify you regardless of what your IP address shows, and no VPN or WebRTC fix touches that vector at all. Closing the WebRTC gap is necessary if you rely on a VPN for privacy, but it should be treated as one item in a broader checklist rather than the whole task.

For the complete layered approach — covering DNS, fingerprinting, password security, and mobile tracking alongside VPN-specific issues like this one — our full guide to protecting your privacy online walks through each layer in priority order, with honest assessments of what each tool actually covers.

Security Intelligence

See Your Complete Privacy and Security Picture

IntelReap's Security panel checks WebRTC leaks, DNS leaks, fingerprinting exposure, and overall connection security in one pass — giving you a single, honest score for how exposed you actually are.

Logic

WebRTC leaks happen because peer-to-peer connection setup and VPN tunnelling were built as separate systems — closing the gap requires addressing WebRTC specifically, not just trusting that a VPN handles everything.

Methodology

This guide draws on the W3C WebRTC specification, IETF STUN/ICE protocol documentation (RFC 8445, RFC 5389), browser vendor privacy documentation, and live leak testing across multiple VPN architectures and browser combinations.

Sources & References
Share This Guide

Frequently Asked Questions

Twelve questions on WebRTC leaks — what causes them, how to test, how to fix them per browser, and how this fits into a broader privacy approach.

A WebRTC leak occurs when the browser's real-time communication feature reveals your real IP address even while a VPN is active. WebRTC queries your network interfaces directly through STUN servers as part of setting up peer-to-peer connections for video and voice calls — a process that can bypass the VPN tunnel and expose your actual ISP-assigned IP to any site running the right script.
Connect your VPN, then run a WebRTC-specific leak test while it stays active. IntelReap's VPN & Proxy panel includes this check, comparing your WebRTC-reported IP against your VPN's IP. If your real ISP IP appears instead of or alongside your VPN IP, you have a leak. Test with the VPN on and off to see the contrast.
Not automatically. Full system-level VPN clients with dedicated apps generally route WebRTC traffic correctly and do not leak. Browser-extension-only VPNs and free VPN services are far more prone to leaking, since extensions cannot always intercept WebRTC's direct network queries the way a system-level client can. The architecture of your specific VPN determines the outcome, not its price or reputation alone.
Chrome has no native toggle for this. Install the WebRTC Leak Prevent extension and set its IP handling policy to "Disable non-proxied UDP," or enable the WebRTC-blocking option already built into uBlock Origin's advanced settings if you have it installed. Either method shields the leak while keeping WebRTC functional for legitimate uses.
Type about:config in the address bar, accept the warning, search for media.peerconnection.enabled, and double-click it to set the value to false. Restart Firefox for the change to take effect. This fully disables WebRTC at the browser level — no extension needed. Toggle it back to true if you need video calling functionality again later.
Safari does not expose a user-facing setting for this, and the previous Develop-menu option has been removed in recent versions. Safari's WebRTC implementation is somewhat more conservative by default than Chrome's, which reduces the leak surface. For guaranteed protection on Safari, a properly configured system-level VPN client remains the most dependable route.
Yes, for any service relying on WebRTC for peer-to-peer media — Google Meet, Discord's browser voice and video, WhatsApp Web calling, and similar tools. A full disable (as in Firefox's about:config method) breaks these. A shielding extension that blocks only the IP-revealing behaviour while preserving WebRTC's core function is usually the better trade-off if you use browser-based calling regularly.
A local IP leak reveals your private network address, which is not very revealing on its own since millions of devices share the same private ranges. A public IP leak reveals your actual ISP-assigned address — the one a VPN exists specifically to hide — and is the leak that genuinely defeats a VPN's purpose. Leak tests should focus on whether the public IP is exposed, since that is the meaningful risk.
No. Reputable paid VPN providers with native desktop and mobile apps generally handle WebRTC traffic correctly. The leak risk concentrates in free VPN services and browser-extension-only VPNs that route only specific traffic types. Testing your specific combination of VPN and browser is the only way to know for certain — assumptions based on provider reputation alone are not reliable.
WebRTC Leak Prevent (Chrome) is purpose-built for this with granular IP handling controls. uBlock Origin includes a WebRTC-blocking option in its advanced settings dashboard. For Firefox, the about:config method achieves the same result natively without needing any extension. Brave has the protective setting built directly into its privacy settings under brave://settings/privacy.
No, they are different vulnerabilities. A DNS leak happens when DNS queries route outside the VPN tunnel to your ISP's resolver, revealing which sites you visit. A WebRTC leak exposes your actual IP address directly through the browser's real-time communication API, regardless of DNS routing. A VPN can be protected against one and still vulnerable to the other — test both independently.
Test immediately after setting up a new VPN, after any VPN software update, and after switching browsers or installing extensions that touch network behaviour. VPN providers occasionally introduce leaks through updates without intending to, so a periodic check every few months is a reasonable habit if you rely on a VPN for meaningful privacy protection.

Still Seeing a WebRTC Leak?

Tell us your browser, VPN provider, and what the test showed — we will help pinpoint the cause. We respond within two business days.