A WebRTC leak is when a browser’s WebRTC API exposes the user’s real IP address despite a VPN or proxy being active. WebRTC is the browser API that powers peer-to-peer video calls, file transfers, and some real-time gaming; to function, it needs to know the local network interfaces. The API helpfully exposes those interfaces to JavaScript, including the public IP that the VPN was hiding. The leak has been documented since 2015 and persists in modified form across every major browser.
What it means in practice
The mechanics: a script on a visited page calls the WebRTC API’s getUserMedia or RTCPeerConnection methods. The browser, in resolving network candidates for peer-to-peer setup, exposes both the VPN IP (the routed interface) and the real IP (the underlying interface or the local-network IP that maps to the real public IP via STUN servers). The script reads both. The VPN protected nothing for that script. The defenses are browser-specific: Firefox has the most controllable knobs (about:config, media.peerconnection.enabled to disable entirely or media.peerconnection.ice.no_host to mitigate), Brave has built-in WebRTC IP-leak protection in Settings, Chrome requires extensions or full WebRTC disable, Safari has historically been less leaky but exhibits similar behavior in some configurations.
Where it shows up
Tested by: ipleak.net, browserleaks.com/webrtc, dnsleaktest.com (which also covers WebRTC). Exploited by: fingerprinting libraries that include WebRTC IP as a stable identifier, geo-restriction-enforcement systems that compare the WebRTC-revealed IP to the connection IP and deny content when they differ, fraud-detection services that flag VPN users by detecting the discrepancy. For a journalist, activist, or operator whose VPN is the structural defense against IP linkage, a WebRTC leak silently invalidates the entire defense. Most users are unaware that the leak is happening.
What you can change today
Test for the leak. Connect to your VPN, open ipleak.net, scroll to the WebRTC test, verify the IP shown matches the VPN IP and not your real IP. If the test reveals leakage, mitigate by browser. Firefox: about:config, media.peerconnection.ice.no_host=true (mitigates without breaking video calls). Brave: Settings, Privacy and Security, WebRTC IP Handling Policy, set to “Disable Non-Proxied UDP.” Chrome: install the WebRTC Network Limiter extension from Google or use uBlock Origin’s “Prevent WebRTC from leaking local IP addresses” toggle (Settings, Privacy). For high-target users: use Mullvad Browser or Tor Browser, which handle WebRTC structurally.
