Home/WebRTC Leak Test
[ P.2 — WEBRTC ]

WebRTC Leak Test

Check whether your browser leaks your real IP address through WebRTC — even if you're on a VPN.

Last reviewed: May 2026

// Runs entirely in your browser. Nothing is sent to our servers.
// probe your browser's WebRTC state

What is a WebRTC leak?

WebRTC (Web Real-Time Communication) is the browser API that powers video calls, voice chat, screen sharing, and peer-to-peer file transfer inside web pages. To establish a peer connection between two browsers, each side needs to discover its own reachable addresses — local IPs on the network, the public IP it's coming from, and any TURN-relay address it might fall back to. That discovery process is called ICE candidate gathering.

The standard way to learn your own public IP is to send a UDP request to a STUN server and let the server reflect back what address it saw. The result lands in your browser's ICE candidate list. The same process also enumerates your local network interfaces, so if you have a private address like 192.168.1.42 on your LAN, that shows up too.

If a webpage runs this probe quietly in JavaScript, it can read your local LAN IP and your real public IP even when you're connected through a VPN. That's the leak — your VPN was supposed to be the only IP the site ever sees, and WebRTC routes around it.

How browsers protect you

The defenses have improved a lot over the last few years, and they look very different across vendors.

  • Chrome, Edge, and Opera use mDNS obfuscation by default since Chrome 76 (2019). Local interface addresses appear as random <uuid>.local hostnames instead of raw IPs — only meaningful to the peer you're talking to, useless to a tracker. Pages get the raw IP only after the user grants camera or microphone permission.
  • Firefox now uses mDNS obfuscation by default (media.peerconnection.ice.obfuscate_host_addresses = true in about:config). Earlier versions exposed raw local IPs, but current releases match Chrome's behavior. You can still disable WebRTC entirely with media.peerconnection.enabled = false if you prefer.
  • Safari is the most restrictive — it doesn't expose host candidates at all by default.
  • Brave ships with a configurable WebRTC IP-handling policy. The default suppresses local-IP enumeration; the strictest setting disables non-proxied UDP entirely.
  • Tor Browser turns WebRTC off completely — no probes possible.

How to fix a leak

If your browser is leaking and you care, the options are:

  • Firefox: current releases obfuscate local IPs by default, so no fix is usually needed. If this test still shows raw RFC1918 addresses you're likely on an older build — update Firefox, then verify media.peerconnection.ice.obfuscate_host_addresses = true in about:config. To turn WebRTC off entirely (video calls in the browser stop working), set media.peerconnection.enabled = false.
  • Chrome and Edge: install a WebRTC leak-prevention extension. The browser itself doesn't have a built-in toggle. Switching to Brave achieves the same thing without an extension.
  • Brave: open Settings → Shields → WebRTC IP Handling Policy and set to "Disable Non-Proxied UDP" for maximum protection.
  • Any browser: some VPN clients implement system-level WebRTC leak protection that intercepts the relevant queries. Check whether yours offers this feature, and turn it on.

The most reliable defense is using a browser that blocks local-IP enumeration by default — Chrome/Edge/Opera (with mDNS) or Brave with strict settings — rather than relying on individual VPN clients to plug every hole.

This page runs entirely in your browser. The leak test uses your own browser's RTCPeerConnection API and three public STUN servers; no data about the result is sent to our servers or stored anywhere. Open DevTools → Network to verify.