WebRTC Leak Test
See if WebRTC in your browser is exposing your real IP
Check whether WebRTC is leaking your real IP
WebRTC helps browsers negotiate peer-to-peer audio and video by probing STUN servers for your public IP. If your VPN does not specifically protect against it, those probes can bypass the tunnel and expose the IP assigned by your ISP. This test collects the ICE candidates your browser generates and compares them to the IP you currently appear to be using.
Modern Chrome, Safari, and Firefox replace raw LAN addresses in host candidates with randomised `.local` mDNS hostnames to block local-network fingerprinting. That means seeing `abcdef12-….local` rather than `192.168.1.23` is the browser protecting you, not a sign that something is broken. What you *do* want to watch for is a `srflx` candidate whose IP differs from the "Your public IPs" panel above — that's the real WebRTC leak signal.
What is a WebRTC leak?
WebRTC is a browser feature that enables real-time peer-to-peer audio, video, and data channels without plug-ins. To establish those peer connections it needs to know how the internet sees your machine, which it discovers by probing public STUN servers. Those probes run outside the usual browser proxy settings, so a misconfigured VPN can end up sending them over your normal internet connection while the rest of your traffic is tunneled. The result: the page on the other end sees your real public IP, even though your HTTP requests look like they're coming from the VPN.
How this test works
- Your browser opens a local
RTCPeerConnectionconfigured with two public STUN servers (Google and Cloudflare). - For about five seconds we collect every ICE candidate the browser produces — host, srflx (public), prflx, and relay.
- We compare the public srflx IPs against your HTTP egress IP reported by our /tools/my-ip endpoint.
- If they match, WebRTC is using the same network path as the rest of your traffic. If they differ — or a raw LAN address is exposed — the result is flagged.
How to prevent a WebRTC leak
- Use a VPN client that explicitly binds WebRTC / UDP to the tunnel interface (most major paid VPNs have this option).
- Install a browser extension that disables or restricts WebRTC (uBlock Origin's advanced settings, WebRTC Control, etc.).
- In Firefox, set
media.peerconnection.enabledtofalseinabout:config— this disables WebRTC entirely. - In Brave, Shields already restrict WebRTC to the proxy by default; double-check Settings → Privacy and security → WebRTC IP handling policy.
Our Services
We offer a variety of static and dynamic IP solutions designed for legitimate business and technical use, with global coverage tailored to your project requirements.
Buy Proxy, SOCKS5 & ShadowSocks Now
Buy Proxy now HTTP Proxies or SOCKS5, Dedicated or Shared, Residential or Datacenter. Fully Anonymous and Premium.
Buy Proxy
We answer your questions
Got questions? We've got answers! Dive into our frequently asked questions below.
A WebRTC leak happens when your browser's built-in real-time communication stack (WebRTC) exposes your real public IP address even though you are connected to a VPN or proxy. WebRTC was designed to help peer-to-peer apps find the best network path, so it uses STUN servers to discover your public IP directly — bypassing the tunnel if the VPN doesn't specifically protect against it.
Because WebRTC operates at the browser level and not at the OS network layer, it can reach out to STUN servers through any available interface. If your VPN only routes traffic from specific apps or doesn't block WebRTC-originated UDP, the browser will report the real public IP assigned by your ISP in the ICE candidates. A correctly configured VPN should make WebRTC see only the VPN's public IP.
ICE candidates are the network addresses WebRTC considers for a peer connection. Host candidates are the local addresses of your machine (LAN IP or, on modern browsers, an `.local` mDNS hostname that hides it). srflx (server-reflexive) candidates are the public IP that a STUN server sees — this is the main leak vector when it differs from your VPN's public IP. relay candidates are routed through a TURN server (we don't use one, so you will not see them).
Chrome, Safari and modern Firefox replace raw LAN addresses like 192.168.1.23 with randomized mDNS hostnames (for example abcdef12-34….local) to prevent trackers from fingerprinting your local network. This is a built-in browser mitigation — your LAN IP is not actually leaking. If you see a real RFC 1918 address instead, your browser is older or has the mitigation disabled.
Disabling WebRTC prevents any website from using real-time peer-to-peer audio, video or data channels. Video-call sites like Google Meet, Jitsi, Discord web and browser-based voice chat will stop working. If you only want to prevent leaks, a better option is to use a VPN that properly tunnels WebRTC, a browser extension that limits WebRTC to the proxy/VPN interface, or a browser with a built-in WebRTC-policy setting (e.g., Brave's default).
Yes. The test runs entirely inside your browser and only opens a brief connection to public STUN servers (Google and Cloudflare). No data about the candidates is sent to our servers — only the HTTP request that tells you your own egress IP, which we already expose on other tools.
