New videos every week — proxies, VPNs & antidetect browsers, explained.

Subscribe

Your privacy is exposed — websites can see your IP, location and device.

Try Surfshark urgently →

WebRTC Leak

Intermediate

A browser flaw where WebRTC's connection machinery reveals your real IP address even while a VPN or proxy is active.

In depth

A WebRTC leak exposes your true IP address through the browser's real-time communication API — the machinery behind in-browser video calls and peer-to-peer transfers. The cruel part: it can happen while your VPN or proxy is working perfectly, because the leak uses a side channel the tunnel doesn't cover.

The mechanism

WebRTC connects users directly to each other, so it must discover every address a peer might be reachable at. It uses ICE and STUN: the browser asks a STUN server "what addresses do you see for me?" and gathers candidates — local network IPs and your public IP among them. Any webpage can trigger this with a few lines of JavaScript, no call interface visible, and read the candidate list. If the browser queries outside the tunnel or reports interface addresses directly, your real IP lands in a script-readable list on a page you thought you were visiting anonymously.

Who's exposed and what to do

  • Proxy users are the most vulnerable: browser proxy settings often don't cover WebRTC's UDP traffic at all — this is a classic antidetect-browser test, and good ones mask or align WebRTC addresses per profile.
  • VPN users are safer but not immune: quality VPN apps block or route WebRTC traffic; misconfigurations and browser quirks still slip through.
  • Fixes: use your VPN's leak protection, disable WebRTC where acceptable (it breaks video calls), or use browser settings/extensions that restrict candidate gathering to the tunnel interface.

Test it, don't assume

Run a WebRTC leak test with your VPN or proxy active. If any listed candidate shows your real public IP, every site you visit can read it too — fix the leak before doing anything identity-sensitive.

Examples

  • A proxy user passes an IP-check page but a WebRTC test reveals their real home address in the ICE candidates.
  • An antidetect browser reports WebRTC addresses matching each profile's proxy, passing the consistency check.
  • A leak-test page shows a VPN user's tunnel IP only — their app is correctly routing STUN traffic.

Common use cases

VPN/proxy leak auditingAntidetect profile verificationPrivacy hygieneMulti-account safety checks

FAQs

Open a WebRTC leak-test page while your VPN or proxy is active and read the gathered candidates. Seeing only your VPN/proxy IP is a pass; your real public IP appearing anywhere is a fail that needs fixing before sensitive use.

If you never make browser video calls, disabling it is the bluntest reliable fix — Firefox allows it natively, Chromium needs extensions or policies. Otherwise use a VPN with WebRTC leak protection or settings that bind WebRTC to the tunnel.

A VPN captures traffic at the system level, so STUN queries ride the tunnel by default. Browser proxy settings only cover ordinary web requests — WebRTC's UDP machinery goes around them unless the browser explicitly masks it, which is what antidetect browsers do.

Related terms