WebRTC Leak Test - Detect Real IP Behind VPN
docFind out if WebRTC is exposing your real IP even when you're behind a VPN. This test checks ICE candidates to identify local and public IP leaks.
WebRTC Leak Test
Detect whether WebRTC exposes your real network path behind a VPN, including local candidates, public candidates, and relay behavior.
WebRTC Leak Test
Open ToolWhat this test checks
The test captures ICE candidates generated by your browser during WebRTC discovery, including host, server-reflexive, and relay candidates.
By comparing candidate types and visible IPs, you can quickly see whether traffic is constrained to your expected VPN or relay path.
Why WebRTC leaks matter
Even when HTTP traffic appears protected by a VPN, WebRTC can reveal network metadata through STUN discovery.
A single exposed ISP IP can undermine location masking, increase account-risk scoring, and weaken privacy assumptions for sensitive workflows.
How to read candidate types
Host candidates usually expose local interface addresses and can reveal internal topology.
Server-reflexive candidates expose public-facing addresses learned from STUN and are the most common leak signal.
Relay candidates are TURN-mediated and typically preferred for privacy-sensitive sessions.
Leak indicators to watch for
If you expect a VPN exit but see an ISP-owned public IP in candidates, treat that as a concrete leak signal.
If candidate country or ASN differs from IP lookup and DNS results, you likely have a partial-path leak.
Common root causes
Frequent causes include VPN clients that do not tunnel UDP consistently, browser defaults favoring direct paths, and multi-adapter systems exposing additional interfaces.
Browser updates, extension changes, and enterprise policy overrides can also re-enable risky behavior after previously safe settings.
How to reduce exposure
Prefer VPN providers with explicit WebRTC leak protection and verify whether IPv6 is covered as well as IPv4.
Where possible, enforce relay-only behavior or restrict direct candidate exposure through browser policy.
If real-time calls are not required, disabling WebRTC in high-risk profiles remains the most conservative option.
Practical troubleshooting workflow
Run a baseline test, then change one variable at a time: VPN on or off, browser profile, extension set, and network interface state.
After each change, retest and record candidate differences. This single-variable method prevents false conclusions and speeds root-cause isolation.
IPv6 and multi-network considerations
Some setups protect IPv4 but leak IPv6 through direct candidates. Always evaluate both families before declaring success.
Devices with Wi-Fi, Ethernet, and virtual adapters active at the same time tend to expose extra candidates and increase leak probability.
Validation checklist
Confirm no unexpected public IP appears in ICE candidates.
Cross-check with IP Lookup and DNS Leak Test for path consistency.
Retest after browser, VPN, or OS updates to catch regressions early.
Related Tools
Related Docs
- What Is a WebRTC Leak — root cause explanation and leak mechanisms
- DNS Leak Test — resolver path diagnostics
Frequently Asked Questions
What is a WebRTC leak?
A WebRTC leak occurs when WebRTC technology exposes your real IP address — including local network and public ISP IP — even when using a VPN. The browser's STUN/TURN discovery generates ICE candidates that can reveal addresses you intended to hide, because WebRTC operates independently of HTTP traffic and VPN tunnels.
How do I prevent WebRTC leaks?
Prefer VPN providers with explicit WebRTC leak protection. Disable WebRTC in high-risk profiles if real-time calls are not required. Enforce relay-only behavior through TURN servers. Also verify whether IPv6 is covered as well as IPv4, since some setups protect IPv4 but leak IPv6 through direct candidates.
Does my VPN protect against WebRTC leaks?
Not always. Many VPN clients do not tunnel UDP consistently, and WebRTC can bypass the VPN tunnel. Some providers include WebRTC blocking features, but the only way to be sure is to run a WebRTC leak test immediately after connecting and compare visible IPs against your VPN exit address.
What is an ICE candidate?
An ICE candidate is a potential network path WebRTC can use to establish a peer-to-peer connection. Host candidates expose local interface addresses. Server-reflexive candidates expose public IPs learned from STUN servers and are the most common leak signal. Relay candidates go through a TURN server and are the most privacy-preserving option.