DEV Community

Seven Labs for Seven Labs

Posted on • Originally published at Medium on

How to Fix WebRTC IP Leaks in Chrome and Firefox

How to Fix WebRTC IP Leaks in Chrome and Firefox

WebRTC leaks your real IP address to websites even when you are behind a VPN — and it happens silently, without any visible indication. Our browser fingerprint test checks for this leak automatically. If yours shows a detected IP under “Local IP (WebRTC)”, this guide explains exactly how to fix it.

Quick Answer: What is a WebRTC IP Leak?

A WebRTC IP leak occurs when a website’s JavaScript code uses the WebRTC API to request peer connection candidates, and your browser responds with your real local or public IP address — bypassing your VPN tunnel.

This happens because WebRTC uses STUN (Session Traversal Utilities for NAT) servers to discover the best network path for audio and video calls. The candidates your browser generates include your real IP, and they are sent before your VPN has a chance to intercept them.

Why VPNs Do Not Always Prevent It

A VPN encrypts your traffic and routes it through an exit server, masking your public IP. But WebRTC operates at the browser API level, below where many VPN clients intercept traffic.

When JavaScript calls new RTCPeerConnection() and requests ICE candidates, the browser responds directly using the OS network stack -- sometimes sending the request out before the VPN tunnel handles it, or sending it via a separate interface entirely.

The result: a site that wants to know your real IP can get it with a few lines of JavaScript, VPN or not.

How to Test Whether You Are Leaking

  1. Go to our browser fingerprint test
  2. Look at the “Network & Location” card
  3. Check “WebRTC IP Leak” and “Local IP (WebRTC)”

If “WebRTC IP Leak” shows “Detected” or “Local IP” shows a 192.168.x.x or 10.x.x.x address, your browser is leaking.

You can also click either row to open the detail sidebar, which shows your specific leaked value and the exact fix steps for your browser.

Fix in Firefox (Recommended)

Firefox gives you a direct toggle to disable WebRTC entirely:

  1. Open a new tab and go to about:config
  2. Accept the warning
  3. Search for media.peerconnection.enabled
  4. Double-click it to set it to false

That is all. WebRTC will no longer be available to any website. This is the most complete fix — no exceptions, no leaks.

Impact: Sites that use WebRTC for video calls (Google Meet, Discord in browser) will stop working in WebRTC mode. They will typically fall back to their native apps or offer an alternative. For most people who do not use browser-based video calls, this has no practical downside.

If you want to keep WebRTC for specific sites, use Firefox’s site-level permissions instead of disabling it globally.

Fix in Chrome / Chromium / Edge

Chrome does not expose a WebRTC toggle in its settings. The most reliable fix is via uBlock Origin:

  1. Install uBlock Origin
  2. Click the uBlock Origin icon in your toolbar
  3. Open the dashboard (the gear icon or “Open the dashboard”)
  4. Go to the Settings tab
  5. Under “Privacy”, tick “Prevent WebRTC from leaking local IP addresses”

uBlock Origin patches the WebRTC API so that ICE candidates do not include your real network addresses. STUN requests are still sent but the response only contains your VPN-assigned IP.

Alternative: The WebRTC Leak Shield extension is dedicated specifically to this fix and requires no other configuration.

Fix in Brave

Brave’s Shields system includes WebRTC protection, but the default setting still allows leaks in some configurations.

  1. Click the Brave Shields icon (the lion) on any page
  2. Make sure Shields are On for that site
  3. Go to Settings > Privacy and security > WebRTC IP handling policy
  4. Set it to “Disable non-proxied UDP”

This forces all WebRTC traffic through your proxy/VPN, preventing the leak entirely.

Fix in Safari

Safari uses a restricted WebRTC implementation and does not expose local IP addresses via STUN by default. If you use Safari, you are generally not affected by this specific leak. Our fingerprint test will confirm this by showing “Protected” under the WebRTC check.

Fix in Opera

Opera bundles a free VPN, but it does not fix the WebRTC leak by default. Follow the Chrome fix above (uBlock Origin), as Opera is Chromium-based and accepts Chrome extensions.

What the Leak Looks Like

When WebRTC leaks are present, the fingerprint test shows values like:

  • Local IP (WebRTC): 192.168.1.105 -- your router-assigned local IP
  • Local IP (WebRTC): 10.0.0.3 -- corporate or VPN internal range
  • WebRTC IP Leak: Detected

When fixed correctly, you will see:

Does Disabling WebRTC Affect Anything?

For most users: no.

WebRTC is used for real-time audio and video in the browser. If you do not use in-browser video calls (Google Meet, Jitsi, Discord web), you will not notice it is off.

Sites that require WebRTC will either prompt you to enable it, suggest using their native app, or fall back to a non-WebRTC mode automatically.

Why This Matters Beyond VPN Users

Even if you do not use a VPN, a WebRTC IP leak reveals your local network structure to any website you visit. A script can determine:

  • Whether you are on a home or corporate network
  • Your device’s local IP address, which is stable within a given network
  • The presence of multiple network interfaces (suggesting a VPN or virtual machine)

This information contributes to your browser fingerprint and can help a tracker re-identify you even across different sessions.

Combining This Fix with Broader Privacy Improvements

Fixing WebRTC leaks is one part of reducing your overall tracking exposure. The browser fingerprint test shows all active signals — canvas hash, audio fingerprint, installed fonts, and more.

For a complete picture of what your browser reveals and how to reduce it, see:

Run the browser fingerprint test after applying the fix above. The WebRTC row will update to show “Protected” once the leak is resolved.

Free tool

Check your own security headers

Instant grade, plain-language explanations, and a full remediation plan — no signup needed.

Scan your site now →

Originally published at https://sechead.sevenlabs.site on July 8, 2026.

Top comments (0)