
WebRTC IP leak test — your local IP, exposed to JavaScript

The WebRTC surface is the loudest signal in any browser fingerprint test. With nothing more than new RTCPeerConnection() and a STUN server, JavaScript on any page can enumerate your local network IP — bypassing your VPN — and use it as a stable tracking signal.

Live test

This card runs only the WebRTC IP leak probe. To run all six fingerprint surfaces at once, use the full browser fingerprint test.

STUN candidate gathering reveals your local LAN address (and sometimes public IP) regardless of VPN — to JavaScript on any page.

Block this surface in your browser

Browser Leaks Fingerprint Shield is a free Chrome extension that spoofs canvas, WebGL, plugins, and WebRTC out of the box. Install it, refresh this page, and watch the hash above change.

What is a WebRTC IP leak?

WebRTC's ICE (Interactive Connectivity Establishment) protocol gathers candidates for peer-to-peer connections. Each candidate includes one of your IP addresses: host candidates expose your local LAN IP (e.g. 192.168.1.42), srflx candidates expose your public IP after STUN reflection, and relay candidates use a TURN server.

Modern Chrome obfuscates host candidates as mDNS hostnames (abc.local) which mitigates local IP exposure. But on older Chromium versions and other browsers, the raw IP still leaks. And srflx/STUN reflection still exposes your public IP unless the page explicitly avoids STUN — which tracker code never does.

How the test works

The test creates an RTCPeerConnection with stun:stun.l.google.com:19302 as the ICE server, opens a dummy data channel, calls createOffer() + setLocalDescription(), and listens for onicecandidate events. Each fired candidate's SDP string is parsed for IPv4 patterns. Anything that looks like a private RFC 1918 range (10.x, 192.168.x, 172.16-31.x) is shown as a local IP; everything else is shown as public.
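
The classification step described above, as an added example (not this site's own code): it parses each candidate line field by field instead of matching a bare IPv4 pattern, and goes slightly beyond the described test by also recognising mDNS hostnames, IPv6 addresses and the raddr field. The function names and the sample lines are constructed for illustration.

```javascript
// Added example. SAMPLE is constructed (private and documentation ranges), not captured traffic.
function classifyAddress(addr) {
  if (addr.toLowerCase().endsWith('.local')) return 'mdns'; // obfuscated host candidate
  if (addr.includes(':')) return 'ipv6';
  // 0.0.0.0 is the unspecified address and carries no information.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr) || addr === '0.0.0.0') return 'unknown';
  const [a, b, c, d] = addr.split('.').map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return 'unknown';
  const priv = a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
  return priv ? 'private' : 'public'; // RFC 1918 only, so 172.32.x.x is public
}

// foundation, component, transport, priority, address, port, "typ" type, extensions
const CANDIDATE_RE = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/;

function parseCandidate(line) {
  // Accepts both the SDP form ("a=candidate:...") and RTCIceCandidate.candidate.
  const m = line.trim().replace(/^a=/, '').match(CANDIDATE_RE);
  if (!m) return null;
  const [, , , transport, , address, port, type, rest] = m;
  const raddr = (rest.match(/\braddr (\S+)/) || [])[1] || null;
  return {
    type, transport: transport.toLowerCase(), address, port: Number(port),
    addressClass: classifyAddress(address), relatedAddress: raddr,
    relatedClass: raddr ? classifyAddress(raddr) : null,
  };
}

function summarize(lines) {
  const report = { private: [], public: [], mdns: [], ipv6: [], rejected: 0 };
  for (const line of lines) {
    const cand = parseCandidate(line);
    if (!cand) { report.rejected += 1; continue; }
    const pairs = [[cand.address, cand.addressClass], [cand.relatedAddress, cand.relatedClass]];
    for (const [addr, cls] of pairs) {
      const bucket = Array.isArray(report[cls]) ? report[cls] : null; // skips 'unknown'
      if (addr && bucket && !bucket.includes(addr)) bucket.push(addr);
    }
  }
  return report;
}

const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.42 54400 typ host generation 0',
  'candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4e8a-9c55-0d1e2f3a4b5c.local 54401 typ host',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 54400 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:4 1 udp 2122260223 172.32.0.5 54402 typ host',
  'not a candidate line',
];
```

Calling summarize(SAMPLE) returns the addresses grouped by class; to audit a browser configuration, pass it the event.candidate.candidate strings collected in an onicecandidate handler.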

How to block WebRTC IP leaks

Two approaches. The blunt approach is to set iceServers: [] on every RTCPeerConnection — but that breaks Discord voice, Google Meet, Zoom Web, and any other legitimate WebRTC app. The smart approach is to leave user-provided iceServers alone and only suppress the bare-default tracker pattern of new RTCPeerConnection() with no arguments.

Browser Leaks Fingerprint Shield uses the smart approach by default — voice apps keep working, default-config tracker probes get blanked. Install it and re-run this test to see the candidate count drop to zero on default-config probes.

FAQ

WebRTC IP leak questions

Why does the test still show my IP even with a VPN active?

WebRTC ICE candidate gathering happens at the browser level, not at the IP-routing level. Your VPN routes your traffic, but WebRTC asks the OS for all available network interfaces — including the underlying physical NIC behind the VPN. Browser-level WebRTC leak protection is the only fix.

What is mDNS / .local in WebRTC?

Modern Chrome replaces local IPs with random mDNS hostnames like "abc12345-...local" to mitigate local IP fingerprinting. This is a partial defense, but the hostname itself is stable per browser session and can still be used as a tracking ID.

Does disabling WebRTC entirely fix this?

Yes, but it breaks every voice/video chat app and any site that uses WebRTC for real-time communication. A targeted iceServers wrapper is a much better trade-off than disabling the entire API.

Is this test the same as a 'WebRTC leak test' from a VPN provider?

Functionally yes — same probe technique. The difference is that VPN providers want to upsell their own VPN; we want you to install our free Chrome extension that fixes the leak in the browser itself, regardless of which VPN you use.

Run the full browser fingerprint test.

See your composite hash across all six surfaces — canvas, WebGL, audio, WebRTC, Client Hints, and User-Agent — in one click.