The False Sense of Security
You launch your VPN. The icon turns green. You feel safe. But a protocol built into your browser for video chatting might be broadcasting your real IP address to every website you visit, bypassing your VPN entirely.
What is WebRTC?
Web Real-Time Communication (WebRTC) is an open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs. It powers Google Meet, Discord on the web, and Zoom.
To establish a direct peer-to-peer connection for high-speed video, WebRTC needs to know your actual IP address, not just the one your VPN server assigns you. It uses a protocol called STUN (Session Traversal Utilities for NAT) to discover this.
The Leak Mechanism
A website can execute a simple JavaScript request to a STUN server. Your browser, trying to be helpful, queries the server and receives your public IP and your local LAN IP (e.g., 192.168.1.55) in return. It then exposes these to the JavaScript on the page.
This happens inside the browser, often ignoring the system-level network routing tables that VPNs rely on.
Mitigation
Standard VPN software cannot always block this because it occurs at the application layer. You must configure your browser:
- Firefox: Go to about:config and set media.peerconnection.enabled to false.
- Chrome/Edge: You typically need an extension like WebRTC Control.
Always verify your setup. Trust, but verify. Use DCIPCHECK to confirm your IP is truly masked.
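For the verification step, the following added example (not code from this page or from any tool it names) gathers the ICE candidates your own browser produces and flags which addresses a page script would see. The STUN URL you pass in, the VPN exit IP and the sample candidate lines are constructed placeholders; gatherOwnCandidates only works in a browser devtools console.

```javascript
// ICE candidate attribute shape:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] };
}

function isPrivateV4(addr) {
  const o = addr.split('.').map(Number);
  if (o.length !== 4 || o.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168);
}

function classify(c) {
  if (c.address.endsWith('.local')) return 'masked-mdns'; // browser hid the LAN IP behind an mDNS name
  if (c.type === 'host') return isPrivateV4(c.address) ? 'lan-ip-exposed' : 'interface-ip-exposed';
  if (c.type === 'srflx') return 'public-ip-exposed';     // the address the STUN server saw
  return 'other';                                         // relay or prflx candidates
}

// vpnIp: the exit address you expect sites to see while the VPN is up.
function auditCandidates(lines, vpnIp) {
  return lines.map(parseCandidate).filter(Boolean).map(c => ({
    address: c.address, type: c.type, finding: classify(c),
    bypassesVpn: c.type === 'srflx' && c.address !== vpnIp,
  }));
}

// Browser only: collect this browser's own candidates for a self-check.
async function gatherOwnCandidates(stunUrl, timeoutMs = 3000) {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.createDataChannel('probe'); // a channel is needed so ICE gathering starts
  const done = new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
    setTimeout(resolve, timeoutMs);
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}

// Constructed sample input (documentation address ranges, not real hosts).
const VPN_EXIT_IP = '198.51.100.20';
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.55 54321 typ host',
  'candidate:2 1 udp 2122194687 0d5c1f4e-constructed.local 54322 typ host',
  'candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0',
];
```

With WebRTC disabled as described under Mitigation, gatherOwnCandidates fails or returns no candidates, so an empty audit is the result you want.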