When discussing online privacy and VPNs, the topic of WebRTC leaks and vulnerabilities often comes up.
While the WebRTC issue is often associated with VPNs, this is in fact a vulnerability with web browsers – Firefox, Opera, Chrome, and Brave.
So what is WebRTC?
WebRTC stands for “Web Real-Time Communication”. This basically allows for voice, video chat, and P2P sharing within the browser (real-time communication) without adding extra browser extensions – further described on Wikipedia here.
While this feature may be useful for some users, it poses a threat to anyone using a VPN and seeking to maintain online anonymity without their real IP address being revealed.
The WebRTC Vulnerability
The fundamental vulnerability with WebRTC is that your true IP address can be exposed via STUN requests with Firefox, Chrome, Opera and Brave browsers, even when you are using a VPN.
Daniel Roesler exposed this vulnerability in 2015 on his GitHub page, where he stated:
Firefox and Chrome have implemented WebRTC that allow requests to STUN servers be made that will return the local and public IP addresses for the user. These request results are available to javascript, so you can now obtain a users local and public IP addresses in javascript.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.
Essentially, this means that any site could simply execute a few Javascript commands to obtain your real IP address via your web browser.
Will a VPN protect me against WebRTC leaks?
Answer: maybe.
Just like with browser fingerprinting, the WebRTC issue is a vulnerability with web browsers. As such, it is best to address the root cause of the issue by fixing the vulnerability with your browser, which we will cover below.
Nonetheless, there are some VPNs that protect against WebRTC vulnerabilities. I have tested two VPNs that protect users against WebRTC leaks via firewall rules:
- Perfect Privacy – The Perfect Privacy VPN clients are configured to protect against WebRTC vulnerabilities. I tested this with Windows and Mac OS.
- ExpressVPN – ExpressVPN has recently updated their software to further protect users against WebRTC leaks. I tested the updated software on Windows and Mac OS and verified that it protects against WebRTC leaks.
Note – Given that the WebRTC vulnerability is a tricky issue, it is still best to fix the problem in your browser, rather than relying solely on a VPN for protection.
WebRTC solutions
Here are three different options for dealing with the WebRTC issue:
1. Disable WebRTC in the browser (Firefox) and only use browsers with disabled WebRTC capability. (Instructions are below.)
2. Use browser add-ons or extensions if disabling WebRTC is not possible. (Disabling WebRTC is not possible with Chrome and Chromium-based browsers, such as the Brave browser.)
Note: browser add-ons and extensions are not 100% effective. Even with add-ons, the vulnerability still exists in the browser to reveal your true IP address with the right STUN code. (Therefore don’t use Chrome.)
3. Use a VPN that protects against WebRTC leaks, such as Perfect Privacy (review) or ExpressVPN (review).
WebRTC fixes and add-ons
Below are different fixes for various browsers.
Firefox WebRTC
Disabling WebRTC is very simple in Firefox. First, type about:config into the URL bar and hit enter. Then, agree to the warning message and click “I accept the risk!”
Then, in the search box type “media.peerconnection.enabled“. Double click the preference name to change the value to “false“.
That’s it. WebRTC is completely disabled in Firefox and you won’t have to worry about WebRTC leaks.
Chrome WebRTC (desktop)
Since WebRTC cannot be disabled in Chrome (desktop), add-ons are the only option (for those who do not want to just give up on using Chrome).
As pointed out above, it is important to remember that browser add-ons are not 100% effective. In other words, you may still be vulnerable to WebRTC IP address leaks under certain circumstances. Nonetheless, here are some add-ons that may be worth considering:
Another obvious solution is to stop using Chrome, which gives Google your data.
Chrome WebRTC (mobile)
On your Android device, open the URL chrome://flags/#disable-webrtc in Chrome.
Scroll down and find “WebRTC STUN origin header” – then disable it. For safe measure, you can also disable the WebRTC Hardware Video Encoding/Decoding options, though it may not be necessary.
Note: Android users can also also install Firefox, and disable WebRTC via the steps above.
Opera WebRTC
Just like with Chrome, the only way (as of now) to address the WebRTC vulnerability in Opera is to use an extension.
First, download the extension “WebRTC Leak Prevent” to your Opera browser.
Then in the Advanced options for the WebRTC Leak Prevent extension, select “Disable non-proxied UDP (force proxy)” and then click Apply settings.
Again, because this is an extension solution, it is not 100% safe or effective.
Brave WebRTC
Because the Brave browser is based on Chromium, it is also vulnerable to WebRTC IP address leaks, even when you are using a VPN.
There are two ways to block WebRTC in the Brave browser:
Method 1) Via Fingerprinting protection – Go to Preferences > Shields > Fingerprinting Protection > and then select Block all fingerprinting. This should take care of all WebRTC issues – at least on desktop versions of Brave (Windows, Mac OS, and Linux).
Method 2) Go to Preferences > Security > WebRTC IP Handling Policy > and then select Disable Non-Proxied UDP. This should also block WebRTC IP leaks in the Brave browser.
Note: I have seen some complaints from users who claim that WebRTC is not getting blocked on iOS, despite making the changes above. Brave developers appear to have confirmed this issue and are working on a fix.
Conclusion on WebRTC browser vulnerabilities
The WebRTC vulnerability highlights a very important concept for those seeking a higher level of online anonymity and security through various privacy tools.
The browser is usually the weak link in the chain.
The WebRTC issue also shows us that there may be other vulnerabilities that exist with our privacy setup, which we are not even aware of. (The WebRTC issue was not publicly known until 2015.)
One other problem to be aware of is browser fingerprinting. This comes into play here because adding more extensions and add-ons to your browser actually makes you more easy to identify and track. Consequently, this is another reason to simply go with Firefox and manually disable WebRTC, rather than using Chrome with add-ons. (Another option is to use the Tor browser, but it also comes with some risks and drawbacks, as discussed in the Tor guide.)
Stay safe!
Last updated September 17, 2018 to include instructions for Brave browser.
I noticed the GNU Icecat browser for Android claims not to reveal internal IP’s even with WebRTC enabled. Seems to involve the “media.peerconnection.ice.no_host” and “media.peerconnection.ice.default_address_only” preferences. Does anybody know if this is effective?
Silly question, but I assume by disabling webRTC one can no longer use chat services dependent on this. Is this correct? If correct, is there any way to leave webRTC enabled and protect against leaking?
I would like to thanks you wrote this useful article, but I found a tiny mistake typo that “First, type about.config into the URL bar and hit enter. “, the correct URL is “about:config”.
Hi Jony, thanks for the feedback, fixed.
Disabling WebRTC makes my connection quality very bad. Delay jumps from 35 to 450 ms.(when using WebRTC websites)
Any suggestion on how to fix this? Thanks in advance!
I have an Amazon Fire Tablet 7 that uses Silk as a browser. I am trying to use the chatroulette.com website on my tablet, but am not sure of how to go about it. Any help you can give me is appreciated. Thanks.
Well if gambling websites are blocked in your area, you could use a VPN that offers an app for Amazon tablets, then connect to the websites you want.
Hi admin, I just installed Brave browser on my laptop, I use vypr vpn, when I checked whoer, the anonymity shows 100 percent but it still indicates that webrtc is enabled even after I diasabled it in settings. This makes me uncomfortable – privacy and anonymity wise. Is there anything else you can recommend I should do to correct this and ensure anonymity and privacy?
Hello, I’m looking into the WebRTC issue with Brave and will be updating this guide very soon with that information. But to answer your question:
Using Brave with Fingerprinting Protection set to Block All should prevent WebRTC IP leakage. Changing your WebRTC settings to “Disable Non-Proxied UDP” also accomplishes this.
You are doing a great job in making people like me with very little knowledge of technology and internet. I recently installed brave for android reading your review. But there is no option to change webrtc settings to “disable non proxied udp” . Can you explain if there is any other way to stop webrtc leakage in the latest version of brave for android ? Or do you suggest that i use firefox and configuring it completely like you have share in one of your posts?
Hi Yoman, I haven’t looked at Brave Android yet, but one good option is Firefox Focus browser, which you can also modify using the instructions above to disable WebRTC. Firefox Focus is a privacy-focused mobile version that automatically blocks trackers and erases browsing history.
Hi Sven,
Unfortunately, I checked and rechecked my settings. My Chrome mobile (Android) browser Webrtc is still showing my router’s IP address: 192.168.x.xx.
Can you see if your fix still works on your device?
Hi Frown, that 192.168… is just a local address and not your unique public IP address. A local IP address beginning in 192.168… is not uniquely identifiable.
This is exactly the opposite. Every site can know the public IP address (it is public!), but only if you have a WebRTC leak then sites can also know the local one. I can confirm that on Android it doesn’t work
Not correct. If you are using a VPN and run a WebRTC leak test and get a result of 192.168… this is a local IP address and is not uniquely identifiable – i.e. this is not a WebRTC leak. If your unique public IP address being exposed (when you are using a VPN) then you have a WebRTC leak. See additional information here.
I understand what your’re saying Sven, but if one runs the leak test from their desktop browser and has webrtc enabled either manually or through an extension, they don’t usually see their router’s ip address.
Hello Sven, are webrtc leaks only possible in webbrowsers or do they effect other software too? Im asking because i get webrtc Leaks in Brave Browser with IKEV2 (NordVPN and Perfect Privacy). But only with Brave and IKEV2, OPENVPN works fine. Under Firefox its disabled and i get no leaks. But when it Leaks under Brave it might leak under other software where i cant check for webrtc leaks, or am i wrong?
Best regards
Hi Brad, that is correct, the WebRTC leaks only affect browsers, such as Brave because it’s built on Chromium.
I’ve been combing your web site the last couple of days. I use Mac OSX and IOS exclusively. What setup would you use for those of us who are using the Apple environment?
Hey Jack, I really like VPN.ac’s Mac OS and iOS apps – see the VPN.ac review.
Hi Sven, I’m thinking about switching to only using linux for increased privacy – what would be your suggestion for vpn in that scenario?
Hi James, you can run OpenVPN on Linux terminal. There are also providers that offer Linux clients, such as Perfect Privacy (supports Ubuntu and Linux Mint) and AirVPN.
Stun servers can run on any port over TCP and UDP. It’s technically not feasible to block WebRTC via firewall rules. You can block the default port 3478 which is used by most Stun servers but any VPN that sets this firewall rules gives its users a false sense of security. All basic IP leak tests turn out fine, but you’re still vulnerable to expose your real IP on any website that uses a Stun server, which runs on a different port.