The WebRTC VPN “Bug” and How to Fix It

At the beginning of 2015 both the Chrome and Firefox browsers introduced a new “feature” called WebRTC. Rather alarmingly, however, it permits websites to detect your real IP address, even when using a VPN!

What is WebRTC?

Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into the browser.

A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on, or configure any new settings.

So what’s the problem?

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC services) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.

As the makers of, a tool that detects whether your browser is vulnerable to a WebRTC leak, explain,

Firefox and Chrome have implemented WebRTC that allows requests to STUN servers to be made that will return the local and public IP addresses for the user. These request results are available to JavaScript, so you can now obtain a user’s local and public IP addresses in JavaScript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

The Opera browser, which uses the same WebKit code that powers Chrome, is also affected by the issue, but Internet Explorer and Safari, which do not support WebRTC, are not. Update: newer versions of the stock Android browser appear to implement WebRTC, and so should be avoided.

Am I affected?

You can test whether your browser is leaking your true IP address through WebRTC by visiting


Here we can clearly see that I have a WebRTC leak. The website can see my VPN server’s IP, but can also see my real local (UK) IP address. Bad!


If you have disabled WebRTC in your browser (or are using a browser that does not “feature” WebRTC), you will see this message. Good!


You may also see something like this, which means that your browser is vulnerable to the WebRTC “bug”, but that your VPN provider has fixed the problem and is routing WebRTC STUN requests through its servers. Bravo!
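The three outcomes above (leak, WebRTC disabled, VPN-routed) can be decided from the ICE candidate lines your own browser produces during such a test. The following is an added example, not code from the test site or the original article: the function names, verdict labels and sample candidates are assumptions, and it goes slightly beyond the text by also handling mDNS-obfuscated host names and the raddr field.

```javascript
// Added example. Candidate lines below are constructed; IPs are documentation/private ranges.
const SAMPLE_LEAK = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 1686052607 203.0.113.50 40000 typ srflx raddr 10.8.0.2 rport 40000",
];
const SAMPLE_FIXED = [
  "candidate:1 1 udp 2122260223 3f2a9c1e-0b7d-4e55-9a10-6c1d2e3f4a5b.local 40000 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.50 40000 typ srflx raddr 0.0.0.0 rport 0",
];
const PRIVATE_V4 = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./, /^127\./];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (f.length < 8 || !f[0].startsWith("candidate:") || f[6] !== "typ") return null;
  const r = f.indexOf("raddr");
  return { address: f[4], type: f[7], related: r > 0 && f[r + 1] ? f[r + 1] : null };
}

function addressKind(addr) {
  if (addr.endsWith(".local")) return "mdns"; // host address hidden behind an mDNS name
  if (addr.includes(":")) return /^(fe80|f[cd]|::1$)/i.test(addr) ? "private" : "public";
  return PRIVATE_V4.some((re) => re.test(addr)) ? "private" : "public";
}

// vpnExitIp: the address the site should see (the VPN server); supplied by the tester.
function assessLeak(candidateLines, vpnExitIp) {
  const parsed = candidateLines.map(parseCandidate).filter(Boolean);
  if (parsed.length === 0) return { verdict: "webrtc-disabled", leakedPublic: [], localSeen: [] };
  const seen = new Set();
  for (const c of parsed) {
    seen.add(c.address);
    // raddr is the base address behind a srflx candidate; browsers may blank it as 0.0.0.0
    if (c.related && c.related !== "0.0.0.0") seen.add(c.related);
  }
  const leakedPublic = [], localSeen = [];
  for (const addr of seen) {
    const kind = addressKind(addr);
    if (kind === "public" && addr !== vpnExitIp) leakedPublic.push(addr);
    if (kind === "private") localSeen.push(addr);
  }
  return { verdict: leakedPublic.length ? "leak" : "vpn-only", leakedPublic, localSeen };
}

console.log(assessLeak(SAMPLE_LEAK, "203.0.113.50"));
```

A "vpn-only" verdict with a non-empty localSeen list still means the page learned a LAN or tunnel address, which is worth noting even though it is not routable from outside.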

Although it is great that some VPN providers (such as AirVPN) have taken steps to fix the WebRTC “bug”, it should be stressed that, fundamentally, the problem lies with the WebRTC API, together with the fact that it is enabled by default within affected browsers.

It is therefore not really the fault of VPN providers, although we would love to see more of them rise to the challenge of protecting their customers (who will be largely unaware of the problem) from having their privacy compromised by this issue.



1. The simplest solution to the problem is to just disable WebRTC. In Firefox this can easily be done manually in the advanced settings:

a) Type ‘about:config’ into the URL bar (and click through ‘I’ll be careful I promise!’)
b) Search for ‘media.peerconnection.enabled’
c) Double-click on the entry to change the Value to ‘false’

This method also works in mobile versions of Firefox (Android/iOS)

2. Install the Disable WebRTC add-on. The uBlock Origin browser extension also prevents WebRTC from leaking your local IP address on the desktop (all of these add-ons also work on mobile versions of Firefox).


In uBlock Origin go to Menu -> Add-ons -> uBlock Origin -> Options -> Show Dashboard to disable WebRTC

3. A more nuclear option is to use the NoScript add-on. This is an extremely powerful tool, and is the best way to keep your browser safe from a whole host of threats (including WebRTC), but many websites will not play ball with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to.

It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web-savvy power users, NoScript is difficult to beat (in fact, even with most of its features turned off, NoScript provides some useful protections anyway). NoScript works on desktop versions of Firefox only.

4. As I have noted, WebRTC can actually be useful, so for a more nuanced approach you can install the Statutory add-on. This allows you to decide, on a site-by-site basis, whether to allow a WebRTC connection. Desktop only.

The Statutory add-on blocks WebRTC by default, but allows you to whitelist sites by adding them to this list

Note that the Tor Browser (which is based on Firefox) disables WebRTC by default.
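Firefox saves about:config changes in the profile's prefs.js file, and a user.js file in the same folder is applied over it at every startup, so the setting from step 1 can be re-checked after an update or profile reset without opening the browser. The following is an added example, not part of the original article: the function names and the sample file contents are assumptions made for illustration.

```javascript
// Added example. File contents below are constructed samples, not real profile data.
const PREF = "media.peerconnection.enabled";
const FIREFOX_DEFAULT = true; // per the article: WebRTC is enabled by default
const SAMPLE_PREFS_JS = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.page", 3);',
  'user_pref("media.peerconnection.enabled", false);',
].join("\n");
// Constructed: the same profile after the pref was lost (e.g. a reset profile).
const SAMPLE_PREFS_AFTER_RESET = 'user_pref("browser.startup.page", 3);';

// Pref files hold one call per line: user_pref("name", value);
function readPref(fileText, name) {
  let value; // stays undefined when the pref is not set in this file
  for (const raw of fileText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("//") || line.startsWith("#")) continue; // comment lines
    const m = line.match(/^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/);
    if (m && m[1] === name) value = m[2] === "true" ? true : m[2] === "false" ? false : m[2];
  }
  return value; // the last occurrence in the file wins
}

// Pass the text of prefs.js and, if the profile has one, user.js.
function effectiveWebrtcPref(prefsJs, userJs = "") {
  const fromUser = readPref(userJs, PREF);
  if (fromUser !== undefined) return { enabled: fromUser, source: "user.js" };
  const fromPrefs = readPref(prefsJs, PREF);
  if (fromPrefs !== undefined) return { enabled: fromPrefs, source: "prefs.js" };
  return { enabled: FIREFOX_DEFAULT, source: "default" };
}

console.log(effectiveWebrtcPref(SAMPLE_PREFS_JS));          // pref set to false in prefs.js
console.log(effectiveWebrtcPref(SAMPLE_PREFS_AFTER_RESET)); // falls back to the default
```

Putting the user_pref line in user.js makes Firefox re-apply it on every start, so a result with source "user.js" is the one that survives a prefs.js rewrite.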


1. The uBlock Origin browser extension is also available for Chrome (and works in Opera).

2. The WebRTC Network Limiter browser extension will prevent IP leaks without fully disabling WebRTC functionality (this is an official Google extension.)

3. In Android you can manually disable WebRTC in Chrome using the following method:

Type chrome://flags/#disable-webrtc into the search bar

(This method does not work in desktop versions of Chrome)


In theory, Opera can use regular Chrome extensions, but these mostly fail to block WebRTC IP leaks. The one method I know of that does work is using the WebRTC Leak Prevent extension, but only if you:

  1. Go to Menu -> Extensions -> Manage Extensions -> WebRTC Leak Prevent -> Options
  2. Set “IP handling policy” to: Disable non-proxied UDP (force proxy), and tick both options under “Legacy”.
  3. Hit “Apply settings”.


The WebRTC “bug” is dangerous for VPN users, as it can reveal your true IP address (thereby negating the whole point of using a VPN!)

Although it is not really their fault, it would be great if more providers could address the problem in order to protect their users, most of whom are completely unaware of this threat.

In the meantime, at least once you are aware of the problem, it can be easily fixed.

Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+


13 responses to “The WebRTC VPN “Bug” and How to Fix It”

  1. I got a thought that if the target website is relying on WebRTC IP leaking to get our real IP, doesn’t that mean we can use that information against them!? For example, we modify the STUN response (with some network packet filter tools), to return a fake ‘real IP’ for them. Correct me if I’m wrong.

    1. Hi Minh,

      You are probably right that it is possible to use network packet filter tools in order to return a false STUN request result. This, however, is not a trivial thing to do, even for those with the technical expertise to do it.

    1. Hi Ken,

      Thanks for the tip. SRWare Iron does look interesting, but as far as I can tell is not open source (although it is based on the open source Chromium).

  2. Hi, is it possible that bet sites & poker rooms have a “WebRTC” or something like this in their own software?
    They could know your real IP then, being impossible to play on these sites safely.
    Best Regards

    1. Hi German,

      Yes, it is very possible. If used, it is likely mainly in order to detect whether players are accessing the website from permitted countries. Do please check out my Complete Guide to IP leaks to discover other ways in which websites can detect your real IP address when using VPN (and to fix it!).

  3. Thanks for writing this up. It seems like these solutions block both local IP and the VPN IP. Any way to make your VPN IP public while still blocking your local IP?

    1. Hi Peter,

      The WebRTC “bug” allows websites to see your local IP address regardless of whether you are using VPN. You can prevent this by disabling WebRTC (or using the WebRTC Network Limiter browser extension), in which case a website should only be able to see the IP of your VPN server (which I think is what you want.) There is no way to stop a website seeing any IP.

  4. This is probably a stupid question (is that an oxymoron? What is stupid is not asking when you don’t understand).
    Whilst setting ‘media.peerconnection.enabled’ to ‘false’ is simple is it permanent? For example I like my tabs to be next to my context (tabs at bottom). This was easy to set in ‘about:config’. However the kind gentlemen at Firefox (who know far better what I want than I do) have removed this option in recent versions by installing a new ‘about:config’ list, and I now have to use an extension (written by someone cleverer than I am) to get what I want.
    Will the Firefox team remove the ‘media.peerconnection.enabled’ bug at their next half-weekly major update so that the incredibly useful ‘web-RTC’ feature can only be blocked by people who are capable of re-writing Firefox?

    1. Hi PABT,

      Changing Firefox advanced settings (including ‘media.peerconnection.enabled’) should be permanent, but as you have seen, it is probably worth checking after a major Firefox version update. The problem with WebRTC is that the ‘bug’ is built into the way WebRTC works, and is present as long as WebRTC is enabled. I do not believe the Firefox team has any plans to prevent users turning off WebRTC should they wish to do so (by setting ‘media.peerconnection.enabled’ to ‘false’). The best solution for those wanting the best of both worlds (no WebRTC ‘bug’, but the ability to use WebRTC when they want to) is the Statutory add-on discussed in the article.

  5. Did some additional research and came across this reddit page with Firefox tweaks:

    According to OP (he lists an additional 4 entries related to WebRTC):

    media.peerconnection.enabled;false // VPN cannot bypassed anymore

    media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled

    media.peerconnection.use_document_iceservers;false // makes sure WebRTC is really disabled;false // makes sure WebRTC is really disabled

    media.peerconnection.identity.timeout;1 // makes sure WebRTC is really disabled

    I guess my question is whether the first one listed is directly responsible for VPN leaks. Once “media.peerconnection.enabled” is set to false, the other suggested tweaks (the reddit post) are unnecessary as far as VPN leaks are concerned.

    1. Hi PaxD76,

      Thanks for the link, but as I understand it, media.peerconnection.enabled is the “master switch” that enabled/disables WebRTC functionality. The other settings you list are sub-settings, and are unnecessary once media.peerconnection.enabled is set to false.
