The WebRTC VPN “Bug” and How to Fix It

Douglas Crawford

November 5, 2015

At the beginning of 2015 both the Chrome and Firefox browsers introduced a new “feature” called WebRTC. Rather alarmingly, however, it permits websites to detect your real IP address, even when using a VPN!

What is WebRTC?

Web Real-Time Communication (WebRTC) is a potentially useful standard that allows browsers to incorporate features such as voice calling, video chat, and P2P file sharing directly into the browser.

A good example of this is the new Firefox Hello video and chat client that lets you talk securely to anyone else using an up-to-date Firefox, Chrome, or Opera browser, without the need to download any add-on, or configure any new settings.

So what’s the problem?

Unfortunately for VPN users, WebRTC allows a website (or other WebRTC services) to directly detect your host machine’s true IP address, regardless of whether you are using a proxy server or VPN.

As the makers of, a tool that detects whether your browser is vulnerable to a WebRTC leak, explain,

Firefox and Chrome have implemented WebRTC that allows requests to STUN servers to be made that will return the local and public IP addresses for the user. These request results are available to JavaScript, so you can now obtain a user's local and public IP addresses in JavaScript. This demo is an example implementation of that.

Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.

The Opera browser, which uses the same WebKit code that powers Chrome, is also affected by the issue, but Internet Explorer and Safari, which do not support WebRTC, are not. Update: newer versions of the stock Android browser appear to implement WebRTC, and so should be avoided.

Am I affected?

You can test whether your browser is leaking your true IP address through WebRTC by visiting

Here we can clearly see that I have a WebRTC leak. The website can see my VPN server’s IP, but can also see my real local (UK) IP address. Bad!

If you have disabled WebRTC in your browser (or are using a browser that does not “feature” WebRTC), you will see this message. Good!

You may also see something like this, which means that your browser is vulnerable to the WebRTC “bug”, but that your VPN provider has fixed the problem and is routing WebRTC STUN requests through its servers. Bravo!

Although it is great that some VPN providers (such as AirVPN) have taken steps to fix the WebRTC “bug”, it should be stressed that, fundamentally, the problem lies with the WebRTC API, together with the fact that it is enabled by default within affected browsers.

It is therefore not really the fault of VPN providers, although we would love to see more of them rise to the challenge of protecting their customers (who will be largely unaware of the problem) from having their privacy compromised by this issue.
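The check behind a leak test like the one described above, as an added example (not code from this article or from the test site): it parses ICE candidate lines, the form in which WebRTC hands discovered addresses to JavaScript, and flags any public address that is not the VPN exit. The candidate lines and every IP address are constructed sample values, and the function names are illustrative.

```javascript
// Added example: audit ICE candidate lines captured during a WebRTC leak self-test.
// All addresses below are constructed sample values (documentation/private ranges).
const VPN_EXIT = '203.0.113.10';            // assumed VPN server address
const SAMPLE = [
  'candidate:1 1 udp 2113937151 192.168.1.23 46154 typ host',
  'candidate:2 1 udp 1677729535 198.51.100.7 46154 typ srflx raddr 192.168.1.23 rport 46154',
  'candidate:3 1 udp 1677729535 203.0.113.10 51000 typ srflx raddr 10.8.0.2 rport 51000',
];

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] } : null;
}

function addressScope(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return 'mdns';           // hostname placeholder, no IP revealed
  if (a.includes(':')) {                             // IPv6
    if (a === '::1') return 'loopback';
    if (/^fe[89ab]/.test(a)) return 'link-local';    // fe80::/10
    if (/^f[cd]/.test(a)) return 'private';          // fc00::/7
    return 'public';
  }
  const parts = a.split('.');
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return 'unknown';
  const [o1, o2] = parts.map(Number);
  if (o1 === 127) return 'loopback';
  if (o1 === 169 && o2 === 254) return 'link-local';
  if (o1 === 10 || (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168)) return 'private';
  return 'public';
}

// Compare every gathered address with the address the VPN is expected to present.
function auditCandidates(lines, vpnExitIp) {
  return lines.map(parseCandidate).filter(Boolean).map(c => {
    const scope = addressScope(c.address);
    let verdict = 'ok';
    if (scope === 'public' && c.address !== vpnExitIp) verdict = 'leak: public address is not the VPN exit';
    else if (scope === 'private' || scope === 'link-local') verdict = 'local network address exposed';
    return { address: c.address, type: c.type, scope, verdict };
  });
}

console.log(auditCandidates(SAMPLE, VPN_EXIT));
```

With WebRTC disabled no candidate lines are produced at all, so an empty result corresponds to the "Good!" case above.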



1. The simplest solution to the problem is to just disable WebRTC. In Firefox this can easily be done manually in the advanced settings:

a) Type ‘about:config’ into the URL bar (and click through ‘I’ll be careful I promise!’)
b) Search for ‘media.peerconnection.enabled’
c) Double-click on the entry to change the Value to ‘false’

This method also works in mobile versions of Firefox (Android/iOS).

2. Install the Disable WebRTC add-on. The uBlock Origin browser extension also prevents WebRTC from leaking your local IP address on the desktop (all of these add-ons also work on mobile versions of Firefox).


In uBlock Origin go to Menu -> Add-ons -> uBlock Origin -> Options -> Show Dashboard to disable WebRTC

3. A more nuclear option is to use the NoScript Add-on. This is an extremely powerful tool, and is the best way to keep your browser safe from a whole host of threats (including WebRTC), but many websites will not play ball with NoScript, and it requires a fair bit of technical knowledge to configure and tweak it to work the way you want it to.

It is easy to add exceptions to a whitelist, but even this requires some understanding of the risks that might be involved. Not for the casual user then, but for web-savvy power-users, NoScript is difficult to beat (in fact, even with most of its features turned off, NoScript provides some useful protections anyway). NoScript works on desktop versions of Firefox only.

4. As I have noted, WebRTC can actually be useful, so for a more nuanced approach you can install the Statutory add-on. This allows you to decide, on a site-by-site basis, whether to allow a WebRTC connection. Desktop only.

The Statutory add-on blocks WebRTC by default, but allows you to white-list sites by adding them to this list.

Note that the Tor Browser (which is based on Firefox) disables WebRTC by default.
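To confirm that the about:config change from option 1 above is actually stored in the Firefox profile, the profile's preference files can be checked. The following is an added example, not code from this article or from Mozilla; it assumes the contents of the profile's prefs.js (and optional user.js) are passed in as text, the function names are illustrative, and the sample file contents are constructed.

```javascript
// Added example: check Firefox preference files for the WebRTC master switch.
// The file contents below are constructed samples in the prefs.js / user.js line format.
const PREF = 'media.peerconnection.enabled';

// Parse lines of the form: user_pref("name", value);
function parseUserPrefs(text) {
  const prefs = new Map();
  const re = /^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) {
    const raw = m[2];
    let value = raw.replace(/^"|"$/g, '');            // string pref
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    prefs.set(m[1], value);                           // a later line overrides an earlier one
  }
  return prefs;
}

// user.js is re-applied over prefs.js at every start, so it takes precedence.
function auditWebrtcPref(prefsJsText, userJsText = '') {
  const fromUser = parseUserPrefs(userJsText);
  const fromPrefs = parseUserPrefs(prefsJsText);
  const source = fromUser.has(PREF) ? 'user.js' : fromPrefs.has(PREF) ? 'prefs.js' : 'default';
  const value = source === 'user.js' ? fromUser.get(PREF)
              : source === 'prefs.js' ? fromPrefs.get(PREF)
              : true;                                 // not set: WebRTC is enabled by default
  return { webrtcDisabled: value === false, source };
}

// Constructed sample: profile where the about:config change was saved.
const SAMPLE_PREFS_JS = [
  '// Mozilla User Preferences',
  'user_pref("browser.startup.page", 3);',
  'user_pref("media.peerconnection.enabled", false);',
].join('\n');
// Constructed sample: profile where the setting is missing (commented-out line is ignored).
const SAMPLE_MISSING = [
  'user_pref("browser.startup.page", 3);',
  '// user_pref("media.peerconnection.enabled", false);',
].join('\n');

console.log(auditWebrtcPref(SAMPLE_PREFS_JS));
console.log(auditWebrtcPref(SAMPLE_MISSING));
```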


1. The uBlock Origin browser extension is also available for Chrome (and works for Opera).

2. The WebRTC Network Limiter browser extension will prevent IP leaks without fully disabling WebRTC functionality (this is an official Google extension.)

3. In Android you can manually disable WebRTC in Chrome using the following method:

Type chrome://flags into the search bar and scroll down until you see “WebRTC STUN origin header”. Disable this. There are also some WebRTC video decoding options, but you should not need to disable these to prevent WebRTC IP leaks (although if it makes you feel better, go right ahead!).

(This method does not work in desktop versions of Chrome)


In theory, Opera can use regular Chrome extensions, but these mostly fail to block WebRTC IP leaks. The one method I know of that does work is using the WebRTC Leak Prevent extension, but only if you:

  1. Go to Menu -> Extensions -> Manage Extensions -> WebRTC Leak Prevent -> Options
  2. Set “IP handling policy” to: Disable non-proxied UDP (force proxy), and tick both options under “Legacy”.
  3. Hit “Apply settings”.


The WebRTC “bug” is dangerous for VPN users, as it can reveal your true IP address (thereby negating the whole point of using a VPN!)

Although it is not really their fault, it would be great if more providers could address the problem in order to protect their users, most of whom are completely unaware of this threat.

In the meantime, at least once you are aware of the problem, it can be easily fixed.

Douglas Crawford
April 12th, 2017

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

19 responses to “The WebRTC VPN “Bug” and How to Fix It”

  1. Ric says:

    I have tried all of the suggestions above to fix the WebRTC problem in Chrome and Opera on Android and none work. Any new ideas?

    1. Douglas Crawford says:

      Hi Ric,

      The WebRTC Network Limiter and uBlock Origin browser extensions really should work for Chrome. Something very strange is happening if they do not. As noted in the article, WebRTC Network Limiter does work for Opera, but only if you follow the instructions provided.

  2. sourcerx9 says:


    Thank you for this article.

    I am trying to disable WebRTC in Chrome on Android. Unfortunately, the flag chrome://flags/#disable-webrtc no longer appears to exist. I am curious if you have any other possible solutions for Android users, other than using a different web browser. I would appreciate any help!

    1. Douglas Crawford says:

      Hi sourcerx9,

      Thanks for alerting me to this change. Chrome has actually changed the WebRTC permissions, and split them into more fine-grained options. Go to chrome://flags and scroll down until you see “WebRTC STUN origin header”. Disable this. There are also some WebRTC video decoding options, but you should not need to disable these to prevent WebRTC IP leaks (although if it makes you feel better, go ahead). I have updated this guide with this information (and an updated screenshot).

  3. krishna says:

    I can’t find WebRTC Network Limiter for Firefox? Where should I get it?

  4. Minh Nhut says:

    I had a thought: if the target website is relying on WebRTC IP leaking to get our real IP, doesn’t that mean we can use that information against them!? For example, we modify the STUN response (with some network packet filter tools), to return a fake ‘real IP’ for them. Correct me if I’m wrong.

    1. Douglas Crawford says:

      Hi Minh,

      You are probably right that it is possible to use network packet filter tools in order to return a false STUN request result. This, however, is not a trivial thing to do, even for those with the technical expertise to do it.

  5. Ken says:

    Use webrtc off versions of SRWare Iron browser (chromium based browser)

    1. Douglas Crawford says:

      Hi Ken,

      Thanks for the tip. SRWare Iron does look interesting, but as far as I can tell is not open source (although it is based on the open source Chromium).

  6. German says:

    Hi, is it possible that bet sites & poker rooms have a “WebRTC” or something like this in their own software?
    They could know your real IP then, it being impossible to play on these sites safely.
    Best Regards

    1. Douglas Crawford says:

      Hi German,

      Yes, it is very possible. If used, it is likely mainly in order to detect whether players are accessing the website from permitted countries. Do please check out my Complete Guide to IP leaks to discover other ways in which websites can detect your real IP address when using VPN (and to fix it!).

  7. Peter says:

    Thanks for writing this up. It seems like these solutions block both local IP and the VPN IP. Anyway to make your VPN IP public while still blocking your local IP?

    1. Douglas Crawford says:

      Hi Peter,

      The WebRTC “bug” allows websites to see your local IP address regardless of whether you are using VPN. You can prevent this by disabling WebRTC (or using the WebRTC Network Limiter browser extension), in which case a website should only be able to see the IP of your VPN server (which I think is what you want.) There is no way to stop a website seeing any IP.

  8. PABT says:

    That is what I suspected and feared. Thank you for a very clear and prompt answer

  9. PABT says:

    This is probably a stupid question (is that an oxymoron? What is stupid is not asking when you don’t understand).
    Whilst setting ‘media.peerconnection.enabled’ to ‘false’ is simple, is it permanent? For example I like my tabs to be next to my context (tabs at bottom). This was easy to set in ‘about:config’. However the kind gentlemen at Firefox (who know far better what I want than I do) have removed this option in recent versions by installing a new ‘about:config’ list, and I now have to use an extension (written by someone cleverer than I am) to get what I want.
    Will the Firefox team remove the ‘media.peerconnection.enabled’ bug at their next half-weekly major update so that the incredibly useful ‘web-RTC’ feature can only be blocked by people who are capable of re-writing Firefox?

    1. Douglas Crawford says:

      Hi PABT,

      Changing Firefox advanced settings (including ‘media.peerconnection.enabled’) should be permanent, but as you have seen, it is probably worth checking after a major Firefox version update. The problem with WebRTC is that the ‘bug’ is built into the way WebRTC works, and is present as long as WebRTC is enabled. I do not believe the Firefox team has any plans to prevent users turning off WebRTC should they wish to do so (by setting ‘media.peerconnection.enabled’ to ‘false’). The best solution for those wanting the best of both worlds (no WebRTC ‘bug’, but the ability to use WebRTC when they want to) is the Statutory add-on discussed in the article.

  10. PaxD76 says:

    Did some additional research and came across this reddit page with Firefox tweaks:

    According to OP (he lists an additional 4 entries related to WebRTC):

    media.peerconnection.enabled;false // VPN cannot be bypassed anymore

    media.peerconnection.turn.disable;true // makes sure WebRTC is really disabled

    media.peerconnection.use_document_iceservers;false // makes sure WebRTC is really disabled

    media.peerconnection.identity.timeout;1 // makes sure WebRTC is really disabled

    I guess my question is whether the first one listed is directly responsible for VPN leaks. Once “media.peerconnection.enabled” is set to false, the other suggested tweaks (the reddit post) are unnecessary as far as VPN leaks are concerned.

    1. Douglas Crawford says:

      Hi PaxD76,

      Thanks for the link, but as I understand it, media.peerconnection.enabled is the “master switch” that enables/disables WebRTC functionality. The other settings you list are sub-settings, and are unnecessary once media.peerconnection.enabled is set to false.
