What is a WebRTC leak

WebRTC (Web Real-Time Communication) is a browser API for peer-to-peer connections — voice calls, video calls, screen sharing, direct file transfers. Google Meet, Discord voice, Slack huddles, and the in-browser parts of Zoom all use it.

For peer-to-peer to work, the browser needs to know your public IP. It learns this by asking a STUN server "what address do you see me from?" and caching the answer. Then any page that uses the WebRTC API can read that cached value — including pages you didn't intend to share your IP with.

That's a WebRTC leak. The VPN is up. The traffic is tunneled. The browser still hands out your real IP because it learned it before you connected, or because it has a side path that bypasses the tunnel.

Why a VPN doesn't fix this

A VPN tunnels network traffic. WebRTC's STUN exchange runs over that, but the browser's cached answer can be your real IP in two cases:

• Cached from before the VPN. The browser learned your real IP at startup or on a previous network. It saved it. The page asks WebRTC, gets the cached value.
• STUN escapes the tunnel. Some VPN configurations have routing edge cases where UDP to STUN servers leaks. Even with the VPN nominally up, the STUN exchange returns your real IP.

Even with everything routed correctly, the browser-side cache is still attack surface. Pages don't need to query STUN themselves — they ask WebRTC for the IPs the browser already knows.

What an attacker gets

Same things as no VPN at all: your real public IP, rough geolocation, ISP, and a persistent identifier. Worse than no VPN, because the leak gives them both your real IP and the VPN IP — they can correlate sessions and build a profile that follows you whether the VPN is up or not.

For journalists, activists, or anyone whose threat model depends on geolocation hiding, a WebRTC leak silently undoes the VPN's protection.

How to test

Run Fexyn's WebRTC leak test with the VPN connected. The public IP shown should be the VPN server's. If your home IP appears, you have a leak.

How to fix per browser

WebRTC fixes live in the browser, not the VPN.

• Firefox. about:config → media.peerconnection.enabled → false. Cleanest. Breaks browser-based video calls; desktop apps still work.
• Brave. brave://settings → search "WebRTC" → set "WebRTC IP Handling Policy" to Disable non-proxied UDP. Strongest setting that keeps calls working.
• Chrome / Edge. No built-in toggle. Install uBlock Origin with the "Prevent WebRTC from leaking local IP addresses" filter, or WebRTC Network Limiter (published by Google).
• Safari. No toggle exposed. If WebRTC matters, switch to Brave or Firefox.

Read the WebRTC leaks deep dive and the troubleshooting guide for the full instructions.

What Fexyn does and doesn't do

Fexyn doesn't monkey-patch your browser. We tunnel UDP (including STUN) through the VPN where the protocol allows, and we recommend the per-browser fix above. Combined, that closes the leak: the network can't see your real IP, and the browser doesn't volunteer it through WebRTC.

Try Fexyn free for 7 days and verify with the test.