So you've got a VPN. You turned it on. The little lock icon looks reassuring. You assume you're invisible.
You're probably not.
This isn't a scare tactic. It's a specific, well-documented technical problem that affects millions of VPN users, most of whom have no idea it exists. It's called a VPN leak, and the most common flavor involves something called WebRTC. Let me explain what's actually happening under the hood.
What a VPN Is Supposed to Do
When you connect to a VPN, your traffic gets routed through an encrypted tunnel to a server somewhere else. Instead of websites seeing your real IP address, they see the VPN server's IP. That's the whole point. Your ISP can't see what you're browsing, websites can't pin your real location, and your network traffic looks like it's coming from, say, Frankfurt instead of your apartment in Cleveland.
It works. Most of the time.
The problem is that your browser and operating system don't always play along.
Here's What a VPN Leak Actually Is
A VPN leak happens when some piece of information that your VPN is supposed to hide ends up getting sent outside the encrypted tunnel anyway. Your real IP address shows up somewhere it shouldn't. The VPN is running, everything looks fine, but your actual identity is leaking out through a side channel you didn't know existed.
The most common source? WebRTC.
What Is WebRTC and Why Does It Exist
WebRTC stands for Web Real-Time Communication. It's a technology built directly into modern browsers that lets websites and web apps establish peer-to-peer connections for things like video calls, voice chat, and file transfers. Google Meet uses it. Discord uses it in the browser. Twitch streaming has used it. It's the reason you can have a video call through a website without installing any software.
Here's the thing about peer-to-peer connections: to make them work, your browser needs to know and communicate your actual IP address, including your local network IP and your public IP. It uses something called STUN servers (Session Traversal Utilities for NAT) to figure this out. The browser essentially asks a STUN server "hey, what's my real public IP?" and the STUN server tells it.
And here's the problem. That IP discovery process can bypass your VPN tunnel entirely.
Your browser makes those STUN requests through the operating system's network stack in a way that doesn't always get routed through the VPN. So even if your VPN is working perfectly for normal web traffic, those WebRTC requests can reveal your real public IP address to any website that wants to check.
Most websites don't check. But any website that runs a small piece of JavaScript can. And that includes websites that want to detect VPN users, advertisers who want your real location, and anyone else with a reason to care.
The Scale of This Problem
I think most people assume that because they paid for a VPN, they're protected. That's understandable. That's literally what VPN companies advertise. But surveys and security researchers who've looked into this have consistently found that a significant chunk of VPN users, sometimes estimated in the range of 20 to 30 percent depending on the configuration, are leaking their real IP through WebRTC without knowing it.
That's not a small edge case. That's a lot of people who think they have privacy they don't actually have.
And the frustrating part is that this isn't even the VPN's fault exactly. WebRTC is a browser feature. The VPN encrypts network traffic, but WebRTC operates at a layer that can sidestep that. Some VPNs handle it better than others, but plenty don't handle it at all and just hope you don't notice.
How to Test If You Have a VPN Leak Right Now
Turn on your VPN. Then go to our VPN Leak Test tool and run a full check.
The tool will look at what IP addresses are visible to the page, including any IPs being revealed through WebRTC. It compares these against what your VPN IP should be.
What the results mean:
If all detected IPs match your VPN's IP address, you're in good shape. No leak.
If you see an IP that matches your real ISP-assigned address alongside your VPN IP, that's a WebRTC leak. Your real IP is visible even though your VPN is on.
If you see only your VPN IP through normal channels but a different IP through WebRTC, that's also a leak, and it might be showing a different VPN server or a local network address.
Run the test twice if you want to be sure. Once with your VPN off to see your real IP, then again with your VPN on. If any IP from the first test shows up in the second, something is leaking.
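Here's that comparison written out as code. This JavaScript is an added example, not the code behind the leak test tool: it parses ICE candidate lines (the address strings a browser's WebRTC stack produces) and applies the outcomes described above. The function names, the choice to treat mDNS `.local` host candidates as non-leaking, and every sample address are assumptions made for illustration.

```javascript
// Added example. Every address below is a constructed documentation value.
// ICE candidate: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  return { address: f[4].toLowerCase(), type: f[7] };
}

function addressKind(addr) {
  if (addr.endsWith(".local")) return "mdns"; // hostname stand-in for a host candidate
  if (addr.includes(":")) {                   // IPv6: loopback, unique-local, link-local
    return /^(::1$|f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/.test(addr) ? "private" : "public";
  }
  const [a, b] = addr.split(".").map(Number);
  const isPrivate = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
  return isPrivate ? "private" : "public";
}

// vpnIp: the address sites see over normal HTTP while the VPN is on.
// baselineIps: addresses recorded with the VPN off (the "run the test twice" step).
function assessLeak(candidateLines, vpnIp, baselineIps = []) {
  const findings = [];
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip anything that is not a candidate line
    const kind = addressKind(c.address);
    let verdict;
    if (baselineIps.includes(c.address)) verdict = "real-ip";      // seen with VPN off
    else if (c.address === vpnIp || kind === "mdns") verdict = "ok";
    else if (kind === "private") verdict = "local-address";        // LAN or tunnel address
    else verdict = "unknown-public-ip";                            // not the VPN exit
    findings.push({ ...c, kind, verdict });
  }
  return { leaking: findings.some((f) => f.verdict !== "ok"), findings };
}

const SAMPLE_CANDIDATES = [ // constructed
  "candidate:1 1 udp 2122260223 3f1c9a2e-7b44-4c1d-9e0a-5d2b8c6f1a90.local 51234 typ host",
  "candidate:2 1 udp 1686052607 198.51.100.7 51234 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 udp 1686052351 203.0.113.45 40112 typ srflx raddr 0.0.0.0 rport 0",
];
const report = assessLeak(SAMPLE_CANDIDATES, "198.51.100.7", ["203.0.113.45"]);
console.log(report.leaking, report.findings.map((f) => `${f.address} -> ${f.verdict}`));
```

Passing an empty baseline still flags the third candidate, just as an unknown public IP instead of a confirmed real one.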
How to Fix a WebRTC Leak
There are several approaches, and which one makes sense depends on your browser and how much you want to mess with settings.
Option 1: Use a browser extension.
Extensions like uBlock Origin (in the right configuration) or dedicated WebRTC-blocking extensions can prevent the browser from making those real-IP-revealing STUN requests. This is probably the fastest fix. Search for "WebRTC leak prevent" in your browser's extension store and read the reviews before installing anything.
Option 2: Disable WebRTC directly in the browser.
In Firefox, you can type about:config in the address bar, search for media.peerconnection.enabled, and set it to false. This completely disables WebRTC in that browser, which means some video call features might stop working on sites that rely on it, but your IP won't leak.
Chrome doesn't let you disable WebRTC through settings, which is part of why it's the most leak-prone browser for this specific issue. You need an extension, or you use a different browser.
Brave has built-in WebRTC protection and handles this better than Chrome by default.
Option 3: Configure your VPN client to handle WebRTC.
Some VPN apps have a setting specifically for WebRTC leak protection. If yours does, turn it on. Check the settings panel. Look for anything about WebRTC, leak protection, or network routing. ExpressVPN, NordVPN, and Mullvad all have some level of WebRTC handling built into their clients.
Option 4: Use a VPN browser extension in addition to the desktop client.
Many VPN providers offer browser extensions that sit between the browser and the network. These extensions can intercept WebRTC requests specifically and route them properly. It's an extra layer on top of the VPN client.
Which VPNs Handle This Better
Mullvad is widely regarded as one of the best for preventing leaks. It's built by people who think deeply about this stuff and their browser extension specifically blocks WebRTC. Expensive taste in privacy tools, but it delivers.
ProtonVPN also has solid leak protection, and their open-source client makes it verifiable.
NordVPN and ExpressVPN do okay, especially with their browser extensions installed.
Generic no-name VPNs, free VPN apps, and particularly VPNs with opaque business models tend to do worse. Some of them don't handle WebRTC at all and just quietly let your real IP show up in tests.
Here's the thing about VPN choice: the price and the marketing often have very little to do with the actual technical implementation. A VPN that costs $15 a month can leak just as badly as a free one. Test before you trust.
DNS Leaks Are Also a Thing
While we're here, WebRTC isn't the only way your VPN can fail you. DNS leaks are another common problem.
When you type a URL, your computer needs to look up the IP address for that domain. Normally that lookup goes to a DNS server. When your VPN is on, that lookup should go through the VPN to a DNS server that can't be traced back to your ISP. But sometimes it doesn't. Sometimes the DNS queries leak out and go to your ISP's DNS servers anyway.
This means your ISP can see every domain you visit even if they can't see the content. Not great.
You can test for DNS leaks here. Same concept: run it with VPN on and see if the DNS servers showing up belong to your VPN provider or to your ISP.
The Bottom Line
A VPN is a good tool. I'm not here to tell you they're useless. But "VPN is on" and "you're actually protected" are not the same thing. WebRTC leaks are real, they're common, they're easy to miss, and they completely undermine the reason you turned the VPN on in the first place.
The fix is pretty simple. Test first, then patch whichever hole you find. Takes maybe ten minutes total.
Go run the VPN leak test right now. If you see your real IP in the results, you know what to fix.