In short

WebRTC needs to know your real IP address to set up peer-to-peer video calls efficiently. It gets that address by asking something called a STUN server. By default that lookup happens whenever a website uses WebRTC, even when the site has no call to set up and only wants to extract your IP. VPN users have been caught out by this for years. The fix is to restrict WebRTC's IP gathering to routes that go through your VPN tunnel.

How WebRTC works

WebRTC is the technology that powers in-browser video calls. To set up a peer-to-peer connection between you and the other call participant, the browser needs to figure out the network paths between you. It does this with something called ICE (Interactive Connectivity Establishment), which involves asking a public STUN server: "hey, what IP do I look like I'm coming from?"

The STUN server replies with your public IP. The browser also gathers your local network IPs (e.g. 192.168.x.x). All of those candidates get exchanged with the other side so they can find a working route.

How the leak happens

WebRTC's IP-gathering can happen any time a page calls the WebRTC APIs, not just for legitimate video calls. A tracking script on a random website can call RTCPeerConnection, watch the IP candidates that get gathered, and now it has your real IP. Even if you're behind a VPN, your operating system might still surface the non-VPN local interface as a candidate.

The result: your VPN protects HTTP requests, but a malicious page can extract your real IP via WebRTC anyway. This was a big deal in the 2014–2018 VPN scene; it's still a big deal in 2026 because most browsers haven't fixed it.

How browsers can fix it

The fix is to restrict WebRTC's IP-gathering policy. The setting in Chromium has four options:

  • Default: gathers all interfaces (this is the leaky default)
  • Default public + private interfaces: same risk
  • Default public interface only: only the public IP visible to the network
  • Disabled non-proxied UDP: only routes through your proxy / VPN

The last option is what you want when using a VPN. Dazr ships with "Default public interface only" as its default setting, which prevents private network IPs from being leaked while still letting WebRTC video calls work. Combined with a VPN, this gets you the leak protection without breaking calls.

How to test for a leak

Visit the upcoming Dazr privacy audit tool and look at the WebRTC section. It runs a real WebRTC connection in the background and shows you which IPs got exposed. If your real IP shows up while you're on a VPN, your browser is leaking. (For now, sites like browserleaks.com run the same test.)
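
The check behind such a leak test, as an added example (not Dazr's or browserleaks.com's code): it parses ICE candidate lines, such as the ones listed in chrome://webrtc-internals, and flags every address that is not your VPN's exit IP. The function names, the `vpnExitIp` parameter and all sample lines are assumptions made for illustration.

```javascript
// Added example. All sample values are constructed (RFC 5737 documentation ranges).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f2a9c1e-7b4d-4c1a-9e2f-5d6a7b8c9d0e.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 1686052607 198.51.100.42 54323 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:5 1 udp 41885439 192.0.2.50 61000 typ relay raddr 0.0.0.0 rport 0",
];
const SAMPLE_VPN_EXIT_IP = "198.51.100.42"; // assumed: the address your VPN shows to the internet

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)/i.exec(line.trim());
  return m ? { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]), type: m[4] } : null;
}

function addressKind(addr) {
  if (/\.local$/i.test(addr)) return "mdns"; // browser-obfuscated host candidate, no IP revealed
  if (addr.includes(":")) { // IPv6
    if (addr === "::1") return "loopback";
    if (/^fe[89ab]/i.test(addr)) return "link-local"; // fe80::/10
    if (/^f[cd]/i.test(addr)) return "private"; // fc00::/7 unique local
    return "public";
  }
  const [a, b] = addr.split(".").map(Number);
  if (a === 127) return "loopback";
  if (a === 169 && b === 254) return "link-local";
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
  return "public";
}

// One finding per parseable candidate; the verdict says what, if anything, the line gives away.
function auditCandidates(lines, vpnExitIp) {
  return lines.map(parseCandidate).filter(Boolean).map((c) => {
    const kind = addressKind(c.address);
    let verdict = "ok";
    if (c.type === "relay") verdict = "ok"; // the TURN server's address, not yours
    else if (kind === "private" || kind === "link-local") verdict = "exposes-local-address";
    else if (kind === "public" && c.address !== vpnExitIp) verdict = "exposes-non-vpn-public-ip";
    return { address: c.address, type: c.type, kind, verdict };
  });
}

function leaks(lines, vpnExitIp) {
  return auditCandidates(lines, vpnExitIp).filter((f) => f.verdict !== "ok");
}

console.log(leaks(SAMPLE_CANDIDATES, SAMPLE_VPN_EXIT_IP));
```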