invisible layer / WebRTC TURN leak
experiment · WebRTC · no permission needed
WebRTC shows your entire network topology.
WebRTC's ICE (Interactive Connectivity Establishment) protocol gathers every network address your device has — local LAN IP, router-assigned address, and the public IP seen by STUN servers. When TURN relay servers are involved, they reveal your ISP's routing infrastructure. All of this happens silently, with no permission prompt.
VPN users are not protected. ICE enumerates your network interfaces directly, below the VPN tunnel. Even if your browsing traffic is encrypted and routed through a VPN exit node, the ICE host candidate reveals the actual LAN address your router assigned to your device, and the srflx candidate reveals your real ISP's public IP when the STUN request goes out over UDP that the VPN does not carry. Ad networks use this to cross-reference VPN users with their real identities.
What are ICE candidates and why do they leak?

host candidates: your device's actual LAN IP addresses — assigned by your router, or link-local IPv6. These are enumerated from your network interfaces directly. Reveals your local network topology, subnet, and what type of router you're behind.

srflx candidates (Server Reflexive): your public IP as seen by a STUN server. If you're using a VPN, this might show your VPN exit node — or it might show your real ISP IP if the VPN doesn't intercept UDP traffic (split tunneling, WebRTC leak).

relay candidates: the address allocated to you on a TURN relay server. TURN is used when direct connectivity fails. The relay address shows which TURN server infrastructure your call is routing through, revealing your ISP's peering topology and geographic routing.

The fix: browsers can block WebRTC IP leaks with mDNS obfuscation (Chrome 75+, Firefox 65+), where host candidates become random UUID-based .local mDNS names instead of real IPs. But many older browsers and mobile platforms still expose them. In Firefox, setting media.peerconnection.ice.default_address_only = true in about:config prevents the leak.
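To check what a given set of ICE candidates discloses, and whether mDNS obfuscation is in effect for the host candidates, the candidate lines can be parsed and classified. This is an added example, not code from the original page; the function names are hypothetical and the sample candidates are constructed using documentation address ranges.

```javascript
// Added example: classify ICE candidate lines by what they disclose.
// SAMPLE_CANDIDATES is constructed test data (RFC 5737 documentation addresses).
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 2122194687 3f1c2e9a-7b4d-4c1e-9a55-0d2b6f8e1a10.local 54322 typ host",
  "candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:4 1 udp 41885439 198.51.100.9 49152 typ relay raddr 203.0.113.7 rport 61000",
];

// Candidate-attribute layout:
// foundation component transport priority address port "typ" type [raddr A rport P]
function parseCandidate(line) {
  const t = line.replace(/^a=/, "").replace(/^candidate:/, "").trim().split(/\s+/);
  if (t.length < 8 || t[6] !== "typ") return null; // not a candidate line
  const c = { transport: t[2].toLowerCase(), address: t[4], port: Number(t[5]), type: t[7] };
  for (let i = 8; i + 1 < t.length; i += 2) {
    if (t[i] === "raddr") c.relatedAddress = t[i + 1];
  }
  return c;
}

// Decide what kind of address a candidate carries.
function addressKind(addr) {
  if (/\.local$/i.test(addr)) return "mdns"; // obfuscated host candidate
  if (addr.includes(":")) return /^fe[89ab]/i.test(addr) ? "link-local" : "ipv6";
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return "unknown";
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) || (o[0] === 192 && o[1] === 168)) return "private";
  if (o[0] === 169 && o[1] === 254) return "link-local";
  return "public";
}

function auditCandidates(lines) {
  return lines.map(parseCandidate).filter(Boolean).map((c) => {
    const kind = addressKind(c.address);
    let finding = "other";
    if (c.type === "host") finding = kind === "mdns" ? "host-obfuscated" : "host-ip-exposed";
    else if (c.type === "srflx") finding = "public-ip-exposed";
    else if (c.type === "relay") finding = "relay-address";
    // raddr can repeat the LAN address even when the candidate itself is srflx
    const raddrLeak = c.relatedAddress !== undefined &&
      ["private", "link-local"].includes(addressKind(c.relatedAddress));
    return { type: c.type, address: c.address, kind, finding, raddrLeak };
  });
}
```

In a browser, the input strings are the `candidate` property of each `RTCIceCandidate` delivered by the `icecandidate` event; a hardened configuration should yield no `host-ip-exposed` findings and no `raddrLeak`.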