VPN services are used by many to stay safe and anonymous on the web by hiding their real IP addresses and encrypting their traffic. However, some VPN services suffer from leaks which can give away the very information users seek to protect. The major VPN leak types are WebRTC, DNS, and IPv6 leaks. Let’s look at these vulnerabilities in greater detail and examine what you can do to detect and stop them.
What is a WebRTC leak?
A WebRTC (Web Real-Time Communication) leak is a vulnerability that exposes your IP address to websites that use WebRTC functionality to establish a connection with you. This allows third parties to detect your (approximate) real location and ISP, which, in conjunction with other information, could be used to identify you.
WebRTC is an API definition that facilitates communication between browsers directly, without the need for an intermediate server. Its benefits include faster speeds and less lag for activities such as live streaming, file transferring, and video chats. For two devices to communicate with each other directly, however, they need each other’s IP address. WebRTC sometimes goes around the VPN tunnel, thereby exposing a user’s IP address in what is called a WebRTC leak.
VPNs such as ExpressVPN, NordVPN, and Ivacy VPN, among others, do not suffer from WebRTC leaks and have features preventing any such leaks from occurring. However, most free VPNs such as Hola VPN and Tuxler VPN lack WebRTC leak protection and may be prone to leaks.
At the core of these leaks is the fact that WebRTC relies on protocols whose job is precisely to discover the real IP addresses of the devices involved. Here are the ways the ICE (Interactive Connectivity Establishment) protocol discovers real IP addresses.
STUN/TURN servers let a browser ask what its public IP address is, so that two devices can communicate with each other even when both sit behind NAT firewalls.
Host candidate discovery
Most devices accessing the internet have multiple IP addresses associated with their hardware. Firewalls and NAT hide these addresses from websites and from STUN/TURN servers, but ICE lets the browser simply read them off the device itself. The IPv4 addresses found this way are typically local addresses and do not compromise privacy. IPv6, on the other hand, poses a high privacy risk, because a device's IPv6 address acts as its unique public IP address. ICE can easily discover the IPv6 address associated with your device, and this could compromise your privacy.
Using these methods, a malicious website can trick your browser into unveiling your real IP address, thus identifying you without your consent.
Which browsers are most vulnerable to WebRTC leaks?
WebRTC leaks occur in just about any browser. However, users of Chrome, Firefox, Safari, Opera, and Edge, among others, are more vulnerable to leaks because they have WebRTC enabled by default.
What is a DNS leak?
DNS is an acronym for Domain Name System. When you enter a web address into your browser, it delivers that domain name to a DNS server, which translates the domain name into an IP address. The DNS server then sends that data back to your browser to enable it to connect to the IP address.
Every ISP runs its own DNS servers, which it regularly updates to cater for new domain names and addresses. DNS queries are requests from a user's device to translate domain names into IP addresses. These requests are fundamental to internet communication, as most applications, including games, browsers, and email clients, use IP addresses to communicate.
A DNS leak occurs when a DNS query is sent directly to an ISP’s DNS server instead of through the encrypted VPN tunnel, thus allowing the ISP to see what websites the user is visiting.
This is mostly an issue for Windows machines, which is why the Windows versions of most good VPN apps include features protecting against DNS leaks.
While the top premium VPN services such as ExpressVPN and NordVPN do not leak DNS info and even protect you from leaks, some cheap or free options such as SkyVPN suffer from DNS leaks.
What is an IPv6 leak?
IPv6 (Internet Protocol Version 6) is the new IP standard, introduced in 1998 to replace the current standard – IPv4. IPv6 allows for a lot more unique IP addresses than the older IPv4 standard. However, IPv4 is still a long way from being replaced by its successor.
IPv6 addresses, on their own, aren't dangerous. However, VPNs assign IPv4 addresses to their users, and if a user's device connects to an IPv6 server over its own IPv6 address, that connection may bypass the VPN tunnel and reveal the user's actual IP address.
As businesses shift from IPv4 to IPv6, their information can be stolen by hackers if their IPv6 setup is not equipped with sufficient security controls. If you have an IPv6 address, then you need to make sure your VPN either has IPv6 disabled altogether or has an IPv6 leak protection feature.
How to test for VPN leaks
To find out if your VPN service is currently leaking your data, there are a couple of tests you can and should perform regularly.
WebRTC leak test
If you're using a VPN and suspect it may have a WebRTC leak, you can check with the following leak test:
- Disconnect from the VPN service.
- Open a WebRTC leak checker like this one.
- Take note of the public IP addresses displayed on the page.
- Close the page.
- Connect to your VPN service and then reopen the page.
- If you see any of the public IP addresses you saw earlier, then you have a leak.
On the other hand, if the public IP addresses are different, you have nothing to worry about.
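The candidate discovery described above and the before/after comparison in this test, as an added example in JavaScript (not code from the article or from any VPN vendor): it parses the ICE candidate strings a browser hands to a page, groups them by how ICE learned them, and flags any address that was gathered before connecting and is still gathered afterwards. The STUN URL and the sample candidates are constructed placeholders.

```javascript
// Added example, not from the article: parse the ICE candidate strings a page obtains
// from RTCPeerConnection and apply the article's before/after-VPN comparison to them.
// Syntax: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const CANDIDATE_RE = /^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/;
function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(String(line).trim());
  return m ? { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] } : null;
}
// "host" candidates come straight off the device's interfaces (host candidate discovery),
// "srflx" is the public address a STUN server observed, "relay" is a TURN relay address.
function addressesByType(lines) {
  const out = { host: new Set(), srflx: new Set(), prflx: new Set(), relay: new Set() };
  for (const c of lines.map(parseCandidate)) if (c && out[c.type]) out[c.type].add(c.address);
  return out;
}
// The article's test: an address gathered without the VPN that is gathered again
// while connected is a leak, whatever candidate type carried it.
function findLeakedAddresses(withoutVpnLines, withVpnLines) {
  const before = new Set(withoutVpnLines.map(parseCandidate).filter(Boolean).map(c => c.address));
  const leaked = [];
  for (const [type, addrs] of Object.entries(addressesByType(withVpnLines))) {
    for (const address of addrs) if (before.has(address)) leaked.push({ address, type });
  }
  return leaked;
}
// Browser side: gather candidates through a STUN server (URL is a placeholder).
// Node has no RTCPeerConnection, so there this resolves to an empty list.
function gatherCandidates(stunUrl) {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve([]);
  return new Promise(resolve => {
    const lines = [];
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    pc.createDataChannel('probe');  // opening a data channel is enough to start ICE gathering
    pc.onicecandidate = e => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(lines); }  // null candidate = gathering finished
    };
    pc.createOffer().then(offer => pc.setLocalDescription(offer));
  });
}
// Constructed samples (documentation addresses): 203.0.113.7 is the ISP-side public
// address that STUN still reports after connecting, the leak the article describes.
const SAMPLE_WITHOUT_VPN = [
  'candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.20 rport 54321',
];
const SAMPLE_WITH_VPN = [
  'candidate:1 1 udp 2122260223 10.8.0.2 41000 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.7 41000 typ srflx raddr 10.8.0.2 rport 41000',
];
```

In a browser, `gatherCandidates('stun:your-stun-host:3478')` run once before and once after connecting gives the two lists to pass to `findLeakedAddresses`.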
DNS leak test
You can detect DNS leaks by using an online DNS test tool. Most of these are free. All you have to do is connect to your VPN service and run the test.
If the test results include your real ISP's hostname, your country, or your actual IP address, then a DNS leak is confirmed.
How to Stop VPN leaks
If you find that your VPN service is vulnerable to WebRTC, DNS, or IPv6 leaks, what can you do about it? Let’s examine ways you can stop or prevent these leaks and reinforce your online privacy.
Prevent WebRTC browser vulnerabilities
One way to protect yourself from WebRTC leaks is to get a VPN service that offers solid protection from these vulnerabilities. VPNs such as ExpressVPN or NordVPN go the extra mile to ensure that WebRTC browser vulnerabilities are not an issue for their user base.
Browsers occasionally cache IP addresses, and such instances may compromise your privacy. Fortunately, you can manually disable WebRTC in your browser.
Disabling WebRTC does not significantly affect the normal browsing experience. Remember: most websites don't depend on it. However, some real-time communication or file transfer functions may become unavailable.
How to manually disable WebRTC in Firefox
Firefox WebRTC vulnerabilities are easy to plug because the browser has an integrated way to disable the functionality.
- In the address bar, type “about:config”
- Click on the “I accept the risk!” button that appears
- A search bar will appear – type “media.peerconnection.enabled”
- Double-click to change the value to “false”. This disables the Firefox WebRTC functionality.
The procedure above prevents the WebRTC leak on both the desktop and mobile versions of Firefox.
How to neutralize the WebRTC Chrome (Desktop) issue
Unlike with some other browsers (such as the aforementioned Firefox), manually disabling the Chrome WebRTC functionality is not very straightforward. Therefore, if you're using the Chrome browser, you might want to use a Chrome extension to plug the hole. Here are a few that will do the trick:
uBlock Origin works as an all-purpose blocker for ads and trackers and has an option to block WebRTC in Chrome. The WebRTC Network Limiter, on the other hand, is an extension developed by Google specifically to stop IP leakage through WebRTC.
How to block Chrome WebRTC on mobile
On Chrome for Android, use the following steps:
- Open Chrome and enter “chrome://flags/#disable-webrtc” into the address bar.
- Scroll down to the option “WebRTC STUN origin header” and disable it.
This will fix your WebRTC woes on mobile.
How to block WebRTC on Opera
There are two ways you can go about plugging the WebRTC Opera leak. The first is to follow these steps:
- Go to Settings
- Click Advanced->Privacy & Security and scroll down to WebRTC
- Choose “Disable non-proxied UDP”
Note that this doesn’t disable Opera WebRTC altogether, but it will prevent WebRTC leaking your real IP address.
How to prevent the WebRTC leak on Brave
The Brave browser has had a long-standing WebRTC vulnerability, which was fixed only in 2018. Currently, users can plug the Brave WebRTC leak issue by following these steps:
- Go to Settings->Advanced->Privacy & Security->WebRTC
- Choose “Disable non-proxied UDP”
These are the same steps you would follow as an Opera user. Again, this does not disable Brave WebRTC altogether – it only fixes the leak.
How to fix DNS leaks
There are several things that can be done to prevent DNS leaks from occurring, such as assigning your PC a static IP. However, the most secure and simple solution is to use a VPN service with integrated DNS leak protection. Most of the top VPN providers offer DNS leak protection.
When you connect to your Virtual Private Network, you are automatically switched to its DNS server instead of your ISP's. That way, you are protected, as your ISP is not aware of the sites you are visiting or the domains you are accessing.
But what happens if your VPN does not have DNS leak protection? In such situations, Windows users can be vulnerable. It doesn’t necessarily mean your DNS queries are leaking, but the risk is heightened.
How to stop IPv6 leaks
Just like with DNS leaks, the best solution for dealing with IPv6 leaks is to use a reputable VPN service. Most VPNs that offer protection from IPv6 leaks simply turn IPv6 off while the VPN is connected.
IPv6 leaks can also be stopped by using specific ACLs (Access Control Lists). IPv4 and IPv6 use different protocol stacks, which means that IPv4 ACLs do not apply to IPv6 traffic; an IPv6 ACL is slightly more complicated than its IPv4 counterpart. ACLs work like traffic signals: they specify which systems or objects are allowed to reach other objects.
An IPv6 ACL can also filter large amounts of undesired TCP and UDP traffic based on source and destination ports. However, this is a bit more difficult than in the IPv4 environment. To solve this problem, network engineers can use a newer filtering keyword, undetermined transport.