You’d think connecting to a VPN or proxy would keep your real IP address completely out of sight. And for most traffic, it does. But browsers have a habit of talking behind your back, leaking identifying details through protocols and features that were never designed with privacy in mind.
The frustrating part is that your privacy tool might be working perfectly fine. Your browser is just doing its job, and sometimes that job includes giving away your location.
How Browsers Give You Away
Speed and convenience drive browser development, not privacy. WebRTC, DNS prefetching, certain JavaScript APIs: they all exist for legitimate reasons. They also happen to create gaps that expose your real IP address without so much as a warning.
WebRTC is the worst offender by a wide margin. Google built it so websites could handle audio and video calls without plugins, which is genuinely useful. The catch? WebRTC needs your actual IP address to establish peer-to-peer connections, and it will hand that information to any website running a basic JavaScript snippet. No permission dialog, no notification, nothing.
Research into browser fingerprinting shows these leak vectors (combined with other signals) can uniquely identify over 83% of site visitors. That number should bother anyone who thinks “VPN on” means “problem solved.”
WebRTC: Great for Video Calls, Terrible for Privacy
Zoom, Google Meet, Discord: they all depend on WebRTC. The STUN and TURN server requests that make those calls possible also force your browser to cough up both local and public IP addresses to any page that asks.
Running a webrtc check takes about ten seconds and the results tend to surprise people. You’ll often see your real IPv4 or IPv6 address right there on screen, fully visible, even with a VPN active.
This isn’t a desktop-only problem either. Chrome and Firefox on Android behave the same way. Safari on iOS is slightly better about it, but Apple’s implementation still has edge cases that leak in certain configurations.
DNS Leaks: Less Famous, Equally Dangerous
DNS leaks don’t get the same attention as WebRTC, which is a shame because they’re just as bad. If your browser sends domain name lookups through your ISP’s servers instead of your VPN’s encrypted DNS, your ISP can log every site you visit. So can anyone else watching that traffic.
Windows makes this worse than it needs to be. There’s a feature called “smart multi-homed name resolution” that fires DNS queries across all network interfaces at once, including ones outside the VPN tunnel. Microsoft has patched parts of this in later Windows releases, but the defaults still catch people off guard regularly.
Linux isn’t safe either. The systemd-resolved service behaves unpredictably when you’ve got multiple network interfaces running simultaneously.
IPv6: The Leak Nobody Thinks About
This one even gets experienced users. Plenty of VPNs and proxies only handle IPv4 traffic. If your operating system has IPv6 enabled (it almost certainly does by default), websites can see your real IPv6 address while your IPv4 stays neatly hidden behind the proxy.
Google’s IPv6 adoption data puts the number at over 45% of users connecting via IPv6. That’s a huge chunk of people potentially walking around with an exposed address and zero awareness of it.
The fix isn’t complicated: disable IPv6 at the OS level, or verify that your VPN explicitly tunnels IPv6 traffic too. Most paid VPN clients handle this now. Free tools and manual proxy setups almost never do.
Smaller Leaks That Add Up
WebRTC, DNS, and IPv6 are the big three, but they aren’t the whole picture. Firefox pulled the Battery Status API back in 2016 after researchers proved it could fingerprint users. The EFF’s Cover Your Tracks project catalogs just how many of these browser signals remain exposed today. Similar APIs still exist across Chromium-based browsers.
The Geolocation API at least asks permission before sharing your location. But Intl.DateTimeFormat reveals your timezone silently, and navigator.language gives away your language preferences. None of these are IP leaks on their own. Pair them with a partially exposed address, though, and you’ve got a fingerprint that’s disturbingly accurate.
What Actually Fixes This
There’s no single toggle that closes every gap. You need a few layers working together.
For WebRTC, Firefox users can go to about:config and flip media.peerconnection.enabled to false. Chrome doesn’t have that option natively, so you’re stuck using an extension like WebRTC Leak Prevent. Fair warning: turning off WebRTC kills browser-based video calls entirely.
For DNS, set up encrypted DNS (DoH or DoT) through something like Cloudflare’s 1.1.1.1 or Quad9. This catches stray queries that escape the VPN tunnel and works independently of whatever other privacy tools you’re running.
For IPv6, look for a leak protection toggle in your VPN client’s settings. If there isn’t one, disable IPv6 on the network adapter directly. It’s a one-line terminal command on macOS and a checkbox in adapter properties on Windows.
Where Browser Privacy Goes From Here
Browser vendors are closing some of these holes, slowly. Google’s Privacy Sandbox project focuses on replacing third-party cookies but doesn’t touch protocol-level leaks like WebRTC at all. Mozilla has shipped Total Cookie Protection and stronger tracking prevention, yet WebRTC still ships enabled by default in Firefox.
The real change happens when browsers start treating IP exposure as seriously as they now treat cookie consent. We’re not there yet. Until we are, it’s on you to test your own setup regularly and accept that “connected to a VPN” and “fully protected” aren’t the same thing.
