Skip to content
← All Tools

What Is My VPN / Am I Leaking?

Compare your HTTP-visible public IP with WebRTC ICE reflexive addresses to spot possible IP leaks, plus plain-language DNS leak context.

This page compares the public IP our server sees over HTTPS with server-reflexive (srflx) ICE candidates produced by a short WebRTC gather using standard STUN servers. When those public endpoints disagree, it can mean WebRTC is traversing a different path than your page load—often worth reviewing if you rely on a VPN.DNS resolver identity cannot be fully enumerated from the browser alone; we explain why and point you to complementary checks.

🔐What Is My VPN / Am I Leaking?

WebRTC ICE and why VPN users care

WebRTC negotiates realtime audio, video, and data channels. During setup the browser runs the Interactive Connectivity Establishment (ICE) algorithm: candidates describe every network path peers might try (host/private, server-reflexive, relay, peer-reflexive). A STUN (Session Traversal Utilities for NAT) server echoes the public-facing endpoint it observes for outbound UDP—that becomes an srflx candidate typed in SDP.

Your VPN may route TCP (what typical HTTPS relies on) through the tunnel while UDP to STUN exits elsewhere if policy, split routing, firewall rules, or IPv6 bridging differ. Researchers and users colloquially call that a WebRTC leak because the leaked srflx can reveal a home or carrier IP unrelated to your VPN egress.

How detection works here

  1. HTTP baseline: the browser performs GET /api/ip; Cloudflare-supplied CF-Connecting-IP (or X-Forwarded-For) resolves the address we log for HTTPS.
  2. ICE gather: we instantiate RTCPeerConnection with public STUN servers, open an in-band data channel, call createOffer → setLocalDescription, and collect icecandidate events until a timeout expires.
  3. Srflx harvesting: any candidate whose type === "srflx" (SDP or object property) exposes a reflexive endpoint; we isolate non-private IPs and compare them against the HTTP baseline IP after normalization for IPv6 casing.
  4. Verdict heuristics: mismatched IPv4 reflexive vs IPv4 HTTPS IP flags a probable WebRTC/IP conflict. Dual-stack or timeout edge cases downgrade to explanatory copy instead of a binary pass/fail—see the results table below the hero for raw values.

DNS leaks and the browser sandbox

A DNS leak happens when lookups for VPN-controlled hostnames—or plain cleartext SNI-associated names—are resolved outside the VPN resolver path, oftentimes by your ISP. Full leak suites assign each session a unique label under a wildcard zone so resolvers observable at authoritative servers can be mapped.

Ordinary web apps cannot silently enumerate resolver chains for arbitrary OS sockets. Privacy guides therefore recommend VPN vendor tooling, firewall rules, DHCP/DNS-lock features, or dedicated native utilities. Inside the browser we still surface best-practice copy and steer you toward our What Is My DNS tool where you knowingly issue DoH lookups to study resolver-visible answers—not a substitute for a native DNS leak panel, but useful when teaching how lookups differ across configurations.

Privacy implications

Running ICE exercises signals similar network metadata to trackers that monetize fingerprints, though we do not store candidate outputs server-side—they stay in your DOM until reload. Blocking third-party trackers does not by itself prevent first-party probes like ours; clearing state after sensitive sessions remains wise.

Correlate egress identity with What Is My IP, organization labels via What Is My ISP, and GeoIP-style summaries on What Is My Location. Understand transport quality using What Is My Latency and throughput using the Internet Speed Test.

Privacy note

HTTPS calls hit our `/api/ip` route; ICE checks contact public STUN infrastructure and otherwise execute locally. Structured logs may exist at the infrastructure layer—see Privacy Policy regarding analytics cookies and advertisements separate from diagnostics.

Common questions

What is a VPN leak?
A VPN leak is any situation where traffic that should exit through your VPN tunnel instead exposes your underlying connection information. Common leaks include WebRTC exposing a different public IP than your HTTPS traffic, IPv6 exiting outside the tunnel when only IPv4 is covered, DNS queries resolving through your ISP instead of your provider’s resolver, or split-tunnel configurations that omit certain apps.
What does WebRTC have to do with VPN leaks?
WebRTC (Web Real-Time Communication) can negotiate network paths directly between peers. ICE gathering often contacts STUN servers, which yields server-reflexive (srflx) candidates that expose the public endpoint used for UDP. If that public IP differs from the address servers see when you load a plain HTTPS page, your browser may still be reachable on a secondary path—a classic WebRTC-style leak indicator.
Does this tool prove my VPN is safe?
No. This page runs heuristic checks suitable for education and troubleshooting, not audits. Passing the HTTP vs WebRTC comparison does not rule out malware, malware-free split tunneling misconfiguration, captive portals, captive DNS, or leaks in other browsers and apps. Threat models requiring guarantees should combine provider-native leak tests and independent verification.
Why can’t websites fully test DNS leaks?
A complete DNS leak test usually involves unique subdomain queries so the resolver hitting an authoritative DNS server can be identified. Ordinary web apps cannot reliably read your OS or VPN resolver list or observe every subsystem DNS query due to sandboxing. Browser-only pages can demonstrate DoH behavior you trigger from JavaScript, but cannot replace dedicated DNS probe infrastructure.
What should I compare on the HTTP IP row?
This row shows what our server observes as your inbound address on the HTTPS request—a useful baseline for routing and GeoIP summaries. VPN users generally expect this to match their VPN exit region when the tunnel routes all TCP traffic correctly. Unexpected home-country IPs when the VPN indicator is on merit checking kill switches, captive portals, and split tunnel exclusions.
Is this supported in Safari and Firefox?
WebRTC exists in Chromium, Firefox, and Safari, but ICE candidate fields behave differently across engines. Some browsers omit parsed address helpers on candidate objects until later spec levels. If WebRTC gathers no srflx candidate within our timeout—common with restrictive NAT—you may see inconclusive wording rather than a clean pass.
How is this different from the What Is My IP tool?
The IP tool answers ‘what address do sites see on my HTTP connections?’ alone. This page adds an automatic comparison between that HTTP-visible address and STUN-derived srflx candidates from WebRTC, which is sensitive to UDP path selection. Related checks for DNS semantics are explained on our What Is My DNS page.
What data leaves my browser during the WebRTC probe?
The probe creates short-lived outbound UDP signaling toward public STUN servers (Google-hosted STUN in our default configuration) as part of standard ICE gathering. Those packets announce network path information consistent with mainstream video chat stacks. Combined with HTTPS requests to our own API endpoints, totals should be negligible, but enterprise policies may flag STUN egress.

Also Check These Tools

🌐What Is My IPInstantly see your public IPv4 and IPv6 address with ISP, city, and country details.📡What Is My ISPSee which Internet Service Provider (ISP) or organization is associated with your public IP and connection.🔷What Is My DNSLook up public DNS A and AAAA records using Cloudflare DNS over HTTPS, with honest labeling about resolvers.📶What Is My LatencyMeasure HTTPS round-trip time from your browser to this site—a practical “ping” when ICMP is not available in the web sandbox.🛜What Is My Network TypeDetect whether you are on Wi-Fi, cellular, or ethernet, with effective speed class and estimated bandwidth from the Network Information API.Internet Speed TestTest your download and upload speeds with a fast, accurate in-browser speed test.🖥️What Is My BrowserDetect your browser name, version, engine, and operating system in one click.🔍What Is My User AgentSee the full user agent string your browser sends to websites and servers.📐What Is My Screen ResolutionCheck your screen resolution, color depth, pixel ratio, and viewport size.🎮What Is My WebGL / GPUDetect your GPU renderer, vendor, WebGL version, and key graphics capabilities directly from your browser — no plugins required.📍What Is My LocationDiscover your approximate location based on your IP address including city and country.🕐What Is My TimezoneFind your current timezone, UTC offset, and local time with DST status.🔌What Is My Open PortsCheck which TCP ports are open, closed, or filtered on your public IP address — no software needed.