
STUN and Your IP: How WebRTC Leaks Expose You and What You Can Do About It
TL;DR
- WebRTC’s STUN feature can reveal your real IP even when you’re on a VPN.
- Apps like Telegram, WhatsApp, Discord, and Signal all use STUN/TURN under the hood.
- A single firewall rule (block outbound UDP 3478 or 1378) can stop most leaks.
- Switching to TURN or a VPN, or disabling WebRTC in browsers, are practical defenses.
- Keep an eye on Wireshark captures – a quick STUN filter shows if your IP is leaking.
Why this matters
I once got a call from a friend who was ‘in a dark room with a headset’ and the friend’s location popped up on a map in the background of the chat. I was like, ‘Hold on, what’s that?’ It turned out that the friend’s device had just opened a STUN session to discover its public IP. I was suddenly a target for a hacker who could send packets to my home network, and the whole experience felt like a breach of privacy. This is the real-world pain of IP leakage: hackers can pull your IP address from a WebRTC call, and many popular apps default to STUN, exposing you to malicious actors.
Core concepts
STUN is a lightweight protocol that tells your device what its public IP address and port are. The RFC that defines it, RFC 5389 (“Session Traversal Utilities for NAT (STUN)”, 2008), says that the client sends a ‘Binding Request’ and gets back a ‘Binding Success Response’ (message type 0x0101) carrying the XOR-MAPPED-ADDRESS attribute, which holds the client’s own public IP and port as the server saw them. The whole dance happens over UDP; the default port in the spec is 3478, but some vendors hard-code 1378 in their software.
When you initiate a WebRTC call – whether it’s a voice chat in WhatsApp, a video call in Telegram, or a voice channel in Discord – your browser or the app first talks to a STUN server. That server replies with the public IP so that the two peers can try to connect directly (peer-to-peer, or P2P). If the NAT or firewall blocks the direct path, WebRTC falls back to TURN, a relay server defined in RFC 5766 (“Traversal Using Relays around NAT (TURN)”, 2010). TURN relays all media through its own IP, so the remote side never sees your real address.
Many modern messaging apps use WebRTC under the hood. A quick look at the architecture of WhatsApp, Telegram, Discord, and Signal shows that they all rely on STUN/TURN for NAT traversal. The guide ‘Setting Up a Secure TURN Server (Coturn) for WebRTC – Like the Ones Behind WhatsApp Calls’ (2025) explains that WhatsApp Business, Telegram, and Google Meet all use TURN behind the scenes. Discord’s voice stack, which is built on Rust, Elixir, and WebRTC, likewise depends on the same ICE framework, as described in ‘Discord’s Voice Stack: How Rust, Elixir, and WebRTC Power 150 Million Voices’ (2025). Signal, while not as public-facing in its documentation, follows the same WebRTC pattern and therefore also talks to STUN/TURN servers.
Wireshark – the network packet sniffer – can capture every UDP packet on your interface. If you apply the display filter ‘stun’ you’ll see the Binding Requests and Responses, and the responses include your public IP. That’s how the author in the video demonstrates the leak: the PC’s local IP shows up in the capture, followed by the public IP that the STUN server reported back to the client.
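To make the Binding Request / Binding Success Response exchange and the XOR-MAPPED-ADDRESS decoding concrete, here is an added example (not code from the original post or from any of the apps it names) that recognises STUN messages the way Wireshark’s ‘stun’ filter does, decodes the reflexive address the server reports, and flags which responses hand out a public address. The packet bytes, transaction ID and addresses are constructed for the example; the helper names are the example’s own.

```python
import struct
import ipaddress

# STUN constants from RFC 5389 (message types, magic cookie, attribute types).
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020

# Non-routable ranges; anything else is treated as a public address in this example.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_private_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _PRIVATE_NETS)


def is_stun(payload: bytes) -> bool:
    """RFC 5389 section 6 checks: top two bits of the type are zero, the magic
    cookie sits at offset 4, and the length field matches the packet size."""
    if len(payload) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    return (msg_type & 0xC000) == 0 and cookie == MAGIC_COOKIE and length + 20 == len(payload)


def _decode_ipv4_attr(value: bytes, xor: bool) -> tuple[str, int]:
    """Decode MAPPED-ADDRESS / XOR-MAPPED-ADDRESS (IPv4 family only in this example)."""
    if value[1] != 0x01:
        raise ValueError("only the IPv4 family is handled here")
    port, raw_ip = struct.unpack("!HI", value[2:8])
    if xor:  # port is XORed with the top 16 bits of the cookie, the address with all 32
        port ^= MAGIC_COOKIE >> 16
        raw_ip ^= MAGIC_COOKIE
    return str(ipaddress.IPv4Address(raw_ip)), port


def parse_stun(payload: bytes) -> dict:
    """Return the message type, transaction ID and any (XOR-)MAPPED-ADDRESS found."""
    msg_type, length = struct.unpack("!HH", payload[:4])
    result = {"type": msg_type, "txid": payload[8:20]}
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + alen]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            result["xor_mapped_address"] = _decode_ipv4_attr(value, xor=True)
        elif atype == ATTR_MAPPED_ADDRESS:
            result["mapped_address"] = _decode_ipv4_attr(value, xor=False)
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return result


def build_binding_request(txid: bytes) -> bytes:
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_ip = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_ip)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def find_reflexive_leaks(flows):
    """flows: (direction, remote_port, payload) tuples, as a capture would yield them.
    Returns one finding per inbound Binding Success Response that reports an address."""
    findings = []
    for direction, remote_port, payload in flows:
        if direction != "in" or not is_stun(payload):
            continue
        msg = parse_stun(payload)
        if msg["type"] != BINDING_SUCCESS:
            continue
        addr = msg.get("xor_mapped_address") or msg.get("mapped_address")
        if addr:
            findings.append({"remote_port": remote_port, "ip": addr[0], "port": addr[1],
                             "public": not is_private_address(addr[0])})
    return findings


# Constructed sample traffic (not a real capture): a request to UDP 3478, the server's
# reply reporting 203.0.113.7:51234 as our reflexive address, a reply from a LAN-only
# STUN server, and an unrelated TLS record that the detector must ignore.
TXID = bytes(range(12))
CAPTURED_SUCCESS = bytes.fromhex("0101000c2112a442" + TXID.hex() + "002000080001e930ea12d545")
SAMPLE_FLOWS = [
    ("out", 3478, build_binding_request(TXID)),
    ("in", 3478, CAPTURED_SUCCESS),
    ("in", 3478, build_binding_success(bytes(12), "192.168.1.20", 50000)),
    ("in", 443, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for finding in find_reflexive_leaks(SAMPLE_FLOWS):
        print(finding)
```

The `public` flag is what matters for the leak question: a private reflexive address means the STUN server sits inside your own network, while a public one is exactly the value the remote peer will learn. Feeding real UDP payloads from a pcap (for example via a pcap library of your choice) into `find_reflexive_leaks` in place of the constructed flows gives the same check the Wireshark filter gives by eye.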
How to apply it
- Detect the leak: Open Wireshark and apply the display filter ‘stun’. Look for packets of message type 0x0101 (Binding Success Response). The XOR-MAPPED-ADDRESS field shows the public IP that the app handed to the other side.
- Block outbound STUN: Most STUN traffic is sent to UDP 3478 (or 1378 in some apps). Add a firewall rule that blocks outbound UDP on those ports. On Windows use “Windows Defender Firewall with Advanced Security”; on Linux use iptables -A OUTPUT -p udp --dport 3478 -j DROP (repeat the rule for any other port the app uses).
- Force TURN: If you can control the client’s WebRTC settings, set iceTransportPolicy to “relay” or configure the app to use a TURN server. This tells the browser to ignore STUN-derived candidates and send all media through the relay.
- Use a VPN: A good VPN hides your public IP behind its own server. The VPN’s tunnel encapsulates the STUN traffic, so even if a STUN packet is sent, the address it reveals is the VPN server’s, not your real one. Remember to enable the “kill-switch” so that no traffic leaks outside the tunnel.
- Browser-level fixes: Some extensions block WebRTC entirely. If you don’t need WebRTC on a given site, install “WebRTC Control” or “WebRTC Blocker” in Chrome/Firefox.
| Feature | Use Case | Limitation |
|---|---|---|
| STUN | Quick NAT traversal for P2P connections | Exposes public IP; can be blocked, but may break direct calls |
| TURN | Relay media when P2P fails | Adds latency; requires server and authentication |
| VPN | Hides IP from all traffic | Must be reliable; some VPNs leak DNS or WebRTC data |
Pitfalls & edge cases
- Discord: If you block STUN, Discord may fall back to P2P but still leak your local IP. Switching to TURN via the Discord settings is not straightforward; you may need to tweak a config file or use a VPN.
- VPN leakage: Some cheap VPNs do not tunnel STUN traffic, especially if you have split tunneling enabled. Always test with a WebRTC leak checker.
- Local IP leaks: Even when using a VPN, WebRTC can reveal your private network IP (192.168.x.x). This isn’t a threat by itself, but combined with a VPN it can help an attacker fingerprint your device.
- High latency: TURN introduces a relay hop, which can make voice calls stutter for users on congested networks.
- App updates: Future versions of WhatsApp or Signal may change the STUN port or switch to a proprietary NAT protocol, so keep your firewall rules up to date.
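The ‘Force TURN’ step above and the ‘Local IP leaks’ and ‘VPN leakage’ pitfalls all come down to which ICE candidates end up in the SDP the other peer receives. The following added example (the page’s own code is limited to the iptables rule; this is not from any of the apps named) parses ‘a=candidate:’ lines, classifies each address as private, public or mDNS-obfuscated, and shows what a peer would learn under iceTransportPolicy “all” versus “relay”. The SDP fragment and its addresses are constructed; the function names are the example’s own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

_PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    typ: str                     # host, srflx, prflx or relay
    raddr: Optional[str] = None  # related address, e.g. the host IP behind a srflx
    rport: Optional[int] = None


def parse_candidate(line: str) -> Candidate:
    """Parse an 'a=candidate:' SDP line; trailing extensions are read as key/value pairs."""
    body = line.strip()
    if body.startswith("a="):
        body = body[2:]
    if not body.startswith("candidate:"):
        raise ValueError(f"not an ICE candidate line: {line!r}")
    fields = body[len("candidate:"):].split()
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError(f"malformed candidate: {line!r}")
    extras = dict(zip(fields[8::2], fields[9::2]))
    return Candidate(fields[0], int(fields[1]), fields[2].lower(), int(fields[3]),
                     fields[4], int(fields[5]), fields[7],
                     extras.get("raddr"),
                     int(extras["rport"]) if "rport" in extras else None)


def address_scope(addr: str) -> str:
    """'private' or 'public' for IP literals; browsers may replace host IPs with an mDNS name."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "mdns-obfuscated" if addr.endswith(".local") else "hostname"
    return "private" if any(ip in net for net in _PRIVATE_NETS) else "public"


def apply_ice_transport_policy(cands, policy: str):
    """Mimic RTCConfiguration.iceTransportPolicy: 'all' keeps every candidate,
    'relay' keeps only candidates that go through a TURN relay."""
    if policy == "all":
        return list(cands)
    if policy == "relay":
        return [c for c in cands if c.typ == "relay"]
    raise ValueError(f"unknown iceTransportPolicy {policy!r}")


def leak_report(sdp: str, policy: str = "all") -> dict:
    """Which of our addresses, and which relay addresses, the remote peer would see."""
    cands = [parse_candidate(l) for l in sdp.splitlines() if l.startswith("a=candidate:")]
    cands = apply_ice_transport_policy(cands, policy)
    own, relay = set(), set()
    for c in cands:
        # A relay candidate carries the TURN server's address; every other type carries ours.
        (relay if c.typ == "relay" else own).add(c.address)
        if c.raddr:  # related addresses travel in the same line and point back at us
            own.add(c.raddr)
    return {
        "policy": policy,
        "candidates": len(cands),
        "own_private": {a for a in own if address_scope(a) == "private"},
        "own_public": {a for a in own if address_scope(a) == "public"},
        "relay_addresses": {a for a in relay if address_scope(a) == "public"},
    }


# Constructed SDP fragment (not a real capture): a LAN host candidate, an mDNS-obfuscated
# host candidate, a server-reflexive candidate learned via STUN (whose raddr points back
# at the LAN address), and a relay candidate allocated on a TURN server at 198.51.100.9.
SAMPLE_SDP = """v=0
o=- 0 0 IN IP4 127.0.0.1
s=-
m=audio 9 UDP/TLS/RTP/SAVPF 111
c=IN IP4 0.0.0.0
a=candidate:1 1 udp 2122260223 192.168.1.20 50000 typ host generation 0
a=candidate:2 1 udp 2122260222 3f1e2d4c-8a7b-4c6d-9e0f-123456789abc.local 50001 typ host
a=candidate:3 1 udp 1686052607 203.0.113.7 51234 typ srflx raddr 192.168.1.20 rport 50000
a=candidate:4 1 udp 41885439 198.51.100.9 61000 typ relay
"""

if __name__ == "__main__":
    for policy in ("all", "relay"):
        print(leak_report(SAMPLE_SDP, policy))
```

Under “all” the report lists both the 192.168.x.x host address and the STUN-learned public address, which is the combination the ‘Local IP leaks’ pitfall warns about; under “relay” only the TURN server’s address survives, which is why forcing TURN works as a defense. Pasting the candidate lines from a browser’s WebRTC internals page or a leak checker into `SAMPLE_SDP` turns this into a quick offline test of what your own client discloses.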
Quick FAQ
Will the IP extraction technique work on Discord? Yes – Discord uses WebRTC and sends STUN packets. If you haven’t blocked them, the remote side will see your public IP.
How does TURN specifically mitigate IP exposure? TURN routes all media through its own server, so the other peer only sees the TURN server’s IP, not yours.
Does blocking UDP 1378 outbound block all STUN traffic? It blocks that one port, but the official default is 3478 and some apps use custom ports. Check the app’s network logs to be sure.
Does using a VPN completely hide the real IP? A VPN hides your IP from the rest of the internet, but if WebRTC is not routed through the tunnel, STUN may still leak your address. A kill-switch solves this.
How do other apps like Signal handle STUN/TURN? Signal follows the same WebRTC ICE flow as WhatsApp and Discord, so it also contacts STUN/TURN servers for NAT traversal.
Are there other ports or protocols beyond UDP 1378 used by STUN? The official spec uses UDP 3478; some vendors hard-code 1378. Always inspect the traffic your app generates.
What is the default STUN port? The RFC defines 3478 as the standard port.
Conclusion
If you’re a developer, a security researcher, or just a tech-savvy user who cares about privacy, the simplest defense is to block outbound STUN traffic and to use a trustworthy VPN with a kill-switch. For apps that must stay online, forcing TURN via the ICE policy is a robust alternative. Remember that every WebRTC call is a potential IP leak; keep your network monitored with Wireshark and stay aware of the apps’ NAT traversal behaviour.