WebRTC’s connection setup gathers candidate addresses, and scripts can read them, exposing a real address to a page even while a VPN carries the traffic. The leak is a browser behavior, not a tunnel failure.
Mitigations are browser-side: disabling WebRTC where acceptable, extensions or settings that restrict candidate gathering, and VPN clients that filter the traffic. Leak-test pages confirm the actual behavior per browser.