What is a WebRTC IP leak?
WebRTC sets up peer connections by gathering ICE candidates, which can include your real local and public IP addresses via STUN — independently of the browser's HTTP proxy. A page can read these with a few lines of JavaScript.
For anyone routing through a proxy this is both a privacy hole and a tell: the page sees a proxy IP in the headers but the real IP over WebRTC — an obvious contradiction. Simply disabling WebRTC is itself detectable, because real browsers have it.
The coherent fix is to make WebRTC report the proxy egress. Clearcote fabricates the server-reflexive candidate at your proxy IP and sends no real STUN, so the real IP never leaks and the two stories agree. See the --webrtc-ip flag.