
VPN leaks users’ IPs via WebRTC - BlueGh0st
https://voidsec.com/vpn-leak/
======
lovelearning
I don't use VPNs. For me, the more alarming information here is that SOCKS and
Tor proxies are also leaking IP addresses. If a SOCKS proxy is configured in
browser, isn't it the browser's responsibility to ensure all outgoing traffic
- including WebRTC - goes via the proxy? Are these browser bugs?

Update: Can confirm Firefox Quantum with SOCKS proxy leaks the address. Oh
dear!

Update 2: I didn't realize this is how WebRTC actually works. FF even has an
entire page for tweaking this stuff
[https://wiki.mozilla.org/Media/WebRTC/Privacy](https://wiki.mozilla.org/Media/WebRTC/Privacy).
I hate it when features like these, which at least in my case go mostly unused,
have such critical weaknesses by design and it's not announced anywhere with a
big red danger sign.

~~~
MichaelGG
This is the fault of the browser and WebRTC. They know about this but
deliberately break it. The truth is WebRTC should never activate without user
permission.

But no, WebRTC added data-channels. They have no good use to be silent and
especially not to override SOCKS proxy. In fact, some key people on the WebRTC
group, when I pressed them, could not provide a single real use-case for
silent data channels.

Firefox is absolutely in the wrong to ignore your proxy settings, especially
without getting consent first to start a call. It's a complete mess.
Regardless of what the "spec" says, Firefox is responsible for implementing
broken software that harms users.

Then again, so is STUN/ICE and basically every single thing that has to do
with SIP/VoIP. It's like they go out of their way to be obtuse and come up
with shitty standards then take glee in how bad it gets. As an example, look
up SIP Torture Tests. There's an RFC just to illustrate the moronic edge-cases
in SIP parsing that at one point implies your software needs to be conscious
to infer the intention of malformed messages.

t. been working in telecom for far too long

~~~
mirimir
Yes, this is largely the browser's problem. Because all available uplinks are
available. Tor browser doesn't leak, because WebRTC is blocked. But other
browsers with WebRTC enabled will leak with a standard Tor setup.

However, using Whonix for Tor, even if you install a random browser with
WebRTC enabled, there is no WebRTC leak. Because the workstation VM has _no
Internet access_ except through Tor. The gateway VM _is not a router_. There
is no forwarding, and it's firewalled. It just exposes Tor ports to a private
internal network, for the workstation VM.

And one can do the same for VPNs, using pfSense VMs as VPN gateways. Apps in
workspace VMs have _no Internet access_ except through the VPN client running
in the gateway VM.

~~~
jerheinze
+1 for Whonix (with Qubes OS)

------
cosmiccartel
Just want to point anyone looking to test their own VPN to
[https://ipleak.net/](https://ipleak.net/). That's been my go-to, and it seems
more comprehensive than the linked service.

~~~
tobltobs
Or try [https://www.doileak.com](https://www.doileak.com). (Shameless plug of
a project of mine.)

~~~
progval
> WebRTC IP Leak: Your local IP: 10.41.41.2.
>
> Your browser supports WebRTC! Your real IP address is visible to every
> website you visit.
>
> Web Real-Time Communication (WebRTC) is enabled by default in Firefox, Opera
> and Google Chrome, and enables video chat, voice calling and P2P sharing
> from within your browser.
>
> A neat trick, but it allows any website to instantly see your true IP
> address. The only way to avoid sharing your IP address this way is to
> disable WebRTC completely.

Nope, that's not my "real" IP address

~~~
userbinator
_Nope, that's not my "real" IP address_

Reminds me a bit of this old story:
[http://sirkan.iit.bme.hu/~kapolnai/fun/bitchecker.html](http://sirkan.iit.bme.hu/~kapolnai/fun/bitchecker.html)

~~~
krylon
FWIW, the link did not work for me, but archive.org has a copy. It was
hysterical!!! :)

------
zorkw4rg
Clickbait? It's not "VPN providers", it's "VPN provider software". I never even
thought of using their software; most just give you the credentials for
OpenVPN/IPSEC/PPTP or similar. Also, if anonymity is of "real" concern you
should never use a system that knows your real IP address in the first place.
Instead, create the VPN tunnel on a separate host system and run something like
Tails in a VM (or better yet, separate physical hardware).

~~~
fauigerzigerk
_> It's not "VPN providers", it's "VPN provider software"_

OpenVPN leaks DNS on every default Ubuntu installation I have tried. But I
think it's actually Ubuntu NetworkManager's fault.

The WebRTC leaks discussed in this article are not prevented by OpenVPN either
(last time I checked, which was a while ago). You have to disable WebRTC in
the browser.

~~~
mahkoh
>You have to disable WebRTC in the browser

Incorrect. An easy and foolproof way of using VPNs is with network namespaces.
You start the VPN in your init network namespace and then move the created
device into a dedicated VPN namespace. OpenVPN has support for this because it
allows you to execute a shell script after the VPN device has been created.
Then you simply start your browser, torrent client, whatever in this namespace
and you are completely safe:

1. If the VPN fails, then the only network device inside the network
namespace disappears (modulo the lo device) and the programs in this namespace
cannot use the internet.

2. Since the browser can only see the devices within the network namespace,
the only IP it can see is the one assigned to you by your VPN provider
(usually 10.x.y.z or similar).

DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8.

~~~
fauigerzigerk
_> DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8_

You mean leaking to Google doesn't count as leaking?

Your namespaces suggestion is interesting, but easy and foolproof?

~~~
rsync
Your parent said:

"DNS leaks can be prevented by using a generic DNS provider such as 8.8.8.8."

... and you replied:

"You mean leaking to Google doesn't count as leaking?"

But I don't understand where the DNS leaks would be coming from if you are
using an actual VPN for your entire network stack. Wouldn't that tunnel _all
traffic_ (TCP and UDP) to your endpoint?

How are you leaking DNS in that scenario?

~~~
fauigerzigerk
Two things should happen:

1) All network traffic should go through the VPN tunnel.

2) All DNS requests should be sent to the VPN provider's DNS server and not to
the one configured in the OS.

If either or both of these two things isn't happening then it's a DNS leak.

If I understood correctly, then mahkoh was saying that (2) doesn't matter if
the host DNS is configured to use Google's public DNS server 8.8.8.8. That's
what I called "leaking to Google".
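
The namespace setup mahkoh describes, combined with DNS pinning that covers fauigerzigerk's condition (2), as an added example script that is not from either comment. It is written as an OpenVPN `--up` hook: OpenVPN creates the tun device and hands the interface parameters and any pushed `dhcp-option DNS` values to the script through its documented environment variables (`dev`, `ifconfig_local`, `ifconfig_netmask`, `ifconfig_remote`, `route_vpn_gateway`, `tun_mtu`, `foreign_option_N`, `script_type`). The script moves the device into a namespace, configures its address and default route there, and writes the pushed resolvers into `/etc/netns/<name>/resolv.conf`, which `ip netns exec` bind-mounts over `/etc/resolv.conf` for processes started inside that namespace, so DNS queries from the browser can only go to the VPN's resolvers (or to the fallback you choose). The namespace name `vpn`, the `VPN_NS` and `VPN_FALLBACK_DNS` variables, the script path in the docstring and the sample environment used in testing are assumptions of this example.

```python
#!/usr/bin/env python3
"""OpenVPN --up hook: confine the tun device to its own network namespace.

Needs these lines in the OpenVPN client config, so that OpenVPN leaves
addressing and routing to this script:
    script-security 2
    ifconfig-noexec
    route-noexec
    up /etc/openvpn/vpn-ns.py      # path is an assumption
Start confined programs afterwards with:  ip netns exec vpn sudo -u $USER firefox
"""
import ipaddress
import os
import subprocess
import sys

NS = os.environ.get("VPN_NS", "vpn")  # namespace name (assumed; any name works)


def pushed_dns(env):
    """Resolvers the VPN server pushed. OpenVPN exposes pushed options as
    foreign_option_1, foreign_option_2, ... e.g. 'dhcp-option DNS 10.8.0.1'."""
    servers, i = [], 1
    while f"foreign_option_{i}" in env:
        parts = env[f"foreign_option_{i}"].split()
        if len(parts) == 3 and parts[0] == "dhcp-option" and parts[1] in ("DNS", "DNS6"):
            servers.append(parts[2])
        i += 1
    return servers


def resolv_conf(env, fallback=None):
    """Contents of /etc/netns/<NS>/resolv.conf: the pushed resolvers, or the
    fallback if the provider pushed none. Refusing to write an empty file is
    deliberate: the namespace would otherwise inherit the host's resolvers."""
    servers = pushed_dns(env) or ([fallback] if fallback else [])
    if not servers:
        raise RuntimeError("no DNS pushed by the VPN and no fallback configured")
    return "".join(f"nameserver {s}\n" for s in servers)


def prefix_len(netmask):
    """'255.255.255.0' -> 24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def plan_commands(env, ns):
    """The iproute2 commands that do the move, as (argv, may_fail) pairs.
    Returned rather than run so they can be inspected; only 'ip netns add'
    may fail, because the namespace survives a VPN reconnect."""
    dev, local = env["dev"], env["ifconfig_local"]
    in_ns = ["ip", "netns", "exec", ns, "ip"]
    if "ifconfig_netmask" in env:            # topology subnet
        addr = [f"{local}/{prefix_len(env['ifconfig_netmask'])}", "dev", dev]
    else:                                     # topology net30 / point-to-point
        addr = [local, "peer", env["ifconfig_remote"], "dev", dev]
    route = ["default", "dev", dev]
    if env.get("route_vpn_gateway"):
        # 'onlink' lets the gateway be used even when no connected route covers it
        route = ["default", "via", env["route_vpn_gateway"], "dev", dev, "onlink"]
    return [
        (["ip", "netns", "add", ns], True),
        (in_ns + ["link", "set", "dev", "lo", "up"], False),
        (["ip", "link", "set", "dev", dev, "netns", ns], False),
        (in_ns + ["link", "set", "dev", dev, "mtu", env.get("tun_mtu", "1500"), "up"], False),
        (in_ns + ["addr", "add"] + addr, False),
        (in_ns + ["route", "add"] + route, False),
    ]


def main():
    env = os.environ
    if env.get("script_type") != "up":
        sys.exit(f"meant to be run by OpenVPN as an --up script; "
                 f"start programs with: ip netns exec {NS} <command>")
    for argv, may_fail in plan_commands(env, NS):
        subprocess.run(argv, check=not may_fail)
    os.makedirs(f"/etc/netns/{NS}", exist_ok=True)
    with open(f"/etc/netns/{NS}/resolv.conf", "w") as fh:
        fh.write(resolv_conf(env, env.get("VPN_FALLBACK_DNS")))


if __name__ == "__main__":
    main()
```

The OpenVPN process itself stays in the init namespace holding the tun file descriptor, which is what makes mahkoh's point (1) hold: if the tunnel drops, the device vanishes from the namespace and nothing inside it has a route anywhere. The DNS file is the part that answers the "leaking to Google" exchange: it is written from what the provider pushed, and only falls back to `VPN_FALLBACK_DNS` if you explicitly set one.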

------
codedokode
It seems that the main purpose of WebRTC was disclosing users' IP addresses. By
the way, did you know that WebSocket can be used for port scanning [1]? I was
surprised to find that Aliexpress code scans 127.0.0.1 (the visitor's computer)
for VNC, RDP and similar ports.

[1]
[https://datatracker.ietf.org/meeting/96/materials/slides-96-...](https://datatracker.ietf.org/meeting/96/materials/slides-96-saag-1/)

------
piracykills
Would enabling this uBlock option not be perfectly sufficient at preventing
this attack?

[https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address)

~~~
ryuuchin
It should unless this is something new? I'm not sure why this is really news.
We've known about this problem with WebRTC for quite some time now.

------
anfilt
For firefox the following in about:config should do the trick.

        media.peerconnection.turn.disable = true
        media.peerconnection.use_document_iceservers = false
        media.peerconnection.video.enabled = false
        media.peerconnection.video.vp9_enabled = false
        media.peerconnection.video.h264_enabled = false
        media.peerconnection.identity.enabled = false
        media.peerconnection.identity.timeout = 1

------
CydeWeys
I don't have a need for this high level of security, but if I did, here's what
I'd do:

1. Run VPN software on host.

2. Download a widely used, generic VM image.

3. Route VM's entire network connection through host's VPN.

4. Do whatever you need to do, in the VM only.

5. Reset VM to initial settings after each use.

Am I missing anything?

------
mido22
Please stop using clickbaity titles. The first line that I saw in the post: "I’ve
tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC"

So, a more appropriate title would have been "23% of VPN providers leak user IP"
:)

------
voidsec
Quite funny, I published this yesterday and it went unnoticed until now, lol

~~~
BlueGh0st
I was surprised it didn't tell me it was posted here before. I found the post
and your comments on it over at /netsec.

Really appreciate your work on this!

------
_jomo
While this has long been known, I was never able to actually reproduce this
and I'm not sure how it's technically even supposed to work.

Assuming we're using IPv4, the default gateway is a VPN and the machine is
behind a NAT: Any outside service (e.g. STUN server) would see the VPN's IP
address. How would the browser even technically be able to know the public
(i.e. the NAT's) IP address?

However, the WebExtensions API allows tweaking this via the
webRTCIPHandlingPolicy to only reveal the public "interface" IP address.

FWIW, I'm always connected to a VPN and I have configured my macOS [0] and
Android [1] firewalls to drop any connection other than the VPN's.

0: Wrote it down here: [https://jomo.tv/security/pf-prevent-traffic-bypassing-vpn](https://jomo.tv/security/pf-prevent-traffic-bypassing-vpn)

1: Quite self-explaining:
[https://f-droid.org/packages/dev.ukanth.ufirewall/](https://f-droid.org/packages/dev.ukanth.ufirewall/)
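
An added example, not from the post or the linked article, that shows where the addresses in these leak reports come from; it bears on progval's "Your local IP: 10.41.41.2" output above and on _jomo's question about what a STUN server can see. A WebRTC session gathers ICE candidates: `typ host` candidates carry the addresses of local interfaces (so a VPN-assigned 10.x address or a LAN address appears there), `typ srflx` candidates carry the source address a STUN server observed the probe arriving from, and `typ relay` candidates carry the TURN server's own address. A srflx candidate therefore shows the NAT's public address only when the STUN probe left through an interface outside the tunnel; a probe that went through the VPN shows the VPN exit instead. The script classifies candidate lines copied from chrome://webrtc-internals or from an SDP offer, and flags any public address that differs from the VPN exit you expect. It handles IPv6 candidates as well, since an unrouted IPv6 default gateway is another way a probe can leave outside the tunnel. The sample lines, the mDNS `.local` name, and the use of the documentation ranges 203.0.113.7 and 198.51.100.9 as stand-ins for a public address and a TURN server are all constructed.

```python
import ipaddress
import re

# Ranges that cannot be an Internet-routable "real" address; everything else
# is treated as public. Grouping CGNAT (100.64/10) with the private ranges is
# an assumption: VPN providers and ISPs commonly hand those addresses out.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "169.254.0.0/16", "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]

# ICE candidate attribute (RFC 5245 syntax). The "a=" prefix is optional
# because SDP dumps carry it while chrome://webrtc-internals omits it.
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<priority>\d+)\s+(?P<addr>\S+)\s+(?P<port>\d+)"
    r"\s+typ\s+(?P<type>\S+)"
)


def parse_candidate(line):
    """Return (proto, addr, type) for one candidate line, or None if it is not one."""
    m = CANDIDATE_RE.match(line.strip())
    return (m["proto"].lower(), m["addr"], m["type"]) if m else None


def address_kind(addr):
    """'mdns' for an obfuscated host candidate, else 'private', 'public' or 'unknown'."""
    if addr.endswith(".local"):
        return "mdns"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def classify_candidates(lines, expected_exit_ip=None):
    """Sort candidate addresses by what they reveal to the page.

    local  - private addresses (LAN, or the one the VPN assigned)
    public - addresses a site would take as yours (public host or srflx)
    masked - mDNS host candidates, which reveal nothing
    relay  - TURN relay addresses, which belong to the relay, not to you
    leaks  - public addresses other than expected_exit_ip, i.e. a probe that
             bypassed the VPN (empty when no exit IP is given)
    """
    out = {"local": [], "public": [], "masked": [], "relay": [], "leaks": []}
    for line in lines:
        parsed = parse_candidate(line)
        if not parsed:
            continue
        _proto, addr, ctype = parsed
        kind = address_kind(addr)
        if ctype == "relay":
            out["relay"].append(addr)
        elif kind == "mdns":
            out["masked"].append(addr)
        elif kind == "public":
            out["public"].append(addr)
            if expected_exit_ip and addr != expected_exit_ip:
                out["leaks"].append(addr)
        elif kind == "private":
            out["local"].append(addr)
    return out


# Constructed sample: 10.41.41.2 plays the VPN-assigned address, 192.168.1.23
# the LAN address, 203.0.113.7 the address a STUN server saw (documentation
# range standing in for a public IP) and 198.51.100.9 a TURN relay.
SAMPLE = """\
candidate:1 1 udp 2122260223 10.41.41.2 54321 typ host
candidate:2 1 udp 2122194687 192.168.1.23 54322 typ host
a=candidate:3 1 udp 2122129151 1b2d4c5e-0000-4000-8000-abcdef123456.local 54323 typ host
candidate:4 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 10.41.41.2 rport 54321
candidate:5 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321
"""

if __name__ == "__main__":
    import sys
    # Paste candidate lines on stdin and pass your VPN exit IP as the only
    # argument; with no stdin the constructed sample is used.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = classify_candidates(text.splitlines(), sys.argv[1] if len(sys.argv) > 1 else None)
    for key, addrs in result.items():
        print(f"{key:7} {', '.join(addrs) or '-'}")
```

Run against the sample with the exit IP `203.0.113.200`, the srflx address `203.0.113.7` lands in `leaks`, which is the pattern the linked test sites report; run with `203.0.113.7` as the exit IP, `leaks` is empty and the only thing exposed is the private addresses, which is what godzillabrennus and progval describe further down the thread.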

------
en4bz
Another thing to watch out for is leaking IPv6 connections. Depending on your
configuration your VPN may not set the IPv6 default gateway.

------
dillondoyle
I think it's a bit crazy Chrome web tools/inspector doesn't show these
connections easily. You can check out chrome://webrtc-internals but most
people just look at the network tab which shows nothing...

------
chime
If you use computer/phone-based VPN, try
[https://www.dnsleaktest.com/](https://www.dnsleaktest.com/) or
[http://dnsleak.com/](http://dnsleak.com/)

I have VPN on my home router with Tomato firmware. All of my devices pass this
flawlessly.

------
ensignro2340
Anyone interested in setting up their own VPN should check out Algo:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
superkuh
Or reconsider the need for a VPN at all. By using a VPN you cut yourself off
from participating as an equal citizen on the net. If it's just for browsing
the web, IRC, or the like it's much easier and better just to use a SOCKS5
proxy to a cheap VPS. I like shadowsocks-libev.

But then again I don't use popular browsers that cram in fancy new features
every week to expose new leaks and attack surfaces.

~~~
Hnrobert42
> By using a VPN you cut yourself off from participating as an equal citizen
> on the net.

What?

~~~
superkuh
You can't host servers off a VPN. You don't have control or use of your own
ports. You can consume and that's about it.

~~~
gruez
>You can consume and that's about it.

Uploading videos isn't "consuming". Writing blogs/articles isn't "consuming".
Contributing to open source projects isn't "consuming". None of those
activities requires forwarded ports.

~~~
superkuh
True enough. But they also aren't participating in the net. They're using
other people and companies' resources to do things rather than participating
yourself.

And that's bad because it leads to centralization. And centralization leads to
perverse incentives to spy and censor.

~~~
fwip
You've got a weird definition of participation.

------
joering2
I'm surprised to see NordVPN is leaking.

I see commercials everywhere all the time and it's #1 or #2 on most VPN review
websites.

I was very tempted to switch, especially since their routers' firmware is
available for the newest/coolest routers out there; but I kind of got used to
ExpressVPN over the years, so went with them, and their firmware for the NETGEAR
Nighthawk R7000 is very easy to use. Glad to see ExpressVPN is not leaking and
I continue not to find any bad news about them (versus HideMyAss for example,
LOL)

~~~
jlgaddis
> _I see commercials everywhere all the time ..._

That's because of their marketing budget.

> _... and it's #1 or #2 on most VPN review websites._

That's because of their affiliate programs.

------
IronBacon
I think I started reading suggestions to disable WebRTC at least a couple
of years ago, in regard to avoiding VPN detection by Netflix, so I thought it
was common knowledge.

------
andoma
FWIW, Safari does not include your local IP address in the list of candidate
addresses for WebRTC until you also authorize the page to access your camera.

------
godzillabrennus
Just tested this with [http://www.ExpressVPN.com](http://www.ExpressVPN.com)
client on MacOS and it protected my IPv4 Public IP from being exposed but it
does leak the local (NAT) IPv4 Private IP that I use on my internal network.

Not good that it leaked anything but at least the public IP is hidden by their
software.

------
brink
Looks like this Chrome plugin allows you to turn on / off WebRTC and fixes the
leak. [https://chrome.google.com/webstore/detail/webrtc-control/fjk...](https://chrome.google.com/webstore/detail/webrtc-control/fjkmabmdepjfammlpliljpnbhleegehm?hl=en)

------
qwerty456127
BTW I think I would love a "VPN" (the term itself is misused massively,
oftentimes it is just a proxy) accessed via WebRTC so it would be harder for
the men in the middle to tell whether I am using a "VPN" or just calling
somebody. Perhaps people in countries like China could make great use of such
a thing too.

------
smaili
Complete list of tested browsers and VPN providers:
[https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5...](https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0)

------
amenghra
I authored
[http://jsfiddle.net/alokmenghrajani/0qo4kq7x/](http://jsfiddle.net/alokmenghrajani/0qo4kq7x/)
over 3 years ago...

------
qwaitwhat
FWIW, various arbitrarily strung together components (your OS, DNS, VPN,
Browser, WebRTC) are not going to guarantee anonymity. Simply because it is
not their job.

The only possible solution is a piece of software that guarantees end-to-end
privacy by literally standing guard at each end (from the moment you connect
to your network with your hardware MAC address exposed to the final moment
when a web page is retrieved for you from your destination website).

Shameless plug: my project proposes to do exactly this.
[https://qwaitwhat.github.io/](https://qwaitwhat.github.io/)

------
jwilk
It's 503 for me. Here's an archived copy:

[https://archive.is/XHX74](https://archive.is/XHX74)

------
MaupitiBlue
Given that it's hard to figure out how they could be profitable, should we
assume Private Internet Access is an NSA honeypot?

~~~
protonimitate
I don't understand this. Is profitability the only metric for whether a service
can be trusted or not?

It's also not even mentioned in the article linked, not sure why you brought
it up at all tbh.

~~~
jaxn
Profitability (or the possibility of profitability) is absolutely a measure of
whether something can be relied on. And if it can't possibly be profitable,
then it means there is likely a non-obvious revenue stream or funding source,
which means an ulterior motive.

So yeah, if a service can't be profitable, it can't be trusted.

~~~
OrganicMSG
A decent emergency medical response service is never profitable.

It requires a vast amount of hospitals to ensure that there is one local
enough to wherever you get ill or injured and they all have to be staffed by
lots of different highly qualified specialists who are in as regular practice
as possible.

If you were going to require that they be profitable, there simply are not
enough rich people for the doctors to work on in order to stay in good
practice, or to pay for enough suitably equipped hospitals to ensure a short
travel time in an emergency.

~~~
CamTin
In the US, we essentially do require that they all be profitable or else not
exist at all. This is "solved" by just charging you (or your insurance
company) tons of money if you actually need to use it. A medical emergency
requiring an ER and an ambulance can easily cost as much or more than an
ordinary person will earn in their whole lifetime.

~~~
OrganicMSG
> A medical emergency requiring an ER and an ambulance can easily cost as much
> or more than an ordinary person will earn in their whole lifetime.

The majority of hospitals with E.R. in the US are non-profits that receive
federal subsidies to help them exist.

~~~
CamTin
But not enough subsidy that they are remotely affordable, hence the outrageous
bills foisted upon individuals.

------
smsm42
My VPN provider is listed as "vulnerable" but testing with their test site
does not show IP leak...

~~~
voidsec
Which one?

------
pasbesoin
One reason I don't want my browser to become a fucking operating system.

We already have Emacs for that. ;-)

------
Thaxll
Use the VPN on your gateway / router, problem solved.

------
revanx_
This is old news though; I was aware of this for ages. If you check privacy
websites, that's one of the first things they say: turn off WebRTC in your
browser.

------
LinuxBender
This is a terminology problem. If you are using a VPN, a browser could not
possibly leak your real IP, as all traffic would be encapsulated by the VPN.

What is being described is actually a proxy.

------
yorby
Maybe the browser should not have access to your real IP when you are using a
VPN? So is it the OS's fault?

------
fwdpropaganda
VPN isn't leaking anything, your browser is.

A) Don't run javascript

B) Config your firewall to block everything except connection to the VPN entry
point.

~~~
mtve
Just for the record, the "B" option is not helping here.

------
Froyoh
Ahhh why is the scrolling messed up :/

~~~
blunte
I did find a bit of irony that the page warning about VPNs leaking my IP was
hijacking my scrolling.

------
_o_
Heh, this WebRTC story is at least a few years old and everyone who is
privacy / security aware is blocking it.

For testing webrtc and other leaks including fingerprinting rather use
[https://browserleaks.com/](https://browserleaks.com/)

(and it is unable to capture any exposing data for my browsers on any of my
devices)

------
aviv
This has been known for a long long time, but keeps coming up in articles as a
new finding.

~~~
lovelearning
If it's been known for a long time, then it's really unfortunate that nobody
so far has bothered to contribute a fix to FF that changes its WebRTC config
flags correctly when a network proxy is configured.

~~~
ryuuchin
uBlock Origin has an option to do it[1].

[1] [https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-l...](https://github.com/gorhill/uBlock/wiki/Prevent-WebRTC-from-leaking-local-IP-address)

~~~
lovelearning
Never used it before but will do so now, Thank you!

------
yAnonymous
Every browser should have settings to disable WebRTC and it should arguably be
disabled by default.

It can be very useful, but can also cause a lot of problems.

