- VPN's can be exploited to leak the real IP of users via WebRTC.
- The technique involves sending a simple request to the STUN server - which is used by VPNs.
VPN, short for the virtual private network, creates a safe environment (private network) within a public network so that the user can browse the internet anonymously. This can help to enhance your security, privacy, and keep prying eyes away for your online matters. However, WebRTC technology can be used to obtain the real IP of website visitors, even if they are using a VPN.
WebRTC is a free and open project that provides browsers and mobile applications with APIs that give them Real-Time Communication (RTC) functionalities. The technology provides the fundamental components that help build a high-quality communication experience such as network, audio-video components used during video calls, and so on.
So how can this be used to make VPNs leak real IPs? As reported by Voidsec, this happens thanks to the underlying mechanism. First, you will need to understand the STUN and ICE mechanisms which are used by VPNs to establish a connection across various networks.
The STUN (Session Traversal Utilities for NAT ) server is used to ping back the IP address and port of a client. It is used by VPNs to translate a local home IP address to a new public IP address. While connected, the STUN servers keep a table of both of your VPN based public IPs along with the real local IP. This is somewhat similar to what routers do in your home.
- Internet (Samsung Browser)
- Google Chrome on Android
- Google Chrome
- Mozilla Firefox
- Epiphany (Gnome)
- Edge (it does not leak at the moment since it doesn’t support ‘createDataChannel’)
Now, VoidSec has done a test on over a hundred VPN and Proxy providers to see how many of them leak IPs via WebRTC. And the following are the providers which leaked IPs:
- Windscribe Add-ons (Browser Extension/Plugin)
- TOR as PROXY on browsers with WebRTC enabled
- SumRando Web Proxy
- SOCKS Proxy on browsers with WebRTC enabled
- psiphon3 (not leaking if using L2TP/IP)
- PHP Proxy
- IBVPN Browser Addon
- HTTP PROXY in a browser that supports Web RTC
- Hola!VPN Chrome Extension
- Glype (Depends on the configuration)
- ChillGlobal (Chrome and Firefox Plugin)
Here is the link to the spreadsheet of all tested VPN providers.
With this new knowledge at hand, here are some tips which you should practice to keep yourself anonymous while surfing:
- Disable WebRTC
- Drop all outgoing connections except for VPN provider
- Clear browser cache, history, and cookies
- Always kill all your browsers instances before and after a VPN connection
- Always set a DNS fallback for every connection/adapter
- Disable Canvas Rendering (Web API)