VPNs Can Leak Real IPs And Make Users Traceable

By Nitish Singh / April 2, 2018

VPN, short for the virtual private network, creates a safe environment (private network) within a public network so that the user can browse the internet anonymously. This can help to enhance your security, privacy, and keep prying eyes away for your online matters. However, WebRTC technology can be used to obtain the real IP of website visitors, even if they are using a VPN.

WebRTC is a free and open project that provides browsers and mobile applications with APIs that give them Real-Time Communication (RTC) functionalities. The technology provides the fundamental components that help build a high-quality communication experience such as network, audio-video components used during video calls, and so on.

Now, when these components are implemented in a browser, it can be accessed by a JavaScript API. This allows any developer to implement their own RTC web app easily.

VPN leaks IP because of WebRTC

Image Courtesy of a1a

So how can this be used to make VPNs leak real IPs? As reported by Voidsec, this happens thanks to the underlying mechanism. First, you will need to understand the STUN and ICE mechanisms which are used by VPNs to establish a connection across various networks.

The STUN (Session Traversal Utilities for NAT ) server is used to ping back the IP address and port of a client. It is used by VPNs to translate a local home IP address to a new public IP address. While connected, the STUN servers keep a table of both of your VPN based public IPs along with the real local IP. This is somewhat similar to what routers do in your home.

Now, using WebRTC, a request can be made to the STUN servers which will return the “hidden” real IP along with the local network address. Since these requests are made outside the normal XML/HTTP request procedures, they will not show up in the developer console. Instead to access the information developers can use certain Javascript APIs.

The only requirement for this WebRTC based de-anonymizing technique to work is that the browser being used should support both Javascript and WebRTC. And its use cases go as far as tracing back to users who are hiding behind VPNs, SOCKS Proxies, and HTTP Proxies.

So to help you out, here is a list of the popular browsers which has Javascript and WebRTC enabled by default:

Now, VoidSec has done a test on over a hundred VPN and Proxy providers to see how many of them leak IPs via WebRTC. And the following are the providers which leaked IPs:

Here is the link to the spreadsheet of all tested VPN providers.

With this new knowledge at hand, here are some tips which you should practice to keep yourself anonymous while surfing:

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: