i want to understand more about WebRTC security when using vpn. id like to know if it is more secure with VPN than without… or even if its recommended to use WebRTC with VPN.
i created a webrtc demo: https://chat.positive-intentions.com/#/webrtc (the corresponding code its created with: https://github.com/positive-intentions/chat/blob/staging/src/components/pages/webrtc/WebRTC.jsx)
if i generate a “WebRTC offer” then i see a bunch of information including my IP address.
if i do the same with VPN, i see that my ip address isnt in that payload.
following the information here: https://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html?m=1
and using the demo here: https://ipleak.net/
it seems even with vpn, the local ISP ip seems detected.
a recurring concern ive had on reddit about the security of my app is that webrtc exposes ip addresses. im investigating using the app with vpn. it seems to work like normal.
in the example details given above, i see while the local ISP IP is exposed, the personal ip address is still hidden. im sure what is exposed there is not worthless, but it could help users with privacy and security.
on the back of this investigation id like to see if i can add something like a toggle in my app called “enforce VPN” which will first check to see if you are on a vpn, and if you are, open the rest of the app.
my app is using peerjs-server as the connection broker. this is a third party i have no contractual agreement to provide me with a service. it could help to hide your IP from this service.
So this comes down to how the browser, OS and VPN handle this.
My understanding has been that Windows handles openvpn poorly and is prone to leaking.
However, Linux when using wireguard works fairly well but may leak lan IPs.
People who configure their router to use a VPN service are safe because it’s transparent to the OS.
Then there’s the rare few that are using socks and their IP information gets leaked by webRTC fairly easily.
Now my understanding of these may be outdated, so I would suggest building test units to evaluate these conditions and confirm it for yourself in your app.
Generally speaking the kind of person that’s concerned with this problem also runs their browser with JavaScript disabled and by extension webrtc disabled.
Thanks for the clear info! I’ll investigate this further within the demo.
Glad to help, just keep in mind not everyone is connected to a NAT, so if you see a leaked LAN IP that condition will leak their WAN IP.
If anyone is intrigued by the comment:
People who configure their router to use a VPN service are safe because it’s transparent to the OS.
OpenWRT, the router software, has built-in support for VPNs, including OpenVPN and Wireguard. Some router companies base their router software on OpenWRT, so you don’t even have to be technologically oriented enough to feel confident with flashing your router yourself. I don’t know if this is included in base OpenWRT, but some companies include support for some VPN vendors, so you don’t even have to do much more than configure your account, and it’ll download exit node lists and so on.
My favorite router company, GL.iNet, is one of these. Inexpensive routers, OpenWRT-based, with built in support for my VPN provider (Mullvad). I pick the countries I want, and it downloads lists of Mullvad exit nodes, and I just pick the one I want to use. I’m sure there are other router companies that do something similar.
The point is: if you can afford $100 (for a whole-house router), or $33 (if you only need coverage for an apartment), and you’re non-technical, you can get yourself whole-home VPN coverage by switching your router.
Alternately, OPNsense (free) on a cheap computer with two or more ethernet ports can do this. Unlike OpenWRT, it is much easier to update.
Good to know, options are great. Easiest, I’d say, are still the products like GL.iNet, which can be configured to auto-update. This may be something GL.iNet has added to their version of OpenWRT, but it works just fine.
Why the IP leaks or not is entirely dependent on each user’s individual opsec… how you are connecting to the VPN, potentially your firewall/routing table setup, how the browser interacts with it etc.
You said “if I do the same with VPN, i see that my ip address isnt in that payload”, but then you said ipleak.net does leak, but that you “followed information” from thehackernews.com before using ipleak.net, which from what I read seemed to just say “connect to expressvpn and run the test”… is that actually what you were doing? Were you using expressvpn the whole time or did you switch to just that one for the ipleak.net test or something? It’s not clear to me.
The bottom line is that the IP can only leak if you let it. Regardless of how the VPN is accessed, whether that’s via a browser configuration (extension or proxy setting) or an OS-level layer3 tunnel (managed by a separate app or the OS itself), a misconfiguration or misunderstanding of how those work could cause the leak and there’s no fool-proof way for a web page to do anything about that. If you really want no leaks, then the user must actively choose to block all internet connections to anything BUT the VPN (and regularly test/verify that it works), some call this a “kill switch” although I really dislike the term.
As for the “enforce VPN” option… depending on your definition of “VPN” in the context of your app, IMO you simply can’t do anything reasonably useful here. There are so many ways to mask your IP that there is no definitive way for a web page to know with any certainty that the user is “connecting via a VPN”, which some might say is impossible to quantify anyways. At best you might be able to use very flawed methods like scanning known IP ranges of well-known VPN providers, which IMO does not count as “detecting a VPN”, and even worse, doesn’t help with any sort of leak. I could be tunneling through tor, a neighbor’s wifi, ssh, or remote desktop or something for all you know. Does any of that count to you?
“connect to expressvpn and run the test”… is that actually what you were doing?
i tried with a different VPN provider but yeah. understandable for people to not go to an unknown websites like the demo i posted, so a link to the code on github is provided.
IMO you simply can’t do anything reasonably useful here
i agree… im stretching the definition of what is “reasonable”. id settle some something clunky likes a popup for the user to remind them to be on VPN. its important to understand im putting efforts in determining what the safest and securest way is to use my app. i think it has the potential to be a private and secure chat app. the app works with webrtc, the key attack-surface is individuals and their peers not applying good security practices.
in traditional centralized chat system the central server will typically take responsibility for proxying request and consequently, the personal IP addresses are not needed to be shared. so having something like a toggle for “enforce VPN” might do nothing more than remind the user to turn on their VPN. but sometimes a reminder is what someone needs to use good security practices.
