
While reading about WebRTC I was wondering how exactly the default route through an established VPN tunnel is being bypassed. If I'm not mistaken the VPN tunnel is normally represented in the system by a virtual network adapter to which the default route can be set to route all internet traffic through it (corrections and amendments welcome). So, does WebRTC have to choose the physical NIC used to connect to the internet instead of the virtual tunnel adapter to do it and if so, how is this being done?

Arminius
  • I'm not sure this is a Security question, but a WebRTC internals question, which might be better suited for StackOverflow. – schroeder Nov 10 '15 at 15:42
  • are you sure that WebRTC is the ONLY thing that is sent out of the tunnel? I agree with schroeder, the inner workings of the WebRTC should be discussed at [StackOverflow](http://stackoverflow.com/). – DarkLighting Nov 10 '15 at 15:50
  • I wasn't sure whether this is the right place, either. But since the unwanted and (by the user) unnoticed bypassing of a VPN tunnel definitely can be a big security issue, I chose this forum. On the other hand my question is focused on the mechanism by which this can be done rather than the security aspect so feel free to move it. – Arminius Nov 11 '15 at 11:15

1 Answer


WebRTC uses ICE to generate a list of IP addresses that can be used to reach your computer. This is important when trying to establish a direct connection. However, this list can sometimes include IP addresses that the user would rather not disclose. As explained here, this behavior is counterintuitive when using a VPN as their actual IP address can be discovered with WebRTC:

> Many such users assume that using a VPN will obscure all their browsing and their real external IP address, which could be used to locate them.
>
> However many VPN configurations don’t properly disable local interfaces, and so users of those VPNs might be surprised to learn that their real external IP addresses are exposed by ICE.

So, if your browser is giving out your real IP address, it becomes possible to create direct connections to that interface, bypassing the VPN.

Austin Hartzheim
  • I see. The actual thing to read up on is the ICE protocol. The important thing is that the addresses of the (disabled) non-tunnel interfaces must not be detectable via ICE while the tunnel is up. – Arminius Nov 11 '15 at 11:23
  • So, WebRTC can (relatively) easily be disabled. Are there any other ways to acquire all the addresses of a machine's network adapters despite the internet connection being routed through a VPN tunnel? – Arminius Nov 11 '15 at 11:25
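As an added example (not code from the answer or the comments above): a small parser over the ICE candidate lines of an SDP offer that flags every host or server-reflexive candidate whose address is not one the VPN is supposed to expose, which is the check a user or administrator would run to confirm that the tunnel is not leaking the physical interfaces. The SDP fragment, the tunnel address `10.8.0.2` and the VPN exit address `192.0.2.44` are constructed for the example.

```javascript
// ICE candidate attribute (RFC 5245 syntax):
// a=candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <a> rport <p>] ...
const CANDIDATE_RE = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/;

function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = CANDIDATE_RE.exec(line.trim());
    if (!m) continue;
    out.push({
      foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
      priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7],
      relatedAddress: m[8] || null, relatedPort: m[9] ? Number(m[9]) : null,
    });
  }
  return out;
}

// A candidate leaks when its address, or the "raddr" of a reflexive candidate,
// is an IP literal that is neither the tunnel adapter's address nor the VPN's
// public egress. Relay candidates carry the TURN server's address, so they are
// skipped; mDNS names (xxxx.local) that current browsers substitute for host
// addresses are not IP literals and are not counted either.
function findLeakedCandidates(sdp, allowedAddresses) {
  const allowed = new Set(allowedAddresses);
  const isIpLiteral = (a) => /^[\d.]+$|^[0-9a-f:]+$/i.test(a); // IPv4 / IPv6 heuristic
  return parseCandidates(sdp).filter((c) => {
    if (c.type === 'relay') return false;
    const exposed = [c.address, c.relatedAddress].filter((a) => a && isIpLiteral(a));
    return exposed.some((a) => !allowed.has(a));
  });
}

// Constructed SDP fragment: a host candidate on the tunnel adapter, a host
// candidate on the physical LAN adapter, a server-reflexive candidate learned
// through that physical adapter (revealing the real public address), one relay.
const SAMPLE_SDP = [
  'v=0',
  'a=candidate:1 1 udp 2122194687 10.8.0.2 51000 typ host generation 0',
  'a=candidate:2 1 udp 2122260223 192.168.1.5 54321 typ host generation 0',
  'a=candidate:3 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.5 rport 54321',
  'a=candidate:4 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321',
].join('\r\n');

// Addresses that are acceptable to expose: the tunnel-side IP and the VPN exit IP (constructed).
const VPN_ADDRESSES = ['10.8.0.2', '192.0.2.44'];

function leakReport(sdp = SAMPLE_SDP, allowed = VPN_ADDRESSES) {
  return findLeakedCandidates(sdp, allowed).map((c) => `${c.type} ${c.address}`);
}
```

In a browser the SDP to inspect is `pc.localDescription.sdp` after `setLocalDescription()` on an offer from an `RTCPeerConnection` that has a data channel; an empty report while the VPN is up means ICE gathered nothing beyond the tunnel.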