3

I have read and re-read the questions about webRTC leaks and have a good understanding as to how this works and why IP addresses are leaking from so-called "VPN tunnels".

However, in all of those cases, the "VPN tunnels" are actually just software or application layer plug-ins or apps that work on the same layer, or just below, the browser itself. It's unfortunate, but I understand how and why IP addresses could leak, via webRTC, from that configuration.

However, I am using a transport layer VPN called "sshuttle" that is a protocol agnostic, full VPN. It creates a bridge0 interface with pfctl and sends all traffic through it.

In this configuration, my localhost has NO OTHER IPs than 10.0.0.10 and ALL traffic is configured to run over the transport layer VPN.

And yet ... both google and browserleaks know my real IP. Even my local system does not know my real IP, but somehow they do.

Am I correct in concluding that my VPN software is faulty/buggy/leaky ? That is the only conclusion I can come to, since a proper, non-leaky transport layer VPN should not be able to leak info about an IP it doesn't know about.

Or am I wrong and webRTC is capable of even more magic than I thought ?

Thank you.

user227963
  • 201
  • 1
  • 2
  • `sshuttle` is just a proxy server that uses an SSH tunnel that forwards all traffic through. SSH operates at the Application Layer like TLS. [DNS Leak](https://en.wikipedia.org/wiki/DNS_leak) might be an interesting read for you. – RoraΖ Sep 29 '16 at 16:39
  • Yes, you are correct that SSH operates at the application layer, however sshuttle creates a new network interface and provides a transport layer VPN that *it then sends over SSH*. No matter what the signal channel is (ssh, pings, carrier pigeons) if the VPN gets created down at the transport layer, it shouldn't leak like this. My conclusion is that sshuttle has bugs/errors that is causing it to *leak anyway, even though it shouldn't* ... but maybe I'm confused ? – user227963 Sep 29 '16 at 18:02
  • "my localhost has NO OTHER IPs" How can it communicate with the VPN server then? – billc.cn Sep 29 '16 at 18:33
  • 1
    I'm sorry - I wasn't clear - the VPN is on a local router box and provides 10.x.x.x IPs to local clients. So the system in question really does have no other IP than 10.0.0.10. All traffic goes out the network on the router, which uses the *transport layer* VPN to go out to the VPN endpoint in the world. It all works just like it is supposed to - I have tested with https://dnsleaktest.com and it *does not* leak DNS. But it *does leak webrtc* which I can test with https://www.browserleaks.com/webrtc ... so I think I need to conclude that there is a fault in the VPN software. – user227963 Sep 29 '16 at 19:52
  • 1
    WebRTS doesn't leak if you have a proper VM+VPN setup. But it leaks if you have run the VPN on the same machine as the VPN software. – CodesInChaos Sep 30 '16 at 13:03

1 Answers1

3

WebRTC leak and IP leak or DNS leak are two different terms and one shouldn't relate them with each other.

Why DNS leak happens?
When you use VPN and if you find that your IP is leaking it means your DNS request are also being forwarded to your ISP other than to your VPN provider. Your DHCP server chooses its own DNS server for fast response. This causes the DNS leak. You can test if your IP is leaking while using VPN dns leak

In WebRTC leak servers and browsers come to know about your internal IP Address if you are befind NAT but not all web-servers can do that.

How it works
Today your browsers are implemented with WebRTC. WebRTC accepts STUN request which is generated by STUN server. This request discovers behind which type of NAT you are sitting at and your public IP Address. WebRTC accepts this request and sends a response to STUN server that returns your NAT type and both public & private IP. STUN server uses 2 IP Addresses.

I wrote that not all web servers can discover your internal IP. The reason is not all web servers use STUN server because STUN server is designed for troubleshooting problems related with VoIP and NAT and how NAT creates problem in SIP&SDP.

While using VPN you might be able to prevent yourself from DNS leak but you can't prevent webRTC leak. To know your internal IP visit here. If you analyse the traffic of this site in wireshark you will see that it is generating STUN request.

How to prevent DNS leak
dnsleaktest.com serves a utility which blocks outside dns. I'm also using this tool. You can also flush dns cache using ipconfig /flushdns in command prompt or set static DNS address to Google or openDNS.

But remember preventing DNS leak doesn't mean you are preventing yourself from webRTC leak. VPNs doesn't block STUN request because it is just an internet traffic coming from STUN server.

STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery

How to prevent WebRTC leak
In google chrome there are 2 browser plugins WebRTC Leak Prevent and WebRTC Network Limiter. They successfully block STUN request and I'm using them both just in case if one fails to do that. It also means that by blocking STUN request my browser won't be able to make VoIP sessions when I'm sitting behind NAT.

Mozilla Firefox users can actually turn off the default WebRTC functionality directly in Firefox settings by typing ‘about:config’ into the search bar and browsing to the ‘media.peerconnection.enabled’ option and setting it to FALSE.

WebRTC leak has nothing to do with how secure your VPN is and how strong encryption your VPN uses. The vulnerability is in your browser which is WebRTC itself. Your VPN will simply accept any traffic you have requested.Strictly saying, VPN doesn't prevent webRTC leak It all depends on your browser. If webRTC is enabled it'll simply accept STUN request and send a response to server.

You can learn more about webRTC leak here

Community
  • 1
defalt
  • 6,231
  • 2
  • 22
  • 37
  • I have confirmed with https://dnsleaktest.com that I am *not* leaking DNS. However, I am leaking my actual IP which I can see at https://www.browserleaks.com/webrtc and it shows that the leak is coming via webRTC. You say that "Even if you use VPN you might be able to prevent yourself from DNS leak but you can't prevent webRTC leak", but again ... if the VPN is transport layer or lower, I can't believe that that is true. So my conclusion, which I am trying to verify, is that my particular *transport layer* VPN (sshuttle) is broken in some way which leads to webrtc leaks - possibly over UDP? – user227963 Sep 29 '16 at 22:10
  • @user227963 I've edited my answer. Last time I posted in hurry, sorry about that. – defalt Sep 30 '16 at 07:49
  • WebRTC leak can be a vulnerability in some way but webRTC is not a vulnerability itself. You can find here why implementation of webRTC is important: https://webrtchacks.com/an-intro-to-webrtcs-natfirewall-problem/ – defalt Sep 30 '16 at 15:38