Does it matter if you're using a VPN to hide your IP on an Android phone when you use apps like YouTube, Facebook, or third-party open source apps like NewPipe (YouTube) or "Tinfoil for Twitter" or "Tinfoil for Facebook"? Will WebRTC give away my IP anyway, or is that just for browsers?

Antonio
  • You are blaming webRTC for your IP leak when it is clearly a fault of your VPN client. WebRTC does not leak public IP Address. I've tested with openVPN and softether VPN client and there was no IP leak in my case. Change your faulty VPN client. – defalt Oct 31 '17 at 18:32
  • But I'm using OpenVPN as well... Both on Windows and Android. Try OpenVPN on Android with Lightning Browser on www.doileak.com, and you will get a WebRTC leak. – Antonio Oct 31 '17 at 19:40
  • apps can get the same info, without webRTC. – dandavis Oct 31 '17 at 23:37
  • @Antonio No, I didn't. I tested it in Android, Linux and Windows and my IP is not leaking. The leak you are referring to is not a leak due to the WebRTC client. That can be a DNS leak also. Apps can ignore the tunnel. That all depends on your VPN configuration. Test this: www.dnsleaktest.com – defalt Nov 01 '17 at 01:36

1 Answer

WebRTC only returns the private IP address of a client and not the public IP address, because the WebRTC client has no idea what your public IP address is if you are behind NAT, and this is what the WebRTC client wants to find out.

If you are using a VPN, the STUN server, which is responsible for discovering your public IP address and what type of NAT you are sitting behind, sees your request coming from the VPN.

But using a VPN doesn't prevent the WebRTC client from sending a binding request to the STUN server. Any embedded iframe can execute JavaScript that makes the browser initiate a transaction to a STUN server that can return the local IP address, along with the external IP and port number that can get through the firewall or NAT back to the browser.

Any app that is implemented with the WebRTC API is a WebRTC client, and yes, it can leak your private IP address. WebRTC is required by apps that want to support P2P VoIP and video calling, so there are only a handful of such apps.

YouTube does not use WebRTC. Facebook Messenger and Hangouts use WebRTC for voice calling, so they can discover your private IP address. Browsers were the first to come with integrated support for the WebRTC API, and this is the list of websites that are using WebRTC.

If you are wondering what WhatsApp uses for voice and video calls, it uses PJSIP libraries.

If you are using a VPN and you find that your real IP address is leaking, then that's the fault of your VPN client. It is not tunneling your traffic properly. The STUN server should only see the IP address of your VPN server. If this is not happening, it means that the WebRTC client is making the STUN request outside of the VPN tunnel, as shown in the figure.

defalt
  • Thanks for the very thorough answer but now I'm very confused. I never thought it was an issue that the private IP leaked but the public? If I run www.doileak.com on a web browser where webrtc isn't disabled while using a VPN, then my public real IP is returned? My private IP leaking isn't really an issue since it doesn't say anything about who I am? – Antonio Oct 31 '17 at 13:51
  • @Antonio That's the fault of your VPN. It is not tunneling the entire traffic of your PC. The WebRTC client is making the request to the STUN server outside of the tunnel. I add an edit to my answer. – defalt Oct 31 '17 at 14:33
  • Again, thanks for the in-depth explanations. I'm reading about STUN now, which I knew nothing about before. But I still have some questions. Like reading on the VPN providers' sites, it says it's not an issue from the VPN provider's end, but the software (like browser settings). And when I meant FB app, I meant third-party apps like FaceSlim that are more or less wraparounds around the Facebook mobile site. How can I check whether an app like that, or an app for Reddit, uses WebRTC? Another question, is WebRTC leak not an issue on Android, but just Windows? – Antonio Oct 31 '17 at 18:01
  • @Antonio As written in the answer, WebRTC is used by those apps that want to add support for VoIP, so just make a guess why Reddit would use it. Any application that uses WebRTC can cause a WebRTC leak, so it doesn't depend on the operating system. – defalt Oct 31 '17 at 18:28
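
An added example, not part of the original question, answer or comments: a self-check of the answer's point that a STUN-derived (`srflx`) ICE candidate should carry only the VPN server's address. It parses ICE candidate lines and flags any that do not; the sample lines, the documentation-range addresses and the function names are constructed for illustration, and only IPv4 addresses are classified.

```javascript
// In a browser the lines come from RTCPeerConnection "icecandidate" events
// (event.candidate.candidate); here they are constructed samples.
function parseCandidate(line) {
  // candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f.length < 8 || f[6] !== "typ") return null;
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

function isPrivate(addr) {
  const o = addr.split(".").map(Number);
  if (o.length !== 4 || o.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||            // RFC 1918 10/8, loopback
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||  // RFC 1918 172.16/12
    (o[0] === 192 && o[1] === 168) ||              // RFC 1918 192.168/16
    (o[0] === 169 && o[1] === 254) ||              // link-local
    (o[0] === 100 && o[1] >= 64 && o[1] <= 127);   // carrier-grade NAT 100.64/10
}

function auditCandidates(lines, vpnExitIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    let verdict;
    if (c.address.endsWith(".local")) verdict = "mdns-obfuscated";   // browser hid the host address
    else if (c.address.includes(":")) verdict = "ipv6-unclassified"; // out of scope for this sketch
    else if (c.type === "srflx")                                     // address the STUN server saw
      verdict = c.address === vpnExitIp ? "via-vpn" : "public-leak";
    else if (c.type === "host")                                      // local interface address
      verdict = isPrivate(c.address) ? "private-exposed" : "public-leak";
    else verdict = "other";
    findings.push({ type: c.type, address: c.address, verdict });
  }
  return findings;
}

// Constructed sample: 198.51.100.20 stands for the VPN server, 203.0.113.7 for the ISP address.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host generation 0",
  "candidate:2 1 udp 1686052607 198.51.100.20 51000 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:3 1 udp 1686052351 203.0.113.7 51002 typ srflx raddr 0.0.0.0 rport 0",
  "candidate:4 1 udp 2122194687 3f2a9c1e-aaaa-4bbb-8ccc-1234567890ab.local 51004 typ host",
];
for (const f of auditCandidates(SAMPLE, "198.51.100.20")) console.log(f.verdict, f.type, f.address);
```

A `public-leak` verdict on an `srflx` line corresponds to the case the answer describes, where the STUN request left the machine outside the VPN tunnel.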