
WireGuard does not assign dynamic IP addresses, which may be a privacy risk.

It is known that while WireGuard may offer advantages in terms of performance, by design it is not ideal for privacy, because it doesn't allocate VPN IP addresses (10.*) dynamically like OpenVPN does; instead, WireGuard requires fixed ones in .conf files deployed on devices.

I keep reading there are certain scenarios in which these IP addresses can be exposed, namely with WebRTC leaks. I'd like to know if my scenario is among the scenarios at risk of leaking this fixed (internal) VPN IP address.

On my OpenWrt router I have installed WireGuard, which connects to my VPN provider and provides internet access (tunneled through the VPN) for all my LAN clients. The LAN clients themselves are, in this sense, 'unaware' of the VPN connection. When visited in the browser on one of my LAN clients, sites such as ipleak.net report only the VPN public IP address: not the public IP from my ISP, and not the fixed (internal) WireGuard IP address which can allegedly leak by means of WebRTC or STUN.

My question is: is it possible for LAN clients in this scenario to somehow obtain the fixed (internal) WireGuard IP address (assuming they can't log in to the router)? Should I be concerned about the risk of WebRTC in this case, or not?

Opayq

2 Answers


The WebRTC stack in the browser only has knowledge of the local IP address and the externally visible address as returned by STUN, which means only these can leak. Since the WireGuard address on the router is not local to the client, this only leaves STUN for discovery.

Usually a STUN server is on the internet, in which case it will only see the external IP address of the VPN exit. Only a STUN server placed inside the VPN network itself would see the VPN-internal address, i.e. the WireGuard address of your router.

So if somebody manages to be part of the same VPN network (like using the same VPN provider), they can set up a STUN server which allows them to detect your router's WireGuard IP with WebRTC. This only works, though, if the VPN provider allows direct connections between the VPN participants instead of isolating them from each other. I don't know if your specific provider does this.

Steffen Ullrich
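The answer above reduces the question to which addresses actually appear in the browser's ICE candidates: host candidates (the client's own LAN address, or an mDNS name in current browsers) and server-reflexive candidates (whatever address the STUN server saw). The following is an added example, not code from the answer or from any WebRTC test site: it parses candidate lines in the SDP `candidate:` syntax, classifies them, and flags any candidate whose address falls inside a VPN-internal range you supply (the router's WireGuard range, assumed here to be 10.0.0.0/8). The sample candidate lines are constructed; the fourth one represents the hypothetical STUN-server-inside-the-VPN case the answer describes, so that the check has something to flag. In a browser, `gatherAndAudit` runs the same check on the real candidates your browser produces; under Node only the parsing and classification run.

```javascript
// Added example: classify WebRTC ICE candidates and check whether any of them
// exposes an address from a VPN-internal range (e.g. the router's WireGuard address).
// Candidate syntax (RFC 8839 / SDP):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <a> rport <p>] ...

function parseCandidate(line) {
  const s = line.trim().replace(/^a=/, "");
  const m = s.match(/^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/);
  if (!m) return null;
  const raddrMatch = m[8].match(/raddr (\S+)/);
  return {
    transport: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7],                      // host | srflx | prflx | relay
    raddr: raddrMatch ? raddrMatch[1] : null, // related (local) address, if reported
  };
}

// Minimal IPv4 CIDR matching without dependencies; non-IPv4 addresses never match.
function ipv4ToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + p, 0);
}
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const a = ipv4ToInt(ip), n = ipv4ToInt(net);
  if (a === null || n === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Group candidates by type and record every address (candidate or raddr) inside the VPN range.
function auditCandidates(lines, vpnInternalCidr) {
  const report = { host: [], srflx: [], prflx: [], relay: [], mdns: [], exposesVpnInternal: [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.address.endsWith(".local")) { report.mdns.push(c.address); continue; } // mDNS-obfuscated host
    (report[c.type] || (report[c.type] = [])).push(c.address);
    for (const addr of [c.address, c.raddr]) {
      if (addr && inCidr(addr, vpnInternalCidr)) report.exposesVpnInternal.push(`${c.type}:${addr}`);
    }
  }
  return report;
}

// Constructed sample, as a browser behind the router in the question might report it.
// Line 4 is hypothetical: a STUN server reachable inside the VPN reflecting the router's WireGuard address.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.5 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:3 1 udp 2122260223 a1b2c3d4-e5f6-7890-abcd-ef1234567890.local 51234 typ host",
  "candidate:4 1 udp 1686052607 10.8.0.12 51234 typ srflx raddr 192.168.1.23 rport 51234",
];

// Browser only: gather the real candidates with the given STUN server and audit them.
async function gatherAndAudit(stunUrl, vpnInternalCidr) {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.createDataChannel("probe"); // needed so the browser actually gathers candidates
  const gathered = new Promise(resolve => {
    pc.onicecandidate = e => { if (e.candidate) lines.push(e.candidate.candidate); else resolve(); };
  });
  await pc.setLocalDescription(await pc.createOffer());
  await gathered;
  pc.close();
  return auditCandidates(lines, vpnInternalCidr);
}

if (typeof RTCPeerConnection === "undefined") {
  console.log(JSON.stringify(auditCandidates(SAMPLE_CANDIDATES, "10.0.0.0/8"), null, 2));
}
```

With a STUN server on the internet (lines 1 to 3) the report contains only the LAN address, its mDNS form and the VPN exit's public address, and `exposesVpnInternal` stays empty, which is what ipleak.net shows in the question. Only the constructed line 4 produces an entry, `srflx:10.8.0.12`, and that line can only arise if the VPN provider lets participants reach a STUN server inside the VPN network.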

I found a few more references claiming there's no WebRTC/STUN risk when running WireGuard on the router:

There's an easy way to fix the WebRTC leak issue network-wide: Use a VPN on your router so your network clients literally don't know their "real" IP and therefore can't leak it. Same thing works for Tor. In my experience OpenWrt and a WireGuard VPN provider works best.

Source: https://news.ycombinator.com/item?id=23537402

Alternatively, those that use the affected browsers can set up a wireless home router to connect to their VPN service directly. This removes the likelihood of a software-based (or in this case, a browser-based) flaw from exposing any information about the user.

Source: https://blog.ipvanish.com/webrtc-security-hole-leaks-real-ip-addresses/

Opayq