Jump to content
Not connected, Your IP: 3.239.233.139
AirVPN
go558a83nk

WebRTC used to reveal real IP address

By go558a83nk, ... in Off-Topic

Recommended Posts

go558a83nk    290

go558a83nk
Posted ...

Nice tip! This also serves as a good test of your firewall setup. On a properly firewalled system, this test will reveal all your LAN, but not WAN addresses.

 

can you please explain more about a firewall setup that would prevent them from seeing the WAN address?

Share this post

Link to post

sheivoko    185

sheivoko
Posted ...

go558a83nk, even without any firewalling, I have yet to understand how exactly WebRTC/STUN is able to figure out your WAN while a VPN tunnel is established and set as the one and only route - i will do some testing on this tomorrow; in any case, if your firewall:
- denies all incoming traffic
- denies all outgoing traffic except to AirVPN entry server(s)

then there's no way for any application, including browser/WebRTC, to obtain your WAN address. They can phone home but it'll either happen via VPN or it'll fail. AirVPN's Eddie client comes with a similar "network lock" feature.

all of my content is released under CC-BY-SA 2.0

Share this post

Link to post

go558a83nk    290

go558a83nk
Posted ...

go558a83nk, even without any firewalling, I have yet to understand how exactly WebRTC/STUN is able to figure out your WAN while a VPN tunnel is established and set as the one and only route - i will do some testing on this tomorrow; in any case, if your firewall:

- denies all incoming traffic

- denies all outgoing traffic except to AirVPN entry server(s)

 

then there's no way for any application, including browser/WebRTC, to obtain your WAN address. They can phone home but it'll either happen via VPN or it'll fail. AirVPN's Eddie client comes with a similar "network lock" feature.

 

I run VPN on my router and it was able to see VPN and ISP IP addresses. :-(

Share this post

Link to post

sheivoko    185

sheivoko
Posted ...

Interesting, this might have made all the difference, as WebRTC/STUN does some NAT magic to map local/WAN ip and port. For testing purposes, can you please try this test while disabling the VPN on your router and connecting to AirVPN directly with your computer? Even if you don't firewall anything, I would be very surprised if your ISP IP was discovered.

all of my content is released under CC-BY-SA 2.0

Share this post

Link to post

zhang888    1059

zhang888
Posted ...

Actually WebRTC/STUN can use the help of ALG and UPnP functions of consumer routers in order to get that information.

Thats why they are generally unsafe, since those features are either on by default, or have a very non-intuitive way to disable them.

 

There are some workarounds for disabling this on Chrome and Firefox, but if you want a more global secure solution just disable those router features.

Also, STUN works on port 3478/udp, you might want to block that with a rule, if all the above fails.

sheivoko reacted to this

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

go558a83nk    290

go558a83nk
Posted ...

OK, did the test with Eddy 2.8 on my win 7 64k machine.

 

with network lock OFF, it could still see my ISP WAN address, and also saw AirVPN address.

 

with network lock ON, it could only see AirVPN address.

 

regarding my router, Asus AC68, UPnP has always been turned off by my choice.  But, not sure what setting would control ALG.  Anybody know?

Share this post

Link to post

go558a83nk    290

go558a83nk
Posted ...

Well, interesting development.  I rebooted my router and Win 7 machine and tested connections to 4 different VPN companies from my router and this test only showed the VPN WAN each time.  So, I don't know what caused the "leak" in previous tests.  I'll have to keep an eye on it.

 

I happen to be testing two other VPN companies right now for a replacement for one I've had for a while. I plan on keeping Air for the foreseeable future.

 

I wanted to test their configs because they use other openvpn options dealing with routes and topology etc that Air doesn't use.

Share this post

Link to post

zhang888    1059

zhang888
Posted ...

In any case, STUN, ICE, TURN are all possible due to "leaky" router/NAT settings that allow those ALG protocols.

You can read some technical insights here:

 

 

https://webrtchacks.com/stun-helps-webrtc-traverse-nats/

 

This is how you disable it on Asus-C66:

 

http://www.junctionnetworks.com/knowledgebase/onsip/phones-routers-and-devices/router-configuration/asus/asus-rt-ac66u

 

 

 

Asus RT-AC66U devices with their most current firmware enables their SIP ALG by default. THERE IS NO GUI OPTION TO DISABLE IT

So as to add to your knowledge base, I thought I'd share the solution:
To disable the SIP ALG manually, you enable telnet to the device via the WWW interface
Telnet to the device (from a command line enter "telent 192.168.1.1" or the appropriate IP address for the device.)

Issue the following commands:

nvram get nf_sip

(It should return a "1")

nvram set nf_sip=0
nvram commit

Reboot

 

 

There are very tricky ways to disable those ALG handlers, that are mostly used for VOIP. If you use an open-source firmware, it might be your only way to really be sure what's going on.

go558a83nk reacted to this

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

zhang888    1059

zhang888
Posted ...

Before HTML5 all those potentially dangerous features were at lower risk, because the 3d party would have to run an executable file on your machine to be able to unmask you.

With the new browser "features", such as the Geolocation, RTC, bookmark sharing, peer-assisted networking, and who knows what else, only a properly configured open-source

software at the perimiter, or manual disabling of those easter-eggs can ensure maximum protection.

encrypted and go558a83nk reacted to this

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

packetpuzzler    2

packetpuzzler
Posted ...

I appreciate the responses so far. Are the Advanced Members that have been responding part of the AirVPN staff? If not, I would also really like to hear directly from AirVPN about this.

 

Update:

 

FYI: Disabling SIP ALG on my Netgear WINR200V4 router did not fix the problem.

 

However, adding the WebRTC Block Extension from the Chrome Store seems to fix the problem on Chrome (Windows 8.1).

Share this post

Link to post

go558a83nk    290

go558a83nk
Posted ...

I appreciate the responses so far. Are the Advanced Members that have been responding part of the AirVPN staff? If not, I would also really like to hear directly from AirVPN about this.

 

Update:

 

FYI: Disabling SIP ALG on my Netgear WINR200V4 router did not fix the problem.

 

However, adding the WebRTC Block Extension from the Chrome Store seems to fix the problem on Chrome (Windows 8.1).

 

what was your problem?  was your real ISP IP address showing up?  if only the VPN IP address was showing up then there's really no problem.  of course, you can still block it (in Chrome ) or shut it off (Firefox) if you desire.

Share this post

Link to post

mhalen    2

mhalen
Posted ...

is there any downsides to setting media.peerconnection.enabled to false? what could potentially stop working?

Share this post

Link to post

OpenSourcerer    939

OpenSourcerer
Posted ...

is there any downsides to setting media.peerconnection.enabled to false? what could potentially stop working?

 

Your browser cannot start direct audio/video conversations with other clients. Decentralized Skype, so to speak.

» I am not an AirVPN team member. All opinions are my own and are not to be considered official. Only the AirVPN Staff account should be viewed as such.

» The forums is a place where you can ask questions to the community. You are not entitled to guaranteed answer times. Answer quality may vary, too. If you need professional support, please create tickets.

» If you're new, take some time to read LZ1's New User Guide to AirVPN. On questions, use the search function first. On errors, search for the error message instead.

» If you choose to create a new thread, keep in mind that we don't know your setup. Give info about it. Never forget the OpenVPN logs or, for Eddie, the support file (Logs > lifebelt icon).

» The community kindly asks you to not set up Tor exit relays when connected to AirVPN. Their IP addresses are subject to restrictions and these are relayed to all users of the affected servers.

 

» Furthermore, I propose that your paranoia is to be destroyed. If you overdo privacy, chances are you will be unique amond the mass again.

Share this post

Link to post

usr32    2

usr32
Posted ...

Im a little concerned about this. For now I set media.peerconnection.enabled to false but there are some things I don't understand.

 

For example. If I use Cisco VPN from my company STUN doesn't reveal my ISPs IP but when using AirVPN it does. Sure, Network lock prevents it

​but I don't want to use it all the time because it messes with my Firewall. So why is this happening with OpenVPN but not Cisco VPN?

​I am connected through a router with all unnecessary services disabled. I use Windows Firewall Control. Is there a way to prevent this globally?

izeus reacted to this

Share this post

Link to post

usr32    2

usr32
Posted ...

So I solved the problem with the additional arguments:

 

route-nopull

redirect-gateway bypass-dhcp

 

This is to ignore the argument def1 that is being pushed by the server to the client that is responsible.

But:

 

dhcp-option DNS x.x.x.x

route x.x.x.x

 

will be ignored. So the DNS of the server will not be used. If you add this argument with a public DNS or 10.4.0.1 it should be fine.

 

I don't know if route is important in this case. I did not experience any differences when adding route 10.4.0.1 or leaving it out.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Go To Topic Listing
×
×
  • Create New...