An alternative approach to so-called WebRTC leaks

Posted on Reddit here: http://redd.it/32d94q

Recently there have been a lot of discussions about the WebRTC IP leak. Almost all of them talk about a “security flaw” or treat it as a bug.

Many articles about the WebRTC leak propose the same solution: disable WebRTC in your browser.
Two questions:

  • Is it really a “security flaw” that needs to be fixed in browsers? Look at the browsers' bug reports to see how many different opinions exist on this.
  • Why can the browser go outside the VPN tunnel at all? How many other applications and protocols can do the same thing as the WebRTC leak? So, is disabling WebRTC a sufficient solution for those who use a VPN to avoid exposing their ISP IP address or their traffic?

I will explain the details of the issue below. But first, if you are connected to a VPN service right now, try this:

ipdetection.zip (source available here)

or, under Unix, try this (try also as root: on Linux, binding a socket to an interface name may require it). It queries a “what is my IP” service once per interface, so each interface's public address is shown; curl --interface accepts either an interface name or a local IP address:

for s in $(ifconfig -a | sed 's/[[:space:]].*//;s/:$//;/^lo[0-9]*$/d;/^$/d'); do
  printf '%s: ' "$s"; curl -s --interface "$s" http://www.clodo.it/projects/whatismyip/; echo
done

Is your real ISP IP address leaked?

Details

When a user connects to OpenVPN, the main interface (Ethernet, Wi-Fi, etc.) is still available (it is also needed to talk to the VPN server itself),
and another network interface is opened (tun/tap).
This is the scope of OpenVPN: to create a tunnel.

In addition, OpenVPN can be configured so that the server pushes a directive to its clients: “redirect-gateway”.
This tells the client that ALL traffic must be redirected inside the tunnel by default.

Almost all VPN services use a specific flag of that directive: “redirect-gateway def1”.
From the OpenVPN manual:

def1 — Use this flag to override the default gateway by using 0.0.0.0/1 and 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of overriding but not wiping out the original default gateway.

This means that the original 0.0.0.0/0 route is still active, but OpenVPN adds two more specific routes that take precedence over it: route selection always picks the matching route with the longest prefix, and 0.0.0.0/1 plus 128.0.0.0/1 together cover every address, so they win over 0.0.0.0/0.
The important detail is that 0.0.0.0/0 is a route on the standard interface, while the new 0.0.0.0/1 and 128.0.0.0/1 are routes on the TUN interface.

In every OS, when a connection/socket is opened, the program can choose a specific network interface (or local address) to be used.
This is not common, because most applications don't need it and let the OS choose the interface through the routing table.

The program above does exactly this: it binds to each network interface in turn and queries an external “what is my IP address” service.
When it binds to the standard interface, the overriding routes added by OpenVPN are simply ignored, at least under Windows: for a socket pinned to an interface, only the routes on that interface are considered, and the only default route there is the original 0.0.0.0/0.

I think browsers do the same thing in WebRTC discovery.

Can a VPN service based on OpenVPN resolve the issue server-side, transparently to its users?

Yes.
Simply don't use the def1 flag in the redirect-gateway directive.
Without def1, the OpenVPN client removes the 0.0.0.0/0 route entirely and re-creates it at disconnection.

But I don't recommend this approach: with def1, if the OpenVPN process is terminated, the overriding routes are automatically deleted or become unused, and traffic continues to flow over the standard interface.
Without def1, if the OpenVPN process is killed/terminated, the user is left without any route for his/her traffic.

For me, a good VPN service needs to use the def1 flag, for the reason given in the final consideration below.

Final consideration

The WebRTC IP leak is not a fault of browsers.

It is not a fault of OpenVPN (which is designed to be tunneling software, not “always hide my traffic” software).

It is a fault of users, because they trust the standard OpenVPN client for things outside its scope, or trust badly-written VPN service client software.

Users need to use a VPN service whose software addresses this kind of issue, or need to understand how to configure a firewall or a router.
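As an added example of the firewall approach mentioned here (not code from this post or from any VPN vendor's client), the following Python builds, checks and optionally applies an iptables ruleset that lets nothing leave the physical interface except the OpenVPN session itself. A socket bound to that interface (the WebRTC case) is then dropped instead of leaked. The interface names eth0/tun0, the VPN server address 203.0.113.10 and port 1194/udp are assumed values; iptables covers IPv4 only, so an equivalent ip6tables ruleset (or a blanket drop of IPv6 on the physical interface) is needed as well.

```python
# Added example (not from the original post): an iptables "kill switch" that
# allows traffic out of the physical interface only for the OpenVPN session
# itself, so anything that bypasses the tunnel by binding to that interface is
# dropped rather than leaked.  Interface names, server address and port are
# assumed values.  Applying needs root; with dry_run=True nothing is executed.
import subprocess


def killswitch_rules(phys_if, tun_if, vpn_server, vpn_port, proto="udp"):
    """Return the iptables argument lists, in the order they must be applied.

    Only the OUTPUT chain is handled: the goal is to stop packets leaving the
    machine outside the tunnel, not to filter what arrives.
    """
    return [
        # Start from a clean OUTPUT chain whose default is to drop.
        ["-P", "OUTPUT", "DROP"],
        ["-F", "OUTPUT"],
        # Loopback, and replies belonging to connections already accepted.
        ["-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
        ["-A", "OUTPUT", "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # The only new traffic allowed to leave the physical interface: the tunnel session.
        ["-A", "OUTPUT", "-o", phys_if, "-p", proto, "-d", vpn_server, "--dport", str(vpn_port), "-j", "ACCEPT"],
        # DHCP renewals so the physical link keeps its address.
        ["-A", "OUTPUT", "-o", phys_if, "-p", "udp", "--dport", "67", "-j", "ACCEPT"],
        # Everything inside the tunnel is fine.
        ["-A", "OUTPUT", "-o", tun_if, "-j", "ACCEPT"],
        # Anything else on the physical interface (DNS to the ISP resolver, a STUN
        # probe from a socket bound to eth0, ...) is dropped here.  Redundant with
        # the DROP policy, but it gives a per-interface counter for dropped packets.
        ["-A", "OUTPUT", "-o", phys_if, "-j", "DROP"],
    ]


def check_rules(rules, phys_if):
    """Sanity check before applying: iptables takes the first matching rule, so
    the DROP for the physical interface must be its last rule and every earlier
    rule on that interface must be an ACCEPT."""
    phys = [r for r in rules if "-o" in r and r[r.index("-o") + 1] == phys_if]
    return (bool(phys) and phys[-1][-1] == "DROP"
            and all(r[-1] == "ACCEPT" for r in phys[:-1]))


def render(rules, binary="iptables"):
    """Render the rules as shell command lines, for review or for a script."""
    return [" ".join([binary] + rule) for rule in rules]


def apply_rules(rules, binary="iptables", dry_run=True):
    """Apply the rules with subprocess; with dry_run only return the argv lists."""
    commands = [[binary] + rule for rule in rules]
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    rules = killswitch_rules("eth0", "tun0", "203.0.113.10", 1194)
    assert check_rules(rules, "eth0")
    # Review first; run apply_rules(rules, dry_run=False) as root to enforce.
    print("\n".join(render(rules)))
```

Two consequences worth knowing before enabling this: DNS queries to the ISP resolver over eth0 are dropped too, so the client must use a resolver reachable through the tunnel (typically the one the VPN pushes), and if the OpenVPN process dies the def1 fallback route via eth0 still exists but nothing can use it, which is exactly the behaviour the post's last paragraph asks for.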

Disclaimer:
I'm the author of the client software of a known VPN service. Anyway, I don't cite it in this Reddit post.

AMV – Forsaken

*** Semi-finalist for VCAs 2006 – Category “Best First Video” ***

The video is a condensed summary of the film The End of Evangelion, so
all the images in the AMV appear in (almost) the same order as in the film.

I started this project in November 2005, so in two months (approximately 100 hours) I studied After Effects 6.5 and created this video.
It was my first experience with AMVs and After Effects, but I'm a software developer and I already knew concepts like ‘keyframes’, ‘layers’, etc., so I quickly understood how this software works.

In the first pre-release, the video had many effects, but before the official release I removed many of them to create a ‘cleaner’ video; I did not remove the subtitles, though. This was a wrong choice…

In March 2006, I re-rendered the video without subtitles and at better quality (with some encoding tips from my friend rei.andrea), available as a ‘direct link’.

Here you can download the JPEG of the mosaic used in the intro; it's a mosaic of Rei and Eva01, made from all the frames of the film ‘The End Of Evangelion’ with the free software AndreaMosaic.

Anime

Evangelion – The End Of Evangelion (Renewal)

Music

Artist : Within Temptation
Intro : Deceiver of Fools (Album: Mother Earth)
AMV : Forsaken (Album: The Silent Force)
End Titles : Memories (Album: The Silent Force)

English Lyrics

Now the day has come
We are forsaken this time

We lived our lives in our paradise,
As gods we shaped the world around
No borderlines we'd stay behind,
Though balance is something fragile

While we thought we were gaining,
We would turn back the tide, it still slips away
Our time has run out, our future has died,
There's no more escape

Now the day has come,
We are forsaken,
There's no time anymore
Life will pass us by,
We are forsaken,
We're the last of our kind

The sacrifice was much too high,
Our greed just made us all go blind
We tried to hide what we feared inside
Today is the end of tomorrow

As the sea started rising,
The land that we'd conquered just washed away
Although we all have tried to turn back the tide,
It was all in vain

Now the day has come,
We are forsaken,
There's no time anymore
Life will pass us by,
We are forsaken,
Only ruins stay behind

Now the day has come
We are forsaken this time

Now the day has come,
We are forsaken,
There's no time anymore

Now the day has come
The day has come
The day has come

Italian Lyrics

E' arrivato il giorno
in cui saremo dimenticati

Abbiamo vissuto le nostre vite nel nostro paradiso
Come Dei modellammo il nostro mondo
Nessun confine da rispettare
Benchè l'equilibrio fosse fragile

Volevamo risalire la corrente
Ma mentre pensavamo di guadagnarci essa lentamente scivola via
Il nostro tempo è finito, il nostro futuro è morto
Non c'è via di salvezza

E' arrivato il giorno
In cui saremo dimenticati
Non c'è più tempo ormai
La vita è trascorsa
Ci hanno dimenticato
Siamo gli ultimi del nostro genere

Il sacrificio è stato troppo alto
Fummo accecati dalla nostra avarizia
Abbiamo cercato di nascondere ciò che temevamo
Oggi è la fine del domani

Il mare si è innalzato
La terra che avevamo conquistato è stata spazzata via
Anche se tutti abbiamo provato a girare indietro la marea
Tutto è stato vano

E' arrivato il giorno
in cui saremo dimenticati
Non c'è più tempo ormai
La vita è trascorsa
Ci hanno dimenticato
Solo rovine alle nostre spalle

E' arrivato il giorno
Siamo stati abbandonati questa volta

E' arrivato il giorno
in cui saremo dimenticati
Non c'è più tempo ormai

Ora il giorno è arrivato
Il giorno è arrivato
Il giorno è arrivato

Software

Adobe After Effects 6.5 & Trapcode's plugins
AndreaMosaic
VirtualDubMod
Media Player Classic
Adobe Illustrator
UltraEdit-32

Links

JPEG intro mosaic (25.7 MB, 7617×5240 pixels)
Download Direct (190 MB, 704×384, Best quality available)
One of the YouTube copies