{"id":21,"date":"2015-04-12T23:37:46","date_gmt":"2015-04-12T22:37:46","guid":{"rendered":"http:\/\/www.clodo.it\/blog\/?p=21"},"modified":"2024-04-09T16:02:11","modified_gmt":"2024-04-09T15:02:11","slug":"an-alternative-approach-to-so-called-webrtc-leaks","status":"publish","type":"post","link":"https:\/\/www.clodo.it\/blog\/an-alternative-approach-to-so-called-webrtc-leaks\/","title":{"rendered":"An alternative approach to so-called WebRTC leaks"},"content":{"rendered":"<p>Posted on Reddit here: <a href=\"http:\/\/redd.it\/32d94q\">http:\/\/redd.it\/32d94q<\/a><\/p>\n<p>Recently there have been a lot of discussions about the <strong>WebRTC IP Leak<\/strong>. Almost all of them talk about a &#8220;Security flaw&#8221; or treat it as a bug.<\/p>\n<p>However, many articles about the WebRTC [leaks] propose a solution: disable WebRTC in your favorite browser.<br \/>\nTwo questions:<\/p>\n<ul>\n<li>Is it really a &#8220;Security flaw&#8221; that needs to be fixed in browsers? Look at the browser bug reports to see how many different opinions exist on this.<\/li>\n<li>Why can the browser go outside the VPN tunnel? How many other apps\/protocols can do the same thing as the WebRTC leak? So, is disabling WebRTC a sufficient solution for those who use a VPN to avoid exposing their ISP IP address or traffic?<\/li>\n<\/ul>\n<p>I will explain the details of the issue. 
But first, if you are connected to a VPN service right now, try this:<\/p>\n<p><a href=\"http:\/\/files.clodo.it\/varie\/ipdetection.zip\">ipdetection.zip<\/a> (source available <a href=\"http:\/\/pastebin.com\/Q4sHnWv9\">here<\/a>)<\/p>\n<p>or, under Unix, try this (try also as root):<\/p>\n<pre><code># query the what-is-my-IP service once per network interface, binding to each in turn (lo is skipped)\nfor s in `ifconfig -a | sed 's\/[ \\t].*\/\/;\/^\\(lo\\|\\)$\/d'`; do curl --interface $s http:\/\/www.clodo.it\/projects\/whatismyip\/; done\n<\/code><\/pre>\n<p>Is your real ISP IP leaked?<\/p>\n<p><strong>Details<\/strong><\/p>\n<p>When a user connects to OpenVPN, the main interface (ethernet, wifi etc.) is still available (it is also used to talk with the VPN server itself).<br \/>\nAnd another network interface is opened (tun\/tap).<br \/>\nThis is the scope of OpenVPN: creating a tunnel.<\/p>\n<p>As a plus, OpenVPN can be configured to push a directive from the server to its clients: &#8220;redirect-gateway&#8221;.<br \/>\nThis tells the client that ALL traffic needs to be redirected inside the tunnel by default.<\/p>\n<p>Almost all VPN services use a specific option of that directive: &#8220;redirect-gateway def1&#8221;.<br \/>\nFrom the <a href=\"https:\/\/community.openvpn.net\/openvpn\/wiki\/Openvpn23ManPage\">OpenVPN manual<\/a>:<\/p>\n<blockquote><p>def1 &#8212; Use this flag to override the default gateway by using 0.0.0.0\/1 and 128.0.0.0\/1 rather than 0.0.0.0\/0. 
This has the benefit of overriding but not wiping out the original default gateway.<\/p><\/blockquote>\n<p>Now, this means that the original <em>0.0.0.0\/0<\/em> route is still active, but there are other routes created by OpenVPN that override the original because more specific routes take precedence.<br \/>\nBut <em>0.0.0.0\/0<\/em> is a route assigned to the standard interface, while the new <em>0.0.0.0\/1<\/em> and <em>128.0.0.0\/1<\/em> are assigned to the TUN interface.<\/p>\n<p>In every OS, when a connection\/socket is opened, the program can choose a specific network interface to use.<br \/>\nThis is not common, because most applications don&#8217;t need it and let the OS use the default network interface.<\/p>\n<p>The program above does exactly this: it binds to a specific network interface to query an external <em>what is my ip address<\/em> service.<br \/>\nWhen binding to the standard interface, the overriding routes of OpenVPN are simply ignored, at least under Windows.<\/p>\n<p>I think browsers do the same thing in WebRTC discovery.<\/p>\n<p><strong>Can a VPN service based on OpenVPN resolve the issue server-side, transparently to their users?<\/strong><\/p>\n<p>Yes.<br \/>\nSimply don&#8217;t use the <em>def1<\/em> option in the <em>redirect-gateway<\/em> directive.<br \/>\nWithout <em>def1<\/em>, the OpenVPN client removes the <em>0.0.0.0\/0<\/em> route entirely, and re-creates it on disconnection.<\/p>\n<p>But I don&#8217;t recommend this approach: with <em>def1<\/em>, if the OpenVPN process is terminated, the overriding routes are automatically deleted or become unused, and traffic continues to flow over the standard interface.<br \/>\nWithout <em>def1<\/em>, if the OpenVPN process is killed\/terminated, the user remains without any route for his\/her traffic.<\/p>\n<p>For me, a good VPN service needs to use the <em>def1<\/em> option, for the final consideration below.<\/p>\n<p><strong>Final consideration<\/strong><\/p>\n<p>The WebRTC IP Leak is not a fault of browsers.<\/p>\n<p>It is 
not a fault of OpenVPN (which is designed to be tunneling software, not <em>Always hide my traffic<\/em> software).<\/p>\n<p>It is a fault of users, because they trust the standard OpenVPN client for things out of its scope, or trust badly written VPN service client software.<\/p>\n<p>Users need to use a VPN service whose client software addresses this kind of issue, or need to understand how to configure a firewall or a router.<\/p>\n<p><em>Disclaimer:<\/em><br \/>\nI&#8217;m the author of the client software of a known VPN service. Anyway, I don&#8217;t cite it in this Reddit post.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Posted on Reddit here: http:\/\/redd.it\/32d94q Recently there were a lot of discussions about the WebRTC IP Leak. Almost all of them are talking about a &#8220;Security flaw&#8221; or treat it as a bug. However, many articles about the WebRTC [leaks] talk about a solution: disable WebRTC in favorite browser. Two questions: Is it really a &hellip; <a href=\"https:\/\/www.clodo.it\/blog\/an-alternative-approach-to-so-called-webrtc-leaks\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">An alternative approach to so-called WebRTC leaks<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,4,11],"tags":[15,16],"uagb_featured_image_src":{"full":false,"thumbnail":false,"medium":false,"medium_large":false,"large":false,"1536x1536":false,"2048x2048":false,"post-thumbnail":false},"uagb_author_info":{"display_name":"Clodo","author_link":"https:\/\/www.clodo.it\/blog\/author\/clodo\/"},"uagb_comment_info":5,"uagb_excerpt":"Posted on Reddit here: http:\/\/redd.it\/32d94q Recently there were a lot of discussions about the WebRTC IP Leak. Almost all of them are talking about a &#8220;Security flaw&#8221; or treat it as a bug. 
However, many articles about the WebRTC [leaks] talk about a solution: disable WebRTC in favorite browser. Two questions: Is it really a&hellip;","_links":{"self":[{"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/posts\/21"}],"collection":[{"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/comments?post=21"}],"version-history":[{"count":2,"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/posts\/21\/revisions"}],"predecessor-version":[{"id":492,"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/posts\/21\/revisions\/492"}],"wp:attachment":[{"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/media?parent=21"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/categories?post=21"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.clodo.it\/blog\/wp-json\/wp\/v2\/tags?post=21"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}