webrtc bug seems to leak "private" mesh ip addresses when connecting via peoplesopen.net #25

Open
jhpoelen opened this issue Mar 28, 2018 · 8 comments

Comments

@jhpoelen
Contributor

jhpoelen commented Mar 28, 2018

Just came across an article that describes a leak of private ip addresses via WebRTC through a VPN tunnel. From https://www.bleepingcomputer.com/news/security/many-vpn-providers-leak-customers-ip-address-via-webrtc-bug/ :

"[...] Around 20% of today's top VPN solutions are leaking the customer's IP address via a WebRTC bug known since January 2015, and which apparently some VPN providers have never heard of. [...]"

A demo site (see also the article) at https://ip.voidsec.com helps to see whether you are exposed.

On Opera v52.0.2871.30 on Ubuntu 16.04, it appears that my peoplesopen.net SSID only exposes the (new) exit node: 64.71.176.94. However, when using Chrome v65.0.3325.181, my private mesh IP was exposed (see attached screenshot).

An apparent workaround is to disable WebRTC in your browser or use a VPN on top of the peoplesopen connection. Or switch to another browser like Opera / Tor.

screenshot from 2018-03-28 12-31-36

@bennlich
Collaborator

I'm reading a bit online, trying to determine if this is a browser thing or a VPN thing. It's starting to sound like it's a browser thing, and thus impossible to avoid. I.e. if Chrome is willing to respond to STUN requests with the private IP of the client, there's nothing to do besides stop using Chrome.

@wwwhtml
Member

wwwhtml commented Mar 30, 2018

I tried it with DON (Daniel's Open Network) by itself, and yes, it leaks my ISP IP.
But it does not leak the IP if I add an additional VPN on top of it.

Do you want a free three-hour VPN account to test yourself? https://mullvad.net

@wwwhtml
Member

wwwhtml commented Mar 30, 2018

screen shot 2018-03-29 at 11 55 33 pm

DON + an additional VPN.

@wwwhtml
Member

wwwhtml commented Mar 30, 2018

@bennlich I tested on Safari and the results are the same:
Just DON leaks.
DON + an additional VPN doesn't leak.

@Juul
Member

Juul commented Jun 28, 2018

This isn't really a bug. It's just how WebRTC works. WebRTC allows you to enumerate the local IPs so your app can connect directly over LAN if the two nodes appear to be on the same LAN. Mozilla developers also discussed this but elected not to change the behavior of the browser. If someone thinks this is a bug then it should be fixed in the browser. It's definitely not a sudomesh bug.

@bennlich
Collaborator

@Juul one question I have is why using some VPN tunnels protects your IP from this leak, while others do not. I haven't been able to reason out what could be different myself. Do you know?

@yardenac

If your VPN works by creating its own network interface (e.g. tun0 in Linux) then the LAN your applications see won't be the same LAN your computer and router use to see each other.

I recommend uBlock Origin for blocking WebRTC (and more) in your browser.
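
Added example, not part of the original thread or of sudomesh's code: a small JavaScript parser for ICE candidate lines that reports which addresses each candidate type carries, illustrating the local-interface enumeration and the interface point made in the comments above. The sample candidates, all addresses and the function names are constructed for illustration; in a browser the lines would come from the `icecandidate` events of an `RTCPeerConnection`.

```javascript
// Constructed sample ICE candidates (documentation/private ranges, not real captures).
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 10.0.0.5 54321 typ host generation 0',
  'candidate:2 1 udp 2122194687 100.64.3.9 54322 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.7 61000 typ srflx raddr 10.0.0.5 rport 54321',
  'candidate:4 1 udp 2122260223 3f2a1c9e-0b7d-4c55-9a1e-6d2f8b7c4e10.local 54323 typ host',
  'a=candidate:5 1 tcp 1518280447 192.168.1.23 9 typ host tcptype active',
];

// Parse one candidate attribute: foundation, component, transport, priority,
// address, port, "typ" <type>, then optional extensions such as raddr.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(.*)$/.exec(line.trim());
  if (!m) return null;
  const raddr = / raddr (\S+)/.exec(m[5]);
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4], relatedAddress: raddr ? raddr[1] : null };
}

// Classify an address by scope (IPv4 and mDNS names only; anything else is 'unknown').
function classifyAddress(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // obfuscated host candidate, no IP revealed
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return 'unknown';
  const o = addr.split('.').map(Number);
  if (o.some((n) => n > 255)) return 'unknown';
  if (o[0] === 127) return 'loopback';
  if (o[0] === 10 || (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
      (o[0] === 192 && o[1] === 168)) return 'private';           // RFC 1918
  if (o[0] === 100 && o[1] >= 64 && o[1] <= 127) return 'shared'; // RFC 6598
  if (o[0] === 169 && o[1] === 254) return 'link-local';
  return 'public';
}

// List every distinct IP a remote page could read from the candidates.
// "host" candidates carry local interface addresses; "srflx" carries the
// address a STUN server saw, with the local address optionally in raddr.
function exposedAddresses(lines) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    for (const [addr, source] of [[c.address, c.type], [c.relatedAddress, 'raddr']]) {
      if (!addr || addr === '0.0.0.0' || seen.has(addr)) continue;
      const scope = classifyAddress(addr);
      if (scope !== 'mdns') seen.set(addr, { address: addr, scope, source });
    }
  }
  return [...seen.values()];
}
```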
