WebRTC & VPN Security Leaks

By: Daniel Shen

Problem Statement:

Web Real-Time Communication (WebRTC) is used on many popular internet browsers. Unfortunately, WebRTC has a major downfall which has caused a major impact to users who use Virtual Private Networks. The current scale of problems results in WebRTC allowing primary host machines to show their true IP address even when using a VPN.

Who’s affected by the Problem?

          We assessed and found multiple privacy filters compromised by WebRTC and leaking IP addresses. If a user is using a privacy filter and has WebRTC enabled, they should check if their privacy filter prevents the leakage of their IP.

The list of people affected is shown below

  • VPN Users + VPN Providers
  • Web-RTC enabled browsers (See Problem Impact)
  • STUN servers made with local and public IP addresses for the user
  • P2P file sharing users
  • Proxy Users

About WebRTC:

Web Real Time Communications was initial project that started in 2011. Often referred to as WebRTC, it serves as a free open-source project that provides peer-to-peer communication on web pages or web applications. WebRTC allows for users to connect with voice or video inside web pages without the use and need of any external plugins or executables. Any connected internet device may use WebRTC. This can be enabled from phones, tablets, televisions and more.

How does WebRTC work:

          There are several variations of WebRTC. Some variations of WebRTC will include more API layers, however they use the same default variation that is provided by the original WebRTC source code. The original variation includes usage of several core JavaScript API layers which allows WebRTC to function properly. Each of the API Layer’s provides unique functions. These layers include the following below:[1]           Please Visit the link below to learn more about the API layers

  • getUserMedia(): captures audio and video.
  • MediaRecorder: records audio and video.
  • RTCPeerConnection: stream audio and video between users.
  • RTCDataChannel: stream data between users.

WebRTC’s problem with VPN’s and other Tunneling Methodologies:

WebRTC had a leak discovered in 2015 that resulted in host IP’s being revealed despite the usage of privacy filters such as proxies and virtual private networks. WebRTC will ultimately allow websites to dig and find the user’s IP address without the knowledge or consent of the user. In order to discover where the exact problem is, you must know why the leaks are being caused.

Causation of WebRTC-VPN Leaks:

The WebRTC API’s enable real-time communication of audio, video and data in web and native apps. With the usage of RTCPeerConnection in the WebRTC API, it uses signaling which allows you to communicate and send control messages across the web.[2] This allows the usage of STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relay NAT) servers to function properly and allow clients to traverse the NAT gateways (NAT TRAVERSAL)[3] and firewalls to allow for peer to peer connection via ICE (Interactive Connectivity Establishment) protocol. The STUN servers are able to obtain the IP of the host while the TURN servers relay in case the peer to peer communication doesn’t work. With the usage of the STUN mechanism, this also crosses in between VPN’s (Virtual Private Networks). The STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity (routers at home replicate a similar function in translating private IP addresses to public and back.)[4] This allows WebRTC to request information due to the unique Nat Traversal and firewall properties and request the STUN servers to return your particular endpoint IP along with your local network address thus compromising privacy.

Problem Impact:

In 2018 there are more than two billion browsers installed that are enabled and work with WebRTC, including the three dominant web browsers in the US (Internet Explorer, Google Chrome, Mozilla Firefox).[5]  The following below accounts for popular internet browsers in the US. These browsers have WebRTC enabled by default

  • Desktop Browsers
    • Brave
    • Edge (it does not leak at the moment due to recent unsupported usage of ‘createDataChannel’)
    • Epiphany (Gnome)
    • Mozilla Firefox
    • Google Chrome
    • Opera
    • Safari
    • Vivaldi
  • Android
    • Google Chrome on Android
    • Internet (Samsung Browser)
    • Google Chrome 28 (enabled by default since 29)
    • Mozilla Firefox 24[28]
    • Opera Mobile 12
  • iOS
    • Mobile Safari/WebKit
    • Chrome on iOS

As data privacy is a major concern across the world, the exposure of one’s IP address can result in a loss in integrity and create security risks for many internet users. At the time being, multiple VPN’s SOCKS, HTTP Proxies do not account for WebRTC which ultimately means that these features will not obscure and compromise your IP address. In other words, even when using any of the features that anonymous your IP, any connected endpoint, whether it be users, websites, or more, can still see your real address.

Testing Done:

          For this project, I have used Daniel Roesler’s [6]code to create an implementation for leak testing WebRTC for ten VPN providers and well-known protocols. The following below are the scenarios and the date tested using Mozilla Firefox and Google Chrome on Windows 10. Please keep in mind of the date tested, the VPN provider could have altered it to support webrtc-vpn configurations after test date.

  1. Astrill VPN                                         Leaks (10/11/2018)
  2. Hide my Ass VPN                              Does not Leak (10/11/2018)
  3. Ipvanish VPN                                                 Does not Leak (10/11/2018)
  4. PHP Proxy                                          Leaks (10/11/2018)
  5. HolaVPNChrome VPN                      Leaks (10/11/2018)
  6. Slick VPN                                           Does not Leak (11/15/2018)
  7. Perfect Privacy VPN                          Does not Leak (11/15/2018)
  8. IVPN                                                  Does not Leak (11/15/2018)
  9. Tunnel Bear VPN                               Does not Leak (11/15/2018)
  10. Socks Proxy                                         Leaks (11/15/2018)

Below is the JavaScript needed to run the tests on your browser and corresponding STUN servers to access.

The code allows to access the JavaScript WebRTC STUN server’s request that contains the local and public IP addresses for the user during that request. The code will loop through it and return the local and public IP addresses for the user.

function findIP(onNewIP) {
var myPeerConnection = window.RTCPeerConnection || window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
var pc = new myPeerConnection({iceServers: [{urls: "stun:stun.l.google.com:19302"}]}),
noop = function() {},
localIPs = {},
ipRegex = /([0-9]{1,3}(.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/g,

function ipIterate(ip) {
if (!localIPs[ip]) onNewIP(ip);
localIPs[ip] = true;


pc.createOffer(function(sdp) {
sdp.sdp.split('\n').forEach(function(line) {
if (line.indexOf('candidate') < 0) return;
pc.setLocalDescription(sdp, noop, noop);
}, noop);

pc.onicecandidate = function(ice) {
if (!ice || !ice.candidate || !ice.candidate.candidate || !ice.candidate.candidate.match(ipRegex)) return;

var ul = document.createElement('ul');
ul.textContent = 'Your IPs are: '

function addIP(ip) {
console.log('got ip: ', ip);
var li = document.createElement('li');
li.textContent = ip;


You can swap the STUN servers to test different connection to different STUN servers (Line 3) however it would not have an effect on the returned IP. The code will use the API wrapper function (RTC peer connection) of web77RTC to help identify your own IP by requesting the IP that was given. The test and the results will show the current IP received by the request. If you see your original IP and not the VPN’s IP, then your privacy factor or provider is actually leaking your IP.

Solution to the Problem:

A quick and simple solution to VPN Leaks is to disable WebRTC on your browsers. This will disable the information request from and to the STUN servers needed for WebRTC. Tutorials on how to disable WebRTC for your browser or application can be found with a quick google search. Disabling WebRTC will cause major downfalls. Aside from many file sharing or multiparty video services being disable on browsers, a lot of big native applications such as Discord, Google Hangouts, and Facebook Messenger will not work properly[7].

In the case you need WebRTC and at the same time you would still like to anonymize and protect yourself on the World Wide Web, one can use a WebRTC supported VPN. A full list of supported VPN’s and tests can be found in the link documented below.[8]

Lastly you can provide yourself by running a VPN on your router instead of your computer. This would protect all connected devices since the VPN will encrypt all connections of the router.


WebRTC is still improving to this day and recent releases included automation, faster connections, and more bandwidth.[9] As WebRTC isn’t limited to just voice and video, it allows sending of arbitrary data and future iterations will include more features. As for the usage of privacy networks, WebRTC still compromises privacy and will continue to do so until a fix is released by the privacy providers. For VPN providers out there, they need to create a less fallible system that can take into consideration the usage of WebRTC. The VPN Companies that try to hold onto the old way of doing things will see their value erode on the privacy market while the privacy companies, that are willing to work around the new technology, will be around for future iterations.

[1] https://codelabs.developers.google.com/codelabs/webrtc-web/#0

[2] https://codelabs.developers.google.com/codelabs/webrtc-web/#0

[3] https://en.wikipedia.org/wiki/NAT_traversal

[4] https://voidsec.com/vpn-leak/

[5] https://www.callstats.io/2017/12/06/webrtc-metrics-report-pre-call-test/

[6] https://github.com/diafygi?tab=repositories

[7] https://bloggeek.me/massive-applications-using-webrtc/

[8] https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0

[9] http://pdfs.callstats.io/web/viewer.html?file=..%2Ffiles%2FWebRTC-Metrics-Report-2017-02-1bc2.pdf?utm_source=www&utm_medium=banner&utm_campaign=wmr-2017-03

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s