i want to understand more about WebRTC security when using vpn. id like to know if it is more secure with VPN than without… or even if its recommended to use WebRTC with VPN.
i created a webrtc demo: https://chat.positive-intentions.com/#/webrtc (the corresponding code its created with: https://github.com/positive-intentions/chat/blob/staging/src/components/pages/webrtc/WebRTC.jsx)
if i generate a “WebRTC offer” then i see a bunch of information including my IP address.
if i do the same with VPN, i see that my ip address isnt in that payload.
following the information here: https://thehackernews.com/2015/02/webrtc-leaks-vpn-ip-address.html?m=1
and using the demo here: https://ipleak.net/
it seems even with vpn, the local ISP ip seems detected.
a recurring concern ive had on reddit about the security of my app is that webrtc exposes ip addresses. im investigating using the app with vpn. it seems to work like normal.
in the example details given above, i see while the local ISP IP is exposed, the personal ip address is still hidden. im sure what is exposed there is not worthless, but it could help users with privacy and security.
on the back of this investigation id like to see if i can add something like a toggle in my app called “enforce VPN” which will first check to see if you are on a vpn, and if you are, open the rest of the app.
my app is using peerjs-server as the connection broker. this is a third party i have no contractual agreement to provide me with a service. it could help to hide your IP from this service.
https://mullvad.net/en/help/webrtc
A good VPN client like mullvad prevents webrtc leaks, but even if that isn't a option you can use a browser like mullvad browser to ensure your client doesn't ignore your main network vpn.
But regardless this is why Qubes is so important, with Qubes it's impossible to subvert the network path you configure, because its controlled at the hypervisor level and not in the local operating system software that could get misconfigured.
if you want to protect your users you can use a vpn detector script and just show them a warning if it triggers with a override - Yes, I understand the risks, etc.
Thanks! As a webapp I generally have no choice but advise that users select a device/os/browser combo they trust.
It's important to note "disabling webRTC" is not a goal here. My app critically relies on it.
The webapp form factor is important for accesability. While things likes Qubes are secure by design, that isn't something I can suggest to potential users. VPN however is a lot more commonly used in today's digital scene, so I think that's a step that easier to advocate to users.