How to Know If Your IP Address Is Leaking Over the VPN (and How to Stop It)

VPNs are great for security, but one of the main reasons many people use them is to mask or change their IP address. This allows you to bypass location-based content restrictions or check whether your ISP is throttling your connection. Unfortunately, a new security flaw can reveal your real IP address to prying eyes, even if you are using a VPN, and it is easy to exploit. Here’s how it works and what you can do about it.

What is all this now? Is my data at risk?

Let’s back up a little. A virtual private network, or VPN, is great for encrypting your data and increasing security, but it’s also useful for hiding your IP address. Your IP address is assigned to your internet connection by your service provider, and it can show who your service provider is and (in general) where you are located. If you’ve ever visited YouTube and seen “Sorry, this video is not available in your country” or tried to subscribe to a new service only to find out that your country is not supported, your IP address is how they know. …

Many people use VPNs specifically to get around these location restrictions. When you log into a VPN, you can usually choose an “exit server”, the location where your VPN will “pretend” to be. This is usually enough to convince the service that you are in a supported country.

However, a recently discovered security flaw allows remote sites to use WebRTC (Web Real-Time Communication, a feature built into most browsers) to reveal a user’s true IP address, even when they are connected to a VPN. As far as we know, sites are not yet exploiting this vulnerability, but given that services like Hulu, Spotify, Netflix and others are taking steps to identify and block VPN users, it’s not hard to assume they’ll start.

A few lines of code are all it takes to remove the location protection you get from using a VPN and figure out where you really are and who your ISP really is (who can then tie your address back to who you are specifically). While the vulnerability is mostly browser-based right now, any application that can render web pages (and uses WebRTC) is affected, which means anyone who wants to can see past your VPN to where you really are and who you really are. Advertisers, data brokers, and governments can use it to look through your VPN and see where your connection is actually coming from. If you use services such as BitTorrent, have a set-top box such as a Roku, or simply stream music or movies to your computer through a site that is not available in your country (or you are an expat living abroad), the applications and services you use may suddenly stop working.

How can I check if my VPN is affected?

The flaw was documented by developer Daniel Roesler on GitHub. Roesler explains how this process works:

Firefox and Chrome have implemented WebRTC, which allows requests to be made to STUN servers that return local and public IP addresses for the user. These query results are available to javascript, so you can now get a user’s local and public IPs in javascript. This demo is an example of how this can be done.

In addition, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console and cannot be blocked by plugins such as AdBlockPlus or Ghostery. This makes these request types available for online tracking if the advertiser sets up a STUN server with a wildcard domain.

To see if your VPN is affected:

  1. Visit a site such as What Is My IP Address and write down your actual IP address provided by your ISP.
  2. Log into your VPN, select an egress server in a different country (or use whichever egress server you like best) and make sure you are connected.
  3. Go back to What Is My IP Address and check your IP address again. You should see a new address that matches your VPN and the country you selected.
  4. Visit Roesler’s WebRTC test page and note the IP address displayed on the page.

If both tools show the IP address of your VPN, then everything is in order. However, if What Is My IP Address shows your VPN, and the WebRTC test shows your normal IP address, then your browser broadcasts your ISP-provided address to the world.
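The comparison in the steps above can be automated once you have the ICE candidate strings a browser produces (in a page these arrive on an RTCPeerConnection's icecandidate events). The following is an added example, not code from the original article or from Roesler's demo; the function names and all sample addresses are constructed, and IPv6 addresses are compared as plain strings.

```javascript
// Added example: names and sample data below are constructed for illustration.
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const CANDIDATE_RE = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null; // not a candidate line
  return { transport: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}

// Classify an address as "mdns", "private" (local network) or "public".
function addressScope(addr) {
  if (addr.endsWith(".local")) return "mdns"; // mDNS name in place of a host address
  if (addr.includes(":")) { // IPv6: loopback, link-local (fe80::/10), unique local (fc00::/7)
    const a = addr.toLowerCase();
    return a === "::1" || /^(fe[89ab]|f[cd])/.test(a) ? "private" : "public";
  }
  const [a, b] = addr.split(".").map(Number);
  const priv = a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254) ||
    (a === 100 && b >= 64 && b <= 127); // RFC 1918, loopback, link-local, CGNAT
  return priv ? "private" : "public";
}

// A leak is any public address in the candidates other than the VPN egress address.
function assessLeak(candidateLines, vpnIp) {
  const seen = new Map();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (c) seen.set(c.address, { type: c.type, scope: addressScope(c.address) });
  }
  const pick = (scope) => [...seen].filter(([, v]) => v.scope === scope).map(([ip]) => ip);
  const leaked = pick("public").filter((ip) => ip !== vpnIp);
  return { leaking: leaked.length > 0, leaked, local: pick("private") };
}

// Constructed sample: 198.51.100.77 plays the ISP address, 203.0.113.10 the VPN egress.
const SAMPLE = [
  "candidate:842163049 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
  "candidate:1853887674 1 udp 1686052607 198.51.100.77 51234 typ srflx raddr 192.168.1.23 rport 51234",
  "candidate:3 1 udp 2122260223 10.8.0.2 40112 typ host",
  "candidate:2999745851 1 udp 1686052607 203.0.113.10 40112 typ srflx raddr 10.8.0.2 rport 40112",
];

console.log(assessLeak(SAMPLE, "203.0.113.10"));
```

The `local` list is reported separately because private addresses do not identify your ISP, but they are still visible to the page.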

When TorrentFreak spoke to VPN providers about the problem, including our beloved Private Internet Access, they noted that they could duplicate the problem, but weren’t sure how they could stop the vulnerability on their side. Since the IP check occurs directly between the user and the site to which they are connected, it is difficult to block. However, they have put up a blog post warning users about this issue. TorGuard, another of our favorite providers, has also warned its users. These warnings also say that the problem only occurs with Windows users, but this is not necessarily the case; many comments (and our own testing) point out that depending on your VPN and its configuration, your IP address may be leaked even if you are using a Mac or Linux system.

How can I protect myself?

Luckily, you don’t have to wait for VPN providers to fix the problem on their end in order to protect yourself. There are a number of things you can do right now, and most of them are as simple as installing a plugin or disabling WebRTC in your browser.

The easy way: disable WebRTC in your browser

In Chrome, Firefox and Opera (and browsers based on them), WebRTC is usually enabled by default. Safari and Internet Explorer do not have it enabled, and are therefore not affected (unless you specifically enable WebRTC). In any case, if the above test worked in your browser, you are affected. You can always switch to a browser that doesn’t have WebRTC enabled, but since most of us love the browsers we use, here’s what to do:

  • Chrome and Opera: Install the ScriptSafe extension from the Chrome Web Store. It’s overkill, but it will disable WebRTC in your browser. Opera users can also use this add-on; you just need to jump through some hoops first.
  • Firefox: You have two options. You can install the Disable WebRTC add-on from Mozilla Add-ons (h/t to @YourAnonNews for the link), or disable WebRTC directly by opening a tab and going to “about:config” in the address bar. Find media.peerconnection.enabled and set it to false. (You can also install NoScript, which is very similar to ScriptSafe, but as we mentioned, this is probably overkill.)

While Roesler notes that privacy-protecting browser extensions such as AdBlock, uBlock, Ghostery, and Disconnect do not stop this behavior, these methods will definitely work. We’ve tested them to make sure they work and are monitoring them – your favorite ad blocker or privacy add-on is likely to be updated to block WebRTC in the near future.

It should be noted that disabling WebRTC may break some web applications and services. Browser apps that use your microphone and camera (for example, some chat sites or Google Hangouts) or automatically detect your location (for example, food delivery sites) will stop working until you turn it on again.

Best way: set up a VPN on your router

Update: We’ve talked to a number of people in the security community about this issue, and after these conversations, we’re not sure that configuring your VPN at the router level is more effective (or rather, terribly effective at all) than blocking WebRTC in the browser. While we still recommend configuring your VPN at the router level for a number of reasons (outlined below), as far as this issue is concerned, right now we recommend that you use one of the browser add-ons mentioned above while we all do more research into the root cause and a surefire fix for it.

If you want a more reliable way to protect yourself, other than installing add-ons and making changes to your browser every time you install or update, there is a more permanent method. Run VPN on your router, not directly on your computer.

This approach has several advantages. First, it protects all devices on your home network, even if they are not vulnerable to this particular flaw. It also provides all your devices like smartphones, tablets, set-top boxes and smart devices with the same protection and encryption as your desktop with a VPN.

However, there are caveats. First, if you are the type of person who likes to change exit servers frequently (for example, one day you want to browse as if you are in Japan, another day in Iceland, and a third in the USA), you will have to reconfigure your router every time you want to change location. Likewise, if you only need to be connected some of the time (for example, you use a VPN for work but not while streaming Netflix), you will need to enable or disable the VPN on your router every time you need to switch. This process can be simple or complex, depending on your router and your VPN.

Many VPN providers suggest you configure the VPN at the router level anyway. Some even sell certain routers that are pre-configured to use their services, but chances are you can use your existing router (if not provided by your ISP). Log in to your router’s admin page and check the “security” or “connectivity” settings. Depending on your model, you will see a VPN section where you can enter the name of the VPN provider you are connecting to, their server hostnames, and your username and password. Once enabled, all your traffic will be encrypted.

If you can’t see it, all is not lost. Contact your VPN provider and tell them what type of router you have. They may have instructions that guide you through the process. If not, see if your router is supported by open source router firmware such as DD-WRT (find supported devices here), OpenWrt (see supported devices here), or Tomato (see supported devices here). We showed you how to install and configure DD-WRT and set up Tomato earlier, so if you’re a beginner, start with our guides. All of these custom firmwares will allow you to configure a VPN at the router level.

This is a serious vulnerability, but on the other hand, it is easy to mitigate. If anything, this is a reminder never to take your privacy for granted, even if you use all the right tools to protect it. When we talked about how to protect yourself from DNS leaks, we made the same point: blindly trusting a privacy tool because it says the right things is a bad idea. Trust but verify, and take your privacy and security into your own hands.
