VPNs are great for security, but one of the big reasons many people use one is to mask or change their IP address. This lets you get around location-based restrictions on content, or check if your provider is throttling your connection. Unfortunately, a new security flaw can reveal your real IP address to prying eyes, even if you’re using a VPN, and it’s easy to exploit. Here’s how it works and what you can do about it.
Pictures: Nemo, James Lee, Paul Joseph, Walt Stoneburner
What’s All This Now? Is My Data At Risk?
Let’s back up a bit. A Virtual Private Network, or a VPN, is great for encrypting your data and boosting security, but it’s also useful to obscure your IP address. Your IP address is assigned to your internet connection by your service provider, and it can reveal who your service provider is and (in general) where you’re located. If you’ve ever visited YouTube and seen “Sorry, this video isn’t available in your country” or tried to sign up for a new service only to find out your country isn’t supported, your IP address is how they know.
Many people use VPNs specifically to get around those location restrictions. When you sign in to a VPN, you can usually choose an “exit server”, a location where your VPN will “pretend” you’re actually located. Usually, that’s enough to convince a service you’re in a supported country.
However, a recently discovered security flaw allows remote sites to take advantage of WebRTC (Web Real Time Communication, a feature built in to most browsers) to reveal a user’s true IP address, even if they’re connected to a VPN. As far as we know, sites aren’t taking advantage of the flaw yet, but considering services like Hulu, Spotify, Netflix and others are taking steps to identify and lock out VPN users, it’s not a stretch to assume they will start.
A few lines of code is all it takes to remove the location protection you get from using a VPN, figure out where you’re actually located, and who your internet service provider really is (who can then tie your address back to who you are specifically). While the vulnerability is primarily browser-based right now, any application that can render web pages (and uses WebRTC) is affected, meaning anyone who wants to can see past your VPN to where you really are and who you really are. Advertisers, data brokers and governments can use it to peek through your VPN to find out where your connection is really coming from. If you use services such as BitTorrent, have a set-top box, or just stream music or movies on your computer through a site that’s not available in your country, the apps and services you use could suddenly stop working.
How Can I Check If My VPN Is Affected?
The flaw was documented by developer Daniel Roesler over at GitHub. Roesler explains how the process works:
Firefox and Chrome have implemented WebRTC that allows requests to STUN servers to be made that will return the local and public IP addresses for the user. These request results are available to JavaScript, so you can now obtain a user’s local and public IP addresses in JavaScript. This demo is an example implementation of that.
Additionally, these STUN requests are made outside of the normal XMLHttpRequest procedure, so they are not visible in the developer console or able to be blocked by plugins such as AdBlockPlus or Ghostery. This makes these types of requests available for online tracking if an advertiser sets up a STUN server with a wildcard domain.
To see if your VPN is affected:
- Visit a site like What Is My IP Address and jot down your actual ISP-provided IP address.
- Log in to your VPN, choose an exit server in another country (or use whichever exit server you prefer) and verify you’re connected.
- Go back to What Is My IP Address and check your IP address again. You should see a new address, one that corresponds with your VPN and the country you selected.
- Visit Roesler’s WebRTC test page and note the IP address displayed on the page.
If both tools show your VPN’s IP address, then you’re in the clear. However, if What Is My IP Address shows your VPN and the WebRTC test shows your normal IP address, then your browser is leaking your ISP-provided address to the world.
When TorrentFreak talked to VPN providers about the problem, including our favourite, Private Internet Access, they noted that they could duplicate the issue, but they weren’t sure how they could stop the vulnerability on their end. Since the IP check takes place directly between the user and the site they’re connected to, it’s difficult to block. Even so, they published a blog post warning users about the issue. TorGuard, another of our favourite providers, also issued a warning to its users. Those warnings also say that the issue only appears to affect Windows users, but that’s not necessarily the case — many comments (and our own testing) note that your IP address may be leaked, even if you use a Mac or Linux system, depending on your VPN and how it’s configured.
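The comparison in the steps above can be scripted once you have the ICE candidate lines your browser produces (the strings WebRTC makes available to page scripts). This is an added example, not code from the original article or from Roesler's demo: it parses such lines and flags any public address that differs from the VPN exit address. The function names and every sample address are assumptions constructed for illustration.

```javascript
// Added example, not from the article. Addresses below are constructed samples.

// True for addresses that only mean something on the local network.
function isLocalAddress(ip) {
  if (ip.includes(":")) return /^(fe80|f[cd][0-9a-f]{2}):/i.test(ip); // link-local, unique local
  const o = ip.split(".").map(Number);
  return (
    o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    (o[0] === 169 && o[1] === 254)
  );
}

// Fields: foundation component transport priority address port "typ" type ...
function parseCandidate(line) {
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  return m ? { address: m[5], port: Number(m[6]), type: m[7] } : null;
}

// Sort every distinct candidate address into local / public, and flag any
// public address that is not the VPN exit address as a leak.
function checkLeak(candidateLines, vpnExitIp) {
  const report = { local: [], public: [], leaked: [] };
  const seen = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || seen.has(c.address)) continue;
    seen.add(c.address);
    if (c.address.endsWith(".local")) continue; // mDNS name, no IP disclosed
    if (isLocalAddress(c.address)) {
      report.local.push(c.address);
    } else {
      report.public.push(c.address);
      if (c.address !== vpnExitIp) report.leaked.push(c.address);
    }
  }
  return report;
}

// Constructed sample: LAN address, VPN tunnel address, VPN exit, ISP address.
const SAMPLE_CANDIDATES = [
  "candidate:1 1 UDP 2122252543 192.168.1.23 54012 typ host",
  "candidate:2 1 UDP 2122187007 10.8.0.6 54013 typ host",
  "candidate:3 1 UDP 1686052863 198.51.100.20 54013 typ srflx raddr 10.8.0.6 rport 54013",
  "candidate:4 1 UDP 1686052607 203.0.113.7 54012 typ srflx raddr 192.168.1.23 rport 54012",
];
const VPN_EXIT_IP = "198.51.100.20"; // what the IP-lookup site showed (constructed)
console.log(checkLeak(SAMPLE_CANDIDATES, VPN_EXIT_IP));
```

An empty `leaked` list together with an empty `public` list, as when WebRTC is disabled and no candidates are produced, also means nothing is being exposed through this channel.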
How Can I Protect Myself?
Luckily, you don’t have to wait for VPN providers to address the issue on their ends to protect yourself. There are a number of things you can do right now, and most of them are as easy as installing a plugin or disabling WebRTC in your browser.
The Easy Way: Disable WebRTC In Your Browser
Chrome, Firefox and Opera (and browsers based on them) generally have WebRTC enabled by default. Safari and Internet Explorer don’t and thus aren’t affected (unless you’ve specifically enabled WebRTC). Either way, if the test above worked in your browser, you’re affected. You can always switch to a browser that doesn’t have WebRTC enabled, but since most of us like the browsers we use, here’s what to do:
- Chrome and Opera: Install the WebRTC Block extension from the Chrome Web Store. It will disable WebRTC in your browser. Opera users can use this add-on as well.
- Firefox: You have two options. You can install the Disable WebRTC addon from Mozilla Add-ons (h/t to @YourAnonNews for the link), or disable WebRTC directly by opening a tab and going to about:config in the address bar. Find and set the “media.peerconnection.enabled” setting to false.
While Roesler notes that privacy-protecting browser extensions such as AdBlock, uBlock, Ghostery and Disconnect don’t stop this behaviour, these methods will definitely do the job. We’ve tested them to make sure they work, and keep an eye out — your favourite ad blocker or privacy add-on will likely update to block WebRTC in the near future.
We should note that disabling WebRTC may break some web apps and services. Browser-based apps that use your microphone and camera (like some chat sites or Google Hangouts), or automatically know your location will stop working until you re-enable it.
The Better Way: Configure Your VPN on Your Router
If you want a more surefire way to protect yourself beyond installing add-ons and making tweaks to your browser every time you install or update, there is a more permanent method: Run your VPN at your router instead of on your computer directly.
There are a number of benefits to this approach. For one, it protects all of the devices on your home network, even if they’re not vulnerable to this specific flaw. It also gives all of your devices, including your smartphones, tablets, set-top boxes and smart appliances the same protection and encryption that your VPN gives your desktop.
There are caveats though. For one, if you’re the type who likes to change exit servers often, this means you’ll have to tweak your router setup every time you want to switch locations. Similarly, if you only need to be connected some of the time (say you use a VPN for work but not when you’re streaming Netflix), you’ll need to enable or disable your VPN on your router every time you need to switch. That process can be easy or complicated, depending on your router and your VPN.
Many VPN service providers suggest you set up your VPN at the router level anyway. Some even sell specific routers that come pre-configured to use their service, but odds are you can use your existing router (as long as it’s not provided by your internet service provider). Log in to your router’s admin page, and check your “security” or “connection” options. Depending on your model, you’ll see a VPN section, where you can type in the name of the VPN provider you’re connecting to, their server hostnames, and your username and password. Once it’s enabled, all of your traffic will be encrypted.
If you don’t see it, all isn’t lost. Check with your VPN provider and let them know what type of router you have. They may have instructions to walk you through the process. If they don’t, see if your router is supported by open-source router firmwares such as DD-WRT (search supported devices here), OpenWrt (see supported devices here) or Tomato (see supported devices here). We’ve shown you how to install and set up DD-WRT, so start with our guide. All of those custom firmwares will allow you to set up your VPN at the router level.
This vulnerability is serious, but it’s easily mitigated. If anything, it’s a reminder to never take your privacy for granted, even if you use all the right tools to protect it. When we talked about how to protect yourself from DNS leaks, we made the same point: Blindly trusting a privacy tool because it says the right things is a bad idea. Trust, but verify, and take your privacy and security into your own hands.
Comments
13 responses to “How To See If Your VPN Is Leaking Your IP Address (And How To Stop It)”
I’ve had issues in the past flashing routers. I’ve always wanted a DD-WRT device that I can use in conjunction with my PureVPN account, but I’ve had no luck making my own. When I’ve bricked a router in the flashing process, I’ve found my warranty voided, and a useless hunk of plastic sitting on my desk. I guess that was good for making paperweights, but I was looking for a DD-WRT VPN router here. I found a company called FlashRouters that sells pre-configured routers… they were able to make the router plug and play with my PureVPN account… having a PureVPN network right out of the box. If you wanna avoid being forced to use your router as a paperweight, give FlashRouters a call…
WebRTC Block extension from the Chrome Web Store DOES NOT WORK.
ScriptSafe DOES work
+1 for ScriptSafe
I’m finding the same thing.
Safescript does appear to work though
I use OverPlay and it never leaks my real IP address. Also, it never disconnects, so I don’t worry about my real IP address suddenly showing up because my VPN connection disconnected and I didn’t notice. So yeah, I’d recommend OverPlay: http://overplay.net/?a_aid=OVRPLY
Using TorGuard seemed to leak my IP when using Roesler’s WebRTC test page. Installed the Chrome WebRTC plugin, now no problems with leaks. Also run PeerBlock coz I’m paranoid like that.
Great article! I’ve looked for the answers you provide everywhere & found only here.
I have a tiny question:
I’m using Firefox, & used the last method (about:config). Then used Roesler’s test. No IP address showed at all. It said your local IP address & then a blank line. Your public IP address & then a blank line.
Does that mean I’ve disabled WebRTC or not?
thanks in advance.
Same question here as above …. WebRTC Block extension from the Chrome Web Store did not work at all, I installed ScriptSafe and now I get no IP address at all showing when I use Roesler’s test.
So, does that mean it’s working or not?
Does this affect torrent? Can people get my original IP in uTorrent?
Thanks
I use Express VPN with an Asus RT-N66U router. All home pc’s, tablets and laptops are routed through Asus router which is connected to the ISP’s modem. The asus is great and easy to work with, even for a novice like me, my only concern is that i could only setup an openVPN client with Express VPN, none of the others worked, not sure if this is a router issue (which i think it is), a dummy user issue (me) or the VPN provider (which i am sure it is not as they provide all config options for connecting).
Tried tests and both IPs were the same, kerching!! but I still installed the WebRTC addon for Firefox and now the WebRTC test page cannot see my IP, so all looking good. I used to use Tor but found it so hard to work with and as I do nothing illegal I could not be arsed with keep using it. I do all this because as we are monitored constantly, data is given to marketing companies I cannot be bothered helping them. The old argument of “if you have nothing to hide…..yanna yanna” is rubbish, anyway as I watch online movies and YouTube a lot it is now great my ISP do not throttle my bandwidth when I watch video content. Previously even on fiber it was buffering constantly, now on VPN it never buffers.
Kommondant said:-
I use Express VPN with an Asus RT-N66U router. All home pc’s, tablets and laptops are routed through Asus router which is connected to the ISP’s modem. The asus is great and easy to work with, even for a novice like me, my only concern is that i could only setup an openVPN client with Express VPN, none of the others worked, not sure if this is a router issue (which i think it is), a dummy user issue (me) or the VPN provider (which i am sure it is not as they provide all config options for connecting).
I have used AirVPN with the Sabai supplied ASUS RTN66U for a number of years. It is easy to control various household devices. Also, changing end server is easy, I have used UK, Singapore and California all at different times.
The ASUS requires an OVPN file. I note that a number of VPN providers also supply OVPN files. I have also used Strong VPN in the past without any problems.
I’ve been using Tor Guard previously and I know they leak info about your IP. There are many VPN providers on Web but only handful of them seems to offer quality service. I’m using HIDE-MY-IP now, I’m very satisfied with them.
I use Overplay as well. It disconnects always after about an hour, very annoying
A lot of VPNs are working in the country but it is difficult to choose the right one for Australia which protects your internet activities from hackers and surveillance agencies. Six months ago I took the subscription of best Australia – PureVPN and it is working flawlessly, it allows download and streaming with anonymity and fast speed with no IP leaking.
WebRTC seems to be no problem at all if you browse only trusted pages since the only way to get the Javascript RTC request into the browser is by downloading it with an HTML Get function.
A more pressing problem is the leaking of the VPN user’s identity by hidden connections made by applications and the windows OS itself like svchost, AppleDeviceService, OneDrive, and any firewall product like Norton or Kaspersky. All of these carry information which uniquely links the VPN user’s machine and account name to the “anonymous” IP address.
“more pressing problem is the leaking of the VPN user’s identity by hidden connections made by applications and the windows OS itself”
This is a problem that really renders VPN’s useless. When you put this question to the VPN providers’ forums they accuse you of trolling and block your account. So it must be a very sensitive issue with them.
Super helpful article.. TorGuard doesn’t support Viscosity anymore. Downloaded the TorGuard app and everything works great as far as I can tell. One weird thing though, whatsmyip shows me on the server i select, but Google Analytics shows me in UAE, which is not the server i selected or where i am physically located