webRTC browser IP leak fix via Windows Firewall


A.lemane


UPDATED: moved to a port-based approach 9 Feb 2015; crossposted to github, & onsite echo.
We've implemented a client-side solution to this Windows leak, which has just recently been posted.
NOTE that one must have Windows Firewall enabled on the local machine for this patch to function (h/t, again, @KaganKongar). If WF isn't your preferred firewall setup, feel free to port these rules into whatever you use - and if you think to report back here or in the github repository on the rules you develop, that'd be helpful for others doing the same. Thanks.
As kongar noted, the problem isn't so much the webRTC protocol itself as the fact that the Windows kernel consistently leaks UDP packets carrying the protocol's payload outside of the virtual NIC & thus encrypted tunnel. That means both that they're not able to be nullrouted simply by "catching" them as they show up at cryptostorm exitnodes (for example) - since the leaked packets don't follow that routing pathway - and that they're difficult to squash with some conventional packet management tools given that they're already "out-of-pocket."
Turns out there's a small number of STUN servers used by Firefox and Chrome for these lookups. With the help of a hefty pack of friends and fellow investigators on twitter today (full details in the opening post at our new blog: cryptostorm.is/bloggy (we also pointed kfuckoffnow.com at it because it was sitting around and... why not, really?))
Here's the whittled-down final script to implement the needed packet filtering rules on Windows to ensure none of these packets get off the machine. It requires no fiddling with browsers, adding extensions that may or may not work consistently, etc.

@echo off
:: save as a .bat file, run as administrator
:: then visit https://diafygi.github.io/webrtc-ips/ to verify
:: no more public IP leaking :-D
:: UDP 3478, both directions, whether the STUN port is the local or the remote end
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP localport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP localport=3478
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP remoteport=3478
:: UDP 19302, same four rules
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP localport=19302
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=19302
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP localport=19302
netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP remoteport=19302

(yes, the emoticon is in df's pushed-to-production script - it's not an unintended render...)
And, lastly, we striped in a little workspace at github both to help in collecting & de-duplicating the STUN addresses, and to publish the above-quoted script so it's easily accessible for anyone who decides to build on it, expand it, etc.
github.com/stunner

credit to : Pattern_Juggled

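An added example, not part of the original post or of the github workspace it links: a small Python check that reads the Windows Firewall log and reports which UDP datagrams to or from the two STUN ports covered by the rules above were dropped and which got through. It assumes the firewall's own logging is switched on for the active profile (netsh advfirewall set allprofiles logging droppedconnections enable, and likewise allowedconnections, which are off by default) and that the log is the standard pfirewall.log under %SystemRoot%\System32\LogFiles\Firewall. The log excerpt embedded in the block is constructed, with documentation-range addresses standing in for real STUN servers. An "allowed" entry on a STUN port is the thing to look for: it means a lookup left the machine despite the rules.

```python
from collections import OrderedDict

STUN_PORTS = {3478, 19302}  # the two ports the thread's netsh rules block

# Constructed sample of a Windows Firewall log (pfirewall.log) in its W3C
# extended format. Peer addresses are documentation ranges, not real servers.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-02-09 12:00:01 DROP UDP 192.168.1.20 203.0.113.10 61000 19302 62 - - - - - - - SEND
2015-02-09 12:00:01 ALLOW TCP 192.168.1.20 198.51.100.5 61001 443 0 - 0 0 0 - - - SEND
2015-02-09 12:00:02 DROP UDP 192.168.1.20 203.0.113.11 61002 3478 62 - - - - - - - SEND
2015-02-09 12:00:03 ALLOW UDP 192.168.1.20 203.0.113.12 61003 3478 62 - - - - - - - SEND
2015-02-09 12:00:04 DROP UDP 203.0.113.11 192.168.1.20 3478 61002 62 - - - - - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per event line, keyed by the column names in the #Fields header.

    The header is read from the file rather than hard-coded, so a log whose
    column order differs from the sample above is still parsed correctly.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("event line found before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # partially written or truncated line; skip it
        yield dict(zip(fields, values))


def audit_stun(text, stun_ports=STUN_PORTS):
    """Classify UDP events on STUN ports as blocked or allowed, per direction.

    Returns {"blocked": [(path, peer_ip, stun_port), ...], "allowed": [...]}.
    For outbound (SEND) events the STUN port is the destination port; for
    inbound (RECEIVE) events it is the source port, mirroring the rule pairs
    in the script above.
    """
    result = OrderedDict([("blocked", []), ("allowed", [])])
    for ev in parse_firewall_log(text):
        if ev["protocol"] != "UDP":
            continue
        outbound = ev["path"] == "SEND"
        port = int(ev["dst-port"] if outbound else ev["src-port"])
        if port not in stun_ports:
            continue
        peer = ev["dst-ip"] if outbound else ev["src-ip"]
        bucket = "blocked" if ev["action"] == "DROP" else "allowed"
        result[bucket].append((ev["path"], peer, port))
    return result


if __name__ == "__main__":
    # On a real machine: audit_stun(open(r"C:\Windows\System32\LogFiles\Firewall\pfirewall.log").read())
    report = audit_stun(SAMPLE_LOG)
    for bucket, events in report.items():
        print(bucket)
        for path, peer, port in events:
            print("  %-7s %-15s udp/%d" % (path, peer, port))
```

To run it against a live log, pass the contents of pfirewall.log instead of SAMPLE_LOG; the file is usually locked for writing by the service but can be read. Dropped entries on 3478 and 19302 are the rules doing their job; anything under "allowed" deserves a look at which profile (domain, private, public) the rules were created in.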


I added only this one:

netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=3478

and it's not leaking Public IP anymore, so I suppose that one is enough.




Adguard For Windows, latest Alpha version now provides with an option to block webRTC IP leak :showoff:

But it's not working right yet.



Adguard For Windows, latest Alpha version now provides with an option to block webRTC IP leak :showoff:

But it's not working right yet.

Why do you say so?

Have tested here and my IP is leaked with the new function of Adguard enabled. And my local IP (not public one) is leaked here too.



Recommended about:config tweak for Firefox Users — without having to install any add-on or even changing anything at firewall level:—

("media.peerconnection.enabled", false)
("media.peerconnection.ice.stun_client_maximum_transmits", 0)




Just exactly what is port 19302? I added the other port and it was known as nat-stun, but the 19302 was unknown.

Just 3478 seemed enough to cause ipleak.net to not get public IP (VPN or WAN).

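An added example, not from the original thread, showing what actually travels over those ports and why the port is the only thing the rules need to match on. A WebRTC STUN lookup is a 20-byte Binding Request; the server answers with a Binding Success Response whose XOR-MAPPED-ADDRESS attribute carries the source IP and port it saw, XORed with a fixed magic cookie. If the datagram left through the physical NIC instead of the tunnel, the address that comes back is the real WAN address, which is the leak. The message format is the same whichever port a server listens on, so 3478 and 19302 are simply two listening ports, not two protocols. The code builds a request, builds a constructed response offline in place of a real server, and decodes the reflexive address; 203.0.113.7 and the transaction ids are made-up values.

```python
import os
import socket
import struct

# STUN (RFC 5389) constants
STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001      # legacy form, address sent in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020  # address XORed with the magic cookie
HEADER = struct.Struct("!HHI")    # message type, attribute length, magic cookie


def build_binding_request(transaction_id=None):
    """Return the 20-byte Binding Request header; with no attributes this is the whole lookup."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 96 bits")
    return HEADER.pack(BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + transaction_id


def build_binding_response(transaction_id, seen_ip, seen_port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS (offline stand-in for a real server)."""
    x_addr = struct.unpack("!I", socket.inet_aton(seen_ip))[0] ^ STUN_MAGIC_COOKIE
    x_port = seen_port ^ (STUN_MAGIC_COOKIE >> 16)
    # attribute: type, length, reserved byte, family (0x01 = IPv4), x-port, x-address
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, x_port, x_addr)
    return HEADER.pack(BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + transaction_id + attr


def reflexive_address(response, transaction_id):
    """Return the (ip, port) the server saw, or None if this is not a matching success response."""
    if len(response) < 20:
        return None
    msg_type, msg_len, cookie = HEADER.unpack(response[:8])
    if cookie != STUN_MAGIC_COOKIE or msg_type != BINDING_SUCCESS:
        return None
    if response[8:20] != transaction_id:
        return None  # reply to somebody else's request, or a replay
    body = response[20:20 + msg_len]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue
        if len(value) < 8 or value[1] != 0x01:  # IPv4 only in this example
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16
            addr ^= STUN_MAGIC_COOKIE
        return socket.inet_ntoa(struct.pack("!I", addr)), port
    return None


def demo():
    """Round trip with a constructed response: returns (request length, decoded address)."""
    tid = bytes(range(12))  # constructed transaction id
    req = build_binding_request(tid)
    resp = build_binding_response(tid, "203.0.113.7", 40000)  # constructed "seen" address
    return len(req), reflexive_address(resp, tid)


if __name__ == "__main__":
    print(demo())  # (20, ('203.0.113.7', 40000))
```

The whole exchange is one small UDP datagram each way, which is why it is so cheap for a browser to fire off and so easy to miss in traffic captures; a port-based block on the firewall stops the request before the reflected address can ever come back.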

