webRTC browser IP leak fix via Windows Firewall

[A.lemane]

UPDATED: moved to a port-based approach 9 Feb 2015; crossposted to github, & onsite echo.

We've implemented a client-side solution to this Windows leak, which has just recently been posted.

NOTE that one must have Windows Firewall enabled on the local machine for this patch to function (h/t, again, @KaganKongar). If WF isn't your preferred firewall setup, feel free to port these rules into whatever you use - and if you think to report back here or in the github repository on the rules you develop, that'd be helpful for others doing the same. Thanks.

As kongar noted, the problem isn't so much the webRTC protocol itself as the fact that the Windows kernel consistently leaks UDP packets carrying the protocol's payload outside of the virtual NIC & thus encrypted tunnel. That means both that they're not able to be nullrouted simply by "catching" them as they show up at cryptostorm exitnodes (for example) - since the leaked packets don't follow that routing pathway - and that they're difficult to squash with some conventional packet management tools given that they're already "out-of-pocket."

Turns out there's a small number of STUN servers used by Firefox and Chrome for these lookups. With the help of a hefty pack of friends and fellow investigators on twitter today (full details in the opening post at our new blog: cryptostorm.is/bloggy (we also pointed kfuckoffnow.com at it because it was sitting around and... why not, really?)

Here's the whittled-down final script to implement the needs packet filtering rules on Windows to ensure none of these packets get off the machine. It requires no fiddling with browsers, adding extensions that may or may not work consistently, etc.

@echo off::save as a .bat file, run as administrator::then visit https://diafygi.github.io/webrtc-ips/ to verify::no more public IP leaking :-Dnetsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP localport=3478netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=3478netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP localport=3478netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP remoteport=3478netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP localport=19302netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=19302netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP localport=19302netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=in action=block protocol=UDP remoteport=19302

(yes, the emoticon is in df's pushed-to-production script - it's not an unintended render...)

And, lastly, we striped in a little workspace at github both to help in collecting & de-duplicating the STUN addresses, and to publish the above-quoted script so it's easily accessible for anyone who decides to build on it, expand it, etc.

github.com/stunner

https://cryptostorm.is/nostun.txt

credit to : Pattern_Juggled

[A.lemane]

https://github.com/gorhill/uBlock/releases/tag/0.9.9.3

has the same feature but only local ip s

[A.lemane]

https://github.com/gorhill/uBlock/releases/tag/0.9.9.3

has the same feature but only local ip s

same here but not an ad block

https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml?utm_source=chrome-app-launcher-info-dialog

[jamesDDI]

Script in first post works flawlessy ;)

[xyzdev]

I added only this one:

netsh advfirewall firewall add rule name="No STUN leak for j00!" dir=out action=block protocol=UDP remoteport=3478

and it's not leaking Public IP anymore, so i suppose that one is enough.

[dcs18]

Firewall leak test at post # 2827 — take the test, now. B)

The Windows Firewall Control (WFC) tutorial and the test results.

[J4NY4R]

Adguard For Windows, latest Alpha version now provides with an option to block webRTC IP leak :showoff:

But it's not working right yet.

[J4NY4R]

Adguard For Windows, latest Alpha version now provides with an option to block webRTC IP leak :showoff:

But it's not working right yet.

why u say so?

Have tested here and my IP is leaked with the new function of Adguard enabled. And my local IP (not public one) is leaked here too.

[dcs18]

Recommended about:config tweak for Firefox Users — without having to install any add-on or even changing anything at firewall level:—

("media.peerconnection.enabled", false)("media.peerconnection.ice.stun_client_maximum_transmits", 0)

[CODYQX4]

Just exactly what is port 19302? I added the other port and it was known as nat-stun, but the 19302 was unknown.

Just 3478 seemed enough to cause ipleak.net to not get public IP (VPN or WAN).

[mazigh]

Hotspot Shield seems implemented an IP leak fix too =)