Does WebRTC Leak My IP Address?

Web Real-Time Communication (WebRTC) is an essential technology that powers seamless voice, video, and data sharing over the internet in real-time. It’s commonly used in applications such as video calls, online meetings, and peer-to-peer (P2P) file sharing. However, a known concern surrounding WebRTC is its ability to potentially reveal users’ IP addresses, raising privacy issues for some.

Understanding the Concern: How WebRTC May Leak Your IP Address

When establishing a peer-to-peer (P2P) connection, WebRTC requires each device to know the network paths available to connect to each other. This involves disclosing IP addresses to enable the devices to communicate directly. In the process of creating a direct connection, WebRTC may inadvertently reveal both your local IP (within your private network) and your public IP (used on the internet).

For example:

  1. Public IP Leak: By default, WebRTC will expose your public IP address, which is the IP provided by your internet service provider and accessible from outside your local network. This IP can be identified by other connected peers and may expose your geographic location or identity.
  2. Local IP Leak: In some cases, WebRTC can also reveal your local IP address (e.g., 192.168.x.x or 10.0.x.x), the IP assigned within your internal network. While this doesn’t directly compromise privacy, it can indicate your internal network structure to connected peers.

IP addresses leak through the Session Description Protocol (SDP), which is part of the WebRTC connection setup. The SDP is exchanged during the WebRTC signaling process and includes details about the connection, such as codecs, media formats, and network information (including IP addresses). Here’s an example of how an SDP might look and where IP addresses appear.

Example of SDP with Potential IP Leaks

Below is a simplified example of an SDP offer created by WebRTC. This SDP contains the IP addresses in the c= and a=candidate lines, which could expose both public and local IPs:

v=0
o=- 46117356 2 IN IP4 192.168.1.2
s=-
t=0 0
a=group:BUNDLE audio video
a=msid-semantic: WMS

m=audio 54400 UDP/TLS/RTP/SAVPF 111 103 104
c=IN IP4 192.168.1.2
a=rtcp:9 IN IP4 0.0.0.0
a=candidate:842163049 1 udp 1677729535 192.168.1.2 54400 typ host generation 0
a=candidate:842163050 1 udp 1677729535 203.0.113.1 54400 typ srflx raddr 192.168.1.2 rport 54400 generation 0
a=ice-ufrag:abc123
a=ice-pwd:def456
a=fingerprint:sha-256 3D:B9:0E:A8:8D:32:...

m=video 54402 UDP/TLS/RTP/SAVPF 96 97 98
c=IN IP4 203.0.113.1
a=rtcp:9 IN IP4 0.0.0.0
a=candidate:842163049 1 udp 1677729535 192.168.1.2 54402 typ host generation 0
a=candidate:842163050 1 udp 1677729535 203.0.113.1 54402 typ srflx raddr 192.168.1.2 rport 54402 generation 0
a=ice-ufrag:ghi789
a=ice-pwd:jkl012
a=fingerprint:sha-256 7A:98:AC:21:...

In this example:

  • c=IN IP4 192.168.1.2: This line exposes the local IP address (192.168.1.2), which may leak network details.
  • a=candidate lines: The host candidate carries the local IP (192.168.1.2), and the srflx (server-reflexive) candidate carries the public IP (203.0.113.1), with the local IP repeated in its raddr field. These candidates allow WebRTC to attempt various routes for an optimal connection.

Masking IP Addresses in SDP with SIPERB Media Relay

When using a media relay (TURN server), only the relay’s IP address should appear in the SDP, hiding the peer’s actual IP addresses. Below is an example of how an SDP might look when using a TURN server:

v=0
o=- 46117356 2 IN IP4 203.0.113.100
s=-
t=0 0
a=group:BUNDLE audio video
a=msid-semantic: WMS

m=audio 54400 UDP/TLS/RTP/SAVPF 111 103 104
c=IN IP4 203.0.113.100
a=rtcp:9 IN IP4 203.0.113.100
a=candidate:842163049 1 udp 1677729535 203.0.113.100 54400 typ relay raddr 0.0.0.0 rport 0 generation 0
a=ice-ufrag:abc123
a=ice-pwd:def456
a=fingerprint:sha-256 3D:B9:0E:A8:8D:32:...

m=video 54402 UDP/TLS/RTP/SAVPF 96 97 98
c=IN IP4 203.0.113.100
a=rtcp:9 IN IP4 203.0.113.100
a=candidate:842163050 1 udp 1677729535 203.0.113.100 54402 typ relay raddr 0.0.0.0 rport 0 generation 0
a=ice-ufrag:ghi789
a=ice-pwd:jkl012
a=fingerprint:sha-256 7A:98:AC:21:...

In this TURN-mediated example:

  • The c= and a=candidate lines now reflect only the IP address of the TURN server (203.0.113.100), which acts as the relay.
  • This configuration prevents direct IP exposure, as only the TURN server IP is visible to both peers.

Applying IP Masking in Code

In JavaScript, set iceTransportPolicy to "relay" so that only relay candidates are gathered and media is routed through the TURN server:

const configuration = {
  iceServers: [
    {
      urls: "turn:your-turn-server.siperb.com:3478",
      username: "your-username",
      credential: "your-password"
    }
  ],
  iceTransportPolicy: "relay" // Forces all connections to go through the TURN server
};

const peerConnection = new RTCPeerConnection(configuration);

Setting iceTransportPolicy: "relay" tells WebRTC to exclude other candidates (e.g., host and srflx), ensuring the media traffic routes only through the TURN server, masking the user’s real IP.
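
To confirm that the relay-only policy is actually in effect, a client can check its local SDP before handing it to signaling. The following lists every address in an SDP that is not a relay candidate's address. It is an added example, not SIPERB's code: auditSdp and isPrivateV4 are hypothetical helper names, and both SDP strings are constructed from the sample values on this page.

```javascript
// Added example, not SIPERB code. auditSdp() and isPrivateV4() are hypothetical
// helper names; both SDP samples are constructed from this page's sample values.
const DIRECT_SDP = `v=0
o=- 46117356 2 IN IP4 192.168.1.2
m=audio 54400 UDP/TLS/RTP/SAVPF 111
c=IN IP4 192.168.1.2
a=rtcp:9 IN IP4 0.0.0.0
a=candidate:842163049 1 udp 1677729535 192.168.1.2 54400 typ host generation 0
a=candidate:842163050 1 udp 1677729535 203.0.113.1 54400 typ srflx raddr 192.168.1.2 rport 54400 generation 0`;

const RELAY_SDP = `v=0
o=- 46117356 2 IN IP4 203.0.113.100
m=audio 54400 UDP/TLS/RTP/SAVPF 111
c=IN IP4 203.0.113.100
a=rtcp:9 IN IP4 203.0.113.100
a=candidate:842163049 1 udp 1677729535 203.0.113.100 54400 typ relay raddr 0.0.0.0 rport 0 generation 0`;

// RFC 1918 private ranges plus loopback and link-local (IPv4 literals only).
function isPrivateV4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Returns every address in the SDP that is not a relay candidate's address.
function auditSdp(sdp) {
  const relayIps = new Set();
  const seen = [];
  for (const line of sdp.split(/\r?\n/).map((l) => l.trim())) {
    const cand = line.match(
      /^a=candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ (\w+)(?: raddr (\S+))?/);
    const addr = line.match(/^(o|c|a=rtcp)[=:].*IN IP4 (\S+)/);
    if (cand) {
      if (cand[2] === "relay") relayIps.add(cand[1]);
      seen.push({ where: `candidate/${cand[2]}`, ip: cand[1] });
      if (cand[3]) seen.push({ where: `raddr/${cand[2]}`, ip: cand[3] });
    } else if (addr) {
      seen.push({ where: addr[1], ip: addr[2] });
    }
  }
  return seen
    .filter((s) => s.ip !== "0.0.0.0" && !relayIps.has(s.ip))
    .map((s) => ({ ...s, scope: !/^\d+(\.\d+){3}$/.test(s.ip) ? "non-ipv4"
      : isPrivateV4(s.ip) ? "private" : "public" }));
}
```

In a browser, pass peerConnection.localDescription.sdp to auditSdp() and hold back the offer or answer if the returned list is not empty.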

These types of IP address exposures are a natural part of WebRTC’s design for efficient direct connections. But, for those prioritizing privacy, this raises a valid concern: is there a way to participate in WebRTC communications without exposing these details?

Why WebRTC Peer Connections Require IP Address Exposure

The exposure of IP addresses in WebRTC is not accidental but rather a fundamental part of how it works. When creating a peer connection, WebRTC uses a process called Interactive Connectivity Establishment (ICE). ICE gathers a list of available IP addresses, network types, and ports for a device, creating an ideal set of paths for the best possible connection. For WebRTC to establish an efficient, low-latency P2P connection, IP addresses must be available to ensure the best route for media and data transfer. Without sharing IPs, a direct peer-to-peer connection would be impossible, resulting in greater latency, decreased quality, or even an inability to connect.

How SIPERB Addresses WebRTC IP Leaks: Topology Hiding and Media Relays

SIPERB understands the privacy concerns associated with IP address exposure in WebRTC connections, which is why we employ topology-hiding techniques to mitigate this issue. For users who want added privacy, SIPERB offers an optional Media Relay feature, which only exposes the live IP address of our Media Relay server. Here’s how it works:

  • Topology Hiding Techniques: SIPERB uses advanced topology-hiding methods that minimize the exposure of user IP addresses during WebRTC communications.
  • Media Relay Option: By routing media through a SIPERB Media Relay, the peer connection sees only the IP address of the relay server. This means that both parties in a WebRTC session will not see each other’s actual IP address, only the IP of the Media Relay server, preserving user privacy.

How SIPERB Connects Your Own PBX to Client Devices Securely

One of SIPERB’s key features is its ability to connect your own Private Branch Exchange (PBX) to client devices, such as mobile phones and desktops. When you connect to SIPERB, only users within your trusted network need access to your PBX. As a result:

  • Controlled IP Exposure: Any potential IP address exposure (when not using the Media Relay) is limited to a predefined, trusted set of users, such as your employees or colleagues who use the same PBX network. This approach reduces the risk of exposing your IP to unknown or unauthorized users.
  • Enhanced Privacy within Known Networks: By configuring SIPERB with your PBX, any IP address exposure happens within a familiar and secure environment, adding a layer of privacy for organizations that use SIPERB as their WebRTC provider.

Conclusion

While WebRTC requires IP address exposure for direct connections, SIPERB provides robust methods to limit this exposure. With topology-hiding techniques and an optional Media Relay, SIPERB ensures that only the relay server’s IP is visible, shielding your actual IP address. Additionally, by using SIPERB with a private PBX, any IP exposure is limited to a trusted network, ensuring a secure, private experience for your WebRTC communications.

For those seeking a balance of performance and privacy in their WebRTC communications, SIPERB offers practical solutions tailored to address IP exposure concerns effectively.
