How to Mask IP Leak from WebRTC in Firefox?

I was reading about online privacy and became aware that one's IP address is leaked by WebRTC technology even when using proxies. According to an article I read, it is possible to disable WebRTC in Firefox by navigating to about:config and setting media.peerconnection.enabled to false. While this indeed turned WebRTC off, I think it created a new set of problems: by having WebRTC turned off, I am identifying myself as the "guy who doesn't want WebRTC" enabled, which may be suspicious to some websites. As someone once wrote, "I'd rather be a needle in a large hay-stack than a needle in a handful of hay".

How can I keep WebRTC enabled but modify it in a way that it only reveals the IP of my proxy or some random IP instead of my real IP?



Solution 1:[1]

To address the potential XY: you don't really stand out merely by having WebRTC disabled. It can be disabled for lots of very routine reasons, like a corporate group policy.

If you're worried about fingerprinting to that degree, you should also worry about fingerprinting by monitor size and resolution, and any number of other features that can be detected via JavaScript. In which case, use Tor browser, which does a lot to obfuscate you.

As to hiding your IP address:

In about:config set

  1. media.peerconnection.ice.proxy_only to true. Undocumented feature that blocks WebRTC that does not come through your proxy.
  2. media.peerconnection.ice.relay_only to true. This can be used to block all local (LAN) and external IP addresses from being generated as candidates. This does not hide your external IP address from the TURN server itself, so if your attacker attempts to start a connection and specifies a TURN server they control, this won't be enough.

To mitigate the risk from #2 above but still use WebRTC, additionally set

  1. media.peerconnection.use_document_iceservers to true and then
  2. media.peerconnection.default_iceservers to the list of servers you wish to use and trust, such as your VPN's.

When use_document_iceservers is false, it will refuse to use peers specified by the web page and instead only use the ones specified in default_iceservers. If you fail to provide a list of default_iceservers, Firefox may revert use_document_iceservers as a fallback.

As to a "canonical method to deliberately leak a fake IP through WebRTC instead of simply disabling it entirely", in a way which will not disable WebRTC but which will break it, set media.peerconnection.ice.force_interface to 0.0.0.0, a non-routable address (or anything in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 should work).

It's probably simplest to just disable it - there are lots of other ways a sneaky page can fingerprint or track you in a regular browser.

References: https://wiki.mozilla.org/Media/WebRTC/Privacy

Note to future readers: These are all moving parts, some are currently semi- or un-documented, so things may change by the time you read this.
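
To check what a profile exposes after changing the settings above, the following added example (not part of the original answer) parses ICE candidate lines and lists every address a page could read from them. The STUN URL is a placeholder, the function names are hypothetical, and the sample candidate lines are constructed from documentation address ranges.

```javascript
// Parse one ICE candidate line of the form:
// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <addr> ...]
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ (\S+) \d+ (\S+) (\d+) typ (\S+)(.*)$/i.exec(line.trim());
  if (!m) return null;
  const raddr = / raddr (\S+)/i.exec(m[5]);
  return { transport: m[1].toLowerCase(), address: m[2], port: Number(m[3]),
           type: m[4].toLowerCase(), relatedAddress: raddr ? raddr[1] : null };
}

// mDNS placeholders (*.local) and wildcard addresses reveal nothing about the host.
const isRealAddress = (a) => !!a && !/\.local$/i.test(a) && a !== '0.0.0.0' && a !== '::';

// Return each exposed address with the candidate type (or raddr field) that carried it.
function auditCandidates(lines) {
  const findings = [];
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    if (c.type !== 'relay' && isRealAddress(c.address))
      findings.push({ address: c.address, reason: c.type });
    if (isRealAddress(c.relatedAddress))
      findings.push({ address: c.relatedAddress, reason: c.type + ' raddr' });
  }
  return findings;
}

// Browser only: collect the candidates this profile actually generates.
async function gatherCandidates(iceServers, timeoutMs = 5000) {
  const pc = new RTCPeerConnection({ iceServers }), lines = [];
  pc.createDataChannel('audit'); // a data channel is enough to start ICE gathering
  const done = new Promise((resolve) => {
    pc.onicecandidate = (e) => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
    setTimeout(resolve, timeoutMs); // stop waiting if gathering never completes
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}

// Constructed sample lines (RFC 5737 documentation addresses), used outside a browser.
const SAMPLE = [
  'candidate:0 1 UDP 2122252543 192.0.2.10 50000 typ host',
  'candidate:1 1 UDP 2122252543 3f2a9c1e-0b7d-4c55-9a7e-1d2c3b4a5f60.local 50001 typ host',
  'candidate:2 1 UDP 1686052863 198.51.100.7 50002 typ srflx raddr 192.0.2.10 rport 50000',
  'candidate:3 1 UDP 92217087 203.0.113.5 3478 typ relay raddr 0.0.0.0 rport 0',
];
if (typeof RTCPeerConnection !== 'undefined') { // browser: audit this profile
  gatherCandidates([{ urls: 'stun:stun.example.org:3478' }]).then((l) => console.table(auditCandidates(l)));
} else { console.log(auditCandidates(SAMPLE)); } // elsewhere: run the sample
```

With media.peerconnection.ice.relay_only set to true, the audit should report no host or srflx findings; any that remain mean the setting is not in effect for that profile.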

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
