[Feature request] WebRTC leak protection

[VPNPrivacy922]

I have checked if others have suggested this already

• I have checked this issue tracker to see if others have reported similar issues.

Feature description

If you look at the Mullvad Website and try to figure out what Mullvad does to protect it customers against WebRTC leaks it's pretty slim to non. So either Mullvad does nothing to protect users against this vulnerability or the communication regarding WebRTC protection needs to be updated.

The Mullvad Website answers the question about what to do about WebRTC, in their FAQ section, with a link. If you click it you get a guide on how to disable WebRTC in browsers.

Well that's great and you can definitely disable WebRTC in browsers... But: WebRTC isn't just used by browsers. It is implemented into a lot of apps and programs. This affects both mobile as well as Windows users. Apps that use WebRTC in both their Windows and mobile applications include: Snapchat, Discord, Facebook Messenger and Instagram. Just to name a few examples. It is widely used!

Well other VPN providers have reacted to this fact and have implemented protections for their users. Or at least they claim that they have. Idk if it is allowed here to name other company's so I will just quote their claims without providing names of the providers, if asked I can provide the names tho.

First example taken from the Website of one provider: "A good VPN app will use firewall rules and other platform-specific techniques to ensure your real IP address can’t be exposed by WebRTC. "

Second example (different company) from both the Website and a video that they posted about the issue: Are you safe from WebRTC leaks when using (Name of VPN provider)? And the answer is yes! (Name of VPN provider) is engineered to be leak proof. It blocks any IP adresses through WebRTC, while allowing authorized WebRTC connections to continue under your anonymous IP adress.

My fear right now is that Mullvad does nothing to protect their users against WebRTC leaks and just tell them to disable it, which is only possible in Browsers, not in apps that depend on the protocol.

I hope that I'm wrong though and Mullvad already has put protections against those kinda leaks into place.

What is the case?

In case that there are no protections implemented right now I strongly suggest and request that this is fixed for all platforms asap.

Alternative solutions

Type of feature

• Better privacy/anonymity
• Better at circumventing censorship
• Easier to use
• Other

Operating System

• Android
• iOS
• Windows
• macOS
• Linux

[faern]

I'd be interested in seeing what protections other providers do have. Except disabling WebRTC in each individual app I have a hard time coming up with any effective means of protection. I guess it would be possible to block the ports commonly used by STUN servers for the discovery of peers for WebRTC. But I doubt that is covering the entire problem really.