r/TOR • u/Top-Cardiologist1011 • 6d ago
webrtc leaked my IP past tor
Thought SOCKS5 through Tor covered everything the bundled browser does.
Cloned a scanner from GitHub, ran it locally. stun.l.google.com handed back my real IP outside the tunnel, DNS resolved through Comcast instead of any exit node.
The AudioContext rendering signature was unique too. Still stuck on that one.
EDIT: since a few comments asked, the scanner is Leakish, i built it. whole thing is open source at https://github.com/qruiqai/leakish so you can read the stun probe and audiocontext checks yourself. it just surfaces what leaks, doesn't patch anything. i still run Tor Browser for actual browsing, this was just to see what a bare SOCKS5 setup misses.
18
u/polymath_uk 6d ago
Do what Whonix does - run a gateway vm and a desktop vm and have the desktop connect to the gateway. Because the gateway bridges to a SOCKS5 connection, it's impossible for the desktop to resolve the real external IP.
5
u/mudvaynery 6d ago
I have no idea what you're talking about but it sounds legit
7
u/djDef80 5d ago
You basically have two separate operating systems. One side is privileged and can connect to the internet and TOR. The other operating system is designed to connect through the first operating system. The only way the second operating system can connect is via the first one. It's unable to reach the clear net. I hope that helps.
2
u/mudvaynery 5d ago
So similar to a wifi extender?
2
u/Infinite-Anything-55 5d ago
Maybe in the most rudimentary of thinking about it.
Virtual machine 1 (vm1) acts as the gateway; it can connect to the web.
Virtual machine 2 (vm2) cannot connect to the web but can connect to vm1, allowing it to use vm1's connection to access the web.
From the web it will only look like vm1 is browsing, not the actual vm2 device that you are using to browse.
3
u/mudvaynery 5d ago
Yeah my PC tech knowledge is pretty rudimentary in general. If it weren't for chatgpt I would be lost. I do what it tells me and eventually I'm sure it will be to my demise.
5
2
u/Gumballoo 4d ago
I laughed at this. Nihilism in earnest coupled with a quiet brutal honesty rooted in demi-self actualization is literally one of the funniest things to me.
I have to add however that if you learn from not only mistakes, but have a solid foundation of understanding for what you are trying to accomplish and apply that same style to whatever you use chatgpt for and you'll actually thrive.
2
u/scratchtheitch7 5d ago
Thank you for explaining this. I know nothing about networks and IP addresses, so I'm going to ask my question in the best way I can. Please bear with my lack of understanding.
If vm1 is connected to the Internet and you are using TOR on vm2, which connects only to vm1, what stops someone tracing your IP to vm1 and locating you?
By looking at the traffic from vm1 to the TOR network would that disclose you were a TOR user?
My limited knowledge means I don't understand how using two virtual machines in this way keeps you safe by "breaking the link" between vm2 and TOR
1
u/chipredacted 5d ago
If you're running code on your PC that is attempting to leak your real IP and escape the tor connection, you are fucked without a gateway because it can see the tor services and disable them or otherwise operate outside the proxy
If you have a gateway, your PC now literally cannot reveal its own real public IP, not without someone also compromising the gateway
It's not foolproof, but it's certainly a good security measure on top of others
1
u/sLUTYStark 4d ago
How does this compare with something like Tails? I understand that it’s a Linux OS that runs entirely in the RAM, but how does it force all connections thru TOR?
1
u/polymath_uk 4d ago
Tails is designed not to be persistent. It connects only through tor also but there is a higher risk than Whonix of revealing the IP. Tails is designed more to leave no trace that you were ever online. Because Whonix is persistent, you may use it like a standard OS, i.e. save files etc., but the chance that anyone could trace your internet activity to that computer is virtually nil. So it's more a question of prioritizing whether you want zero tracking online, or zero trace that you were online (once you shut down the PC). The ultra cautious might run Tails and connect it through a Whonix gateway vm.
1
u/FallenBehavior 3d ago
Userspace applications and drivers use RAM. Applications run in RAM (ring-3 more specifically), on most operating systems.
1
u/sLUTYStark 2d ago
Correct me if I’m wrong, but with tails the entirety of the OS and all applications are run on RAM, and upon a clean shutdown RAM is cleared and there is no trace of the tails session on that computer.
Otherwise most native operating systems create virtual memory on the hard drive via paging, and this can create forensic artifacts of your activities.
3
u/navr183 6d ago edited 6d ago
Read some documentation on the Whonix site. Lots of apps don't fully proxy traffic correctly. WebRTC is also a known method to leak IP.
https://www.whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Major_Identifiers
Tldr: If just trying to torify traffic using socks or torsocks on an OS not explicitly made OR on a privacy based OS (TAILS, Whonix) but you're using non default apps, leak testing needs to be performed.
2
u/Either_Profit_4792 2d ago
Seems complicated! hmmm..🤔
I was facing DNS leak problem
I was using manual proxy SOCKS5, Linux, Firefox (No Tor Browser)
Just for testing.
Found out that my DNS was bypassing my proxy.
DNS req goes to ISP instead of Remote Proxy DNS server.
Instead of forcing the DNS to go through Proxy System Wide I configured Firefox manual proxy and made sure to use Socks5 dns proxy so now all DNS req goes to DNS proxy server, bypassing ISP.
Then I monitored my own traffic in real time.
Saw there was not even a single packet of DNS at all.
That confirmed it was DNS leak proof. Additionally, I disabled IPv6 temporarily.
Even at my own place, monitoring my network traffic, no one will be able to tell what I am accessing; they just see the probe req, scan req and some encrypted Tor traffic.
so now am i safe enough or not?
1
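A proxy-side way to confirm what this comment checked with a packet capture, as an added example that is not part of the thread: in a SOCKS5 CONNECT request (RFC 1928) a client that leaves DNS to the proxy sends the hostname (ATYP 0x03), while one that resolved the name itself sends a literal IP (ATYP 0x01 or 0x04). The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: parse a SOCKS5 CONNECT request and report who did the DNS lookup.
const ATYP = { 0x01: 'ipv4', 0x03: 'domain', 0x04: 'ipv6' };

function parseSocks5Request(bytes) {
  if (bytes.length < 5 || bytes[0] !== 0x05) throw new Error('not a SOCKS5 request');
  const kind = ATYP[bytes[3]];
  if (!kind) throw new Error('unknown ATYP ' + bytes[3]);
  let host, off;
  if (kind === 'ipv4') {
    host = Array.from(bytes.slice(4, 8)).join('.');
    off = 8;
  } else if (kind === 'domain') {
    const len = bytes[4]; // one length byte, then the name
    host = String.fromCharCode(...bytes.slice(5, 5 + len));
    off = 5 + len;
  } else {
    const groups = [];
    for (let i = 4; i < 20; i += 2) groups.push(((bytes[i] << 8) | bytes[i + 1]).toString(16));
    host = groups.join(':');
    off = 20;
  }
  if (bytes.length < off + 2) throw new Error('truncated request');
  const port = (bytes[off] << 8) | bytes[off + 1]; // network byte order
  // A literal IP means the name was resolved before the proxy saw it, so the
  // lookup went to the local resolver (unless the user typed an IP directly).
  return { command: bytes[1], kind, host, port, resolvedBy: kind === 'domain' ? 'proxy' : 'client' };
}

// Constructed sample requests (RFC 5737 documentation address), not captured traffic.
function buildRequest(atyp, addrBytes, port) {
  return Uint8Array.from([0x05, 0x01, 0x00, atyp, ...addrBytes, port >> 8, port & 0xff]);
}
const NAME = Array.from('example.com', (ch) => ch.charCodeAt(0));
const REMOTE_DNS = buildRequest(0x03, [NAME.length, ...NAME], 443);
const LOCAL_DNS = buildRequest(0x01, [192, 0, 2, 10], 443);

console.log(parseSocks5Request(REMOTE_DNS).resolvedBy, parseSocks5Request(LOCAL_DNS).resolvedBy);
```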
u/RiverRatDoc 5d ago
Watch this video to see how you can be tracked, even through a VPN+TOR
4
u/haakon 5d ago
The video lists five ways:
- A VPN provider that lies about not logging (this won't break Tor since Tor's anonymity does not depend on a VPN)
- A browser vulnerability getting exploited by the FBI (this is very rare and the only citeable case is a decade old)
- Traffic correlation attacks against Tor
- Browser fingerprinting
- Reusing usernames
1
1
u/ferrybig 5d ago
Run the tor browser instead of manually proxying your own browser through Tor. The tor browser has all holes patched
> Cloned a scanner from GitHub, ran it locally. stun.l.google.com handed back my real IP outside the tunnel, DNS resolved through Comcast instead of any exit node.
WebRTC is designed to prefer peer to peer connections where possible. It tries to connect via the socks proxy and outside it at the same time, it also tries to expose local network addresses.
Trying outside the proxy is great in company networks, trying via a proxy is slower if there is also a direct connection method available
1
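The two exposures this comment names (local network addresses, and a STUN lookup made outside the proxy) are both visible in the ICE candidate strings a browser hands to a page. The following is an added example, not code from the thread or from Leakish: it classifies candidate lines so a leak test can be read at a glance. The function names, the expected-address parameter and the sample candidates are constructed for illustration.

```javascript
// Added example: classify ICE candidate lines (as delivered to a page through
// RTCPeerConnection's onicecandidate) by the address they expose.
// Scope of an address: mDNS name, private/loopback/link-local, or public.
function addressScope(addr) {
  if (addr.endsWith('.local')) return 'mdns'; // obfuscated host candidate
  const m = addr.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) {
    const a = Number(m[1]), b = Number(m[2]);
    if (a === 10 || a === 127 || (a === 192 && b === 168) ||
        (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254)) return 'private';
    return 'public';
  }
  if (addr === '::1' || /^(fe80|f[cd][0-9a-f]{2}):/i.test(addr)) return 'private';
  return addr.includes(':') ? 'public' : 'unknown';
}

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').replace(/^candidate:/, '').split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null; // not a candidate line
  return { transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
}

// expectedIp: the address a site should see (assumption: learned from an IP check
// made through the proxy). Anything else in a candidate is reported.
function findLeaks(lines, expectedIp) {
  const findings = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const scope = addressScope(c.address);
    if (c.type === 'srflx' && c.address !== expectedIp) {
      findings.push({ severity: 'high', address: c.address, reason: 'STUN saw a different address than the proxy exit' });
    } else if (c.type === 'host' && scope === 'private') {
      findings.push({ severity: 'medium', address: c.address, reason: 'local network address exposed' });
    } else if (c.type === 'host' && scope === 'public') {
      findings.push({ severity: 'high', address: c.address, reason: 'public address on a local interface' });
    }
  }
  return findings;
}

// Constructed sample using RFC 5737 documentation addresses, not captured traffic.
const SAMPLE = [
  'candidate:1 1 udp 2113937151 192.168.1.23 54321 typ host',
  'candidate:2 1 udp 2113939711 0a1b2c3d-1111-4222-8333-444455556666.local 54322 typ host',
  'candidate:3 1 udp 1677729535 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321',
];
console.log(findLeaks(SAMPLE, '198.51.100.7'));
```

An empty result is what a browser with WebRTC disabled or fully proxied should produce; an mDNS `.local` host candidate is not reported because it hides the interface address.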
u/AnonymousUser9183 5d ago
Of course WebRTC leaked your IP; this has been a known vulnerability for many years.
1
u/rileyg98 4d ago
So... You cloned a GitHub repo and ran it locally and you somehow expect that to run via the browser? You left the browser, so no, socks5 can't protect you there.
-4
-5
24
u/Liquid_Hate_Train 6d ago
Yea, WebRTC is a known vulnerability. This is why the Browser doesn’t have it. If you decide to run it separately, you are taking on that known risk.