
Reminder: WebRTC data channels can silently leak your internal and (if behind a VPN) real IP address.

https://diafygi.github.io/webrtc-ips/

https://bugzilla.mozilla.org/show_bug.cgi?id=959893



That's why site-based VPNing is considered the gold standard. Instead of using a VPN client on a PC, you use a network appliance; that way the PC never has a concept of what your "true" IP is, and thus cannot leak it.

Some people have been toying with doing the same but using Virtual Machines. The VM wouldn't have a concept of what the true IP is and since everything goes through the virtual router it acts like a site-to-site VPN connection hiding your true address.


Yes. This is very easy to install using pfSense inside a virtual machine.

Here's a guide that is recent and I can confirm that it works:

http://www.malwaretech.com/2015/08/creating-ultimate-tor-vir...


Is this basically the same as what Whonix does (routing through a dedicated gateway VM)?

http://whonix.org


It looks like it, but with pfSense you get more control, I think. I have several more segments (read: virtual adapters) that route through a VPN or just from my home IP.

So then I can go to manage > adapter settings > LAN segments in my VMware settings and change my upstream gateway. This is all 100% transparent to the programs running inside the VM (the only problem is that not all protocols support being routed in this sense).

But TCP works, as does DNS over TCP, so most programs you use will work.


Which is great on a desktop or in a home office situation. That's what I have. But for a mobile situation where it's just your phone and the telco, that is not an option (unless you're in the habit of carrying a suitcase with your appliance).


What's the setup for a site-based VPN? This is the first I'm ever hearing about it


Consumer or business-grade router that has a built-in VPN client. On the consumer side you can often flash OpenWRT/DD-WRT/pfSense to add a VPN client.

But for a more reliable setup you want a business-grade router which supports it natively.


Basically you have a router such as the Cisco [880] take care of the encryption and extend the corporate private network into the home office.

[880] http://www.cisco.com/c/en/us/support/routers/880-integrated-...


Just FTR, you can (almost?) just as easily use VyOS. It is open source and supports IPsec site-to-site.


The problem with this is that the VAST majority of endpoint appliances don't support OpenVPN. You're limited to PPTP, L2TP, or IPSec with pretty much every single vendor.


The important issue is that some WebRTC-capable browsers can leak your internal address to a random page you are visiting even if you are not using WebRTC. If you are actually using WebRTC then you probably don't care if they know what your internal IP address is. ... that is of course if you ever care...


> Reminder: WebRTC data channels can silently leak your internal and (if behind a VPN) real IP address.

I have been writing an MMO server, and I would be glad to use WebRTC datachannels, but only for client-server communications. I am far more interested in UDP-like semantics than peer to peer.


>This demo secretly makes requests to STUN servers that can log your request. These requests do not show up in developer consoles and cannot be blocked by browser plugins (AdBlock, Ghostery, etc.).

That's a bit of an overstatement. Running NoScript. No scripts, no WebRTC.
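
What the leak discussed in this thread looks like at the data level, as an added example that is not part of any comment here: a page that opens an RTCPeerConnection is handed ICE candidate lines, and this classifier reports which of them carry a LAN or public address and which were replaced by an mDNS `.local` name in browsers that obfuscate host candidates. The function names and the sample lines are constructed for illustration.

```javascript
// Added example. Candidate grammar (RFC 8839): candidate:<foundation> <component>
// <transport> <priority> <address> <port> typ <type> [raddr <address> rport <port>]
function addressScope(addr) {
  if (/\.local$/i.test(addr)) return "mdns-obfuscated"; // browser hid the LAN address
  const v4 = addr.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (v4) {
    const a = Number(v4[1]), b = Number(v4[2]);
    if (a === 0 || a === 127) return "non-routable";
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
    if (a === 169 && b === 254) return "link-local";
    return "public";
  }
  if (addr.includes(":")) {
    const first = parseInt(addr.split(":")[0] || "0", 16);
    if (first === 0) return "non-routable";               // ::, ::1
    if ((first & 0xfe00) === 0xfc00) return "private";    // fc00::/7 unique local
    if ((first & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
    return "public";
  }
  return "unknown";
}
// Parse one SDP/ICE candidate line; returns null for anything else.
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, "").split(/\s+/);
  if (!f[0].startsWith("candidate:") || f[6] !== "typ" || !f[7]) return null;
  const c = { type: f[7], address: f[4], scope: addressScope(f[4]) };
  const r = f.indexOf("raddr", 8);
  if (r !== -1 && f[r + 1]) c.related = { address: f[r + 1], scope: addressScope(f[r + 1]) };
  return c;
}
// Summarise what a page that collected these candidates would have learned.
function exposureReport(lines) {
  const lan = new Set(), pub = new Set();
  let obfuscated = 0;
  for (const c of lines.map(parseCandidate).filter(Boolean)) {
    for (const { address, scope } of [c, c.related].filter(Boolean)) {
      if (scope === "mdns-obfuscated") obfuscated++;
      else if (scope === "public") pub.add(address);
      else if (scope === "private" || scope === "link-local") lan.add(address);
    }
  }
  return { lanAddresses: [...lan], publicAddresses: [...pub], obfuscated };
}
// Constructed sample: LAN address as used in the thread, public one from 203.0.113.0/24.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.99.105 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.99.105 rport 54321",
  "candidate:3 1 udp 2122260223 3f2a9c1e-7b4d-4e8a-9c55-0d1e2f3a4b5c.local 54322 typ host",
  "a=candidate:4 1 udp 1686052607 203.0.113.7 54322 typ srflx raddr 0.0.0.0 rport 0",
];
```

Feeding it the candidates your own browser emits (for example, copied from its WebRTC internals page) shows whether host addresses are still exposed in the clear; an empty `lanAddresses` with a non-zero `obfuscated` count means the LAN address is being hidden.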


Isn't this a non-issue? Security by obscurity is weak. Not just a WebRTC issue: any p2p communication will do this. With IPv6 it's a non-issue as well?


If internal IPs are critical security info, something is very wrong.


Well, imagine you're in a controlled environment (e.g., China) and having your non-VPN IP leaked could compromise your identity. Having an easy way for a site to reveal you is therefore a security issue.


Ah, that makes more sense. I assumed he was referring to the private address assigned to your machine on your LAN.


Even if he is, it's still information that doesn't need to be revealed. It's not a security issue in and of itself, but if combined with another exploit, it could help an attacker. Good security is all about layers and protecting information.

LAN IPs are also useful for distinguishing computers from the same external IP which could help compromise your identity or privacy.


? I browse from work.

And I'm fairly sure my Sys Admin won't want random websites knowing my internal IP address.

Network shares etc. would likely be somewhere on the same range and they could launch subsequent attacks to try to sniff confidential documents and resources.


Again: that is a problem. If that is possible your internal network is insecure.

The castle and moat model is obsolete anyway. Most attacks today come through "pulled" vectors that bypass the firewall. If you rely on a physical network perimeter for security your security is an illusion.


Your network shares have public, routable IP addresses? That, in my opinion, would be a far bigger issue than 'leaking' a host's IP address.


No, any website can detect your local IP address, then use ajax to scan a targeted IP subnet range fairly quickly (and completely hidden from the user) to find any shitty CORS-enabled web interface your company has (think some "modern" internal accounting webapp that enables CORS for its "API").

Prior to WebRTC you'd have to scan much larger IP ranges to try and find internal network webapps that are CORS enabled.


I'm more talking about being able to craft subsequent XSS requests. My browser will unwittingly be doing the attacking.

My IP address is 192.168.99.105

Script tries XSS attacks on:

  http://192.168.99.1/ciscowebinterface/known_dodgy_admin?user=root&pass=NEVERCHANGED1
  http://192.168.99.1/juniper/also_leaky_admin?user=root&pass=NEVERCHANGED2
  http://192.168.99.2/... enumerated


Yeah, I'm struggling to understand why that's an issue.


Browser fingerprinting. If a site knows your Internet-facing IP address and your local IP address, then they can uniquely identify you, even if you delete your cookies or use private browsing mode.



