Browsers leaks Public IP through WebRTC protocols while routing traffics through browser specific proxies such as chrome vpn extensions. but using Native VPN Application (OS Specific) doesn't produce public ip through WebRTC.
How to overcome this problem and force chromium to use proxy IP instead of public IP for WebRTC communication.
Note- Blocking WebRTC from Browser does hide the public ip but many websites eg. google.com, godaddy.com treats you as a bot and blacklist you from using some of their services.
This issue is more related to browser fingerprinting than ungoogling stuffs..
No Extensions available to solve this problem till now but some of the automation tools such as Kameleo.com is able to do such things but those are pricy.
Possible solutions
Force chromium to use proxy ip through ICE Framework TURN/STUN signaling services
I also don't know how to seup STUN connection so please also guide me for the coding part.
https://isaacbrains.com
TLDR: Configure and deploy your own TURN server and configure your WebRTC app to use relay candidates only via iceTransportPolicy and use only TURN for your iceServers.
Something like this:
let config = {
iceServers: [{urls: "turn:turn.yourdomain.com:3478"}],
iceTransportPolicy:"relay"
};
WebRTC does not use browser proxies. Browser proxies bridge connections via http/https to websites. And browser proxies don't fit into the model WebRTC uses to connect to another client ad-hoc packet transfer of UDP packets.
STUN exists primarily for clients to discover and share their own public IP address and port mapping. It sounds like you want to avoid STUN since you don't want srflx candidates anyway.
TURN is a relay server protocol for WebRTC, VOIP, and other types of P2P connections. It's primary job is to be a fallback when direct client to client communication is not possible. But it sounds like you want to avoid that altogether and just have the SDP advertise your relay (TURN) addresses only.
Related
So I've seen projects like trojan-go,v2ray-go
They are making their own proxy protocols in user space level. I am trying to do the same thing but I don't know how to redirect network traffic from clients to proxy server.
Basically I don't understand how those tools (or any tool) can redirect internet traffic of the device to a certain server, so when the packets are going to the internet they go to the proxy server first instead of their destination ip address.
How can I do it in golang without dealing with netlink and Iptables?
I know apps like wireguard do this by dealing with layer 3-4 stuff using netlink API but I need to know how apps do it without adding a new network interface.
I have a WebSocket server running on an Android device on my local network. I would like to have the ability to discover this server using DNS-based Service Discovery (DNS-SD). I believe this is possible for plain sockets but is this possible for WebSockets? If not, are there any other mechanisms besides DNS-SD that would allow me to discover a WebSocket server on a LAN besides iterating through all possible IP:port combinations? If this is possible, how can I go about naming my service so that it is discoverable?
In short we have two separate servers for our web app. The first one is the main server that uses Websockets for handling "chat rooms", and the second server only handles WebRTC audio chat rooms via Websocket. Both servers use Express to create a HTTPS server, use secure Websocket and the port 443.
I recently encountered a problem where a corporate client's firewall blocked the wss-connection to only the WebRTC server. The error logged in the user's browser was "ERR_CONNECTION_TIMED_OUT", which means the user never connects via Websocket. This has not happened with any other clients.
The Websocket connection works normally between the user and the main server, and no rules have been added to their firewall to use our app.
Has anyone encountered something similar? What kind of a firewall setting might cause this? Could this be a cors problem, since the servers are on their own sub-domains?
The main server could be restricting the type of data sent on port 443, which will use SSL to secure that transmitted data.
Refer to this page for information on the "Well-know port numbers".
The WebRTC audio data may need to be transmitted on its own dedicated port number that has been configured on the main server for this.
The problem was that the main server WebSocket used TCP and the WebRTC server used UDP, and UDP was blocked by corporate firewall on default.
WebRTC should use TCP as a backup, but I'm assuming UDP is still needed for the handshake.
I have an ios app that needs an API to works yet this API is deployed using Kubernetes that doesn't support IPv6 for now.
I am intending to create proxy server that do the redirection of packets to the actual api. How could be done using google compute engine? A load balancer?
You do not need a proxy but a reverse-proxy. Therefore, yes a load balancer is a way to comply to your need. Do not forget to configure the DNS with the IPv4 and IPv6 addresses of the load balancer.
But when you say I have an ios app that needs an API to works [...] support IPv6. If what you are saying is based on the fact that Apple wants iOS apps in their store to support IPv6, note that having an IPv6 server is not compulsory. Apple expects your client application to work correctly when connected to an IPv6-only network, but that IPv6-only network MUST help your application by offering a DNS resolver that is DNS64 compliant and also offering a NAT64 IPv6-to-IPv4 translation gateway. This means your client application makes a DNS request to www.myipv4onlyserver.com and the resolver replies with a fake IPv6 address routed to a NAT64 gateway. Thus, your client application talks with IPv6 to this gateway and this gateway translates the data channel to your IPv4 server, like a transparent proxy.
So, to be compliant with Apple expectations, if you only use high-level network libraries and address-agnostic APIs, such as getaddrinfo() and getnameinfo(), then you do not need to support IPv6 on the server side.
At the moment, GCE instance don't support IPv6, so you cannot terminate IPv6 on an instance or set up the (reverse) proxy yourself.
However Google Cloud HTTP(S), SSL and TCP proxy do support IPv6. You could use this to accept IPv6 connections and forward them to your GKE nodes. It might even be possible to do this with the HTTP LB created as part of a Kubernetes Ingress, and thus have it automatically connected to the correct pods.
Shall I use WebSocket on non-80 ports? Does it ruin the whole purpose of using existing web/HTTP infrastructures? And I think it no longer fits the name WebSocket on non-80 ports.
If I use WebSocket over other ports, why not just use TCP directly? Or is there any special benefits in the WebSocket protocol itself?
And since current WebSocket handshake is in the form of a HTTP UPGRADE request, does it mean I have to enable HTTP protocol on the port so that WebSocket handshake can be accomplished?
Shall I use WebSocket on non-80 ports? Does it ruin the whole purpose
of using existing web/HTTP infrastructures? And I think it no longer
fits the name WebSocket on non-80 ports.
You can run a webSocket server on any port that your host OS allows and that your client will be allowed to connect to.
However, there are a number of advantages to running it on port 80 (or 443).
Networking infrastructure is generally already deployed and open on port 80 for outbound connections from the places that clients live (like desktop computers, mobile devices, etc...) to the places that servers live (like data centers). So, new holes in the firewall or router configurations, etc... are usually not required in order to deploy a webSocket app on port 80. Configuration changes may be required to run on different ports. For example, many large corporate networks are very picky about what ports outbound connections can be made on and are configured only for certain standard and expected behaviors. Picking a non-standard port for a webSocket connection may not be allowed from some corporate networks. This is the BIG reason to use port 80 (maximum interoperability from private networks that have locked down configurations).
Many webSocket apps running from the browser wish to leverage existing security/login/auth infrastructure already being used on port 80 for the host web page. Using that exact same infrastructure to check authentication of a webSocket connection may be simpler if everything is on the same port.
Some server infrastructures for webSockets (such as socket.io in node.js) use a combined server infrastructure (single process, one listener) to support both HTTP requests and webSockets. This is simpler if both are on the same port.
If I use WebSocket over other ports, why not just use TCP directly? Or
is there any special benefits in the WebSocket protocol itself?
The webSocket protocol was originally defined to work from a browser to a server. There is no generic TCP access from a browser so if you want a persistent socket without custom browser add-ons, then a webSocket is what is offered. As compared to a plain TCP connection, the webSocket protocol offers the ability to leverage HTTP authentication and cookies, a standard way of doing app-level and end-to-end keep-alive ping/pong (TCP offers hop-level keep-alive, but not end-to-end), a built in framing protocol (you'd have to design your own packet formats in TCP) and a lot of libraries that support these higher level features. Basically, webSocket works at a higher level than TCP (using TCP under the covers) and offers more built-in features that most people find useful. For example, if using TCP, one of the first things you have to do is get or design a protocol (a means of expressing your data). This is already built-in with webSocket.
And since current WebSocket handshake is in the form of a HTTP UPGRADE
request, does it mean I have to enable HTTP protocol on the port so
that WebSocket handshake can be accomplished?
You MUST have an HTTP server running on the port that you wish to use webSocket on because all webSocket requests start with an HTTP request. It wouldn't have to be heavily featured HTTP server, but it does have to handle the initial HTTP request.
Yes - Use 443 (ie, the HTTPS port) instead.
There's little reason these days to use port 80 (HTTP) for anything other than a redirection to port 443 (HTTPS), as certification (via services like LetsEncrypt) are easy and free to set up.
The only possible exceptions to this rule are local development, and non-internet facing services.
Should I use a non-standard port?
I suspect this is the intent of your question. To this, I'd argue that doing so adds an unnecessary layer of complication with no obvious benefits. It doesn't add security, and it doesn't make anything easier.
But it does mean that specific firewall exceptions need to be made to host and connect to your websocket server. This means that people accessing your services from a corporate/school/locked down environment are probably not going to be able to use it, unless they can somehow convince management that it is mandatory. I doubt there are many good reasons to exclude your userbase in this way.
But there's nothing stopping you from doing it either...
In my opinion, yes you can. 80 is the default port, but you can change it to any as you like.