check.torproject.org should have WebRTC IPv4 and IPv6 address leak detection to protect Orbot VPN users
Orbot for Android offers an option to use Tor as a VPN. This is great because Orweb is End-of-Life, and other browsers don't allow configuring proxies and the VPN feature also tunnels traffic for apps through Tor.
However, the Android's VPN feature doesn't hide the IP addresses from WebRTC's STUN requests. This means that Orbot users will still leak their IP addresses when using the VPN feature and using a browser with WebRTC capabilities.
Here's the proof-of-concept I wrote to detect IP addresses via WebRTC. Please include this test code in your https://check.torproject.org/ website, so that users who are stuck using regular browsers on Android can know about the IP address leak.
https://github.com/diafygi/webrtc-ips
Trac:
Username: diafygi