AlexxIT / go2rtc

Ultimate camera streaming application with support for RTSP, RTMP, HTTP-FLV, WebRTC, MSE, HLS, MP4, MJPEG, HomeKit, FFmpeg, etc.
https://github.com/AlexxIT/Blog
MIT License

webrtc candidates leaking internal IP addresses #283

Open tomuta opened 1 year ago

tomuta commented 1 year ago

So I set up go2rtc on a VPS, and I am using it to distribute an rtcp stream that is sent to that VPS through a VPN connection. I configured the static IP address of the VPS as documented:

webrtc:
  listen: ":8555" # external TCP/UDP port
  candidates:
    - "xxx.xxx.xxx.xxx:8555"
    - "[xxxx:xxxx:xxxx:xxxx::xxx]:8555"

When streaming (using stream.html) and looking at the websocket messages I noticed that I also see all my internal IP addresses in the webrtc/candidate messages, such as all my docker containers as well as my VPN connections. Is there a way to only use the candidates specified rather than in addition to all network interfaces that it can find? I don't really want to leak all my internal IP addresses, which don't really make a lot of sense on the internet anyway.

AlexxIT commented 1 year ago

It's not leaking. It's how WebRTC works. It sends all local IPs from all interfaces, all external IPs from STUN servers, and all IPs from TURN servers.

Candidates from YAML are not standard. They are my personal idea, in addition to the usual library behaviour.

But I can add a filter for local interfaces. It won't add much meaning to the candidates exchange. Just a cosmetic feature.

tomuta commented 1 year ago

But for a public server none of these internal IP addresses make sense, as no client would be able to connect to them unless they were connecting from one of these internal networks, which of course could be the case.

I wonder if a list of interface names would make sense. If that list is not configured then the default behavior would apply, otherwise advertise only the IP addresses associated with those interfaces.
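An added example (not go2rtc's own code) of the interface allow-list proposed above, written in Go like go2rtc itself and run over a constructed interface inventory: with no list configured every address is advertised, as today, and internalOnly shows which of those are the Docker/VPN addresses an internet client sees in webrtc/candidate messages but can never reach. The type, function names and sample addresses are assumptions for illustration.

```go
package main

import "net"

// Constructed stand-in for net.Interfaces(): these names and CIDRs are made up.
type ifaceAddrs struct {
	Name  string
	Addrs []string
}

var sampleIfaces = []ifaceAddrs{
	{"eth0", []string{"203.0.113.10/24", "2001:db8::10/64"}},
	{"docker0", []string{"172.17.0.1/16"}},
	{"wg0", []string{"10.8.0.1/24"}},
	{"lo", []string{"127.0.0.1/8", "::1/128"}},
}

// hostCandidates returns the host-candidate IPs advertised under the proposed
// rule: an empty allow list keeps every interface (current behaviour), otherwise
// only the named ones. Loopback and link-local addresses are dropped either way.
func hostCandidates(ifaces []ifaceAddrs, allowed []string) []string {
	allow := map[string]bool{}
	for _, n := range allowed {
		allow[n] = true
	}
	var out []string
	for _, ifc := range ifaces {
		if len(allow) > 0 && !allow[ifc.Name] {
			continue
		}
		for _, cidr := range ifc.Addrs {
			ip, _, err := net.ParseCIDR(cidr)
			if err != nil || ip.IsLoopback() || ip.IsLinkLocalUnicast() {
				continue
			}
			out = append(out, ip.String())
		}
	}
	return out
}

// internalOnly picks out private (RFC 1918 / ULA) candidates an internet client cannot reach.
func internalOnly(cands []string) (out []string) {
	for _, c := range cands {
		if ip := net.ParseIP(c); ip != nil && ip.IsPrivate() {
			out = append(out, c)
		}
	}
	return out
}
```

On a real host the inventory would come from net.Interfaces() and Interface.Addrs(); the filtering logic is unchanged.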

gfduszynski commented 1 year ago

I have a similar issue: the Docker container IP used for the nginx proxy is being unnecessarily served.
Asterisk provides a blacklist feature with its ICE: https://github.com/asterisk/asterisk/blob/master/configs/samples/rtp.conf.sample#L113