I noticed when using a router-based VPN the default setting for Brave Shield under “WebRTC IP Handling Policy” allows webRTC to identify my local LAN IP. Not good.
Changing to “Default Public Interface only” resolves this and reports the VPN exit host. The deviceID is still reported/visible under Media Devices, kind: audiooutput.
Does this not allow for fairly unique fingerprinting? If that is the case DeviceID should not be exposed over webRTC in a browser which has privacy as key feature and “Default Public Interface only” should be the the default for WebRTC.
I used https://browserleaks.com/webrtc to verify this.