Как предотвратить утечку адреса через WebRTC при использовании sing-box?

Конфигурация моей сети такова: провайдер → сервер (sing-box тут) → роутер → клиенты. У сервера раздельные порты WAN и LAN. Пытаюсь завести Discord, добавил его в фильтр через ruleset geosite-discord, приложение работает исправно, но при попытке зайти в голосовой чат возникает ошибка при подключении к WebRTC. В логах sing-box видны обращения к frankfurt2034.discord.media:443 через vpn-out. UDP-трафик у меня не блокируется.

DNS-запросы для Discord идут через VPN. Весь QUIC на не-RU адреса идет через VPN. Идеи кончились. Сейчас подозреваю утечку адреса через WebRTC, но как ее предотвратить с такой конфигурацией, я не нашел. Прошу помочь.

Прикладываю конфиг sing-box.

{
  // sing-box configuration for a gateway host: a tun inbound plus a UDP/53 listener on the LAN side,
  // one VLESS outbound ("vpn-out"), and rule-set based routing that sends listed destinations
  // through the VPN and everything unmatched out directly (see "final" in "route").
  "log": {
    "level": "warn"
  },
  "dns": {
    // Names matching any of these rule-sets are resolved by "g-doh-dns-au", whose queries leave via "vpn-out".
    // No "final" DNS server is set here. NOTE(review): sing-box documents the first entry of "servers"
    // as the default in that case, which would be "g-doh-dns-ru" (direct-out) — confirm for your version.
    "rules": [
      {
        "rule_set": [
          "antizapret",
          "db-google-deepmind",
          "db-google-trust-services",
          "db-google-play",
          "db-openai",
          "db-youtube",
          "db-speedtest",
          "db-figma",
          "db-jetbrains",
          "db-jetbrains-ai",
          "db-microsoft",
          "db-intel",
          "db-imgur",
          "db-cisco",
          "db-custom",
          "db-discord",
          "db-oracle"
        ],
        "server": "g-doh-dns-au"
      }
    ],
    // The two DoH entries use the same resolver address and differ only in the outbound used to reach it.
    // "g-dns-au" and "block" are defined but not referenced by any DNS rule in this file.
    "servers": [
      {
        "tag": "g-doh-dns-ru",
        "address": "https://8.8.8.8/dns-query",
        "detour": "direct-out"
      },
      {
        "tag": "g-doh-dns-au",
        "address": "https://8.8.8.8/dns-query",
        "detour": "vpn-out"
      },
      {
        "tag": "g-dns-au",
        "address": "8.8.8.8",
        "detour": "vpn-out"
      },
      {
        "tag": "block",
        "address": "rcode://success"
      }
    ],
    "strategy": "ipv4_only"
  },
  "inbounds": [
    {
      "type": "tun",
      "tag": "tun-in",
      "interface_name": "tun0",
      "inet4_address": "172.20.0.1/30",

      "mtu": 1500,
      "stack": "gvisor",
      "gso": true,
      "auto_route": true,
      "auto_redirect": true,

      // Exclude Avahi, nginx, paper
      "exclude_uid": [70, 981, 982, 961],
      // Exclude WAN
      "exclude_interface": "enp6s0",

      "udp_timeout": "5m",

      // Sniffing with destination override: presumably this is what gives the domain rule-sets in "route"
      // a hostname to match for traffic that arrives addressed to an IP. NOTE(review): a UDP flow in which
      // no hostname can be sniffed keeps only its IP, so domain-only rule-sets will not match it.
      "sniff": true,
      "sniff_override_destination": true,
      "sniff_timeout": "500ms",
      "domain_strategy": "ipv4_only"
    },
    // Make LAN use sing-box's DNS resolving results
    {
      "type": "direct",
      "tag": "direct-in",

      "listen": "192.168.128.1",
      "network": "udp",
      "listen_port": 53,

      // Datagrams received on the LAN listener are re-addressed to 8.8.8.8:53 by the two override_* fields.
      "override_port": 53,
      "override_address": "8.8.8.8",

      "domain_strategy": "ipv4_only",
      // NOTE(review): in sing-box listen options "detour" names another inbound to forward to, while
      // "vpn-out" is an outbound tag in this file — confirm this field does what is intended.
      "detour": "vpn-out"
    }
  ],
  "outbounds": [
    {
      // "server", "uuid", "public_key" and "short_id" are empty strings in this copy — presumably
      // redacted for posting; keep the real values out of shared configs.
      "type": "vless",
      "tag": "vpn-out",
      "server": "",
      "server_port": 443,
      "uuid": "",
      "flow": "xtls-rprx-vision",
      "packet_encoding": "xudp",
      "tcp_fast_open": true,
      "connect_timeout": "5s",
      "tls": {
          "enabled": true,
          "insecure": false,
          "server_name": "google.com",
          "utls": {
              "enabled": true,
              "fingerprint": "chrome"
          },
          "reality": {
              "enabled": true,
              "public_key": "",
              "short_id": ""
          }
      }
    },
    {
      "type": "direct",
      "tag": "direct-out"
    },
    {
      "type": "dns",
      "tag": "dns-out"
    },
    {
      "type": "block",
      "tag": "block-out"
    }
  ],
  "route": {
    // The rules below select by rule-set, by sniffed protocol "quic", or by protocol "dns".
    // No rule visible here matches plain UDP by port or network; whether any rule-set carries
    // Discord media IP ranges cannot be told from this file.
    "rules": [
      // At first, process antizapret rules.
      {
        "rule_set": "antizapret",
        "outbound": "vpn-out"
      },
      // Then, forward some externally blocked websites through VPN.
      {
        "rule_set": [
          "db-google-deepmind",
          "db-google-play",
          "db-google-trust-services",
          "db-openai",
          "db-youtube",
          "db-speedtest",
          "db-figma",
          "db-jetbrains",
          "db-jetbrains-ai",
          "db-microsoft",
          "db-intel",
          "db-imgur",
          "db-cisco",
          "db-custom",
          "db-discord",
          "db-oracle"
        ],
        "outbound": "vpn-out"
      },
      // Then, allow government websites - they don't like VPN.
      {
        "rule_set": [
          "db-category-gov-ru"
        ],
        "outbound": "direct-out"
      },
      // Allow QUIC for russian IPs through direct - it's not being filtered on TSPU
      {
        "protocol": "quic",
        "rule_set": "ip-ru",
        "outbound": "direct-out"
      },
      // Forward all other QUIC connections to VPN
      {
        "protocol": "quic",
        "outbound": "vpn-out"
      },
       // Forward DNS requests to specified DNS servers
      {
        "protocol": "dns",
        "outbound": "dns-out"
      }
    ],
    // Remote rule-sets are downloaded through "vpn-out" from unpinned URLs ("releases/latest" and the
    // "rule-set" branch), so upstream changes alter which traffic uses the VPN without any edit to this file.
    // NOTE(review): no "update_interval" is set; refresh timing is left to the sing-box default.
    "rule_set": [
      {
        // Inline set with a single hostname regex; the pattern has no ^/$ anchors.
        "tag": "db-custom",
        "type": "inline",
        "rules": [
          {
            "domain_regex": [
              "yt[0-9]\\.ggpht.*"
            ]
          }
        ]
      },
      {
        "tag": "antizapret",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/savely-krasovsky/antizapret-sing-box/releases/latest/download/antizapret.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-openai",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-openai.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-google-deepmind",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-google-deepmind.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-google-play",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-google-play.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-google-trust-services",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-google-trust-services.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-youtube",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-youtube.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-speedtest",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-ookla-speedtest.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-figma",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-figma.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-jetbrains",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-jetbrains.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-jetbrains-ai",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-jetbrains-ai.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-microsoft",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-microsoft.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-intel",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-intel.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-imgur",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-imgur.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-cisco",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-cisco.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-category-gov-ru",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-category-gov-ru.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-discord",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-discord.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "db-oracle",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geosite/raw/rule-set/geosite-oracle.srs",
        "download_detour": "vpn-out"
      },
      {
        "tag": "ip-ru",
        "type": "remote", 
        "format": "binary",
        "url": "https://github.com/SagerNet/sing-geoip/raw/rule-set/geoip-ru.srs",
        "download_detour": "vpn-out"
      }
    ],
    // Anything that matched no rule above goes out via "direct-out", i.e. not through the VPN.
    // NOTE(review): this is the likely path for voice/WebRTC media sent over UDP straight to an IP —
    // "db-discord" is fetched from a geosite (domain) list, so confirm in the logs where that UDP goes and,
    // if it must use the VPN, add an IP- or port-based rule for it instead of relying on domain matching.
    "final": "direct-out",
    // Same interface name as "exclude_interface" on the tun inbound (the WAN port).
    "default_interface": "enp6s0"
  },
  "experimental": {
    // Cache DNS resolving results
    // NOTE(review): "cache_file" persists sing-box state such as downloaded remote rule-sets;
    // confirm that it also caches DNS answers as the line above states.
    "cache_file": {
      "enabled": true
    }
  }
}

В списках v2ray (предполагаемый источник файлов ruleset) нет IP-адресов Discord.

Поверить на слово не получается: если вы пытаетесь завести Discord, значит, UDP-трафик у вас всё же заблокирован.