Novel attack against virtually all VPN apps neuters their entire purpose

134 comments
  • That's why half-decent VPN apps also add firewall rules to prevent leakage. Although nothing can beat Linux and shoving the real interface in a namespace so it's plainly not available to anything except the VPN process.

    • Yes, I don't agree with the "no way to mitigate" statement.

      I suspect on Windows the only real defence is something like:

      • Check if the network has suspicious multiple routes set up from the DHCP.
      • If so, either use the IP/Mask/Gateway with manual IP config (to not receive the CIDR routes) or steer clear of an at-best questionable network entirely.
      • Maybe use the Windows firewall to block all traffic outbound EXCEPT from the firewall program (with perhaps exceptions for local networks as per the Linux example below). For whatever reason, the Windows firewall doesn't seem to have a way to specify an interface, but you can specify a program.

      I did look for some way to control Windows' handling of DHCP options, but it seems there isn't anything obvious to limit this otherwise. I do not know if the Windows firewall has this kind of fine-grained control with its own fire

      For Linux, I used to have my own blackout firewall rules that only allowed the specific LAN range (for mobile use you could include all RFC 1918 ranges) and the specific VPN IP out of the internet-facing interface. Only the VPN interface could otherwise access the internet.

  • This is the best summary I could come up with:


    Researchers have devised an attack against nearly all virtual private network applications that forces them to send and receive some or all traffic outside of the encrypted tunnel designed to protect it from snooping or tampering.

    TunnelVision, as the researchers have named their attack, largely negates the entire purpose and selling point of VPNs, which is to encapsulate incoming and outgoing Internet traffic in an encrypted tunnel and to cloak the user's IP address.

    The attack works by manipulating the DHCP server that allocates IP addresses to devices trying to connect to the local network.

    A setting known as option 121 allows the DHCP server to override default routing rules that send VPN traffic through a local IP address that initiates the encrypted tunnel.

    When apps run on Linux there's a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks.

    This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.


    The original article contains 903 words, the summary contains 196 words. Saved 78%. I'm a bot and I'm open source!

  • Meh, option 121 shenanigans can be detected and remediated via post-connection scripting.
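The detection step and the Linux "blackout" rules described in the reply above, and the post-connection scripting this comment mentions, as an added example that is not code from the thread or from any VPN client: a POSIX shell snippet that (1) lists the non-default routes a DHCP client installed on the physical interface, which is exactly what DHCP option 121 (RFC 3442 classless static routes) pushes, by parsing `ip -4 route show` output, and (2) emits an nftables ruleset that lets only the VPN endpoint, DHCP renewals and optionally the RFC 1918 ranges leave via the physical interface, so everything else must go through the tunnel or is dropped. The interface names wlan0 and tun0, the VPN address 203.0.113.7 and the embedded route table are constructed for illustration; the check assumes the DHCP client tags the routes it installs with `proto dhcp`, as NetworkManager and systemd-networkd do.

```shell
#!/bin/sh
# Added example, not code from the thread or from any VPN client. Checks a
# route table for DHCP-installed routes other than the default (what DHCP
# option 121 pushes) and prints an nftables "blackout" ruleset that only lets
# the VPN endpoint, DHCP renewals and (optionally) RFC 1918 ranges leave via
# the physical interface. Interface names, the VPN address 203.0.113.7 and
# SAMPLE_ROUTES are constructed for illustration.

# Constructed `ip -4 route show` output: a laptop on wlan0 with a VPN on tun0,
# where the DHCP server also pushed /2 routes and a /24. Being more specific
# than the tunnel's /1 routes, they win the longest-prefix match regardless
# of metric and pull that traffic out of the tunnel.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.23 metric 600
0.0.0.0/2 via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.23 metric 600
128.0.0.0/2 via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.23 metric 600
10.20.30.0/24 via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.23 metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
203.0.113.7 via 192.168.1.1 dev wlan0'

# Print the destination of every route the DHCP client installed on IFACE
# other than the default route. Assumes the client tags its routes with
# "proto dhcp" (NetworkManager and systemd-networkd do; a dhclient hook
# script may not, so compare against your own `ip route` output first).
suspicious_dhcp_routes() {
    iface=$1
    routes=$2
    printf '%s\n' "$routes" | awk -v dev="$iface" '
        $1 != "default" && / proto dhcp/ {
            for (i = 1; i < NF; i++)
                if ($i == "dev" && $(i + 1) == dev) print $1
        }'
}

# Succeed (exit 0) if IFACE carries any such route, so a VPN up-hook can
# refuse to proceed, or tear the connection down, on a network that pushed them.
has_suspicious_dhcp_routes() {
    [ -n "$(suspicious_dhcp_routes "$1" "$2")" ]
}

# Emit an nftables ruleset for `nft -f`: output policy drop, with exceptions
# for loopback, the tunnel interface, the VPN endpoint on the physical
# interface, DHCP renewals, and (when ALLOW_LAN is "yes") the RFC 1918 ranges.
# Traffic that option 121 steered onto PHYS for any other destination is
# dropped rather than leaked.
blackout_ruleset() {
    phys=$1; tun=$2; vpn_ip=$3; allow_lan=${4:-yes}
    printf 'table inet vpn_blackout {\n'
    printf '    chain output {\n'
    printf '        type filter hook output priority 0; policy drop;\n'
    printf '        oifname "lo" accept\n'
    printf '        oifname "%s" accept\n' "$tun"
    printf '        oifname "%s" ip daddr %s accept\n' "$phys" "$vpn_ip"
    printf '        oifname "%s" udp dport { 67, 68 } accept\n' "$phys"
    if [ "$allow_lan" = yes ]; then
        printf '        oifname "%s" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } accept\n' "$phys"
    fi
    printf '        counter drop\n'
    printf '    }\n'
    printf '}\n'
}

# Stand-alone demo on the constructed table. On a real host, run
#   suspicious_dhcp_routes wlan0 "$(ip -4 route show)"
# from the VPN client's up hook and apply the ruleset with `nft -f`.
if has_suspicious_dhcp_routes wlan0 "$SAMPLE_ROUTES"; then
    echo "DHCP pushed non-default routes on wlan0:"
    suspicious_dhcp_routes wlan0 "$SAMPLE_ROUTES"
fi
blackout_ruleset wlan0 tun0 203.0.113.7
```

Two caveats a practitioner would add. A legitimate network can also push option 121 routes (on-site subnets, for example), so the check lists them for a person or a policy to judge rather than treating every hit as an attack. And the ruleset does not remove the side channel the bot summary mentions: traffic to a prefix the attacker routed onto the physical interface is dropped instead of leaked, which is a denial of service for that destination rather than a silent fix.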