Tunnel Vision Oopsie

Saw this today

Makes me wonder if a packet tagging Killswitch in pfsense can avoid this problem.

What are your thoughts?


Seems like they are specifically talking about the VPN application itself. If the application decides to send traffic outside the tunnel then yeah that is an issue. If the provider lets you use third party software like OpenVPN then you can make sure to pass all traffic through the tunnel via your firewall. The extra step for a kill switch is fine to do to make sure no traffic escapes. But not due to OpenVPN going outside the tunnel for traffic.

Unless I am not understanding how it works, this “Decloaking” requires that the server you are connecting to be under the control of an attacker who can add routes via DHCP. An attacker with access to the VPN server could also just view the traffic.

Yes, that was my understanding as well. The attacker already needs to have a foothold in the network to carry out this attack. They also need to be able to run a rogue DHCP server undetected in that network.

If they have that level of control over the VPN to do things like spoof DHCP, you probably also are able to inspect the traffic. I don’t really get it.

OK, I took the time to read it again and it’s interesting. It’s a feature, not a bug, as it is an option in the DHCP server to set new routes, and if a local attacker has control of the network you are on, they can add those routes easily by setting short DHCP leases that, upon renewal but after your VPN is established, can peel off data back to local instead of going through the VPN.

Any network you connect to thinking your communication is secure because you have a VPN on your laptop… hotels, hotspots. It’s not a bug, clearly has legitimate uses, but the public at large needs a lot more awareness this could happen so they can guard against it.

And how exactly would you guard against this?

I fully agree with your thoughts and afterthoughts about it. Ars tech classics. Big headlines, but the more you dig into it you go ‘yeah ok’.

But if I’m not mistaken, is it more targeted toward “paid” popular VPNs?
To my understanding the attacker forces a kind of “split tunneling” VPN that goes unnoticed, but I don’t understand exactly how they could hijack, for example, packets from your home network VPN to your laptop in a hotel room?

That’s exactly it. Or the Internet Cafe you use to conduct business online. Or the rogue AP in the airport you just connected to.

Several ways.

One would be to ignore DHCP route option packets. I would expect there already are, and if not already then soon enough, commercial and open source applications that will enable this option.

Secondly, you could have a road warrior type device that connects to the Wifi instead of your laptop. That device gets, or ignores, the route option, it doesn’t matter. Then your laptop behind the road warrior device establishes the tunnel.

Thirdly, your phone can act as the road warrior device. Android apparently is immune to this type of attack.
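The posts above describe the mechanism (the DHCP server's route option pushing routes that win over the VPN's catch-all routes) and the first mitigation (ignore the route option). The following is an added example written for this thread, not code from any poster or from pfSense: it decodes the classless static routes option (DHCP option 121, RFC 3442) from a constructed DHCP options blob and reports which pushed routes are more specific than the tunnel's routes and would therefore divert traffic around the VPN. The sample options bytes, the assumed tunnel routes (the 0.0.0.0/1 and 128.0.0.0/1 pair many VPN clients install) and the LAN prefix are all constructed for the demonstration.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag the
routes that would carry traffic around a VPN tunnel.

All input here is constructed sample data; nothing touches the network.
"""
import ipaddress

OPT_PAD, OPT_END = 0, 255
OPT_CLASSLESS_ROUTES = 121

# Constructed DHCPACK options field: message type (53), subnet mask (1),
# router (3), classless static routes (121), end marker (255).
SAMPLE_OPTIONS = (
    b"\x35\x01\x05"                      # 53: DHCP message type = ACK
    b"\x01\x04\xff\xff\xff\x00"          # 1: subnet mask 255.255.255.0
    b"\x03\x04\xc0\xa8\x01\x01"          # 3: router 192.168.1.1
    b"\x79\x13"                          # 121: classless static routes, 19 bytes
    b"\x18\xcb\x00\x71\xc0\xa8\x01\x01"  #   203.0.113.0/24 via 192.168.1.1
    b"\x00\xc0\xa8\x01\x01"              #   0.0.0.0/0 via 192.168.1.1
    b"\x08\x0a\xc0\xa8\x01\x01"          #   10.0.0.0/8 via 192.168.1.1
    b"\xff"                              # 255: end
)

# Assumed routes the VPN client installed toward its tunnel interface.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]
LAN = ipaddress.IPv4Network("192.168.1.0/24")  # the local (untrusted) network


def parse_dhcp_options(blob: bytes) -> dict:
    """Walk the TLV options field and return {code: value_bytes}.
    A repeated code is concatenated, as RFC 3396 requires for long options."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> list:
    """RFC 3442 encoding: one prefix-length byte, then only the significant
    octets of the destination, then the 4-byte next hop. Returns
    a list of (IPv4Network, IPv4Address) pairs."""
    routes = []
    i = 0
    while i < len(value):
        plen = value[i]
        if plen > 32:
            raise ValueError("bad prefix length %d" % plen)
        n = (plen + 7) // 8                     # significant destination octets
        dest = value[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        gw = value[i + 1 + n:i + 5 + n]
        if len(gw) != 4:
            raise ValueError("truncated route entry")
        routes.append((ipaddress.IPv4Network((dest, plen)), ipaddress.IPv4Address(gw)))
        i += 5 + n
    return routes


def routes_bypassing_vpn(routes, vpn_routes, lan):
    """A pushed route diverts traffic only if it is more specific than the
    tunnel route covering the same destination; the LAN prefix itself and a
    plain default route (less specific than the /1 pair) are expected."""
    flagged = []
    for net, gw in routes:
        if net.subnet_of(lan):
            continue
        covering = [v for v in vpn_routes if net.subnet_of(v)]
        if covering and all(v.prefixlen < net.prefixlen for v in covering):
            flagged.append((net, gw))
    return flagged


def analyze(blob: bytes) -> list:
    """Convenience wrapper: options blob in, list of bypassing routes out."""
    opts = parse_dhcp_options(blob)
    if OPT_CLASSLESS_ROUTES not in opts:
        return []
    return routes_bypassing_vpn(decode_classless_routes(opts[OPT_CLASSLESS_ROUTES]), VPN_ROUTES, LAN)


if __name__ == "__main__":
    for net, gw in analyze(SAMPLE_OPTIONS):
        print("route %s via %s would bypass the tunnel" % (net, gw))
```

The same decode logic can be run over an option field captured from a lease file or a packet capture; in practice the client-side fix the poster describes is simpler still, which is to not request or not honour option 121 at all, since a client that ignores it installs only the default route, and the tunnel's /1 routes remain the most specific match.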