I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?...
I added clarification that the HTTPS part is assuming that the attacker has already performed the DHCP attack. Thanks for the note!
The DHCP race is one part I didn't go into detail about since I'm not very familiar with the details, but what you wrote makes sense. One potential danger is a hacker at a coffee shop, where the shop owner is unlikely to be monitoring the network, and there are going to be many new connections coming in all the time. It's still an unlikely scenario, but it also isn't a particularly difficult attack.
If exposing hostnames and IP addresses is dangerous
It's not necessarily dangerous, but it's a major privacy issue. Hiding your browsing history from other people (except for the VPN provider) is one of the main reasons why people get a commercial VPN in the first place. And this vulnerability mainly concerns those users.
Yeah, you don't have to dig very deep to find out how insecure our networks are. Mac addresses can be spoofed, ports can be scanned, TCP numbers can be guessed, etc...
Great write-up, I've been looking for something like this. I've heard of vopono and eznetns before but not namespaced-openvpn, and this is the first post I've seen where somebody details how they use a tool like this, so thanks! I'll have to try setting it up some time.
From a privacy standpoint I don't think it would make a big difference over not using a VPN at all. It will take a bit of time but your new IP will become associated with your identity. From the perspective of Facebook and Google, it will just look like you moved and are living inside a datacenter now.
Though if you have any alternatives for vanilla wireguard users like me, I'll gladly switch. I know somebody mentioned Gluetun but I thought that was for docker only. Do you know of any others?
How do you route all a host system's traffic through Gluetun? If you use routing tables, wouldn't it similarly be affected by TunnelVision? In which case you would still need a firewall on the host...
Also, the host system likely makes network requests right after boot, before a Gluetun container has time to start. How do you make sure those don't leak?
I am curious though, how you were able to route all host traffic through Gluetun. I know it can be used as a http/socks proxy, but I only know of ways to configure your browser to use that. What about other applications and system-level services? What about other kinds of traffic, like ssh?
Actually my firewall is persistent, just like many of the other good VPN clients, so "kill switch" is a bit of a misnomer. Which is why I called it wg-lockdown, named after Mullvad's lockdown mode. Persistent firewalls are effective, they just add a very tiny side-channel, as discussed in the link in my post. I just used the terms "kill switch" in my post because that's what many other people use.
Though the point about the LAN is a good point, I didn't consider that. I added LAN access because without it, the firewall was interfering with the networking of my docker container and virtual machines, which use local subnets. Even the official Mullvad client has issues with this. What do you recommend in this case? Manually whitelist the local subnets used by docker and my other virtual networks?
Edit: actually upon reading Mullvad's statement on TunnelVision, I realized that my firewall is still effective because it only allows traffic directed to LAN IP's to bypass the VPN. So regular internet traffic will be blocked if the attacker tries to redirect it to the LAN. I'm glad I used Mullvad as a reference implementation 😅
why is a split tunnel relevant? I thought all VPNs are vulnerable unless they use a firewall like I do, or network namespaces.
At least the way I understand it, a normal VPN redirects your internet traffic to instead go through a virtual network interface, which then encrypts and sends your traffic through the VPN. This attack uses a malicious DHCP server to inject routes into your system, redirecting traffic to the attacker instead of towards the virtual network interface.
I see what you mean now. I wouldn't advocate for people to disable DHCP features either. It should be the VPN provider's responsibility to provide a proper VPN client that mitigates attacks like these.
addressing misconceptions about the recent TunnelVision vulnerability
I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?...
Does self-hosted VPN make sense?
Hey all,...
sharing my simple wireguard kill-switch for Linux
cross-posted from: https://lemmings.world/post/8926396...
sharing my simple wireguard kill-switch for Linux
In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs....
Novel attack against virtually all VPN apps neuters their entire purpose ( arstechnica.com )