Tunnelvision Attack Enables VPN Traffic Redirection

Researchers have publicly disclosed an attack technique known as TunnelVision. It allows VPN traffic to be redirected to an attacker-controlled host when the attacker is on the same local network or controls the wireless network the victim joins. The attack targets VPN clients that do not isolate the tunnel in a separate network namespace, so the attacker can bypass the client's packet filter rules and intercept traffic.

The crux of the attack is a rogue DHCP server that alters the routing information on the client's device. Using the classless static route option defined in RFC 3442, the attacker modifies the victim's routing table and directs traffic outside the VPN tunnel. The injected routes are more specific than the routes installed by the VPN client and therefore take precedence, so the matching traffic leaves through the physical network interface instead of the VPN interface.

The attack works against operating systems that honour DHCP option 121, which includes Linux, Windows, iOS, and macOS. Notably, Android is not affected because it does not process DHCP option 121. While the attack exposes the traffic that leaves the tunnel, it does not decrypt application-layer protocols such as TLS and SSH, so data protected at that layer remains confidential.

To safeguard against such attacks, users can block DHCP packets carrying option 121, prevent packets destined for the VPN endpoint from being sent through any interface other than the VPN interface, run the VPN client inside a separate isolated virtual machine or container, or place the tunnel in its own network namespace. For those interested in testing the attack, a set of scripts has been published for experimentation.
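The first mitigation above (blocking or at least alerting on DHCP packets that carry option 121) requires recognising the option on the wire. The following added example, which is not part of the original article or the published test scripts, decodes the DHCP option area, parses the RFC 3442 classless static route encoding (one prefix-length byte, only the significant destination octets, then a four-byte router address), and flags an offer whose injected routes together cover the entire IPv4 space with prefixes more specific than the default route, which is exactly the condition that lets them override a VPN's routes. The two DHCP offers in the block are constructed samples; the function names and the 192.168.1.1 gateway are assumptions.

```python
import ipaddress

# DHCP option codes (RFC 2132 / RFC 3442)
OPTION_PAD = 0
OPTION_CLASSLESS_STATIC_ROUTE = 121
OPTION_END = 255


def parse_dhcp_options(options: bytes) -> dict:
    """Parse the TLV option area of a DHCP message into {code: raw value}.

    Pads (0) are skipped and End (255) terminates the list; a truncated
    option raises ValueError rather than being silently accepted.
    """
    opts = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d truncated" % code)
        opts[code] = value
        i += 2 + length
    return opts


def decode_classless_routes(value: bytes) -> list:
    """Decode RFC 3442 option 121 into [(IPv4Network, IPv4Address router)].

    Each route is: 1 byte prefix length, ceil(prefix/8) significant octets
    of the destination, then 4 octets of router address.
    """
    routes = []
    i = 0
    while i < len(value):
        prefix_len = value[i]
        if prefix_len > 32:
            raise ValueError("invalid prefix length %d" % prefix_len)
        n = (prefix_len + 7) // 8
        dest = value[i + 1:i + 1 + n] + b"\x00" * (4 - n)
        router = value[i + 1 + n:i + 5 + n]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        # strict=False: tolerate host bits set in the significant octets
        net = ipaddress.IPv4Network((dest, prefix_len), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 1 + n + 4
    return routes


def covers_all_ipv4(routes: list) -> bool:
    """True if the non-default routes merge into 0.0.0.0/0, i.e. together they
    are more specific than, and fully shadow, the default route."""
    nets = [net for net, _ in routes if net.prefixlen > 0]
    merged = ipaddress.collapse_addresses(nets)
    return any(net.prefixlen == 0 for net in merged)


def audit_dhcp_offer(options: bytes) -> dict:
    """Summarise what an offer's option 121 would do to the routing table."""
    opts = parse_dhcp_options(options)
    raw = opts.get(OPTION_CLASSLESS_STATIC_ROUTE)
    routes = decode_classless_routes(raw) if raw is not None else []
    return {
        "option_121_present": raw is not None,
        "routes": [(str(net), str(gw)) for net, gw in routes],
        "overrides_default_route": covers_all_ipv4(routes),
    }


# Constructed sample: ordinary offer with one legitimate static route (10.0.0.0/8).
BENIGN_OFFER = (
    b"\x35\x01\x02"                      # 53: DHCPOFFER
    b"\x01\x04\xff\xff\xff\x00"          # 1: subnet mask
    b"\x03\x04\xc0\xa8\x01\x01"          # 3: router 192.168.1.1
    b"\x79\x06" b"\x08\x0a\xc0\xa8\x01\x01"  # 121: 10.0.0.0/8 via 192.168.1.1
    b"\xff"
)

# Constructed sample: two /1 routes that together shadow the default route.
SUSPICIOUS_OFFER = (
    b"\x35\x01\x02"
    b"\x01\x04\xff\xff\xff\x00"
    b"\x03\x04\xc0\xa8\x01\x01"
    b"\x79\x0c"
    b"\x01\x00\xc0\xa8\x01\x01"          # 0.0.0.0/1   via 192.168.1.1
    b"\x01\x80\xc0\xa8\x01\x01"          # 128.0.0.0/1 via 192.168.1.1
    b"\xff"
)

if __name__ == "__main__":
    for name, offer in (("benign", BENIGN_OFFER), ("suspicious", SUSPICIOUS_OFFER)):
        print(name, audit_dhcp_offer(offer))
```

The check deliberately keys on the merged coverage rather than on a fixed pair of prefixes, so it also catches finer splits (four /2 routes, and so on) that shadow the default route in the same way. A client that simply refuses any offer with option 121, as the first mitigation suggests, needs only the `option_121_present` field; the coverage field is useful where legitimate static routes must still be accepted.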
