
Leaderboard


Popular Content

Showing content with the highest reputation on 05/08/24 in all areas

  1. 2 points
    Hello! As reported in the very informative and well written article, provided that unfortunately the adversary has the ability to crack your local network and install inside it an evil DHCP server, an excellent mitigation is based on firewall rules exactly as they are enforced by AirVPN's Network Lock. Kill switches are ineffective as usual, nothing new here, but Network Lock greatly mitigates the problem. This mitigation is very hard to circumvent, as it would require traffic analysis first and more operations later (check "Problems with Firewall Rule Mitigations" in the article). Please note that traffic splitting MUST be avoided, otherwise the firewall rules of Network Lock will have exceptions which can be in themselves a dangerous enlargement of the attack surface and which can again be exploited by TunnelVision. As a double protection, you may consider disabling DHCP option 121, an option which can be reported even as “Disable Classless Static Route”. Without DHCP option 121 the attack lacks its essential prerequisite. Check the downsides, though. We will have the paper investigated by independent reviewers in the next days and if anything relevant on top of all of the above comes out we will publish it. Kind regards
  2. 1 point
    https://www.leviathansecurity.com/blog/tunnelvision Apparently this affects both OpenVPN and WireGuard protocols. Technically it's not a vulnerability but it was easier for the title...
  3. 1 point
    @valkyrie89 Hello! Inbound remote port forwarding is a feature divorced from the VPN p-t-p communication protocol, it all relies on NAT configuration through packet mangling, so you can use it both with OpenVPN and WireGuard. Kind regards
  4. 1 point
    Well… I don't see it coming to life in the near future. That's all I can offer you. 😕
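
Added example, not part of any post above and not AirVPN's code: the first post names DHCP option 121 as the prerequisite, so this sketch decodes that option (RFC 3442) from a DHCP options field and reports the routes it would install outside local address space. The function names, `LOCAL_RANGES` and the sample bytes are assumptions made for the illustration.

```python
import ipaddress
# Assumption: ranges a home/office DHCP server can plausibly route to.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def dhcp_options(field: bytes) -> dict:
    """Walk the option TLVs after the magic cookie; repeated codes concatenate (RFC 3396)."""
    opts, i = {}, 0
    while i < len(field):
        code = field[i]
        if code == 255:               # End option
            break
        if code == 0:                 # Pad option has no length byte
            i += 1
            continue
        if i + 2 > len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts

def classless_routes(data: bytes) -> list:
    """Decode option 121 (RFC 3442): prefix length, then only the
    significant destination octets, then a 4-byte router address."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8           # destination octets actually sent
        entry = data[i + 1:i + 1 + n + 4]
        if plen > 32 or len(entry) != n + 4:
            raise ValueError("malformed classless route entry")
        dest = ipaddress.ip_network((entry[:n] + bytes(4 - n), plen), strict=False)
        routes.append((dest, ipaddress.ip_address(entry[n:])))
        i += 1 + n + 4
    return routes

def suspicious_routes(options_field: bytes) -> list:
    """Option 121 routes whose destination reaches beyond LOCAL_RANGES."""
    data = dhcp_options(options_field).get(121, b"")
    return [(d, gw) for d, gw in classless_routes(data)
            if not any(d.subnet_of(r) for r in LOCAL_RANGES)]

# Constructed sample: option 121 = 203.0.113.0/24 via 192.168.1.66, 10.20.0.0/16 via 192.168.1.1
SAMPLE = bytes([53, 1, 2, 121, 15, 24, 203, 0, 113, 192, 168, 1, 66,
                16, 10, 20, 192, 168, 1, 1, 255])
```

A lease with no option 121 yields an empty list; any non-empty result is a route the DHCP server is asking the client to install for non-local destinations and is worth reviewing before the VPN comes up.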