New TunnelVision Attack Explained (May 2024)
https://lawrence.video/
TunnelVision (CVE-2024-3661) research write up
https://www.leviathansecurity.com/blog/tunnelvision
Chapters
00:00 TunnelVision Attack CVE-2024-3661
01:00 Split Tunnel VPN
02:15 Full Tunnel VPN
03:15 Tunnel-vision attack
04:42 Mitigation for Tunnelvision
by Lawrence Systems
linux dhcp server
@Lawrence Systems what did you use to make the animated diagram?
Wait…what's the issue? Seems like everything is working as intended.
Great explanation, thanks Tom! I bought a gli travel router before our last family holiday but didn't take it in the end because I already had a bag full of electronics :)) but I will make room for it next time we travel.
Hey Tom, totally unrelated question, but what software are you using to make those drawings/diagrams? 🙂
What I love about wireguard is that the IP configurations are statically assigned to the users. Plus wireguard can force all traffic to go through the tunnel which is what I currently have it set at.
It is actually a useful feature if you know how to use it. Not a bug at all nor should be categorized as a vulnerability in my opinion
So the solution is Double NAT? Huh
If a feature is found to be a potential security issue then we need a feature to disable it.
Well, since you brought them up, I'd love to see a good in-depth setup tutorial on configuring travel routers. Most I've seen use the gl-inet hardware with their baked in firmware. It's ok, but it's several versions behind the full opensource version, which doesn't speak highly of staying on top of vulnerabilities. What they have done, is optimize the settings to make it much more accessible to the general user — and the default open source version is anything but user friendly. I'd love to see a tutorial on setting up the devices with the latest open source version and talking through the various configuration options. There's literally nothing out there (that's current). It'd bridge the gap from the other channels like Chris at crosstalk that simply promotes the custom firmware and ignores the potential security issues with that stance. Just a thought.
Or you could just assign the IP statically once you get it from the DHCP server…
I laughed when I saw the notification for this "vulnerability". It's a nothing burger, unless you put yourself into a position for it to happen.
Not only can DHCP do this but I'm like 99% sure ICMP itself has a way to "suggest" routes to computers via different gateways. I'm not certain if those can be made gratuitous though.
Tom, I think you could have also mentioned that it's not really an issue for overlay networks that tend to poke /32 routes into your routing table.
Also, it's not difficult to remediate. Any VPN client could monitor your routing table for conflicting routes, or any end point protection system could monitor for suspicious routes in DHCP replies.
Depending on the configuration of your DHCP client, an attack like this would be easily identified in your logs.
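The detection idea raised in the comment above (watching DHCP replies for routes that conflict with the tunnel) as an added example; this is not code from the video, the commenter, or the TunnelVision write-up. It decodes DHCP option 121 (RFC 3442 classless static routes) from a constructed option payload and flags any route that is more specific than a default route and points outside the local LAN, because on a full-tunnel VPN host such a route is installed by the DHCP client outside the tunnel and wins over the tunnel's less-specific routes by longest-prefix match. The LAN prefix, the sample addresses and the byte string are assumptions made for the example.

```python
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def encode_classless_static_routes(routes: List[Tuple[str, str]]) -> bytes:
    """Encode (destination CIDR, gateway) pairs as DHCP option 121 data.

    RFC 3442 layout per route: 1 byte prefix length, then only the
    significant destination octets (ceil(prefix/8)), then 4 gateway octets.
    """
    out = bytearray()
    for dest_cidr, gateway in routes:
        dest = ipaddress.IPv4Network(dest_cidr)
        n_octets = (dest.prefixlen + 7) // 8
        out.append(dest.prefixlen)
        out += dest.network_address.packed[:n_octets]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def parse_classless_static_routes(option_data: bytes) -> List[Route]:
    """Decode DHCP option 121 data into (destination, gateway) pairs.

    Rejects malformed input (bad prefix length, truncated route) instead of
    silently installing whatever the server sent.
    """
    routes: List[Route] = []
    i = 0
    while i < len(option_data):
        prefix_len = option_data[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8
        if i + n_octets + 4 > len(option_data):
            raise ValueError("truncated option 121 route entry")
        # Pad the omitted low-order destination octets with zeros.
        dest_bytes = option_data[i:i + n_octets] + b"\x00" * (4 - n_octets)
        i += n_octets
        gateway = ipaddress.IPv4Address(option_data[i:i + 4])
        i += 4
        # strict=False: a server may set host bits; keep the route as sent.
        dest = ipaddress.IPv4Network((dest_bytes, prefix_len), strict=False)
        routes.append((dest, gateway))
    return routes


def suspicious_routes(routes: List[Route], lan: ipaddress.IPv4Network) -> List[Route]:
    """Return pushed routes that would steer traffic around a full-tunnel VPN.

    A default route (/0) and routes inside the local LAN are the normal
    content of option 121. Anything more specific than /0 that points at
    destinations outside the LAN bypasses the tunnel for that destination.
    """
    return [
        (dest, gw)
        for dest, gw in routes
        if dest.prefixlen > 0 and not dest.subnet_of(lan)
    ]


def flagged_destinations(option_data: bytes, lan_cidr: str) -> List[str]:
    """Convenience wrapper returning flagged destinations as CIDR strings."""
    lan = ipaddress.IPv4Network(lan_cidr)
    return [str(dest) for dest, _ in suspicious_routes(parse_classless_static_routes(option_data), lan)]


# Constructed sample: a normal default route and on-link LAN route, plus one
# extra route to a documentation prefix (TEST-NET-3) via the LAN gateway.
SAMPLE_OPTION_121 = encode_classless_static_routes([
    ("0.0.0.0/0", "192.168.1.1"),      # default via LAN gateway (normal)
    ("192.168.1.0/24", "0.0.0.0"),     # on-link LAN route (normal)
    ("203.0.113.0/24", "192.168.1.1"),  # specific route outside the LAN (flag)
])

if __name__ == "__main__":
    for dest, gw in parse_classless_static_routes(SAMPLE_OPTION_121):
        print(f"route {dest} via {gw}")
    print("suspicious:", flagged_destinations(SAMPLE_OPTION_121, "192.168.1.0/24"))
```

In practice a client-side check like this would run against the option 121 (and legacy option 33) data in every DHCPACK, or against the host routing table after the DHCP client applies it, and alert or tear down the VPN when a flagged route appears.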
Sounds like all the commercial VPN services like NordVPN just lost a major selling point.
Is this why Microsoft broke VPNs in a recent Windows 10/11 update?
NONE of my VPNs have Internet or ANY routing!
Need to check/secure end-points by forcing their traffic through a funnel?
You are doing it WRONG!
Could you or someone elaborate on 5:45? Should I not be running the VPN client on my travel router?
Hi Tom, if I understand correctly these routes can be overridden with static DNS servers, right? Would this also be a solution?
Thanks Tom for breaking this down and getting the word out.
Thanks Tom