Attackers can decloak routing-based VPNs
Attack mechanism and behavior
- Core issue: a malicious DHCP server can use Option 121 (classless static routes) to push more-specific routes (e.g., 0.0.0.0/1, 128.0.0.0/1) that override a VPN’s default route and send traffic over the physical interface instead of the tunnel.
- Discussion clarifies this is about both route specificity and the interface field: routes learned via DHCP are bound to the non‑VPN interface.
- Result: traffic that users expect to be tunneled can be transparently decloaked and observed on the local network, while the VPN client still reports “connected”.
Threat model and feasibility
- Attacker must effectively become the DHCP server on the victim’s L2 network (e.g., public Wi‑Fi, compromised home router).
- Some point out this is a known class of “malicious DHCP” attacks and that any device using DHCP already implicitly trusts that environment.
- Others stress that public/untrusted Wi‑Fi is a primary advertised use case for consumer VPNs, so being able to silently neutralize them is significant.
Mitigations and platform behaviors
- Strong defense on Linux: separate routing domains via network namespaces or VRFs; only the VPN process uses the “real” routing table affected by DHCP.
- Firewall‑based “kill switches”: block all off‑VPN traffic except to the VPN endpoint; this converts the attack from data leakage to denial‑of‑service on those routes.
- Debate on a proposed “side-channel”: using blocked vs allowed traffic volumes to infer VPN destinations; several commenters consider this impractical/overstated.
- Android reportedly doesn’t implement Option 121 and is therefore unaffected, at the cost of some networking features.
- Other mitigations mentioned: static IP/gateway, disabling Option 121, DHCP snooping on switches, using dedicated VPN routers or travel routers, userspace network stacks.
Severity and VPN ecosystem
- One camp calls this “nothing new”: any decent VPN with proper leak‑protection firewalling is already safe; clients doing only routing‑table tweaks are “broken by design”.
- Another camp sees it as a genuine and underappreciated flaw, especially because many commercial VPN clients rely on fragile “kill switches” that react to tunnel state rather than enforcing strict network policy.
- Some criticize sensational headlines and possible “CVE mining”; others welcome the detailed primer and see value in exposing misconfigurations and weak client designs.