Watch out for rogue DHCP servers decloaking your VPN connections
"TunnelVision's effect is independent of the underlying VPN protocol because it reconfigures the operating system network stack the VPN relies on."
Anyone who is able to operate a DHCP server on the same network as someone using a VPN, and get that VPN client's machine to use that DHCP server, can decloak their traffic because of a particular feature in the configuration protocol: option 121, which allows administrators to add classless static routes to client routing tables.
Ways a rogue DHCP server can end up serving a target's machine include:
- A rogue DHCP server using a DHCP starvation attack against the true DHCP server, then responding to new clients.
- A rogue DHCP server racing to respond to DHCPDISCOVER broadcasts, abusing the common DHCP client behavior of first-offer lease selection.
Once a miscreant is in a position to issue DHCP leases to a target's machine, they can use option 121 to force all data - even traffic that's supposed to be destined for a VPN tunnel - through a gateway set up by the DHCP server and then read whatever traffic they can.
If it's possible to tell your system to ignore DHCP option 121 while a VPN is active, that would be a good plan. Leviathan also recommends using a VPN through a dedicated, password-protected wireless hotspot for an added layer of security.
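To check what a lease is asking the routing table to do, the option 121 payload can be decoded and audited. The Python below is an added example, not code from the article or from Leviathan: it parses the RFC 3442 classless static route encoding and reports routes that steer off-link traffic. The function names, the sample payloads and the addresses in them are constructed for illustration.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode an RFC 3442 payload into (destination network, router) pairs."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # prefix length in bits
        if width > 32:
            raise ValueError(f"invalid prefix length {width}")
        n = (width + 7) // 8                 # only significant octets are sent
        end = i + 1 + n + 4                  # width + destination + router
        if end > len(data):
            raise ValueError("truncated route entry")
        dest = int.from_bytes(data[i + 1:i + 1 + n] + bytes(4 - n), "big")
        network = ipaddress.ip_network((dest, width), strict=False)
        router = ipaddress.ip_address(data[i + 1 + n:end])
        routes.append((network, router))
        i = end
    return routes

def audit_lease(option_121: bytes, local_subnet: str):
    """Report routes leaving the local subnet and whether they span all IPv4."""
    local = ipaddress.ip_network(local_subnet)
    routes = parse_option_121(option_121)
    offlink = [(net, gw) for net, gw in routes if not net.subnet_of(local)]
    merged = list(ipaddress.collapse_addresses(net for net, _ in offlink))
    return {
        "routes": routes,
        "offlink": offlink,
        # True when the pushed routes together cover every IPv4 destination,
        # i.e. they compete with a VPN's default route for all traffic.
        "captures_all_ipv4": merged == [ipaddress.ip_network("0.0.0.0/0")],
    }

# Constructed sample payloads (not captured traffic).
# Two /1 routes via 192.168.1.50: together they cover the whole IPv4 space.
SUSPICIOUS = bytes([1, 0x00, 192, 168, 1, 50, 1, 0x80, 192, 168, 1, 50])
# One route to 10.0.5.0/24 via 192.168.1.1: an ordinary static route.
ORDINARY = bytes([24, 10, 0, 5, 192, 168, 1, 1])

if __name__ == "__main__":
    for name, payload in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        result = audit_lease(payload, "192.168.1.0/24")
        print(name, [str(n) for n, _ in result["offlink"]],
              "captures_all_ipv4 =", result["captures_all_ipv4"])
```

A lease that sets `captures_all_ipv4` while a VPN is active is the case to alert on or to refuse.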
News URL
https://go.theregister.com/feed/www.theregister.com/2024/05/07/vpn_tunnelvision_dhcp/