From the article.
Requirements for decloaking VPN traffic
- The targeted host must accept a DHCP lease from the attacker-controlled server
- The targeted hostâs DHCP client must implement DHCP option 121
We want to stress that there are ways an attacker who is on the same network as a targeted user might be able to become their DHCP server:
For a normal home, this seems pretty unlimely given that an attacker would have already breached your network.
Ill revise my opinion, this could be used in internet cafe, airport wifi, restaurants and other oublic wifi where you donât control the network. This might be a little more bad that I initially thought.
I hope that the people finding these issue can stoo coming woth stupid attack names. This is basic network operation, but with a small tweak that defeat a vpn on the side, not a heavy critical and deep vulnerability issue.
There is another explanation of the attack.
This is a serious problem. While it is true that this sort of attack doesnât actually compromise the VPN per se, it does compromise the router/gateway/DHCP server the device is connected to.
While this isnât a problem if you are on your own home network, this is a pretty damn major issue if you connect to public WiFi or are traveling. As the article states, the only way to mitigate is to connect via android or your bridged WiFi device. Even Linux is somewhat vulnerable.
VPN providers are either going to have to implement some sort of solution in-app with routing tables, or kernals/drivers are going to have to be updated to ignore option 121.
Does this impact connections to the Tor network too? I donât know enough about networkingâŚ
Rogue DHCP servers are not a new thing
Just yesterday I was debating if I should buy a used Windows laptop and drop Linux on it or buy a Pixel tablet and flash GrapheneOS.
Considering androids ignore option 121 that is a point in the tabletâs favour.
The issue seems to be solved on linux too though, well kinda sorta mostly solved
You may want to be aware of this. Especially relevant if you run your own VPN.
I still really hate that this got granted a CVE and a witty cool name, itâs a misconfiguration not a vulnerability 
But that aside, I think the pertinent information most people really need to know is that:
- if you use a VPN to âmake public wifi safeâ, you should probably only use Proton/other VPNs with killswitch or just not use public wifi
- if you use a VPN for creating a virtual private network to access network resources not normally available via the internet, this is not an issue
Edit: I should probably explain why I strongly believe this is a misconfiguration and not a vulnerability. Basically, the âvulnerabilityâ relies on a network not having sufficient protections against rogue DHCP servers (i.e., it is misconfigured). This is very easy to do with any network hardware that can drop unauthorised DHCPOffer packets, you just allowlist the real DHCP server and you literally cannot have a rogue server replying to devices on the network.
Misconfiguration well yeah but if thatâs what a default is that is is still a vulnerability imho. I understand where you are coming from tho. Technically you should have good TSCM (technical state compliance monitoring) but when a specific version of a piece of software has some weakness that can still be classified as vulnerability which needs to be patched with an update. Essentially all vulnerabilities in a way are misconfigurations.
Might also be a good time to mention again that the Killswitch of proton is still pretty broken on Macs with a T2 Security chip (Kill switch issue on Intel-based macOS devices - Proton VPN Support)
So, are the firewall rules mentioned in Mullvad and Protonâs blogs implemented by default or is it the same as Kill Switch feature?
Curious about how ProtonVPN implements their firewall rules for iOS. Not used their service before. Can anyone share any insight?
According to IVPN which uses TunnelKit (afaik), the issue canât be mitigated on iOS. Perhaps @viktorivpn can comment?
Mullvad still uses wireguard-go for their iOS app, which is incompatible with some of the flags available via Appleâs APIs, so thatâs understandable. Theyâve been working on replacing wireguard-go for some time (ever since the TunnelCrack vulnerability) according to their blog, but theyâre not there yet.
We concluded that the key question is whether the mitigation method âincludeAllNetworksâ used for iOS firewall is sufficient to prevent this attack. Based on our first tests using âincludeAllNetworksâ does not block DHCP traffic on a local network, and this assertion is backed up by relevant Apple documentation:
If thatâs the case, even though we use this property on iOS, itâs not effective against TunnelVision.
Proton claims âincludeAllNetworksâ, resolves this issue. Mullvad (last time I heard about this from them, might not be up to date) does not utilise it yet.
Note/caveat: doing a full replication of the attack is in our backlog, only after that we can verify that our hypothesis is correct.
Based on the above we decided for now to suggest to customers that our iOS app is potentially affected by TunnelVision.
Canât even use a VPN safely on iOS, lol. So much for a âprivacy-respectingâ OS developed by a âprivacy-respectingâ corporation.
Appreciate the transparency, please post updates!
More like network admins suck, and iOS doesnât protect you from headass incompetent network admins 
Apple is just incompetent. You should be protected, no matter if the network administrators suck or have just done something to be malicious.