TunnelVision - How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak

I would think this is more likely to arise from a malicious network admin than a misconfigured network or rogue DHCP server.


At what point does it stop being Apple/Microsoft/Linux Distro Dev/dev who fully implemented all DHCP options’ problem and start being the end user’s problem for using an untrusted network though? I still stand by my assessment that this should never have gotten a CVE assigned, because in any practical, real deployment you should have protection against rogue DHCP servers and VPN providers should get reamed for false advertising

There is a lot of misinformation about this whole thing unfortunately.

One the one hand, you have VPNs that claim they protect you which you see here they cannot always do. That btw to me is an actual vulnerability in the OS.

On the other hand, there are a lot of self claimed security experts that deny the wide existence of WiFi based attacks. They claim one should not have to worry being hacked when using public WiFi because of TLS (or https as they call it).

In my eyes both are wrong.


Personally, TunnelVision vulernability is kind of shocking to me (I admit me being naive and ignorant), as I always assumed PC with VPN (killswitch enabled) , firewall enabled and with only essentail software installed should be quite sufficient, turns out these “defenses” could be bypassed effortlessly.

I think it somehow demonstrates (again) the inherited risks of OSes like windows and Linux (not sure about Mac) that designed with compatibility / flexibility / configurability in mind.

Sure the OS vulnerabilities should be fixed, but I think the root cause is the internet standards failed to keep up with the risks? By the way, is DHCP option 121 essential at all?

Again I am just an average user so I think I could and would be wrong here.

Not an OS vulnerability, a network infrastructure misconfiguration.

Yes, it’s useful for some routing use-cases.

The risk here being, people want to be able to use untrusted networks safely. I will say, DHCP could be updated to include some sort of authentication (maybe preshared certs? or TOFU?) but it still wouldn’t solve all the random “free wifi” shit floating around that wouldn’t get updated if DHCP was upgraded in that way, the ancient networking gear would stick around.

Which, a) is so depressing, but b) keeps me in a job. So we take those I guess

Just curious, so you think it is an expected behaviour if the router is configured that way?

This is the main benefit VPNs advertise themselves to have, so I feel like it is understandable that a user would expect using a VPN would allow them to do so.


Be honest, in some countries, even cell networks are not safe as operators work with Government to crackdown civil societies and really cant be treated as “trusted networks”.

Same thing goes to all networks that the user has no full control over, even friends’ home or workplace, not saying they are malicious, but the routers might not be “properly configured”, sometimes even the router admin credential were remain default and might be compromised (happened to my friend once), or the ISP / router manufecturer can simply push bad updates to your router and “MISCONFIGURE” your network.

If tunnelvision is being treated as merely a misconfiguration, then I think the most reasonable thing to do to “avoid” “misconfigurations” is to use devices where the system ignores option121.

I know it sounds dramatic but there are places on earth where people (just ordinary people but with opinions) really cant take that risk.

I wish we could just consider all DHCP options to be a gigantic vulnerability, outside of simply providing IP addresses. Why the fuck would I want anyone to be able to remotely configure any of these things on my device in any context?


Enterprises should use an MDM to configure this stuff on their devices, and there aren’t any non-enterprise scenarios where this would be useful…

Well there are quite some useful parts.

NTP, DNS, bootfile size, tcp and arp ttl params… etc

NTPP is also in the list which is also a protocol used to exchange status updates and commands, important for failover systems to name something.


might be fun to share, I am retesting this kill switch feature on an intel based mac and so far no issues. Perhaps it has been silently fixed? Will report back should I find issues again.

1 Like

Notably, there are no enterprises where BYOD devices are used widely, such as educational institutions. Clearly they should MDM student devices that do not belong to the organisation : D

And in many countries you can have incompetent cellular network operators who don’t bother to validate BGP configurations and take down their entire network for 12 hours. So yeah I would agree that cellular networks should absolutely be trusted less if not untrusted, generally.


Eh, not quite the same. And besides, you probably should not be using a personal device for personal things at work on or your work network. If you’re in the camp of “you can’t trust your workplace ever!” then you might enjoy “Das Kapital” by old man Marx and the concept of “worker-owned companies”

Right, which is why you also said that networks where you’re not in control of the network (and I will add, where someone you trust is not in control of the network) are untrusted – no one who seriously cares about privacy and security would be using an ISP router, that’s extremely silly because at best you’ll get barely any updates and at worst, actively malicious updates.

Yes, which is dodgy marketing.

1 Like

Thank you very much for the elaboration, I shall dig
(And mor importantly, read to learn more) deeper and try to find out what should be done.

That is not true as at times the better privacy option is more money up front which many of us can not afford. Having a router from the ISP tends to be very cheap monthly, but buying one with the same capabilities? It would cost me 25x the cost of one month, roughly.

Because of that many of us that are in fact serious about security and privacy are left with using what we are able to use, even if it potentially lowers privacy/security.

Plus what you said here in a few countries (EU, Canada, Usa, Etc) could happen would have blowback and has at this time to my knowledge never been done in such a way.

Please correct me if I am wrong and ISPs have updated routers they rent out on purpose for malicious actions that were ordered by a governmental office.

I’m only familiar with the Australian context, but as far as I’m aware there is no evidence of active malicious updates, only incompetence such as the previously mentioned BGP route fuckery.

Yeah, which is not a great state of affairs. I’ll soften my comment to “Anyone who cares about privacy and security would not be using an ISP route by choice”, since, as you said, it’s expensive in a lot of places to get decent networking gear.

Fingerprinting VPNs with Custom Router Firmware

Not related to TunnelVision

Useful to spell out the concept to people, though this has already been possible with enterprise firewalls for a long time, as anyone who’s seen logs from them with nicely labelled application categories can attest lol