Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

  • @Deckweiss
    link
    24
    edit-2
    7 months ago

    Use a killswitch then… no vpn, no internet

    • @reflectedodds
      link
      397 months ago

      In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.

      This is the only place they mention kill switch. I feel like it needs a slight clarification on whether it was enabled and didn’t work, or if was just disabled and therefore not “engaged”.

    • @[email protected]
      link
      fedilink
      127 months ago

      As I understood it, VPNs don’t work in this threat model because it’s essentially routing traffic through a compromised router before it ever reaches the VPN, so the VPN acts normally but there’s a snooper before you ever connect to it

      • @Deckweiss
        link
        4
        edit-2
        7 months ago

        Huh? I thought the whole point of a VPN is to encrypt all traffic between my PC and the VPN server. Please be so kind and educate me on anything I have a misconception of:

        For example, I use Safing Portmaster and I have set it up in a way where all the packets have to go through their VPN and if they don’t, they get dropped before they leave my PC.

        Before that I was running openvpn with a killswitch, which I thought besically did the same, it had a tunnel to the VPN server and if it is down, no packet leaves the PC.

        Is that not how VPNs normally work?

        • @[email protected]
          link
          fedilink
          3
          edit-2
          7 months ago

          I have set it up in a way where all the packets have to go through their VPN and if they don’t, they get dropped before they leave my PC.

          That is the function of a firewall and not of the VPN. As I understand portmaster it does both. But that is not normal VPN behavior.

          VPNs are not magic. They are a piece of software that encrypt traffic and send it to a special server. They do that by creating a virtual Internet connection (think like pluging in an additional Ethernet cable or connection to an addition WiFi at the same time). Everything that is sent through the virtual connection is encrypted. Your system now has (at least) two valid Internet connections (one real and one virtual). For every packet it sends it needs to decide which connection it should send it from. This is decided by something called the routing table. When you start the VPN it will put two routes into the table.

          • traffic going to the VPN server goes through the real connection (so the encrypted VPN traffic is routed correctly)
          • everything else goes through the virtual connection (the VPN tunnel where it gets encrypted)

          The attack described is a way how a network router can add a new route into your devices routing table to basically override the second route from the VPN. The route is still there, there just is another one that has a higher priority.

          A VPN is not the ultimate authority over your network traffic. It is just another program sending and recieving taffic.

          • @Deckweiss
            link
            17 months ago

            Thanks for the detailed explanation. I think I get it now!

            I did look into it with ip route show when using nothing vs portmaster vs openvpn and it is just like you said, when using openVPN it just creates additional routes with a higher priority, but the normal route is still open.

      • youmaynotknow
        link
        fedilink
        1
        edit-2
        7 months ago

        I’m not saying it could not happen, but when you use VPN, the local network equipment does not determine protocols, the VPN infrastructure and it’s configuration in the device do. Any local connection, including the internet gateway, just serve as the road for those packets to go out or come in.

        If anyone thinks I’m wrong, please let me know, I’m not 100% certain this is the case, but it is my understanding of how VPNs work.

        • @[email protected]
          link
          fedilink
          8
          edit-2
          7 months ago

          You aren’t wrong, per se, I think you just don’t fully grasp the attack vector. This is related to DHCP option 121, which allows routes to be fed to the client when issuing the ip address required for VPN connectivity. Using this option, they can send you a preferred default route as part of the DHCP response that causes the client to route traffic out of the tunnel without them knowing.

          E. It would likely only be select traffic routing out of the tunnel. I could, for example, send you routes so that all traffic destined for Chase Bank ip addresses comes back to me instead of traversing the tunnel. Much harder to detect.

          • youmaynotknow
            link
            fedilink
            17 months ago

            Oh crap! That’s concerning as hell. I’m going to try that in my PFSense and test it with ProtonVPN, Tailscale, Wireguard to my UnRaid and NordVPN. See if maybe any of them have a way of hardening that, or at least completely dropping the packages if not.

            If no VPN can be hardened for this, is there a chance that Tor or I2P can be used to avoid it instead?

            Thank you very much for such a wakeup call.

    • @[email protected]
      link
      fedilink
      English
      47 months ago

      This won’t mitigate this specific attack, however running your VPN as a full tunnel will.

      • @[email protected]
        link
        fedilink
        17 months ago

        Full tunnel would not mitigate this attack because smaller routes are preferred over larger ones. So, sure, 0.0.0.0/0 is routed over the tunnel, but a route for 8.8.8.8/32 pointing to somewhere layer2 adjacent, pushed via DHCP option 121, would supercede that due to being more specific.

        • @[email protected]
          link
          fedilink
          English
          17 months ago

          Full tunnel using routing wouldn’t work but many full tunnel implementations use a shim where once the Tunnel is connected, the system route table isn’t referenced anymore, so you can put as many static routes etc as you want, but all traffic will hit the VPN interface before routing is done. For example Cisco any connect removes route look-up from the TCP/IP stack of the local system.