All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
A rogue DHCP server within your network can and will hijack your VPN traffic
This DHCP server may be your thermostat, smart TV, access point, dildo, and such. From Bing Chat:
A malicious DHCP server can set routing rules on a DHCP client computer that hijack packets generated locally by the client machine which are destined to the VPN, and redirect them toward another destination. This is possible by using the DHCP option 121, which allows the DHCP server to specify classless static routes for the client. The DHCP server can send a route for the VPN network that points to a different gateway than the VPN server, or to a non-existent gateway, effectively hijacking or dropping the VPN packets.
For example, if the VPN network is 10.8.1.0/24 and the VPN server is 10.8.1.1, the DHCP server can send a route like this:
10.8.1.0/24 via 192.168.1.100
This will cause the client to send the packets destined to the VPN network through the gateway 192.168.1.100, which may be a malicious system controlled by the attacker, instead of the VPN server 10.8.1.1. The attacker can then intercept, modify, or drop the packets, depending on their goal.
If such packets are hijacked by malicious routing rules set by the rogue DHCP server, they are never encrypted because they don’t reach the VPN interface. The VPN interface only encrypts the packets that are routed through it, not the packets that are routed to it. Therefore, the packets that are destined to the VPN network but are redirected by the DHCP server are sent in plain text over the network, exposing the data and the credentials of the VPN client.
To prevent this attack, the DHCP client should verify the DHCP options before accepting them, and reject any routes that are not consistent with the VPN configuration. The DHCP client should also use encryption and authentication for the VPN connection, and use certificates or pre-shared keys to verify the identity of the VPN server. The DHCP client can also use tools like
ip route
orroute
to check the routing table of the computer and make sure it is correct.
Comments
I googled for an hour around this issue but I cannot find much about it. It seems that most don't care.
The simplest solution is to
apt-get purge
the DHCP client and go static. Mr Bing also suggests to have something like this in/etc/ dhcp/ dhclient-exit-hooks.d/
as a compromise:That's true, importance of the network security is underestimated.
Among these options I would go with second because it scales better - all modern VPN solution I am aware of are already doing server authentication, OpenVPN and Wireguard are doing client authentication as well with optional PSK available, so I don't see any reason to use dhclient hooks.
@tentor Bing gets confused sometimes; mutual authentication in VPN's is ubiquitous. It is the processes that send data thru the VPN that are at risk, as the packets they send to the VPN don't reach the VPN and pass thru a MITM unencrypted.
Read about these security mechanisms: DHCP Snooping, Dynamic ARP Inspection and IP Source Guard. Sure, you can configure everything statically, but as your infrastructure grow (or smart teapots dynamically allocated in your apartments) it becomes exponentially harder.
Oh, my bad. I thought kill-switches exist to fight unexpected routing table changes similar to the scenario of this attack.
In home environments? I think most home/office folks using a VPN for its alleged security are 100% exposed to smart devices in their home, and to whomever controls them via arbitrary remote software updates, to potentially being hijacked away from the VPN.
BOOM I dropped the bomb. Argument won m8
(Un)fortunately, I am unaware of consumer grade network equipment enough to participate in this discussion. At my home I have router with OpenWRT installed. I use few VLANs to isolate untrusted devices from hardened ones.
Logic checks out m8
"Vulnerability" in question is called TunnelCrack.
You can learn more on: https://tunnelcrack.mathyvanhoef.com/
And a response from my VPN providers of choice:
https://mullvad.net/en/blog/2023/8/9/response-to-tunnelcrack-vulnerability-disclosure/
https://www.ivpn.net/blog/ivpn-tunnelcrack-vulnerability-assessment/
I have VPN client in the home router: 192.168.121.0/24 goes to the VPN server.
Rogue devices can reach this prefix too but they will just find downloads from pubic tracker.
A firewall that selectively blocks outbond packets to protect from hijacking seems like a pain to set up if
/etc /hosts
is a large and non-contiguous beast. And/etc /nftables.conf
would have to redefine part of the same entries. The solutions linked above for Mullvad and Ivpn both unconditionally block all outbond packets with destination to public addresses.What are common solutions to unify the management of
/etc /hosts
and/etc /nftables.conf
(and possibly of other config files where the same network resources need to be redefined)?That's to spoof traffic shaping I imagine. I do the same with an ssh socks5. But mine works like shit because socks5 is poorly supported by torrent clients.
Damn, damn that Wifi Dildo.......
On Tor they probably sell wifi dildo passwords by the million. A pain in the ass indeed.