The new TunnelVision technique can bypass VPN encapsulation.
The VPN bypass technique known as TunnelVision is a new method that lets an attacker eavesdrop on user traffic while sidestepping the encryption a VPN normally provides. Researchers at Leviathan Security recently described the attack, which uses built-in capabilities of DHCP (Dynamic Host Configuration Protocol) to steer user traffic out of the VPN tunnel, where it can be intercepted.
Under this technique, some of the user's packets never enter the tunnel and are therefore never encrypted by the VPN, leaving their contents accessible to the attacker. The researchers call this "decloaking". During the attack the VPN control channel stays up and the user still appears to be connected to the VPN, which makes the attack hard to notice.
TunnelVision manipulates the routing table entries that send network traffic through the VPN tunnel. The technique exploits a weakness tracked as CVE-2024-3661, a design flaw in DHCP: DHCP messages, including the classless static route option (option 121), are not authenticated and can be forged by an attacker. Option 121 lets an administrator add static routes with non-classful prefixes to a client's routing table, and the only limit on how many routes can be pushed at once is the size of the DHCP packet.
An attacker who can send DHCP messages can therefore install routes that redirect traffic meant for the VPN, giving them the opportunity to intercept, interfere with, or even manipulate it. An attacker on the local network can use this to push traffic onto the local network instead of the VPN tunnel.
Malicious actors will only be able to send traffic bypassing the VPN if the target machine accepts a DHCP lease from a server controlled by the attacker, and the DHCP client on the target machine supports option 121.
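The following Python is an added illustration for this page, not code from the Leviathan report or from the article: it decodes an RFC 3442 option 121 payload into (destination, router) pairs and then flags the pushed routes that can win the longest-prefix match against the tunnel's routes, which is exactly what moves traffic out of the VPN. The tunnel route pair 0.0.0.0/1 and 128.0.0.0/1 is an assumption about a typical full-tunnel client (many clients install that pair to beat the default route), the local LAN prefix is an assumption, and the option 121 payload is constructed for the example.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag the
routes that would pull traffic away from a VPN tunnel interface.

Added example; assumptions: the VPN client installs 0.0.0.0/1 and
128.0.0.0/1 over its tunnel interface, and the LAN prefix is known.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: ipaddress.IPv4Network
    router: ipaddress.IPv4Address


def parse_option_121(payload: bytes) -> List[StaticRoute]:
    """Parse the RFC 3442 wire format: for each route, one byte of prefix
    length, then only the significant octets of the destination (as many
    as the prefix needs), then four octets of router address."""
    routes: List[StaticRoute] = []
    i = 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        significant = (prefix_len + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        # Zero-pad the destination back to four octets before decoding.
        dest_int = int.from_bytes(payload[i:i + significant] + bytes(4 - significant), "big")
        i += significant
        router = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        dest = ipaddress.IPv4Network((dest_int, prefix_len), strict=False)
        routes.append(StaticRoute(dest, router))
    return routes


# Assumption: routes a typical full-tunnel VPN client installs over its tun
# interface. Both are /1, so they beat the physical interface's /0 default.
VPN_TUNNEL_ROUTES = [ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")]


def flag_decloaking_routes(routes: List[StaticRoute],
                           tunnel_routes: List[ipaddress.IPv4Network] = VPN_TUNNEL_ROUTES,
                           local_lan: Optional[ipaddress.IPv4Network] = None) -> List[StaticRoute]:
    """Return the pushed routes that can take traffic off the tunnel.

    A pushed route wins the longest-prefix match whenever it overlaps a
    tunnel route and is at least as specific. Equal prefix lengths are
    decided by metric, which the attacker cannot rely on, but they are
    still flagged because the outcome depends on the client's configuration.
    Routes that lie inside the local LAN are expected and are skipped.
    """
    flagged: List[StaticRoute] = []
    for route in routes:
        if local_lan is not None and route.destination.subnet_of(local_lan):
            continue
        for tunnel in tunnel_routes:
            if route.destination.overlaps(tunnel) and route.destination.prefixlen >= tunnel.prefixlen:
                flagged.append(route)
                break
    return flagged


def audit(payload: bytes, local_lan: str) -> List[str]:
    """Convenience wrapper: decode a payload and describe the flagged routes."""
    flagged = flag_decloaking_routes(parse_option_121(payload), local_lan=ipaddress.ip_network(local_lan))
    return [f"{r.destination} via {r.router}" for r in flagged]


# Constructed sample payload (not captured from any real network):
SAMPLE_OPTION_121 = bytes.fromhex(
    "00" "c0a80101"              # 0.0.0.0/0 via 192.168.1.1  (loses to the /1 tunnel routes)
    "01" "00" "c0a801fe"         # 0.0.0.0/1 via 192.168.1.254 (ties the tunnel route: flagged)
    "19" "c0a80180" "c0a80101"   # 192.168.1.128/25 via 192.168.1.1 (inside the LAN: expected)
    "18" "cb0071" "c0a801fe"     # 203.0.113.0/24 via 192.168.1.254 (more specific: flagged)
)

if __name__ == "__main__":
    for route in parse_option_121(SAMPLE_OPTION_121):
        print(f"pushed: {route.destination} via {route.router}")
    for line in audit(SAMPLE_OPTION_121, "192.168.1.0/24"):
        print(f"would bypass the tunnel: {line}")
```

The same check can be run from a DHCP client hook or a packet capture on the physical interface: any option 121 route that is not inside the LAN and is at least as specific as the tunnel routes deserves a look, because the default route a DHCP server legitimately hands out is never specific enough to win.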
The researchers also describe their experiments: they built a rogue DHCP server that answered DHCPDISCOVER requests on the local network, and reported that this let them intercept traffic by routing it through a gateway they controlled. Once traffic reached that gateway, forwarding rules passed it on to the legitimate gateway while recording it along the way.
The researchers further noted that the victim does not notice that traffic is leaving the tunnel during the attack, and that the weakness is not tied to any particular VPN vendor or implementation. TunnelVision proves effective against most VPN systems that rely on IP routing.
According to the researchers, this weakness may have existed in DHCP since 2002, when option 121 was introduced, so it is possible that the method has already been found and used by attackers in practice. To reduce the risk, VPN providers can use network namespaces on operating systems that support them, isolating the VPN's interfaces and routing tables from anything the local network can configure.
The researchers also suggested additional protective measures, such as:
- firewall rules that only allow traffic to leave through the VPN interface,
- having the DHCP client ignore option 121,
- using a Wi-Fi hotspot of your own or a virtual machine,
- avoiding untrusted networks.
At the end of their report, the researchers described the difficulty of testing a large number of VPNs. They initially tried to notify vendors through bug bounty programs, but found that approach ineffective.
The team also worked with organizations such as the EFF and CISA to spread word of the issue before publishing their findings. The report concludes: "We express our immense gratitude to everyone who helped us with this matter." The researchers published a video demonstrating a proof-of-concept (PoC) attack that shows how TunnelVision works in practice.