A new attack was published, named TunnelVision, explaining how to snoop all the unencrypted VPN traffic through a local system.

In summary, the attack make the local DHCP server auto configuring workstations network to send a gateway address that is similar to the one used by the VPN but with a higher priority, so the operating system will send its VPN traffic to that address instead of the VPN server.

This attack is not discrete, it could be easily spotted in the network settings.

https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/

#Android seems unaffected.

#QubesOS is immune as long as you do not establish a VPN in the qube connected to the real world network (by defaut it's either sys-net or sys-firewall).

=> https://qubes-os.org

#OpenBSD is certainly affected as DHCP option 121 allowing that trick is implemented into dhcpleased (the dhcp client).
However, using a different rdomain for the VPN should prevent any kind of snooping. I wrote a guide explaining how to use WireGuard tunnels on different rdomains https://dataswamp.org/~solene/2021-10-09-openbsd-wireguard-exit.html

=> https://www.openbsd.org

Linux users using WireGuard can configure namespaces as a protection: (thanks @zgou for the link)

=> https://www.wireguard.com/netns/

Tor users do not have to worry, this does not affect Tor at all (it works at a different layer in the network). However, in case you use Tor over VPN, this could potentially leak the fact that you use Tor, but Tor data is still encrypted.

#infosec #opsec #cybersecurity