Identifying a technique that bypasses VPNs to eavesdrop on internet traffic

May 11, 2024

Researchers at Leviathan Security have discovered a technique that gives access to a VPN user's traffic without compromising the tunnel's encryption. By using DHCP, traffic can be forwarded outside the VPN, where the user's activity can be monitored. VPNs are known for providing a secure and private connection to the Internet by encrypting traffic and concealing user identities. However, vulnerabilities exist, as highlighted by Leviathan Security’s research on bypassing VPN encapsulation.

The technique, named TunnelVision, uses a modified DHCP server on the same network as the target VPN user to act as a gateway. This gateway forwards traffic outside the VPN tunnel, allowing for spying on the user’s activity. Although the technique is not classified as a true vulnerability, the researchers stress that VPNs do not protect against LAN attacks on the physical network, and that promoting such capabilities can be risky.

The approach relies on DHCP option 121, which lets a DHCP server supply static routes that clients install in their routing tables. As a result, Windows, Linux, iOS, and macOS are susceptible to this technique because they support option 121. Android, however, is not affected, as it does not support the option. Leviathan Security emphasizes the importance of understanding the limitations of VPNs and the potential risks associated with network vulnerabilities.
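To check what a lease actually delivered, the following added example (not from the original article or from Leviathan Security) decodes an option 121 payload in the RFC 3442 wire format and flags non-default routes that reach beyond private address space, since by longest-prefix matching such routes are preferred over a VPN's default route. The `LOCAL_RANGES` list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

# Ranges treated as plausibly local by this heuristic (an assumption of the example).
LOCAL_RANGES = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_option_121(data: bytes):
    """Decode an option 121 payload (RFC 3442) into (destination, router) pairs.

    Each entry is: 1 byte prefix length, ceil(prefix/8) destination octets,
    then a 4-byte router address.
    """
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                      # significant destination octets
        end = i + 1 + n + 4
        if end > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        # Pad the destination back to 4 octets before building the network.
        dest = int.from_bytes(data[i + 1:i + 1 + n] + bytes(4 - n), "big")
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        router = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((net, router))
        i = end
    return routes

def flag_routes(routes):
    """Return non-default routes that are not contained in LOCAL_RANGES.

    A plain default route (/0) from DHCP is normal; anything more specific that
    covers public address space outranks a VPN default route and needs review.
    """
    return [(net, gw) for net, gw in routes
            if net.prefixlen > 0 and not any(net.subnet_of(r) for r in LOCAL_RANGES)]

# Constructed sample payload: 0.0.0.0/1 and 128.0.0.0/1 via 192.168.1.1,
# 10.20.0.0/16 via 192.168.1.254, and a default route via 192.168.1.1.
SAMPLE = bytes.fromhex("0100c0a80101" "0180c0a80101" "100a14c0a801fe" "00c0a80101")

if __name__ == "__main__":
    for net, gw in flag_routes(parse_option_121(SAMPLE)):
        print(f"review: DHCP pushed {net} via {gw}")
```

The payload bytes can be taken from a packet capture of the DHCP ACK or from the client's lease record; routes into private ranges can still matter on networks where the VPN carries internal traffic, so the heuristic is a starting point rather than a verdict.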
