New TunnelVision Attack Explained (May 2024)

​@@robyee3325 At the ISP I used work for, we used Option 121 to provide the routes for the Microsoft Mediaroom (IPTV) servers b/c the STB's were all behind the one gateway/router that also provided WiFi and internet. The home modem/router would get a private IP for the video connection (on one VLAN or VPI/VCI) and also an IPv4 public address for regular internet (on another VLAN or VPI/VCI). This was the recommended way by Microsoft and the integrators and is how many ISP's deployed it back in the day (2011-2016). I would assume they are still doing it the same way today for the Mediaroom IPTV solution (whomever owns it now).

lawrence.video/diagrams

@@LAWRENCESYSTEMS awesome, hadn't thought of searching through the vids, thanks!

It's funny that people that use gl-inet hardware are often tinfoil hats. Until recently gl-inet had a Seattle based address that was a USPS PO Box. Now they have a Fairfax, VA based address that looks like a virtual office.

I’m not making any assumptions on what anyone’s views or reasons are for using them. I think there are plenty of valid reasons that have nothing to do with VPNs, security or privacy. I have noticed the same thing with those routers and several other popular brands. That’s exactly why I think it’s a good idea to re-image them with the latest OSS version. It’s not hard, but it’s not user friendly, either. It took me about five tries before I figured out the radio configuration that worked, and even then, the default menus bury important settings. The average user would give up and just reinstall the regular firmware on it, if they didn’t give up and trash the thing to begin with. A solid tutorial for the masses would be a huge service to the masses. Tom’s perspective on it would generate a lot of acceptance, in my opinion.

In the context of this video, the travel router has to do nothing more than be a NAT device between your personal device and the public wi-fi. The "setup" is as simple as connecting your device to your travel router and connecting the travel router to the public wi-fi.

I'm sure DHCP client updates are forthcoming.

An intern I'm sure

lawrence.video/diagrams

I do my own diagrams and my own stunts!

@@LAWRENCESYSTEMS LOL, fair

Running the VPN on a travel router would make it vulnerable to this attack provided the travel router supported that DHCP option

@@LAWRENCESYSTEMS got it, but you mentioned "if you're doing it right" ... Outside of this "attack" , is it generally a bad idea I guess is my question?

Thank you for the video!

@@Emerald13 Outside of this attack it should be fine to use a VPN on a travel router.

ICMP Redirect. Most systems ignore this now. It is too easy to forge.

Trust me, this was reported to VPN vendors before. They just don't consider this to ´fit their model´

@@JLT9150 I would generally agree with them. Similar to Tom, my first reaction was that everything is working as intended. But upon further reflection, I can understand how this might be surprising behavior to someone less accustomed to thinking about routing tables.
I'd say it's more in scope for an endpoint security tool to monitor and warn about weird DHCP routes than a VPN client.

Because DHCP adding routes is a feature.

@@LAWRENCESYSTEMS VPN configuration can specify what traffic/destinations/sources it encapsulates. Failure to encapsulate the correct traffic is a vpn configuration problem.

Why would you advertise routes via DHCP?

@@LAWRENCESYSTEMS 1. routes are needed; 2. options: static config on each client, routing protocol, or DHCP; 3. everything does DHCP with no added effort; 4. DHCP puts the config in one place and works for most clients of concern (not the tplink smart gadgets).
The reason routes are needed is because I run multiple subnets with a DMZ, with the sensitive subnets behind another firewall+router. And these days almost nothing respects ICMP Redirect. That worked fine in the 1990s and early 2000s, but "security."
'net connections to primary router with subnets: DMZ, VOIP, smart gadgets, guest wifi, test
On the DMZ: home router, work router. Behind each of those are multiple subnets. Work typically has had multiple routers for development and test, because since 2008 I was doing router and security appliance firmware.

Not really an issue there.

Yes because everyone is to be expected to statically assign IP's to their own devices every time they connect to the VPN. What a genius solution. Can't wait to see the faces of the users at a company where an IT person tries to explain this process they have to do every time they connect on the VPN.

Shows only you understand very little.

The point is that it overrides routes and sends the traffic out over the internet instead of over your VPN.

You didn’t understand correctly as your underpinning knowledge is insufficient.

DNS servers are not routes, so no. Simply put, a routing table tells the system how some traffic should flow, DNS servers answer queries about IP-addresses, but has nothing to do with setting up the routing table.

Subnet separation/isolation. The public wi-fi dhcp server doesn't issue any configuration to the clients behind the travel router. You run the VPN on your device as before, not the travel router.

Nope, that was their usual bungling of updates.