• PowerCrazy@lemmy.ml · 22 up, 1 down · 7 months ago

    Any VPN solution that uses a TCP/IP shim in full-tunnel mode will ignore option 121 or any other routing options (static routes, etc.). Most corporate VPNs like GlobalProtect/Cisco AnyConnect, Appgate, etc. will enforce full tunnel. Any user who is using a VPN for privacy reasons should also use a full tunnel, especially when connecting to untrusted networks.

    • floofloof@lemmy.ca (OP) · 3 up · edited · 7 months ago

      I dunno, tunnel vision is when you can’t see outside the tunnel. The problem is you apparently can.

      Edit: Oh, do they mean you can see into the tunnel? That sort of makes more sense.

    • chicken@lemmy.dbzer0.com · 7 up · 7 months ago

      Not quite what the article says:

      When apps run on Linux there’s a setting that minimizes the effects, but even then TunnelVision can be used to exploit a side channel that can be used to de-anonymize destination traffic and perform targeted denial-of-service attacks. Network firewalls can also be configured to deny inbound and outbound traffic to and from the physical interface. This remedy is problematic for two reasons: (1) a VPN user connecting to an untrusted network has no ability to control the firewall and (2) it opens the same side channel present with the Linux mitigation.

  • ulkesh@beehaw.org · 3 up · 7 months ago

    So basically don’t be stupid when on a network you don’t control. I mean I would think that would be common sense by now. Just because you’re on a VPN doesn’t mean that the local network doesn’t have some semblance of capabilities.

    And maybe I read it wrong, but perhaps don’t use DHCP on a network you don’t control. Wouldn’t that wholly mitigate this?

    I get that this is concerning for people who don’t know any better. But I don’t think it’s as devastating as the title makes it sound.
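Added example, not code from the thread or from the article it discusses: a small Python checker that decodes a DHCP option 121 (RFC 3442 classless static route) payload and flags the entries that are more specific than a full-tunnel VPN's routes, which is why the full-tunnel point and the "don't trust DHCP on a foreign network" question above both come down to which routes the host ends up with. The sample payload, the 192.168.1.1 gateway and the 203.0.113.5 "VPN server" address are constructed for the demo.

```python
import ipaddress
from typing import Iterable, List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_option_121(data: bytes) -> List[Route]:
    """Decode the RFC 3442 route list in DHCP option 121: per entry one
    prefix-length byte, ceil(prefix/8) significant destination bytes,
    then a 4-byte router address."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"bad prefix length {plen} at offset {i}")
        nbytes = (plen + 7) // 8
        if i + 1 + nbytes + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + nbytes].ljust(4, b"\x00")
        router = data[i + 1 + nbytes:i + 5 + nbytes]
        # strict=False: an entry with stray host bits is still decoded, not dropped
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(router)))
        i += 1 + nbytes + 4
    return routes


def routes_bypassing_tunnel(dhcp_routes: Iterable[Route],
                            tunnel_nets: Iterable[ipaddress.IPv4Network],
                            allow: Iterable[ipaddress.IPv4Network] = ()) -> List[Route]:
    """Return DHCP-pushed routes that are more specific than a tunnel route
    covering them: longest prefix wins, so that traffic leaves via the
    physical interface. `allow` skips expected entries such as the host
    route to the VPN server itself."""
    tunnel_nets, allowed, flagged = list(tunnel_nets), set(allow), []
    for net, gw in dhcp_routes:
        if net in allowed:
            continue
        if any(net.subnet_of(t) and net.prefixlen > t.prefixlen for t in tunnel_nets):
            flagged.append((net, gw))
    return flagged


# Constructed payload (not a capture): 8.8.8.0/24, a default route and a /32
# host route to 203.0.113.5 (stand-in for the VPN server), all via 192.168.1.1.
SAMPLE_OPTION_121 = bytes([24, 8, 8, 8, 192, 168, 1, 1,
                           0, 192, 168, 1, 1,
                           32, 203, 0, 113, 5, 192, 168, 1, 1])
# Typical full-tunnel client routes: two /1s that beat the plain default route.
TUNNEL_NETS = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]
VPN_SERVER_ROUTE = [ipaddress.IPv4Network("203.0.113.5/32")]

if __name__ == "__main__":
    for net, gw in routes_bypassing_tunnel(parse_option_121(SAMPLE_OPTION_121),
                                           TUNNEL_NETS, allow=VPN_SERVER_ROUTE):
        print(f"ALERT: DHCP route {net} via {gw} would bypass the VPN tunnel")
```

Run against the sample, only the 8.8.8.0/24 entry is reported: the default route is less specific than the tunnel's /1s and the server host route is on the allow list.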

  • WeirdGoesPro@lemmy.dbzer0.com · 3 up · 7 months ago

    How did nobody discover this sooner if it is a common network option? This seems like it should have been well known to professionals. Who dropped the ball?