Welcome to Incremental Social! Learn more about this project here!
Check out lemmyverse to find more communities to join from here!

xabadak

@xabadak@lemmings.world

This profile is from a federated server and may be incomplete. Browse more on the original instance.

addressing misconceptions about the recent TunnelVision vulnerability

I've been seeing a lot of confusion around the TunnelVision vulnerability. While I'm no expert, I've done a fair share of research and I'll edit this post with corrections if needed. The goal of this post is to answer the question: does this affect me?...

xabadak OP , (edited )

I added clarification that the HTTPS part is assuming that the attacker has already performed the DHCP attack. Thanks for the note!

The DHCP race is one part I didn't go into detail about since I'm not very familiar with the details, but what you wrote makes sense. One potential danger is a hacker at a coffee shop, where the shop owner is unlikely to be monitoring the network, and there are going to be many new connections coming in all the time. It's still an unlikely scenario, but it also isn't a particularly difficult attack.

xabadak OP ,

If exposing hostnames and IP addresses is dangerous

It's not necessarily dangerous, but it's a major privacy issue. Hiding your browsing history from other people (except for the VPN provider) is one of the main reasons why people get a commercial VPN in the first place. And this vulnerability mainly concerns those users.

xabadak OP ,

That sounds very cool, I've been interesting in network namespaces but it's hard to find information on how to use them. How did you do it?

xabadak OP ,

Yeah, you don't have to dig very deep to find out how insecure our networks are. Mac addresses can be spoofed, ports can be scanned, TCP numbers can be guessed, etc...

xabadak OP ,

Great write-up, I've been looking for something like this. I've heard of vopono and eznetns before but not namespaced-openvpn, and this is the first post I've seen where somebody details how they use a tool like this, so thanks! I'll have to try setting it up some time.

xabadak OP ,

So it's really that simple...I can see why there are security issues 😅

xabadak ,

From a privacy standpoint I don't think it would make a big difference over not using a VPN at all. It will take a bit of time but your new IP will become associated with your identity. From the perspective of Facebook and Google, it will just look like you moved and are living inside a datacenter now.

xabadak OP ,

Isn't gluetun for docker? Are there people running it on the host system?

xabadak OP ,

I'm no network security expert, so I mainly followed Mullvad VPN for my implementation. I looked at the nftables rules that official Mullvad linux client uses, and also their document here: https://github.com/mullvad/mullvadvpn-app/blob/main/docs/security.md.

Though if you have any alternatives for vanilla wireguard users like me, I'll gladly switch. I know somebody mentioned Gluetun but I thought that was for docker only. Do you know of any others?

xabadak OP , (edited )

How do you route all a host system's traffic through Gluetun? If you use routing tables, wouldn't it similarly be affected by TunnelVision? In which case you would still need a firewall on the host...

Also, the host system likely makes network requests right after boot, before a Gluetun container has time to start. How do you make sure those don't leak?

I am curious though, how you were able to route all host traffic through Gluetun. I know it can be used as a http/socks proxy, but I only know of ways to configure your browser to use that. What about other applications and system-level services? What about other kinds of traffic, like ssh?

xabadak OP ,

Yeah, it does come down to threat model and preference. If you only need to route specific apps, Gluetun sounds like a great solution.

xabadak OP ,

No offense taken, on the contrary thanks for the constructive criticism! I'll add some more details to my repo to make things more clear.

xabadak ,

I saw that but unfortunately it doesn't detail how to set it up persistently on every boot. And I also haven't seen anybody using this method, probably because of the lack of tooling around it. For example afaik the official Mullvad client on linux just uses a firewall.

xabadak ,

Do you know how to make it so all the host's traffic is sent through the VPN namespace? I couldn't figure out how to do this so I ended up just writing my own firewall. Network namespaces seems like a better solution.

xabadak ,

It all depends on how much you trust the devices on your LAN. So your ISP can't do anything unless they own and control your router, since that is on your LAN. So one concern might be if you connect your PC to coffee shop wifi, since all other devices in the shop are on the same LAN, not to mention the coffee shop owns the wifi router and can also perform the attack. Another concern might be if a family member in your house has a device that got hacked, then all devices in your house are vulnerable.

xabadak ,

No worries, and thanks for providing a response nonetheless. I'll look into your suggestion when I have the time. The official Wireguard website also had some guide on network namespaces here but afaik it didn't explain how to set it up persistently

  • All
  • Subscribed
  • Moderated
  • Favorites
  • incremental_games
  • meta
  • All magazines
    •