Jump to content

Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables


Recommended Posts

Hello Staffers:

Worth a read?





Virtual Private Networks (VPNs) authenticate and encrypt
network traffic to protect users’ security and privacy, and are
used in professional and personal settings to defend against
malicious actors, to circumvent censorship, remotely work from
home, etc. It is therefore essential that VPNs are secure.
In this paper, we present two novel attacks that cause VPN
clients to leak traffic outside the protected VPN tunnel. The
root cause of both attacks is a widespread design flaw in how
clients configure the Operating System (OS) to route all traffic
through the VPN tunnel. This is typically done by updating
the system’s IP routing tables such that all traffic will first pass
through the VPN client. However, some routing exceptions
are added to ensure the system keeps functioning properly,
namely that traffic to the local network, and to the VPN server
itself, is sent outside the VPN tunnel. We show that by setting
up a Wi-Fi access point or by spoofing DNS responses, an
adversary can manipulate these exceptions to make the victim
send arbitrary traffic in plaintext outside the VPN tunnel. We
confirm our findings in practice by conducting 248 experi-
ments against 67 of the most representative VPN providers
on Windows, macOS, iOS, Linux, and Android. Our experi-
mental results reveal that a significant number (126 and 39)
and proportion (64.6% and 73.6%) of free, paid, open-source,
corporate, and built-in VPN clients are vulnerable to (variants
of) our two attacks, respectively, suffering from leaky traffic.
We discuss countermeasures to mitigate the vulnerabilities
and confirm the effectiveness of selected defenses in practice.


Edited by 1PW
Link to post
Share on other sites

  • Root Admin

In regard to the discovered VPN vulnerabilities, you can mitigate the LocalNet attack by disabling "local network access" in your VPN client. Unfortunately, not all VPN clients offer such a feature.

Thank you for the post @1PW

I have always discouraged use of excluding applications from the tunnel or allowing Local Network sharing. I'll pass along the information though.


  • Thanks 1
Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.