this post was submitted on 09 May 2024
69 points (98.6% liked)

Linux

48287 readers
627 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won't need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I'm a noob and I couldn't find any scripts or tools to do it that way.

you are viewing a single comment's thread
view the rest of the comments
[–] LodeMike@lemmy.today 2 points 6 months ago* (last edited 6 months ago) (2 children)

~~The vulnerability doesn't work on Linux~~

[–] AnEilifintChorcra@sopuli.xyz 13 points 6 months ago (1 children)

Unfortunately Linux is affected https://github.com/leviathansecurity/TunnelVision

TunnelVision appears to work on any operating system that has a DHCP client that implements support for DHCP option 121. Most modern operating systems support this such as Linux, Windows, iOS and MacOS. Notably, Android does not appear to have support for option 121 and remains unaffected.

A fix is available on Linux when configuring the VPN users host to utilize network namespaces.

I read the Arstechnica article too where they say Linux isn't affected then link to the researchers video where they show Linux being affected...

[–] LodeMike@lemmy.today 1 points 6 months ago (1 children)

Oh. It doesn't work with WireGuard then. It probably works with garbage. Thank you.

[–] metiulekm@sh.itjust.works 10 points 6 months ago (1 children)

I am afraid you are still a bit misled; WireGuard is exactly what they use for the demo video. In general the underlying protocol does not matter, since the vulnerability is about telling the system to direct the packages to the attacker, completely bypassing the VPN.

[–] delirious_owl@discuss.online 2 points 6 months ago* (last edited 6 months ago) (1 children)

You're still right in 99% of all use cases.

Nobody operates VPNs for privacy in split tunnel. So everyone running Linux that would be concerned about this is unaffected.

[–] xabadak@lemmings.world 1 points 6 months ago (2 children)

I thought TunnelVision applies to all VPN users that don't use firewall / network namespaces

[–] delirious_owl@discuss.online 1 points 6 months ago (1 children)

It doesn't apply to Linux unless you do split tunnel, which no commercial VPN configs use, because it doesn't make sense to

[–] xabadak@lemmings.world 1 points 6 months ago

why is a split tunnel relevant? I thought all VPNs are vulnerable unless they use a firewall like I do, or network namespaces.

At least the way I understand it, a normal VPN redirects your internet traffic to instead go through a virtual network interface, which then encrypts and sends your traffic through the VPN. This attack uses a malicious DHCP server to inject routes into your system, redirecting traffic to the attacker instead of towards the virtual network interface.

[–] progandy@feddit.de 1 points 6 months ago* (last edited 6 months ago)

A separate routing table that takes precedence over the one modified by DHCP should works as well I think. Oh, and of course you have to use a vpn that forces its own nameserver or set one manually to prevent redirections.