Channel: Active questions tagged networking - Ask Ubuntu

VPN kill switch to mitigate Tunnelvision attack


You have all probably heard of the TunnelVision attack on VPNs. Basically, it is about this: an attacker on a rogue LAN abuses DHCP option 121 to set a route on the VPN user's system that is more specific than the routes used by most VPNs. By abusing this option, an attacker on the local network can set up routing rules that have a higher priority than the routes for the virtual network interface that the target's VPN creates, and can therefore eavesdrop on the target computer.

So what would be a solution?

One would be to ignore DHCP option 121, but probably much better would be to implement a "VPN kill switch": something that blocks all internet activity UNLESS it is going to the VPN server.

So here is my script. First you run this (only once):

MyVPN="xx.xx.xx.xx"
sudo ufw default deny incoming
sudo ufw default deny outgoing
# DNS, from every interface (a rule without "on <iface>" applies to all interfaces):
sudo ufw allow out to any port 53
# DHCP, from every interface:
sudo ufw allow out to any port 67
sudo ufw allow out to any port 68
# If you are using the default OpenVPN installation on 1194/UDP:
sudo ufw allow out to $MyVPN port 1194 proto udp
# If you are using OpenVPN on 443/TCP:
sudo ufw allow out to $MyVPN port 443 proto tcp
# If you are using WireGuard on 51194/UDP (adjust to your ListenPort):
sudo ufw allow out to $MyVPN port 51194 proto udp
# Assuming OpenVPN uses the tun0 interface:
sudo ufw allow out on tun0 from any to any
# Assuming WireGuard uses the wg0 interface:
sudo ufw allow out on wg0 from any to any
# If we want to allow connections from the VPN network to our computer (again, OpenVPN - tun0, WireGuard - wg0):
sudo ufw allow in on tun0 from any to any
sudo ufw allow in on wg0 from any to any
# Enable UFW
sudo ufw enable

Now the "VPN kill switch" is on.

If you want to turn it off:

sudo ufw default allow outgoing

If you want to turn it back on:

sudo ufw default deny outgoing

(You can use these commands in OpenVPN or WireGuard "post up" / "post down" commands, so that when your VPN connection is established, the switch is turned on automatically.)

Now, there are a couple of problems.

1. This works quite well, but after I turn the switch on, the NetworkManager WiFi icon (I am using a WiFi connection to the LAN on my computer) shows that I am not connected to the internet. Why? Because the wlp3s0 network interface (my WiFi) is trying to connect to connectivity-check.ubuntu.com, and that is blocked by the "VPN kill switch". Please note that if I ping connectivity-check.ubuntu.com from the terminal, the connection is established, but that is because the terminal uses the tun0/wg0 interface.

Now, the problem is that UFW cannot allow (or block) connections to domains (FQDNs), only to IP addresses. And connectivity-check.ubuntu.com has a pool of constantly changing IP addresses.

A quick and dirty solution would be to use /etc/hosts file, but what if Canonical changes IP addresses of their servers?

So one option would be to redirect all traffic from wlp3s0 to VPN (tun0/wg0 interface).

My question is:

  • how to do that?
  • are there any serious drawbacks if I am redirecting ALL traffic from wlp3s0 interface?

2. I have read that it would be wise to allow some connections to wlp3s0 (and other local interfaces). Like DHCP and similar protocols.

So my question is: is it enough to allow ports 67 and 68 (and 53 for DNS) on all interfaces, or do I need to do something else?

BTW, Android has a really nice feature, called "Block connections without VPN". Unfortunately Ubuntu does not have a setting like this. Are there any plans to implement this? Is there some GUI application, that already has implemented this "kill switch"?
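Added example (not the asker's script): the same ufw kill switch packaged as shell functions that an OpenVPN up/down script or a wg-quick PostUp/PostDown line can call, with a dry-run mode that prints the ufw commands instead of executing them. Every name and default in it is this example's own assumption: VPN_SERVER (203.0.113.10, a documentation address), VPN_PORT, VPN_PROTO, VPN_IF and LAN_IF are placeholders to override from the environment, and the ks_* function names are invented. It deliberately differs from the script in the question in two places: the VPN endpoint and DHCP are allowed only on the physical interface, and DNS is not allowed on the physical interface at all, so name lookups can only leave inside the tunnel.

```sh
#!/bin/sh
# Added example, not the script from the question. Everything below is an
# assumption of this example: VPN_SERVER (203.0.113.10 is a documentation
# address), VPN_PORT, VPN_PROTO, VPN_IF and LAN_IF are placeholders to
# override from the environment before running it.

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # endpoint as an IP: it must be reachable before DNS is
VPN_PORT="${VPN_PORT:-51820}"
VPN_PROTO="${VPN_PROTO:-udp}"
VPN_IF="${VPN_IF:-wg0}"                    # tun0 for OpenVPN
LAN_IF="${LAN_IF:-wlp3s0}"
DRY_RUN="${DRY_RUN:-0}"                    # 1 = print the ufw commands instead of running them

# Print or execute one ufw command. Real runs need root, hence sudo.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# One-time policy. Unlike the script in the question, DHCP and the VPN
# endpoint are allowed only on the physical interface, and DNS is not
# allowed there at all: even if option 121 re-routes traffic onto LAN_IF,
# the only cleartext that can leave on it is DHCP and the tunnel itself.
ks_setup() {
    run ufw default deny incoming
    run ufw default deny outgoing
    # DHCP client traffic (ufw's before.rules already permits it; explicit is clearer)
    run ufw allow out on "$LAN_IF" to any port 67 proto udp
    run ufw allow in on "$LAN_IF" to any port 68 proto udp
    # The only other cleartext egress: the tunnel endpoint, pinned to the physical interface
    run ufw allow out on "$LAN_IF" to "$VPN_SERVER" port "$VPN_PORT" proto "$VPN_PROTO"
    # Everything else, DNS included, may leave only inside the tunnel
    run ufw allow out on "$VPN_IF" from any to any
    run ufw --force enable
}

# Toggles for the VPN hooks: the outgoing default policy is the kill switch.
ks_on()  { run ufw default deny outgoing; }
ks_off() { run ufw default allow outgoing; }

# Sanity check for when the rule set is extended later (for example to let
# the connectivity check through): print the allow-out rules on LAN_IF that
# are neither DHCP nor the tunnel endpoint. For the policy above it prints nothing.
ks_lan_plaintext_rules() {
    ( DRY_RUN=1; ks_setup ) | grep "allow out on $LAN_IF" \
        | grep -v "port 67 " | grep -v "to $VPN_SERVER " || true
}

case "${1:-}" in
    setup) ks_setup ;;
    on)    ks_on ;;
    off)   ks_off ;;
esac
```

Run it once as `killswitch.sh setup`, then in a wg-quick configuration use `PostUp = /path/to/killswitch.sh on` and `PostDown = /path/to/killswitch.sh off` (for OpenVPN, the `up`/`down` directives with `script-security 2`). `DRY_RUN=1 ./killswitch.sh setup` shows the exact ufw commands without touching the firewall. The NetworkManager connectivity check leaves on the physical interface, so it stays blocked under this policy just as in the question; any rule added on LAN_IF to let it through will show up in the output of `ks_lan_plaintext_rules`, which is the place to judge what that rule exposes to a rogue LAN.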

