I see what you mean now. I wouldn’t advocate for people to disable DHCP features either. It should be the VPN provider’s responsibility to provide a proper VPN client that mitigates attacks like these.
I see what you mean now. I wouldn’t advocate for people to disable DHCP features either. It should be the VPN provider’s responsibility to provide a proper VPN client that mitigates attacks like these.
Yeah TOR is an example of a mixnet. WHat I was talking about was a combination of your Scenario A and Scenario B, where you have a mixnet where everybody’s traffic goes through multiple proxies, and many people are using each proxy, and you have padding and timing added to make sure traffic flows are consistent. As far as trusting nodes, you have to do that regardless of your set up. If you don’t use any VPN, you have to trust your ISP. If you use a VPN like Mullvad, you have to trust Mullvad. If you use a mixnet, you have to trust that all your chosen proxies aren’t colluding. So like you said, it’s up to your own judgement and threat model.
why is a split tunnel relevant? I thought all VPNs are vulnerable unless they use a firewall like I do, or network namespaces.
At least the way I understand it, a normal VPN redirects your internet traffic to instead go through a virtual network interface, which then encrypts and sends your traffic through the VPN. This attack uses a malicious DHCP server to inject routes into your system, redirecting traffic to the attacker instead of towards the virtual network interface.
Hypothetically, what if everybody in the world were using mixnets to obfuscate destination/origin, and then mullvad’s DAITA to obfuscate traffic timing and size. Would netflow analysis be able to defeat that?
It all depends on how much you trust the devices on your LAN. So your ISP can’t do anything unless they own and control your router, since that is on your LAN. So one concern might be if you connect your PC to coffee shop wifi, since all other devices in the shop are on the same LAN, not to mention the coffee shop owns the wifi router and can also perform the attack. Another concern might be if a family member in your house has a device that got hacked, then all devices in your house are vulnerable.
I think you both are talking past each other. You said “But if nobody else is using those same endpoints.” but @[email protected] said “There’s plenty of people who are going to be renting VPSes and will have their traffic originate from the same IP range as mine”. Reading this thread, it seems like you both have different network setups in mind.
Do you know how to make it so all the host’s traffic is sent through the VPN namespace? I couldn’t figure out how to do this so I ended up just writing my own firewall. Network namespaces seems like a better solution.
I saw that but unfortunately it doesn’t detail how to set it up persistently on every boot. And I also haven’t seen anybody using this method, probably because of the lack of tooling around it. For example afaik the official Mullvad client on linux just uses a firewall.
Using untrusted networks is quite common, like coffee shop wifi or airport wifi.
what features are you talking about?
Actually my firewall is persistent, just like many of the other good VPN clients, so “kill switch” is a bit of a misnomer. Which is why I called it wg-lockdown, named after Mullvad’s lockdown mode. Persistent firewalls are effective, they just add a very tiny side-channel, as discussed in the link in my post. I just used the terms “kill switch” in my post because that’s what many other people use.
Though the point about the LAN is a good point, I didn’t consider that. I added LAN access because without it, the firewall was interfering with the networking of my docker container and virtual machines, which use local subnets. Even the official Mullvad client has issues with this. What do you recommend in this case? Manually whitelist the local subnets used by docker and my other virtual networks?
Edit: actually upon reading Mullvad’s statement on TunnelVision, I realized that my firewall is still effective because it only allows traffic directed to LAN IP’s to bypass the VPN. So regular internet traffic will be blocked if the attacker tries to redirect it to the LAN. I’m glad I used Mullvad as a reference implementation 😅
I thought TunnelVision applies to all VPN users that don’t use firewall / network namespaces
No worries, and thanks for providing a response nonetheless. I’ll look into your suggestion when I have the time. The official Wireguard website also had some guide on network namespaces here but afaik it didn’t explain how to set it up persistently