In light of the recent TunnelVision vulnerability I wanted to share a simple firewall that I wrote for wireguard VPNs.

https://codeberg.org/xabadak/wg-lockdown

If you use a fancy official VPN client from Mullvad, PIA, etc, you won’t need this since most clients already have a kill switch built in (also called Lockdown Mode in Mullvad). This is if you use a barebones wireguard VPN like me, or if your VPN client has a poorly-designed kill switch (like NordVPN, more info here).

A firewall should mitigate the vulnerability, though it does create a side-channel that can be exploited in extremely unlikely circumstances, so a better solution would be to use network namespaces (more info here). Unfortunately I’m a noob and I couldn’t find any scripts or tools to do it that way.

  • @taladar@sh.itjust.works
    link
    fedilink
    -118 months ago

    That “vulnerability” seems more like a case of “people who use hostile networks have not considered which features that work as designed should be disabled in their use case”.

      • @taladar@sh.itjust.works
        link
        fedilink
        -38 months ago

        It does matter if people now advocate to routinely disable useful features by default because they are a problem for their particular use case.

        • @xabadakOP
          link
          28 months ago

          what features are you talking about?

          • @taladar@sh.itjust.works
            link
            fedilink
            18 months ago

            The ability to set static routes via DHCP server or for that matter the ability to remote boot systems via DHCP server which has similar problems if you can’t trust the DHCP server.

            • @xabadakOP
              link
              18 months ago

              I see what you mean now. I wouldn’t advocate for people to disable DHCP features either. It should be the VPN provider’s responsibility to provide a proper VPN client that mitigates attacks like these.

    • @xabadakOP
      link
      38 months ago

      Using untrusted networks is quite common, like coffee shop wifi or airport wifi.