Skip to content

TunnelVision

TunnelVision is an attack that uses DHCP option 121 to set higher priority routes so that traffic does not go through the VPN.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661

Status

Android

Android does not handle DHCP option 121 and is not affected.

Apple platforms

Update sing-box graphical client to 1.9.0-rc.16 or newer, then enable includeAllNetworks in SettingsPacket Tunnel and you will be unaffected.

Note: when includeAllNetworks is enabled, the default TUN stack is changed to gvisor, and the system and mixed stacks are not available.

Linux

Update sing-box to 1.9.0-rc.16 or newer, rules generated by auto-route are unaffected.

Windows

No solution yet.

Workarounds

  • Don't connect to untrusted networks
  • Relay untrusted network through another device
  • Just ignore it