September 29, 2023

TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. An adversary can abuse these vulnerabilities to leak traffic outside the VPN tunnel.

A team of academics – Nian Xue of New York University, Yashaswi Malla, Zihang Xia, and Christina Popper of New York University Abu Dhabi, and Mathy Vanhoef of imec-DistriNet and KU Leuven – explained how the attacks work, released proof-of-concept exploits, and reckoned “every VPN product is vulnerable on at least one device.”

Their tests indicate that every VPN product is vulnerable on at least one device. VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, a majority of VPNs on Windows and Linux are vulnerable, and Android fares best, with roughly one-quarter of VPN apps being vulnerable. The discovered vulnerabilities can be abused regardless of the security protocol used by the VPN.


The two resulting attacks are called the LocalNet and ServerIP attack. Both can be exploited when a user connects to an untrusted Wi-Fi network. The attacks manipulate the victim’s routing table to trick the victim into sending traffic outside the protected VPN tunnel, allowing an adversary to read and intercept transmitted traffic.

LocalNet Attack

In the LocalNet attack, the adversary acts as a malicious Wi-Fi or Ethernet network and tricks the victim into connecting to it. An easy way to accomplish this is by cloning a popular Wi-Fi hotspot such as “starbucks”. Once the victim has connected, the adversary assigns it a public IP address and subnet, so that the VPN client's exception for local-network traffic now covers addresses on the public Internet.

ServerIP Attack

In the ServerIP attack, the adversary abuses the observation that many VPN clients do not encrypt traffic destined for the IP address of the VPN server. Clients do this to avoid encrypting already-tunneled packets a second time.


The built-in VPN clients of Windows, macOS, and iOS are vulnerable. Android 12 and higher is not affected. A significant number of Linux VPNs are also vulnerable. Additionally, the researchers found that most OpenVPN profiles, when used with a vulnerable VPN client, use a hostname to identify the VPN server and therefore may result in vulnerable behavior. To prevent the attack, VPN clients should be updated to send all traffic through the VPN tunnel, except traffic generated by the VPN app itself.
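Both attacks leave a trace in the client's routing table: LocalNet shows up as a directly connected "local" subnet that is really a public prefix, and ServerIP shows up as a tunnel-bypass host route whose destination is not the VPN server the profile was supposed to reach. The following audit script is an added example written for this post, not code from the TunnelCrack researchers or from any VPN vendor. It parses the Linux `ip route show` line format, assumes the tunnel interface is `tun0`, and assumes the profile pins the server address `192.0.2.200`; the two routing tables it checks are constructed to illustrate an attacked client and a benign one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ranges a genuinely local network is expected to use. A "local" subnet outside
# these is the LocalNet signature: the rogue network hands the victim a public
# prefix so the VPN's local-network exception swallows Internet destinations.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: Optional[str]
    via: Optional[str]  # gateway address, None when directly connected


def parse_ip_route(text: str) -> List[Route]:
    """Parse the subset of Linux `ip route show` output used here (IPv4 only)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # not a route line we understand
        if net.version != 4:
            continue
        via = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append(Route(net, dev, via))
    return routes


def audit_routes(routes: List[Route], tunnel_dev: str,
                 pinned_server_ip: str) -> List[Tuple[str, str]]:
    """Return (attack_class, detail) for every route that carries traffic
    outside the tunnel for any reason other than reaching the pinned server."""
    server = ipaddress.ip_address(pinned_server_ip)
    findings = []
    for r in routes:
        if r.dev == tunnel_dev:
            continue  # inside the tunnel: fine
        if r.dest.prefixlen == 0:
            continue  # physical default route; the tunnel's /1 routes override it
        if r.dest.prefixlen == 32:
            # Host route bypassing the tunnel: only the VPN server may have one.
            if r.dest.network_address != server:
                findings.append(("ServerIP",
                    f"host route {r.dest.network_address} on {r.dev} bypasses "
                    f"{tunnel_dev} but is not the pinned server {server}"))
        elif r.via is None:
            # Directly connected subnet, i.e. the "local network" exception.
            if not any(r.dest.subnet_of(p) for p in PRIVATE_RANGES):
                findings.append(("LocalNet",
                    f"public prefix {r.dest} is treated as local on {r.dev}"))
        else:
            findings.append(("Bypass",
                f"gateway route {r.dest} via {r.via} on {r.dev} skips {tunnel_dev}"))
    return findings


# Constructed table for a client on a rogue hotspot: the AP handed out the
# public range 203.0.113.0/24 as the "LAN", and the VPN hostname resolved to
# 198.51.100.9 instead of the pinned server.
ATTACKED_TABLE = """\
default via 203.0.113.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
203.0.113.0/24 dev wlan0 proto kernel scope link src 203.0.113.77 metric 600
198.51.100.9 via 203.0.113.1 dev wlan0
"""

# Constructed table for the same client on an ordinary home network.
BENIGN_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
192.0.2.200 via 192.168.1.1 dev wlan0
"""

PINNED_SERVER = "192.0.2.200"  # assumed: the address the VPN profile pins


def audit_text(table: str) -> List[Tuple[str, str]]:
    return audit_routes(parse_ip_route(table), "tun0", PINNED_SERVER)


if __name__ == "__main__":
    for name, table in (("attacked", ATTACKED_TABLE), ("benign", BENIGN_TABLE)):
        print(name, audit_text(table) or "no leaks")
```

The audit treats the physical default route as harmless because a full-tunnel client overrides it with the two `/1` routes on `tun0`; the checks that matter are the directly connected subnet (LocalNet) and the single host route the client excludes for its server (ServerIP). Pinning the server address, as the check does, is the practical counterpart of the fix the researchers recommend: nothing but the VPN app's own packets should ever be routed around the tunnel.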

The paper behind the attack is titled Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables and will be presented at USENIX Security 2023.
