Tunnel Vision and Tunnel Crack Prevention
Platform-Specific Prevention Mechanisms
Description
Tunnel vision refers to a scenario where the VPN client fails to properly route all network traffic through the VPN tunnel. This can happen when certain applications or system services bypass the VPN connection and send traffic directly over the local network, potentially exposing sensitive data.
Tunnel crack is a vulnerability that allows an attacker to intercept and manipulate network traffic that is not properly encrypted or authenticated within the VPN tunnel. This can lead to data leaks, man-in-the-middle attacks, or other security breaches.
Symptoms
Tunnel vision:
• The VPN connection becomes unresponsive
• Applications using the VPN connection time out or fail to connect
• Ping tests or traceroutes through the VPN tunnel fail
Tunnel crack:
• Using weak or outdated encryption ciphers that can be cracked
• Improper authentication allowing unauthorized access to the VPN
• Lack of integrity checks enabling data tampering
• Leaking of DNS queries or IPv6 traffic outside the VPN tunnel
Solutions
Tunnel vision:
1. Check the VPN client logs for any error messages or indications of routing problems
2. Verify that the VPN client's routing table is configured correctly
3. Ensure there are no IP address or subnet conflicts between the VPN and local network
4. Restart the VPN client or reestablish the VPN connection
Tunnel crack:
1. Use strong, up-to-date encryption protocols like AES and SHA-2
2. Implement multi-factor authentication for VPN access
3. Configure the VPN to use secure DNS resolution
4. Ensure the VPN client properly routes all traffic, including IPv6, through the tunnel
5. Keep VPN client and server software patched and updated
6. Conduct regular security audits and penetration tests of the VPN infrastructure
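Steps 2 and 3 of the tunnel vision checklist (verify the routing table, rule out subnet conflicts) can be automated. The following is an added example, not code from this SDK: it parses a Linux-style routing table (as printed by `ip route` / `ip -6 route`), resolves destinations by longest-prefix match, and reports any destination whose traffic would leave through an interface other than the tunnel, which is exactly the condition a more-specific route pushed from the local network creates. The sample table, interface names and destinations are constructed for illustration.

```python
"""Route-leak check for the tunnel vision condition (added example, not SDK code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress._BaseNetwork  # IPv4Network or IPv6Network
    interface: str


def parse_routes(table: str) -> List[Route]:
    """Parse `ip route`-style lines: '<prefix|default> [via GW] dev IFACE ...'."""
    routes = []
    for line in table.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        prefix = ipaddress.ip_network(dst, strict=False)
        iface = tokens[tokens.index("dev") + 1] if "dev" in tokens else "?"
        routes.append(Route(prefix, iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, whatever its position."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        if r.prefix.version == addr.version and addr in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best.interface if best else None


def find_leaks(routes: List[Route], tunnel_iface: str,
               destinations: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Destinations that would NOT be sent through tunnel_iface (None = no route at all)."""
    leaks = []
    for dst in destinations:
        iface = lookup(routes, dst)
        if iface != tunnel_iface:
            leaks.append((dst, iface))
    return leaks


def subnets_overlap(a: str, b: str) -> bool:
    """Step 3: does the VPN-assigned subnet collide with the local subnet?"""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


# Constructed routing table: a typical VPN setup (two /1 routes via tun0 beat the
# LAN default route), plus one more-specific /24 pointing back to the LAN gateway,
# and an IPv6 default route the VPN never claimed.
SAMPLE_TABLE = """\
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev eth0
203.0.113.0/24 via 192.168.1.1 dev eth0
::/0 via fe80::1 dev eth0
"""

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_TABLE)
    for dst, iface in find_leaks(routes, "tun0", ["8.8.8.8", "203.0.113.5", "2001:db8::1"]):
        print(f"LEAK: {dst} would exit via {iface}")
    print("subnet conflict:", subnets_overlap("10.8.0.0/24", "192.168.1.0/24"))
```

The local subnet itself (192.168.1.0/24 here) will also appear as a non-tunnel path; whether that is acceptable is a policy decision, so the function reports it rather than silently ignoring it.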
Use Cases
A retail company has multiple branch offices connected to the main headquarters through site-to-site VPNs. The VPN connection to one of the branch offices suddenly becomes unresponsive, impacting critical business applications. The network team finds that the issue is caused by a misconfigured routing table on the branch office VPN router. A recent change introduced a routing loop that caused tunnel vision. By correcting the routing table and implementing proper change management procedures, the team resolves the issue and prevents future occurrences.
A healthcare organization sets up a point-to-site VPN to enable secure access to electronic health records (EHR) for their mobile clinicians. The VPN uses the PPTP protocol, which is known to have security vulnerabilities. An attacker manages to exploit a weakness in the PPTP encryption and captures packets transmitted over the VPN tunnel. By cracking the encryption, the attacker gains access to sensitive patient data, leading to a major data breach and HIPAA violation. To prevent such tunnel crack issues, the healthcare organization should transition to a more secure VPN protocol with strong encryption. They should also implement proper access controls, monitor for unusual activity, and regularly update their VPN software to patch any known vulnerabilities.
Prevention on Android⁽¹⁾
Tunnel vision: Not applicable
Tunnel crack: Not applicable
Prevention on iOS/macOS⁽²⁾
Tunnel vision: Use includeAllNetworks
Tunnel crack: Use includeAllNetworks
Note:
⁽¹⁾ Android does not support DHCP option 121, so the issue cannot occur on the Android OS. No action required in the Android SDK.
⁽²⁾ Set the includeAllNetworks property to true in the NetworkConfiguration object. When enabled, this setting ensures that all network traffic is routed through the VPN tunnel interface.
Example usage:
// ...
let networkConfiguration = NetworkConfiguration(
    // ...
    includeAllNetworks: true
    // ...
)
For more detailed information, refer to the official documentation: includeAllNetworks
Known Issues with includeAllNetworks
The includeAllNetworks setting is implemented entirely by Apple, and its behavior can vary significantly across OS versions. While it provides enhanced security by preventing network leaks, be aware that it may exhibit different network behaviors depending on the specific OS version and system configuration in use.
Logging
The includeAllNetworks status is logged in the network extension logs as System killswitch enabled = ... along with other flags. This log entry helps developers and support teams verify whether the includeAllNetworks feature is properly activated and functioning within the VPN tunnel.
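A support team usually wants to confirm the most recent state rather than eyeball the log by hand. The following is an added example, not SDK or Apple code: it parses `key = value` flags out of network extension log lines and returns the latest value of the System killswitch enabled flag. The log lines, timestamps and the second flag name are constructed; the only string taken from this page is "System killswitch enabled".

```python
"""Extract the includeAllNetworks (kill switch) state from extension logs (added example)."""
import re
from typing import Dict, List, Optional

# Matches 'Some flag name = value' pairs; keys may contain spaces, values are one token.
FLAG_RE = re.compile(r"([A-Za-z][\w ]*?)\s*=\s*([\w.]+)")
KILLSWITCH_KEY = "System killswitch enabled"  # flag name as stated in the documentation


def parse_flags(line: str) -> Dict[str, str]:
    """Return all 'key = value' flags on one log line, keys stripped of padding."""
    return {key.strip(): value for key, value in FLAG_RE.findall(line)}


def killswitch_state(lines: List[str]) -> Optional[bool]:
    """Latest logged kill switch state, or None if the flag never appears."""
    state = None
    for line in lines:
        flags = parse_flags(line)
        if KILLSWITCH_KEY in flags:
            state = flags[KILLSWITCH_KEY].lower() == "true"
    return state


# Constructed log excerpt: a first connection without the kill switch, then one with it.
SAMPLE_LOG = [
    "2024-05-10 12:00:01 tunnel: System killswitch enabled = false, Exclude local networks = true",
    "2024-05-10 12:00:02 tunnel: interface utun3 up",
    "2024-05-10 12:05:40 tunnel: System killswitch enabled = true, Exclude local networks = false",
]

if __name__ == "__main__":
    print("kill switch enabled:", killswitch_state(SAMPLE_LOG))
```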