TechRadar
Andreas Theodorou

VPNs aren't broken – TunnelVision is being blown out of the water


You may have seen the rumblings about TunnelVision supposedly neutering even the best VPNs. When I first read about it, even I was worried. However, after speaking with VPN and cybersecurity experts, I've realized it's nothing more than sensationalism.

Because this technique has been a possibility for over two decades, it caused an immediate ripple of panic in the industry. VPN users everywhere stopped momentarily, horrified that they might've been acting under a false sense of security.

Let me show you why TunnelVision isn't something you should be worried about and why, while problematic, it's pointless trying to use it.

What is TunnelVision?

In a blog post from Leviathan Security Group, TunnelVision is described as a "network technique that bypasses VPN encapsulation" by using an operating system's Dynamic Host Configuration Protocol (DHCP).

As Dr Peter Membrey (Chief Engineering Officer at ExpressVPN) explained to me: "Part of this configuration is to tell your device exactly where it should send traffic so that it can reach the internet. There's a lesser-known DHCP feature, however, called Option 121, which enables setting alternative routes for specific destinations—say, the IP addresses that host www.google.com."

He continued, "Any device that supports Option 121 has the potential to have these additional gateways added, diverting the traffic that otherwise would follow the default path."
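To make the Option 121 mechanism concrete from a defender's side, the following added example (not code from the article, ExpressVPN or Leviathan) decodes the option's route list as encoded in RFC 3442 and flags routes that longest-prefix matching would prefer over the VPN's route. The function names, the constructed sample bytes and the assumption that the VPN installs only a default route are illustrative; the option value is assumed to have been extracted already from a captured DHCP reply.

```python
import ipaddress

def parse_option_121(payload: bytes):
    """Decode an RFC 3442 classless static route list into (network, router) pairs.

    Each entry is: 1 byte prefix length, ceil(len/8) destination octets,
    then a 4-byte router address.
    """
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                      # significant destination octets
        entry = payload[i + 1 : i + 1 + n + 4]
        if len(entry) != n + 4:
            raise ValueError(f"truncated route entry at offset {i}")
        dest = int.from_bytes(entry[:n] + bytes(4 - n), "big")
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        routes.append((net, ipaddress.IPv4Address(entry[n:])))
        i += 1 + n + 4
    return routes

def routes_overriding_vpn(routes, vpn_routes):
    """Return pushed routes that are more specific than a VPN route covering them.

    Longest-prefix match means such a route is preferred over the tunnel's route.
    """
    vpn_nets = [ipaddress.IPv4Network(v) for v in vpn_routes]
    return [(net, gw) for net, gw in routes
            if any(net.subnet_of(v) and net.prefixlen > v.prefixlen for v in vpn_nets)]

# Assumption: the VPN client installs only a default route through the tunnel.
VPN_ROUTES = ["0.0.0.0/0"]

# Constructed sample (documentation addresses): 203.0.113.0/24 via 192.0.2.1,
# followed by a default route 0.0.0.0/0 via 192.0.2.254.
SAMPLE = bytes.fromhex("18cb0071c0000201" "00c00002fe")

if __name__ == "__main__":
    for net, gw in routes_overriding_vpn(parse_option_121(SAMPLE), VPN_ROUTES):
        print(f"Option 121 route {net} via {gw} would bypass the tunnel route")
```

A flagged route is a signal to review rather than proof of tampering, since networks can push specific routes for legitimate reasons such as reaching a local subnet.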

The problem with TunnelVision

Personally, I take issue with the way TunnelVision has been represented. I disagree with Leviathan describing it as "decloaking" because only the TLS headers are revealed. If you're using a VPN, the contents of your data packet are still encrypted, because that's done at the device level before it goes out through the network.

TunnelVision isn't decloaking, it's rerouting—there's a difference.

Dr Membrey explained that "[Leviathan] have used the word decloaking, but that term means something very specific. Most people associate the term cloaking with a cloaking device, something found in the Star Trek universe. Decloaking a cloaked ship would mean that you had found a way to take a ship that was invisible, and render it visible. 

"In the case of TunnelVision, the traffic was simply routed outside of the tunnel. You can't decloak it, because it was never cloaked in the first place. That's like saying you decloaked a ship because you turned around and saw it sitting there. In both cases it is very unpleasant, but neither qualify as decloaking."

Does TunnelVision affect all devices?

Thankfully, no. Android devices don't have Option 121 available in their OS. Similarly, iOS has limitations that also protect against this, so if you're on iPhone or Android, you should be safe.

In other words, you can't decloak what was never cloaked in the first place. Even if someone were to execute this attack against a person using VPN obfuscation (hiding the fact you're using a VPN), it would only come close to decloaking if you were using a sub-par VPN that wasn't doing its obfuscation properly.

Ultimately, there are so many protections in place at a network and device level, so as long as you're using a secure VPN, you'll be fine. This emphasizes the need to avoid VPN services that haven't proven their security.

What's more, when you use TunnelVision, it's immediately apparent that you're doing it. Think of it like a burglar driving a car through your front door instead of trying to pick the lock. Any hacker with an ounce of intelligence wouldn't want you knowing that they're there—so they wouldn't use such an obvious method to get the same data they could obtain perfectly silently through something like forced type 2 DNS leaks, identified by ExpressVPN in a recent paper.

If someone were to execute a TunnelVision attack, it would definitely be a problem, and the information gathered could be used as part of a wider correlation attack to identify you. However, it would take a significant amount of data to do that, and you'd likely be protected by the kill switch beforehand.

What the experts say

Don't just take my word for it, though. Listen to what experts in the industry had to say about the matter:

How to protect yourself against TunnelVision

It's really easy to defend against TunnelVision, and plenty of protections are already in place to keep you safe. Any VPN with a decent kill switch will be able to detect that the traffic isn't going through the VPN network and cut your internet immediately.

If you want a VPN that won't let you down, check out my top three picks below. Take advantage of their money-back guarantees to get three months of free VPN coverage without risking a penny.

Bottom line: don't worry about TunnelVision

There are so many circumstances that need to align for TunnelVision to genuinely be a threat, and with modern TLS protections, it just isn't as dangerous now as it could've been back in the days when Secure Socket Layer (SSL) encryption was the standard for web protection.

That's not to say it isn't a problem if it happens, but there are just so many reasons not to do it, that it's not worth all of the sensationalism that has been put out there.
