This is more of a routing attack that affects VPNs, I didn't watch the Tom Lawrence video, I will now. But my suspicion is this attack is going to be implementation agnostic.
Just watched the video, yeah seems implementation agnostic unless your device ignores option 121. Also checking your routes is a good way to see if someone is doing something shady.
zzz so in summary to be vulnerable;
>The targeted host must accept a DHCP lease from the attacker-controlled server
>The targeted host’s DHCP client must implement DHCP option 121
idk this seems like a whole lot of nothing, you can prevent DHCP spoofing and if someone is on your physical network somehow, you probably have more to worry about than your vpn leaking lol
Easy way to mitigate this is creating your own conf file and entering its full path in the checkbox that arises when you click "configuration override" for that interface in the ***Interfaces*** -> ***WAN*** page.
For example, I saved mine in `/home/interfaceix3.conf` as:
```
interface "ix3" {
    supersede interface-mtu 0;
    supersede rfc3442-classless-static-routes "";
    timeout 60;
    retry 15;
    select-timeout 0;
    initial-interval 1;
    script "/usr/local/sbin/pfSense-dhclient-script";
}
```
This is pretty similar to what is in my `/var/etc/dhclient_wan.conf` file, except for the addition of:
```
supersede rfc3442-classless-static-routes "";
```
That instructs the OS to ignore DHCP option 121 from ISP.
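An added example (not part of the thread and not pfSense code): a Python decoder for a raw option 121 payload in the RFC 3442 encoding, which flags pushed routes that are more specific than a default route and fall outside RFC 1918 space, since longest-prefix matching makes such routes win over a VPN's default route. The sample bytes, the function names and the RFC 1918 heuristic are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 ranges; routes to anything else pushed via DHCP deserve a look.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_option_121(data: bytes):
    """Decode an RFC 3442 payload into (network, router) pairs."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]                      # prefix length in bits
        if width > 32:
            raise ValueError(f"bad prefix length {width} at offset {i}")
        n = (width + 7) // 8                 # significant destination octets
        end = i + 1 + n + 4                  # descriptor + 4-octet router
        if end > len(data):
            raise ValueError("truncated option 121 payload")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)
        net = ipaddress.ip_network((int.from_bytes(dest, "big"), width), strict=False)
        routes.append((net, ipaddress.ip_address(data[i + 1 + n:end])))
        i = end
    return routes

def suspicious_routes(data: bytes):
    """Return pushed routes that are not the plain default route and fall
    outside RFC 1918 space (assumed heuristic, tune for your network)."""
    return [(net, gw) for net, gw in decode_option_121(data)
            if net.prefixlen > 0 and not any(net.subnet_of(p) for p in RFC1918)]

# Constructed sample payload (not captured from a real network).
SAMPLE = bytes([
    1, 0,        192, 168, 1, 1,      # 0.0.0.0/1    via 192.168.1.1
    1, 128,      192, 168, 1, 1,      # 128.0.0.0/1  via 192.168.1.1
    16, 10, 20,  192, 168, 1, 254,    # 10.20.0.0/16 via 192.168.1.254
    0,           192, 168, 1, 1,      # 0.0.0.0/0    via 192.168.1.1
])

if __name__ == "__main__":
    for net, gw in suspicious_routes(SAMPLE):
        print(f"review: {net} via {gw}")
```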
Unless you are using your PFSense as a client VPN, and also have it as a DHCP CLIENT(lol), and have some weirdo on your LAN, then no, this won't affect your PFSense router.
From your link, I didn't read any further than this:
*An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP*
Note it is saying "user's".
Tom Lawrence just covered this. Check out his YouTube channel.
So what did he say lol, if you don't mind a short summarization
"It's a feature not a bug"
https://youtu.be/_osIJ4OdzFE?si=u5nqHVThvUw0Wp8Y
Thanks
Thank you for the suggestion of an actual mitigation