DHCP client settings to mitigate TunnelVision VPN decloaking issue?

Recently there has been some news about a DHCP option that can be abused to allow decloaking VPN connections. The write-up is here. I saw someone’s Twitter post suggesting dhcpcd settings changes to mitigate. IIRC Nix uses dhcpcd by default. I’m mostly curious if anyone here has already deployed any of these mitigations on Nix and has examples or suggestions?

Hi, were you able to deploy a solution?

I skimmed the article, I guess you just need

networking.dhcpcd.extraConfig = ''
  nooption classless_static_routes
'';

to ignore static routes provided by the server.
Anyway, if you’re on a network with a malicious DHCP server, or where an attacker can run one, it’s game over anyway. See Libreswan and TunnelCrack - Libreswan.

Could it be mitigated by just disabling DHCP entirely?

No, how would you configure the network without DHCP or router advertisements (they can also install routes) then?

The only solution is to set up a local firewall that only allows outbound traffic towards the VPN server and what’s necessary to keep the network functional (ICMPv6 ND, ARP, DHCP, etc.).

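The outbound-only firewall described in the last reply, sketched as a NixOS nftables rule set. This is an added example, not configuration posted by anyone in the thread; the tunnel interface name `wg0`, the VPN server address `203.0.113.10` (documentation range) and UDP port 51820 are assumptions to replace with your own values.

```nix
{ ... }:
let
  # Assumed values for illustration only; none of these come from the thread.
  vpnIface  = "wg0";           # tunnel interface created by the VPN client
  vpnServer = "203.0.113.10";  # placeholder VPN endpoint (documentation range)
  vpnPort   = 51820;           # placeholder UDP port of the VPN endpoint
in
{
  networking.nftables.enable = true;

  # A separate table with a default-drop output chain. Packets that a
  # DHCP-pushed route (option 121) steers onto the physical interface
  # match none of the accept rules and are dropped instead of leaving
  # the host outside the tunnel.
  networking.nftables.ruleset = ''
    table inet vpn_killswitch {
      chain output {
        type filter hook output priority 0; policy drop;

        # Local traffic and anything routed into the tunnel.
        oifname "lo" accept
        oifname "${vpnIface}" accept

        # The encrypted tunnel packets themselves, to the VPN server only.
        ip daddr ${vpnServer} udp dport ${toString vpnPort} accept

        # Needed to keep the underlying network functional.
        udp sport 68 udp dport 67 accept      # DHCPv4 client to server
        udp sport 546 udp dport 547 accept    # DHCPv6 client to server
        icmpv6 type { nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert } accept

        # ARP is not seen by inet-family hooks, so it needs no rule here.
      }
    }
  '';
}
```

After a rebuild, `nft list table inet vpn_killswitch` shows the loaded chain, and a connection attempt to a non-VPN address with the tunnel down should fail rather than go out the physical interface.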