TunnelVision is a vulnerability present in all major operating systems that can force virtual private network (VPN) apps to route traffic outside the VPN tunnel. This could allow an attacker to snoop on your browsing history or even to inject malicious code into your internet traffic.
The vulnerability was discovered by security researchers who announced it in May 2024, and there are no known cases of hackers ever using it. However, the vulnerability may have existed as far back as 2002.
Proton VPN is broadly resistant to TunnelVision if you use Android, Windows, or enable the kill switch feature on Apple devices. The exception is our Linux app, but there are still ways to mitigate the risk. While most people are unlikely to encounter this attack, it’s important to be aware of the risks and how to stay safe while using Proton VPN.
Are Proton VPN apps vulnerable to TunnelVision?
Many VPNs are vulnerable to TunnelVision because the attack targets a commonly used protocol.
But it’s not an easy attack to pull off: To exploit the TunnelVision vulnerability, an attacker must first gain control of the local area network (LAN) that your device is connected to. That is, the router you connect to via WiFi or ethernet cable must be compromised (mobile cellular connections are not affected by TunnelVision).
This means it’s very unlikely to be an issue for devices connected to a home or office network. The real danger lies when connecting to things like public WiFi hotspots, which could be controlled by anybody.
After extensive tests on Proton VPN apps, we can confirm:
Android
Our Android app isn’t affected by the issue at all, as it doesn’t support option 121 (see below). Android is also highly resistant to similar attacks, thanks to the way it splits connections into multiple “zones”, each of which uses a different routing table.
Windows
The Windows operating system (OS) is vulnerable to TunnelVision, but the firewall rules we’ve implemented in our Windows app to ensure data can only be routed through the VPN tunnel mean that our Windows app is not vulnerable to TunnelVision.
Attempts to exploit routes vulnerable to TunnelVision can prevent an app from connecting to websites that could be otherwise exploited, but at no point is your data in danger.
macOS, iOS, and iPadOS
Apple devices themselves are vulnerable to TunnelVision, but our macOS, iOS, and iPadOS apps are not vulnerable when you enable the kill switch. This is because the firewall rules and other precautions used by the kill switch to prevent connections outside the VPN tunnel also secure your device against TunnelVision exploits.
Linux
Our Linux app is currently vulnerable to TunnelVision. We’re working on a fix for this, but until it’s available, we recommend against using our Linux app on networks that are potentially not secure (such as public WiFi hotspots). Unfortunately, manual OpenVPN and WireGuard configurations are also vulnerable.
If you must use our Linux app on unsafe networks, please contact our support team, who may be able to suggest ways to mitigate against the danger (such as using the VPN inside a virtual machine whose network adapter isn’t in bridged mode or using your mobile phone as a WiFi hotspot).
How does TunnelVision work?
IP addresses on a local network are allocated by the router using the Dynamic Host Configuration Protocol (DHCP). VPN apps are designed to ensure all internet traffic is routed through a local IP address that channels it into the encrypted VPN tunnel.
A setting known as option 121 allows the router to override such configurations and route traffic outside the VPN tunnel to the router itself. For the attack to work, the attacker must therefore control the router.
Frequently asked questions
Is my device vulnerable to TunnelVision?
If you use Proton VPN for:
- Android: No
- Windows: No
- macOS: No, if you turn on the kill switch
- iOS and iPadOS: No, if you turn on the kill switch
- Linux: Yes. But only if you’re connected to a router controlled by a malicious attacker
Is my device vulnerable on my home or office network?
Almost certainly not. The local network would need to be compromised by a malicious attacker, which is very unlikely. Public WiFi networks may be unsafe, however.
Is my mobile device vulnerable?
Devices using mobile (cellular) connections aren’t vulnerable to TunnelVision attacks. iPhones and iPads may be vulnerable if connected to a local network (e.g., by WiFi or ethernet cable), but this can be mitigated against by enabling the kill switch.
Why are some devices more vulnerable than others?
How data packets are routed depends on your operating system, not the VPN app. It’s therefore the OS that determines how vulnerable a platform is to the TunnelVision vulnerability. VPN apps can mitigate against the problem, but ultimately, it’s down to how each OS is designed.
