
TunnelVision and Proton VPN

Category: Proton VPN apps

TunnelVision is a vulnerability present in all major operating systems that can force virtual private network (VPN) apps to route traffic outside the VPN tunnel. This could allow an attacker to snoop on your browsing history or even to inject malicious code into your internet traffic. 

The vulnerability was discovered by security researchers who announced it in May 2024, and there are no known cases of hackers ever using it. However, the vulnerability may have existed as far back as 2002.

Proton VPN is broadly resistant to TunnelVision if you use Android or Windows, or if you enable the kill switch feature on Apple devices. The exception is our Linux app, but there are still ways to mitigate the risk. While most people are unlikely to encounter this attack, it’s important to be aware of the risks and how to stay safe while using Proton VPN.

Are Proton VPN apps vulnerable to TunnelVision?

Many VPNs are vulnerable to TunnelVision because the attack targets a commonly used protocol.

But it’s not an easy attack to pull off: To exploit the TunnelVision vulnerability, an attacker must first gain control of the local area network (LAN) that your device is connected to. That is, the router you connect to via WiFi or Ethernet cable must be compromised (mobile cellular connections are not affected by TunnelVision).

This means it’s very unlikely to be an issue for devices connected to a home or office network. The real danger lies in connecting to things like public WiFi hotspots, which could be controlled by anybody.

After extensive tests on Proton VPN apps, we can confirm:

Android 

Our Android app isn’t affected by the issue at all, as it doesn’t support option 121 (see below). Android is also highly resistant to similar attacks, thanks to the way it splits connections into multiple “zones”, each of which uses a different routing table.

Windows

The Windows operating system (OS) itself is vulnerable to TunnelVision, but the firewall rules our Windows app implements to ensure data can only leave through the VPN tunnel mean that our Windows app is not vulnerable to TunnelVision.

An attempt to exploit TunnelVision against our Windows app can prevent the app from connecting to the websites whose routes the attacker tried to hijack, because that traffic is blocked rather than allowed to leave the tunnel, but at no point is your data in danger.

macOS, iOS, and iPadOS

Apple devices themselves are vulnerable to TunnelVision, but our macOS, iOS, and iPadOS apps are not vulnerable when you enable the kill switch. This is because the firewall rules and other precautions used by the kill switch to prevent connections outside the VPN tunnel also secure your device against TunnelVision exploits.

Linux

Our implementation of the WireGuard protocol on our Linux app was designed to address this issue. When using WireGuard, our Linux app is not vulnerable to TunnelVision.

How does TunnelVision work?

IP addresses on a local network are allocated by the router using the Dynamic Host Configuration Protocol (DHCP). VPN apps are designed to ensure all internet traffic is routed through a local IP address that channels it into the encrypted VPN tunnel.

A DHCP setting known as option 121 lets the router push routes to your device that override such configurations, so that matching traffic is sent to the router itself, outside the VPN tunnel. For the attack to work, the attacker must therefore control the router.
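The following is an added example, not Proton VPN code, that models the mechanism described above and in the “Why are some devices more vulnerable than others?” question below: it decodes a DHCP option 121 payload (the RFC 3442 classless static route format), installs the decoded routes into a simulated routing table next to a VPN’s usual routes, applies the longest-prefix-match rule every mainstream OS uses, and then shows how a kill-switch style egress policy turns a would-be leak into a dropped packet. The interface names (`eth0`, `tun0`), the addresses, the VPN server address and the option payload are all constructed for the demonstration.

```python
"""Model of DHCP option 121 routes overriding a VPN's routes, and of an egress
firewall (kill switch) stopping the resulting leak. Added illustration; not
Proton VPN code. All names, addresses and the payload are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
Route = Tuple[IPv4Net, str]  # destination network -> egress interface

# Constructed option 121 payload (RFC 3442). Each entry is: prefix length,
# only the significant octets of the destination, then the 4-octet next hop.
SAMPLE_OPTION_121 = bytes([
    24, 203, 0, 113,        192, 168, 1, 1,   # 203.0.113.0/24 via 192.168.1.1
    25, 198, 51, 100, 0,    192, 168, 1, 1,   # 198.51.100.0/25 via 192.168.1.1
])


def parse_option_121(data: bytes) -> List[Tuple[IPv4Net, str]]:
    """Decode an option 121 payload into (destination network, next hop) pairs."""
    routes: List[Tuple[IPv4Net, str]] = []
    i = 0
    while i < len(data):
        prefix = data[i]
        if prefix > 32:
            raise ValueError(f"invalid prefix length {prefix}")
        n_octets = (prefix + 7) // 8          # RFC 3442: ceil(prefix / 8) octets
        i += 1
        if i + n_octets + 4 > len(data):
            raise ValueError("truncated option 121 payload")
        dest = list(data[i:i + n_octets]) + [0] * (4 - n_octets)
        i += n_octets
        router = ".".join(str(b) for b in data[i:i + 4])
        i += 4
        net = ipaddress.IPv4Network(".".join(map(str, dest)) + f"/{prefix}", strict=False)
        routes.append((net, router))
    return routes


def vpn_routing_table(vpn_server: str) -> List[Route]:
    """Typical table while a VPN is up: the LAN and a host route to the VPN
    server via eth0; everything else via tun0 (two /1 routes beat the default)."""
    return [
        (ipaddress.ip_network("192.168.1.0/24"), "eth0"),
        (ipaddress.ip_network(f"{vpn_server}/32"), "eth0"),
        (ipaddress.ip_network("0.0.0.0/1"), "tun0"),
        (ipaddress.ip_network("128.0.0.0/1"), "tun0"),
    ]


def install_dhcp_routes(table: List[Route], data: bytes, lan_iface: str = "eth0") -> List[Route]:
    """Add option 121 routes as a plain DHCP client would: the next hop is on
    the LAN, so matching traffic egresses the physical interface."""
    return table + [(net, lan_iface) for net, _router in parse_option_121(data)]


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins, which is
    exactly why a pushed /24 beats the VPN's /1 routes."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def audit(table: List[Route], destinations: List[str], vpn_server: str,
          kill_switch: bool, vpn_iface: str = "tun0") -> Dict[str, str]:
    """Classify each destination: 'tunnel' (inside the VPN), 'direct' (the
    encrypted session to the VPN server itself), 'leak' (would bypass the VPN)
    or 'blocked' (bypass attempted, but the egress policy drops it)."""
    result: Dict[str, str] = {}
    for dst in destinations:
        iface = lookup(table, dst)
        if iface == vpn_iface:
            result[dst] = "tunnel"
        elif dst == vpn_server:
            result[dst] = "direct"
        elif kill_switch:
            result[dst] = "blocked"   # policy: only tun0, plus the VPN server on eth0
        else:
            result[dst] = "leak"
    return result


if __name__ == "__main__":
    server = "192.0.2.10"
    table = install_dhcp_routes(vpn_routing_table(server), SAMPLE_OPTION_121)
    targets = ["1.1.1.1", "203.0.113.7", "198.51.100.5", "198.51.100.200", server]
    print("without kill switch:", audit(table, targets, server, kill_switch=False))
    print("with kill switch:   ", audit(table, targets, server, kill_switch=True))
```

Note that 198.51.100.200 stays in the tunnel because the pushed /25 only covers 198.51.100.0 to 198.51.100.127; the leak is exactly as wide as the prefixes the router hands out. The kill-switch model here is deliberately strict (only the tunnel interface and the VPN server’s own session are allowed); real implementations usually add a LAN exception, which does not change the verdict for the hijacked routes.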

Frequently asked questions

Is my device vulnerable to TunnelVision?

If you use Proton VPN for:

  • Android: No
  • Windows: No
  • macOS: No, if you turn on the kill switch
  • iOS and iPadOS: No, if you turn on the kill switch
  • Linux: Yes. But only if you’re connected to a router controlled by a malicious attacker

Is my device vulnerable on my home or office network?

Almost certainly not. The local network would need to be compromised by a malicious attacker, which is very unlikely. Public WiFi networks may be unsafe, however.

Is my mobile device vulnerable?

Devices using mobile (cellular) connections aren’t vulnerable to TunnelVision attacks. iPhones and iPads may be vulnerable if connected to a local network (e.g., by WiFi or Ethernet cable), but this can be mitigated by enabling the kill switch.

Why are some devices more vulnerable than others?

How data packets are routed depends on your operating system, not the VPN app. It’s therefore the OS that determines how vulnerable a platform is to the TunnelVision vulnerability. VPN apps can mitigate against the problem, but ultimately, it’s down to how each OS is designed.
