by agwa 773 days ago
That's not really the problem - DHCP's subnet mask option is definitely not weird or legacy but can also be used to execute these attacks.

The real problem is that encrypted packets from the VPN client use the same routing table as unencrypted packets from applications. This makes it very difficult to create a robust routing policy that says "all unencrypted packets are routed via the VPN, and all encrypted packets are routed via the physical network interface".


> The real problem is that encrypted packets from the VPN client use the same routing table as unencrypted packets from applications

Worth noting that this really is very dependent on the specifics of your VPN implementation. For example, strongSwan (IPsec) and WireGuard by default, AFAIK, use separate route tables. In general, using separate route tables for virtual vs. physical networks is not exactly rocket science.
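As an added example (not part of the thread, and not WireGuard's or strongSwan's code), a small Python model of Linux policy routing that contrasts the single shared table agwa describes with fwmark-separated tables, and shows the caveat that a "lookup main suppress_prefixlength 0" convenience rule reopens the hole; the mark value, interface names, endpoint address and injected routes are constructed.

```python
import ipaddress

# Constructed model of Linux policy routing (ip rule / ip route), not real
# kernel code: enough to show why one shared table is fragile and how a
# fwmark-separated table fixes it. Marks, tables and addresses are made up.
WG_MARK = 51820                       # mark WireGuard puts on its own UDP packets
ENDPOINT = "203.0.113.5"              # assumed VPN server address
INJECTED = [("0.0.0.0/1", "eth0"),    # what a rogue DHCP server can push
            ("128.0.0.0/1", "eth0")]  # (option 121 or an odd subnet mask)

def lookup(table, dst):
    """Longest-prefix match in one table -> (prefix_len, dev) or None."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best

def route(rules, tables, dst, fwmark=0):
    """Evaluate rules in priority order, the way the kernel's FIB rules do.
    A rule is (prio, predicate_on_fwmark, table, suppress_prefixlength)."""
    for _, matches, table, suppress in sorted(rules, key=lambda r: r[0]):
        if not matches(fwmark):
            continue
        hit = lookup(tables[table], dst)
        if hit is None or (suppress is not None and hit[0] <= suppress):
            continue                  # suppress_prefixlength: skip routes this broad
        return hit[1]
    return None

# A: one table shared by plaintext and encrypted packets (agwa's problem).
SHARED = {"main": [("0.0.0.0/0", "wg0"), (ENDPOINT + "/32", "eth0")] + INJECTED}
RULES_SHARED = [(100, lambda m: True, "main", None)]

# B: plaintext -> dedicated VPN table; only WireGuard-marked packets see main.
SPLIT = {"vpn": [("0.0.0.0/0", "wg0")],
         "main": [("0.0.0.0/0", "eth0")] + INJECTED}
RULES_SPLIT = [(100, lambda m: m != WG_MARK, "vpn", None),
               (200, lambda m: m == WG_MARK, "main", None)]

# C: like B, but with a "lookup main suppress_prefixlength 0" rule in front so
# LAN routes keep working: the injected /1 routes are narrower than /0 and win.
RULES_LEAKY = [(50, lambda m: True, "main", 0)] + RULES_SPLIT

if __name__ == "__main__":
    print("shared, plaintext to 8.8.8.8 ->", route(RULES_SHARED, SHARED, "8.8.8.8"))
    print("split, plaintext to 8.8.8.8  ->", route(RULES_SPLIT, SPLIT, "8.8.8.8"))
    print("split, encrypted to endpoint ->", route(RULES_SPLIT, SPLIT, ENDPOINT, WG_MARK))
    print("leaky, plaintext to 8.8.8.8  ->", route(RULES_LEAKY, SPLIT, "8.8.8.8"))
```

Only scenario B keeps plaintext on wg0 no matter what the DHCP server injects, because unmarked packets never consult the table the physical network writes to.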