GNOME Bugzilla – Bug 749376
[RFE] protect high-priority routes (VPN) from being overwritten/hijacked from DHCP/SLAAC
Last modified: 2020-11-12 14:32:58 UTC
When you connect to a VPN it would be great to have an option to protect the routes that go over VPN so that they cannot be overwritten.

For example: your VPN adds 192.168.5.0/24 via tun0. An attacker on the local network could send you via DHCP/SLAAC a more specific route to hijack that traffic.

We already have NMRouteManager. When activating a high-priority interface (e.g. VPN), route-manager should forbid accepting more specific routes. The actual details are complicated, let's find them out along the way.

See also https://bugzilla.gnome.org/show_bug.cgi?id=748442
Some people also have problems running a VPN service that disables the VPN when it notices route hijacking.

https://mail.gnome.org/archives/networkmanager-list/2015-June/msg00018.html
https://mail.gnome.org/archives/networkmanager-list/2015-May/msg00016.html

Preferably, this feature of protecting routes should be designed in a way so that the user can also protect certain routes not to interfere with that external VPN service.
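The check requested in the two comments above, sketched as an added example (not NetworkManager code and not part of the original report): given a routing table, it flags routes on non-VPN interfaces that would win over a protected prefix under longest-prefix match, including user-supplied prefixes for an external VPN service. The function name, the tuple layout and every sample route except 192.168.5.0/24 via tun0 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample table: (destination, interface, source).
# Only 192.168.5.0/24 via tun0 comes from the report; the rest is made up.
SAMPLE_ROUTES = [
    ("192.168.5.0/24", "tun0", "vpn"),
    ("fd00:5::/64", "tun0", "vpn"),
    ("0.0.0.0/0", "eth0", "dhcp"),          # less specific: harmless
    ("192.168.1.0/24", "eth0", "kernel"),   # unrelated LAN prefix
    ("192.168.5.128/25", "eth0", "dhcp"),   # carves half of the VPN subnet
    ("192.168.5.7/32", "eth0", "dhcp"),     # host route inside the VPN subnet
    ("192.168.5.0/24", "eth0", "dhcp"),     # same prefix, competes on metric
    ("fd00:5::/80", "eth0", "ra"),          # SLAAC/RA-delivered, more specific
    ("10.8.3.0/24", "eth0", "dhcp"),        # inside a user-protected prefix
]


def find_shadowing_routes(routes, protected_ifaces, extra_protected=()):
    """Return (dest, iface, source, protected_prefix, kind) for each route
    outside the protected interfaces that covers part or all of a protected
    prefix with an equal or longer prefix length."""
    protected = [ipaddress.ip_network(d) for d, i, _ in routes
                 if i in protected_ifaces]
    # Prefixes the user wants guarded even though NM did not install them,
    # e.g. routes owned by an external VPN service.
    protected += [ipaddress.ip_network(p) for p in extra_protected]

    findings = []
    for dest, iface, source in routes:
        if iface in protected_ifaces:
            continue
        net = ipaddress.ip_network(dest)
        for prot in protected:
            # subnet_of() raises TypeError across IPv4/IPv6, so guard first.
            if net.version != prot.version or not net.subnet_of(prot):
                continue
            kind = "same-prefix" if net == prot else "more-specific"
            findings.append((dest, iface, source, str(prot), kind))
    return findings


if __name__ == "__main__":
    for f in find_shadowing_routes(SAMPLE_ROUTES, {"tun0"}, ["10.8.0.0/16"]):
        print("%s dev %s (%s) shadows %s [%s]" % f)
```

A route manager enforcing the policy would reject or defer the flagged routes at the point where DHCP or router-advertisement options are applied; the same comparison can also run as an audit over the live table.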
bugzilla.gnome.org is being shut down in favor of a GitLab instance. We are closing all old bug reports and feature requests in GNOME Bugzilla which have not seen updates for a long time.

If you still use NetworkManager and if you still see this bug / want this feature in a recent and supported version of NetworkManager, then please feel free to report it at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/

Thank you for creating this report and we are sorry it could not be implemented (workforce and time are unfortunately limited).