- Multiple VPN protocols (OpenVPN, WireGuard, OpenConnect) incorporated into the products of major VPN providers are susceptible to attacks that permit reconnaissance of clients connected to the VPN, remove the encryption from the VPN tunnel, or take control of connections.
- There are multiple mitigation strategies, though some are only partial.
- The most common VPNs (NordVPN, ExpressVPN, SurfShark) are protected.
Most people assume that when they connect to a virtual private network (VPN), their subsequent online activity cannot be linked to them and that their communications are private. Unfortunately, this is not guaranteed because of the way modern VPNs are designed. In fact, modern VPNs’ design makes some attacks possible.
Our recent study into one of these attacks, Port Shadow, shows that half of the top 10 most popular VPNs used today are vulnerable to having their routes intercepted by an attacker. The attacks target server software, and because of this, clients can do little — they depend on the VPN server operator to properly secure and configure their VPN server.
How does the Port Shadow Work?
A VPN comprises two pieces of software: the VPN client, which runs on your PC or mobile device, and a VPN server, to which your VPN client connects. Once your VPN client connects to the VPN server, all of the Internet communications you send from that device are encrypted by the client and then sent to the VPN server. The VPN server removes the encryption and forwards traffic to your desired destination, such as Instagram, X, Reddit, or pulse.internetsociety.com
The Port Shadow allows an attacker to redirect communications sent to VPN clients in ways that undermine the VPN client’s security. This can lead to the attacker performing reconnaissance on VPN clients via port scanning, removing the encryption of the VPN tunnel and allowing the attacker to eavesdrop on the VPN client, or acting as if they are a router between the VPN client and VPN server, even if they do not control any of the routers in the path.
On many VPN servers, a connection tracking framework module changes your IP and masks your identity. This module is invoked whenever anyone connects to the VPN server, and because the VPN server is a shared resource to all VPN clients, so is the connection tracking framework. The connection tracking framework also affects how the VPN server routes packets between VPN clients and other machines on the Internet.
We found that an attacker can change the routing decision made by the connection tracking framework and cause it to route packets to an attacker. Our 2024 paper, “Attacking Connection Tracking Frameworks as Used by Virtual Private Networks,” covers more details.
Unfortunately, we found fundamental flaws in how modern VPNs use an operating system component to facilitate this capability.
Who is Affected?
As part of our study, we tested the most common operating systems and connection-tracking frameworks that run the actual VPN software and protocols. Specifically, we tested Ubuntu Linux Server and FreeBSD and their respective connection tracking frameworks.
We found both systems vulnerable to the most severe attacks when not correctly configured.
While we found evidence that five of the ten most common VPNs may be vulnerable to the Port Shadow. Fortunately, the most common VPNs (NordVPN, ExpressVPN, Surfshark) are not vulnerable to the attacks.
We did not test the VPN providers directly due to ethical concerns, as the attacks will likely interfere with legitimate VPN clients.
Our Recommendations
We encourage VPN users to check with their VPN provider to see if they have proper mitigation practices against Port Shadow.
These practices include not using the same IP addresses for client connections and connections leaving the VPN server. VPN providers that use a “multi-hop” configuration are not vulnerable to the Port Shadow.
Other options for clients are to use:
- A self-hosted VPN and not share it with other users, although this reduces individual clients’ privacy as their traffic is the only one entering or leaving their self-hosted server.
- Different types of VPNs, such as Tor or ShadowSocks.
Benjamin Mixon-Baca is a Security Researcher and Co-founder at Breakpointing Bad. This research was conducted collaboratively between Breakpointing Bad, Citizen Lab, ASU, UNM, and the University of Michigan.