
Explaining the TunnelVision Attack Vulnerability & How to Avoid It in 2024

Sam Chapman
Last update: May 22, 2024

Quick Answer: TunnelVision Vulnerability

TunnelVision is only a problem if your VPN provider is falling down on the job. Use a well-reviewed VPN with a reliable kill switch and you’ve got nothing to worry about.

If you follow cybersecurity news, you’ve probably heard about the report that’s recently been roiling the VPN waters. Plenty of hyperbolic headlines have suggested that the TunnelVision attack vulnerability, identified by two Leviathan Security researchers, invalidates even the best VPNs and removes 100% of their ability to protect you online.

Like with any clickbait, these headlines leave out a lot of critical nuance. Researchers Lizzie Moratti and Dani Cronce were not trying to declare VPNs obsolete — their job is to raise issues that security software providers should know about. I don’t take exception to their work but rather to how it’s been covered in the media.

So, I decided to take part in setting the record straight. TunnelVision is entirely irrelevant to what 99% of you are doing with a VPN. If you use a decent VPN that regularly tests its kill switch, TunnelVision will not affect you at all.

The TunnelVision Vulnerability: What to Know

TunnelVision involves exploiting WiFi network quirks to redirect VPN traffic outside an encrypted tunnel. If an extremely determined hacker gained control of a public WiFi network or set up their own, they might be able to substitute their compromised server for the VPN server and receive data packets you meant to send to the VPN.

There are a few reasons why this is not as serious a problem as some breathless reports have claimed. First of all, since the VPN client on your device encrypts the data packets themselves, your actual data remains encrypted. Even with control of the network you’re on, a hacker still can’t see the sites you visit without being able to break symmetric encryption.

Second, a common VPN security measure known as a kill switch defeats this vulnerability. A kill switch monitors your VPN connection to make sure the network traffic is actually flowing between your device and a VPN server. If it notices a redirect like the one TunnelVision requires, the kill switch activates and shuts down your internet connection altogether.

In short, TunnelVision doesn’t mean that VPNs are now useless. It just means it’s more important than ever to pick a good one.

How Does the TunnelVision Attack Work?

I strongly recommend reading the Leviathan report in full. However, you’d be right to point out that reading long, technical documents is my job, so I’ll do my best to summarize it here. Keep in mind that this is a dramatic simplification.

If you’ve read my “What Is A VPN?” article, you’ll know that a VPN reroutes your traffic through an encrypted tunnel to a VPN server before sending it to its outbound destination. The TunnelVision attack, which the Leviathan researchers managed to conduct in a lab, interferes with this process by exploiting the protocol that assigns IP addresses to online devices.

The protocol’s full name is Dynamic Host Configuration Protocol (DHCP), and it is part of all WiFi routers. When a device connects through the router, DHCP assigns it an IP address so it can interact with web servers. DHCP also includes a feature called Option 121, which alters traffic forwarding rules: it allows the DHCP server to add directions for routing data onto a participating device.

To conduct a TunnelVision exploit, the attacker controls the DHCP server and uses DHCP Option 121 to add directions that supersede the VPN’s usual routing instructions. This forces the VPN client to send data to the attacker’s server instead of a VPN server, all without the VPN client — or the targeted VPN user — noticing that anything is wrong.
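
To make the Option 121 mechanism concrete from the defender's side, here is an added example (not from the original article or the Leviathan report): Python code that decodes an Option 121 payload in the RFC 3442 classless-static-route encoding and reports which pushed routes would win longest-prefix matching over a VPN's own routes. The sample payload, the gateway addresses and the VPN route list are constructed assumptions.

```python
import ipaddress

def parse_option_121(data: bytes):
    """Decode RFC 3442 classless static routes into (network, gateway) pairs."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]                      # prefix length, 0..32
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8                 # only the significant octets are sent
        end = i + 1 + n + 4                 # length byte + destination + gateway
        if end > len(data):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # pad back to 4 octets
        net = ipaddress.IPv4Network((dest, plen), strict=False)
        gw = ipaddress.IPv4Address(data[i + 1 + n:end])
        routes.append((net, gw))
        i = end
    return routes

def routes_beating_vpn(dhcp_routes, vpn_routes):
    """Return DHCP-pushed routes that are strictly more specific than a VPN
    route covering them, so they win longest-prefix match and leave the tunnel.
    Equal-length routes are decided by metric and are not flagged here."""
    hits = []
    for net, gw in dhcp_routes:
        for v in vpn_routes:
            if net.subnet_of(v) and net.prefixlen > v.prefixlen:
                hits.append((net, gw, v))
                break
    return hits

# Constructed sample payload: 0.0.0.0/1 and 128.0.0.0/1 via 192.168.1.254,
# plus an ordinary default route (prefix length 0) via 192.168.1.1.
SAMPLE = bytes.fromhex("0100c0a801fe" "0180c0a801fe" "00c0a80101")

# Assumption: the VPN client installed a single default route into the tunnel.
VPN_ROUTES = [ipaddress.IPv4Network("0.0.0.0/0")]

if __name__ == "__main__":
    for net, gw, vpn in routes_beating_vpn(parse_option_121(SAMPLE), VPN_ROUTES):
        print(f"{net} via {gw} overrides VPN route {vpn}")
```

Routes flagged this way are the ones a kill switch or a client that ignores Option 121 needs to account for; a legitimate network can also push specific routes, so a hit means that range bypasses the tunnel, not necessarily that an attack is under way.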

How VPNs Are Responding to the TunnelVision Attack Vulnerability

I checked in with the VPN services I habitually recommend to see how seriously they’re taking TunnelVision. All the reliable services are responding by stress-testing their kill switches or racing to implement them on platforms that don’t support them yet.

They’re taking it as seriously as they should, but nobody’s hair is on fire. ExpressVPN spokesperson Lauren Hendry Parsons’ statement sums up the general attitude (which also happens to be mine):

“While we appreciate the efforts of the researchers in highlighting the need for more awareness around how traffic is routed, the importance of choosing a VPN with a reliable kill switch and the always-welcome reminder for everyone to be mindful when connecting to untrusted networks, we would urge greater care when reporting on matters of this nature.”

How to Stay Safe With Your VPN

I’ve been strongly recommending that you keep your VPN kill switch engaged at all times since long before TunnelVision. It protects against all sorts of failures, from technical problems with the VPN servers themselves to exploits like TunnelVision. Most VPNs have the kill switch enabled by default, so all you have to do is not turn it off.

That’s it! As long as you’re using a VPN that regularly tests and improves its services, you don’t need to worry about TunnelVision at all. Enjoy the same VPN protection you always do.


I’m not saying that VPN providers, the media or everyday users should ignore discoveries like TunnelVision. As ExpressVPN itself put it, it’s critical to regularly remind ourselves of how our online security works and what its limitations are. It’s all too easy to panic when something like this comes up. 

TunnelVision is the kind of exploit that the best VPNs have been dedicated to handling throughout their existence. Far from “neutering their entire purpose,” as Ars Technica put it, the incident reminds us that there are actually some VPNs we can trust. To understand why we trust ExpressVPN, read my ExpressVPN review.

If you have any other questions about TunnelVision or VPN security in general, I’d be happy to answer them in the comments. Thanks for reading!
