OpenWrt - TunnelVision Mitigation (CVE-2024-3661)
The TunnelVision vulnerability relates to how DHCP clients accept classless static routes (DHCP option 121): a DHCP server on the local network can push routes that are more specific than the VPN's default route, so traffic for those destinations bypasses the VPN tunnel.
For OpenWrt, this attack can be mitigated by setting the classlessroute interface option to 0 (zero). It might be enough to set this option on interfaces with DHCP enabled, though consider enabling the option on all interfaces, just to be on the safe side.
There is currently no LuCI graphical interface to set the option (as of OpenWrt 23.05.5, 2024-09-23), so SSH into your router to access the command line.
Check available interfaces using uci show network, then set the classlessroute option of each interface to 0, commit the changes, and reload the network:
uci set network.wan.classlessroute=0
uci set network.wan6.classlessroute=0
uci set network.lan.classlessroute=0
uci set network.ivpnAustria.classlessroute=0
uci commit
service network reload
Note: The ivpnAustria interface name is an example in the commands above. Verify the name of your VPN interface using the uci show network command and replace it in the uci set ... command above.
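To check which interfaces still lack the setting before (or after) running the commands above, the following added example (not part of the IVPN article or OpenWrt itself) parses a saved uci show network dump and prints the interfaces without classlessroute='0' together with the uci set commands that would fix them. The sample_dump content is constructed for illustration; the interface names match the ones used in this article.

```shell
#!/bin/sh
# Constructed sample of `uci show network` output (not captured from a real router).
# uci prints values in single quotes, e.g. network.lan.classlessroute='0'.
sample_dump() {
cat <<'EOF'
network.loopback=interface
network.loopback.proto='static'
network.wan=interface
network.wan.proto='dhcp'
network.wan6=interface
network.wan6.proto='dhcpv6'
network.lan=interface
network.lan.proto='static'
network.lan.classlessroute='0'
network.ivpnAustria=interface
network.ivpnAustria.proto='wireguard'
network.globals=globals
network.@device[0]=device
EOF
}

# Print every logical interface name (uci section type "interface") from a dump on stdin.
list_interfaces() {
  sed -n 's/^network\.\([A-Za-z0-9_]*\)=interface$/\1/p'
}

# Print interfaces from the dump on stdin that do not have classlessroute set to 0.
unprotected_interfaces() {
  dump=$(cat)
  printf '%s\n' "$dump" | list_interfaces | while read -r iface; do
    # -F: literal match (the dots are not wildcards); -x: whole line must match.
    if ! printf '%s\n' "$dump" | grep -qxF "network.${iface}.classlessroute='0'"; then
      printf '%s\n' "$iface"
    fi
  done
}

# Emit one `uci set` command per unprotected interface (run `uci commit` and
# `service network reload` afterwards, as in the article).
mitigation_commands() {
  unprotected_interfaces | sed 's/.*/uci set network.&.classlessroute=0/'
}

# Demo on the constructed dump; on a router use: uci show network | mitigation_commands
if [ "${1:-}" = "--demo" ]; then
  sample_dump | mitigation_commands
fi
```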