Tunnel Vision and Tunnel Crack Prevention


Last updated 8 months ago


The table below compares the two issue types, Tunnel Vision and Tunnel Crack, row by row.

Description

Tunnel Vision: Tunnel vision refers to a scenario where the VPN client fails to properly route all network traffic through the VPN tunnel. This can happen when certain applications or system services bypass the VPN connection and send traffic directly over the local network, potentially exposing sensitive data.

Tunnel Crack: Tunnel crack is a vulnerability that allows an attacker to intercept and manipulate network traffic that is not properly encrypted or authenticated within the VPN tunnel. This can lead to data leaks, man-in-the-middle attacks, or other security breaches.

Symptoms

Tunnel Vision:

  • The VPN connection becomes unresponsive

  • Applications using the VPN connection time out or fail to connect

  • Ping tests or traceroutes through the VPN tunnel fail

Tunnel Crack:

  • Using weak or outdated encryption ciphers that can be cracked

  • Improper authentication allowing unauthorized access to the VPN

  • Lack of integrity checks enabling data tampering

  • Leaking of DNS queries or IPv6 traffic outside the VPN tunnel

Solutions

Tunnel Vision:

  1. Check the VPN client logs for any error messages or indications of routing problems

  2. Verify that the VPN client's routing table is configured correctly

  3. Ensure there are no IP address or subnet conflicts between the VPN and local network

  4. Restart the VPN client or reestablish the VPN connection

Tunnel Crack:

  1. Use strong, up-to-date encryption protocols like AES and SHA-2

  2. Implement multi-factor authentication for VPN access

  3. Configure the VPN to use secure DNS resolution

  4. Ensure the VPN client properly routes all traffic, including IPv6, through the tunnel

  5. Keep VPN client and server software patched and updated

  6. Conduct regular security audits and penetration tests of the VPN infrastructure

Use Cases

Tunnel Vision: A retail company has multiple branch offices connected to the main headquarters through site-to-site VPNs. The VPN connection to one of the branch offices suddenly becomes unresponsive, impacting critical business applications.

The network team finds that the issue is caused by a misconfigured routing table on the branch office VPN router. A recent change introduced a routing loop that caused tunnel vision. By correcting the routing table and implementing proper change management procedures, the team resolves the issue and prevents future occurrences.

Tunnel Crack: A healthcare organization sets up a point-to-site VPN to enable secure access to electronic health records (EHR) for their mobile clinicians. The VPN uses the PPTP protocol, which is known to have security vulnerabilities.

An attacker manages to exploit a weakness in the PPTP encryption and captures packets transmitted over the VPN tunnel. By cracking the encryption, the attacker gains access to sensitive patient data, leading to a major data breach and HIPAA violation.

To prevent such tunnel crack issues, the healthcare organization should transition to a more secure VPN protocol with strong encryption. They should also implement proper access controls, monitor for unusual activity, and regularly update their VPN software to patch any known vulnerabilities.

Prevention on Windows

Tunnel Vision: Use the Killswitch, Prevent IP Leaks and Block Local Networks modules (see the recommendation below)

Tunnel Crack: Use the Killswitch, Prevent IP Leaks and Block Local Networks modules (see the recommendation below)

Prevention on Android (1)

Tunnel Vision: Not applicable

Tunnel Crack: Not applicable

Prevention on iOS/macOS (2)

Tunnel Vision: Use includeAllNetworks

Tunnel Crack: Use includeAllNetworks

Note:

  1. Android does not support DHCP option 121, so the issue cannot occur on the Android OS. No action is required in the Android SDK.

  2. Set the includeAllNetworks property to true in the NetworkConfiguration object. When enabled, this setting ensures that all network traffic is routed through the VPN tunnel interface, so no route can be pushed onto the physical interface around the tunnel. Example usage:

// ...

// Build the SDK network configuration; the other initializer parameters
// are omitted here and stay as in your existing setup.
let networkConfiguration = NetworkConfiguration(
    // ...
    includeAllNetworks: true   // force every packet onto the tunnel interface
    // ...
)

For more detailed information, refer to the official documentation:
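The same hardening expressed directly on Apple's NetworkExtension API, as an added example that is not Pango SDK code (the SDK's NetworkConfiguration is assumed to map onto this underlying NEVPNProtocol setting); the provider bundle identifier and server address are placeholders:

```swift
import NetworkExtension

// Added example, not part of the Pango SDK: applies "route everything through
// the tunnel" on a NETunnelProviderManager using Apple's own API, and offers a
// self-check that a loaded configuration already carries the hardened settings.
enum TunnelVisionHardening {
    static func apply(to manager: NETunnelProviderManager,
                      completion: @escaping (Error?) -> Void) {
        // Reuse the existing protocol configuration if one is loaded.
        let proto = (manager.protocolConfiguration as? NETunnelProviderProtocol)
            ?? NETunnelProviderProtocol()
        proto.providerBundleIdentifier = "com.example.app.PacketTunnel" // placeholder
        proto.serverAddress = "vpn.example.invalid"                      // placeholder

        if #available(iOS 14.0, macOS 11.0, *) {
            // With includeAllNetworks the system sends all traffic to the tunnel
            // interface; a more specific route added later (for example one
            // learned from DHCP option 121) does not divert it to the physical NIC.
            proto.includeAllNetworks = true
        }
        if #available(iOS 14.2, macOS 11.0, *) {
            // Clear this explicitly instead of relying on the platform default:
            // an attacker on the same Wi-Fi sits on the "local network" that this
            // flag would otherwise exempt from the tunnel.
            proto.excludeLocalNetworks = false
        }

        manager.protocolConfiguration = proto
        manager.localizedDescription = "Hardened tunnel"
        manager.isEnabled = true
        manager.saveToPreferences { error in
            completion(error)
        }
    }

    /// Startup self-check: true only when the stored configuration forces all
    /// traffic through the tunnel and does not exempt local networks.
    static func isHardened(_ manager: NETunnelProviderManager) -> Bool {
        guard let proto = manager.protocolConfiguration as? NETunnelProviderProtocol else {
            return false
        }
        if #available(iOS 14.2, macOS 11.0, *) {
            return proto.includeAllNetworks && !proto.excludeLocalNetworks
        }
        return false // older systems cannot express the setting at all
    }
}
```

Call apply(to:completion:) after loadFromPreferences has completed, and re-run isHardened on each launch so a downgraded configuration is noticed before the tunnel is started.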

For maximum security on untrusted networks like public Wi-Fi hotspots, we strongly recommend activating a combination of three key defense modules in your VPN software: Killswitch, Prevent IP Leaks, and Block Local Networks.
