
Unpatched iOS bug blocks VPNs from encrypting all traffic - notlukesky
https://www.bleepingcomputer.com/news/security/unpatched-ios-bug-blocks-vpns-from-encrypting-all-traffic/
======
rsync
This is why I use a "slug" when I use a VPN.

A "slug" is a layer-2 bridge, with no IP address configured, that still
enforces a TCP/IP whitelist. So it does not "use" a hop on the network route,
and you can't see the device, but as it bridges traffic it enforces a (very
simple) ruleset.

In my case, I use my own VPN hosts that transact over TCP22 ... and so my
network "slug" allows _only tcp port 22 traffic_. Everything else is blocked.

This means that no matter how badly behaved (or buggy) my VPN software is (I
use sshuttle[1]) the bad behavior is blocked by the slug.

The slug itself has almost zero attack surface as it is a BSD based system
that _has no IP address configured_ and runs no network services.

I keep meaning to write up a blog entry about this ...

[1]
[https://sshuttle.readthedocs.io/en/stable/](https://sshuttle.readthedocs.io/en/stable/)

~~~
BeefySwain
This concept is often referred to as a "VPN killswitch" as well (though that
is really a misnomer, IMO).

Popular with pirates because having torrent activity leaked to your ISP is not
great.

~~~
bitexploder
I may have a VPN box that only allows traffic to one IP via IP
tables/nftables. VPN breaks, no traffic. Simple. It’s useful for more than
just piracy though. It’s a nice way to shut down all sorts of ISP crap and
guarantee no leakage. Run the household DNS through it as well.

~~~
mjevans
This, but if your op-sec is strict enough, have unique DNS servers per
security domain; possibly just a simple local caching server that is forced to
work through the intended public face.

------
eatbitseveryday
Great, this website bans access from datacenter IP address ranges. In other
words, I cannot read this blog while connected to my VPN provider...

> Error 1005

> The owner of this website (www.bleepingcomputer.com) has banned the
> autonomous system number (ASN) your IP address is in (xxxxx) from accessing
> this website.

~~~
01CGAT
Visiting the website through WifiMask VPN (using Digital Ocean servers) works
fine.

~~~
syntheticcorp
My self-hosted DigitalOcean VPN is blocked by them, I wonder if it’s region
specific.

~~~
shirshak55
Usually VPSes are blocked because they are used by bots to scrape data etc.,
creating useless problems.

Update: By VPS I mean IPs from DigitalOcean, Linode, Vultr etc.

------
Nursie
Discovered myself that android has issues.

Start wifi tethering. Connect your VPN, assume traffic is going over it....
nope.

There is a shadow APN configured for your network provider that you can't
edit, and all tethered traffic goes over that, _not_ the VPN'd connection.

The VPN only protects traffic originating from the phone.

~~~
pvtmert
It was going through the VPN in Android 4.2 or 4.4 if I'm not mistaken.

But a variety of applications can install their cert (with ofc user permission
via dialog) and snoop traffic. At least unencrypted.

The way they do it is installing a VPN and reading stuff in-between:

[https://play.google.com/store/apps/details?id=app.greyshirts...](https://play.google.com/store/apps/details?id=app.greyshirts.sslcapture&hl=en)

~~~
Nursie
I believe that you can make a new APN entry, copying the provided settings,
without the second tethering-only APN, if you want, which gets around it too.

AFAICT the reason for this second APN is to allow providers to discriminate
between phone-originated data and tethering for charging purposes. And they
seem to have persuaded Google not to allow people to edit it :/

------
taspeotis
> While connections made after connecting to a VPN on your iOS device are not
> affected by this bug, all previously established connections will remain
> outside the [VPN]...

Is it a bypass or working by design? If you’re relying on the VPN for security
then the fact they were established before it means the horse has already
bolted.

~~~
nomel
Even if it's not by design, is it even possible to move existing connections
to another IP address?

Or is the "expected" behavior to sever all connections and let whatever
reconnect mechanism work through the VPN?

~~~
dahfizz
The expected behavior is that your OS works correctly.

If a VPN adds a 0.0.0.0/0 route, that route should be respected. Your OS
should not circumvent your routing table for some packets and not others.

~~~
neilalexander
I don't think it is a case of deliberately "circumventing" the routing table,
but rather that the operating system most likely performed source address
selection based on the routing table at connection setup. The fact that the
routing table has since changed is likely irrelevant after that depending on
how the source address is used when calculating the outbound interface. That
behaviour is different across different operating systems but this is correct
and functioning as expected for Darwin.

------
monadic2
We direly need an open source phone as a matter of personal and social
security.

~~~
jmiserez
That won't protect you from bugs. But if you're interested, check out the
Librem 5 project.

~~~
monadic2
Actually, having access to the source code does protect you from bugs. Apple
ignores all the ones I report.

~~~
pjmlp
And many open source projects would most likely ignore pull requests.

~~~
monadic2
??? you don’t need to commit software upstream to use it, audit it, or publish
obvious vulnerabilities and improvements. Right now consumers have a feudal
arrangement with Apple: accept the software at any conditions or not have land
on which to work.

------
johnklos
This isn't all that surprising because this is exactly how networking is
expected to work. If it is desired to kill all active connections, then it
should be explicitly done at the time of VPN connection.

------
zahma
I'm not sure if the temporary workaround they propose is a fix or the problem
itself. I've noticed when I turn my phone off airplane mode in the mornings, I
do not have working VPN connection -- all traffic is blocked. Perhaps this is
Wireguard and its particular configuration, or perhaps Wireguard getting a
faster start than the operating system reconnecting to my network. In any
case, the VPN appears to be blocking traffic. The only workaround I have for
that is to disconnect, which takes some time, or switch servers (faster) and
reconnect -- and then I guess I'm in the same boat of possible IP leaks.

------
angott
[https://labs.integrity.pt/articles/the-curious-case-of-apple...](https://labs.integrity.pt/articles/the-curious-case-of-apple-ios-ikev2-vpn-on-demand/)

That's a post from April 2019 showing a very similar issue with IKEv2 VPNs
leaking traffic on iOS. I wonder if the two issues are related. Back then,
Apple was made aware under responsible disclosure but apparently nothing was
done about it.

------
unixfg
I've noticed this before with DNS, too. I have internal names that always get
resolved externally despite my VPN. Hoping this all gets fixed eventually :(

------
bitwize
Maybe Apple is proactively making iOS EARN IT Act compliant?

~~~
ronsor
In case you aren't making a joke, Apple does not have to "EARN" anything as
they don't host the VPN service (excluding Apple internal VPNs intended for
employees).

------
icehawk
This has been standard Mac OS X behavior for a long time: on a machine with
multiple IP addresses, connections will use the default gateway associated
with the interface providing that address.

~~~
dahfizz
As a Linux admin, I am thoroughly confused. Are you saying that MacOS
maintains a separate routing table for each interface?

Typically, a system has only one default route. You can have many interfaces
and many routes, but only one default. Otherwise you don't know which default
gateway to send a packet to.

~~~
djrogers
The GP is wrong, and your understanding is correct - there is one routing
table.

~~~
icehawk
There is one routing table but it can have multiple default gateways:

    fenrir:~ $ uname -a
    Darwin fenrir 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64 x86_64

    fenrir:~ $ netstat -rn |head
    Routing tables

    Internet:
    Destination        Gateway            Flags        Refs      Use   Netif Expire
    default            172.16.22.254      UGSc           85      732     en0
    default            192.168.88.1       UGScI           2       49     en2
    127                127.0.0.1          UCS             0        0     lo0
    127.0.0.1          127.0.0.1          UH              1     3806     lo0
    169.254            link#6             UCS             2        0     en0      !
    169.254            link#8             UCSI            0        0     en2      !

If you bind to a specific interface it will use that default gateway:

    fenrir:~ $ traceroute -ni en0 google.com
    traceroute to google.com (216.58.194.142), 64 hops max, 52 byte packets
     1  172.16.22.254  0.565 ms  0.340 ms  0.300 ms
     2  172.16.25.60  0.893 ms  0.727 ms  0.721 ms
     3  172.16.25.0  0.954 ms  0.819 ms  0.815 ms
     4  108.218.244.1  7.422 ms  1.908 ms  3.617 ms
     5  *^C
    fenrir:~ $ traceroute -ni en2 google.com
    traceroute to google.com (216.58.194.142), 64 hops max, 52 byte packets
     1  192.168.88.1  12.399 ms  3.768 ms  0.811 ms
     2  192.168.80.1  1.950 ms  8.322 ms  1.702 ms
     3  172.26.96.161  30.448 ms  393.449 ms  46.537 ms
     4  107.72.199.60  182.826 ms
        107.72.199.36  34.835 ms
        107.72.199.60  50.557 ms
     5  12.83.186.101  52.178 ms  32.536 ms  33.431 ms
     6  12.83.186.85  38.516 ms  51.138 ms  61.687 ms
     7  12.122.5.190  48.626 ms  251.733 ms  38.487 ms
     8  12.122.2.197  58.184 ms  82.183 ms^C


You can also do this by IP address:

    fenrir:~ $ traceroute -ns 192.168.88.243 google.com
    traceroute to google.com (216.58.194.142) from 192.168.88.243, 64 hops max, 52 byte packets
     1  192.168.88.1  4.658 ms  10.498 ms  3.633 ms
     2  192.168.80.1  4.264 ms  58.660 ms  7.153 ms
     3  172.26.96.161  105.557 ms  41.207 ms  32.243 ms
     4  107.72.199.60  66.562 ms

Which interface is used when IP address / interface is not specified is
selected by the Service Order setting in the Network control panel.
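As an added illustration (not from any commenter, and a constructed model rather than the real XNU code), here is the source-scoped lookup neilalexander describes, run against the two default routes in icehawk's table: a connection picks its source address from the table at connect time, and later lookups for that connection only consider routes on the interface owning that address, so a VPN default route added afterwards is never chosen for it. The interface addresses, the `utun1` VPN route, the destination and the `leaking` helper are assumptions; table position stands in for the Service Order (the earliest matching default wins).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]  # None means directly connected
    netif: str


@dataclass(frozen=True)
class Connection:
    dst: str
    src: str  # chosen once at connect() time and never revisited


# Constructed from the netstat output above: one default route per interface.
BASE_TABLE = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "172.16.22.254", "en0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.88.1", "en2"),
    Route(ipaddress.ip_network("172.16.22.0/24"), None, "en0"),
    Route(ipaddress.ip_network("192.168.88.0/24"), None, "en2"),
]
# Assumed interface addresses; en2 matches the -s address used above.
IFACE_ADDR = {"en0": "172.16.22.10", "en2": "192.168.88.243", "utun1": "10.8.0.2"}


def lookup(table: List[Route], dst: str, src: Optional[str] = None) -> Route:
    """Longest-prefix match. With a source address, only routes whose
    interface owns that address are eligible (the Darwin behaviour)."""
    addr = ipaddress.ip_address(dst)
    cands = [r for r in table if addr in r.prefix]
    if src is not None:
        cands = [r for r in cands if IFACE_ADDR[r.netif] == src]
    if not cands:
        raise LookupError(f"no route to {dst} from {src}")
    return max(cands, key=lambda r: r.prefix.prefixlen)  # first max wins ties


def connect(table: List[Route], dst: str) -> Connection:
    return Connection(dst, IFACE_ADDR[lookup(table, dst).netif])


def egress(table: List[Route], conn: Connection) -> str:
    """Interface a packet of an already-established connection leaves on."""
    return lookup(table, conn.dst, src=conn.src).netif


def vpn_up(table: List[Route]) -> List[Route]:
    """Constructed VPN: a new default route on utun1, placed first so it wins."""
    return [Route(ipaddress.ip_network("0.0.0.0/0"), "10.8.0.1", "utun1")] + table


def leaking(table: List[Route], conns: List[Connection], vpn_if: str = "utun1") -> List[Connection]:
    """Connections a killswitch or a reset at VPN-up time would have to break."""
    return [c for c in conns if egress(table, c) != vpn_if]


def demo():
    old = connect(BASE_TABLE, "216.58.194.142")  # established before the VPN
    table = vpn_up(BASE_TABLE)
    new = connect(table, "216.58.194.142")  # established after the VPN
    return egress(table, old), egress(table, new)  # ("en0", "utun1")
```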

~~~
lathiat
You can actually do this on Linux pretty easily but it's not the default; it's
sometimes called "source routing".

Easy to setup with netplan and systemd-networkd, a little more complex to do
manually.

------
mrunkel
So, for the folks that consider this a security issue.

Do you really want the OS to break all your existing connections when you
start the VPN?

Do you think this is what most people expect to happen?

I would say that the great majority of VPN users use the VPN to gain access to
services behind a firewall, not to disguise their location from the world.

I would guess they'd be pretty annoyed to have a file transfer interrupted
that has nothing to do with the resources behind the VPN.

Seems bizarre to call this a "bug".

~~~
ajconway
> Do you really want the OS to break all your existing connections when you
> start the VPN?

Yes, just like when I connect to WiFi while having LTE enabled and active.

~~~
Already__Taken
I have unlimited data, I'd very much rather the device use everything
seamlessly

~~~
ajconway
Multipath TCP or QUIC will provide us all with a seamless experience, if they
ever gain adoption.

