github.com/sagernet/sing-box@v1.9.0-rc.20/docs/manual/misc/tunnelvision.md

github.com/sagernet/sing-box@v1.9.0-rc.20/docs/manual/misc/tunnelvision.md (about)

     1  ---
     2  icon: material/book-lock-open
     3  ---
     4  
     5  # TunnelVision
     6  
     7  TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
     8  so that traffic does not go through the VPN.
     9  
    10  Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
    11  
    12  ## Status
    13  
    14  ### Android
    15  
    16  Android does not handle DHCP option 121 and is not affected.
    17  
    18  ### Apple platforms
    19  
    20  Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
    21  then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
    22  
    23  Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
    24  and the `system` and `mixed` stacks are not available.
    25  
    26  ### Linux
    27  
    28  Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
    29  
    30  ### Windows
    31  
    32  No solution yet.
    33  
    34  ## Workarounds
    35  
    36  * Don't connect to untrusted networks
    37  * Relay untrusted network through another device
    38  * Just ignore it