Security Advisory

Statement regarding TunnelCrack vulnerabilities


TunnelCrack is the name for a set of 2 vulnerabilities in VPN clients called LocalNet and ServerIP. In simple terms these allow in certain circumstances for traffic that is intended to go through the VPN tunnel to go outside of it. For this attack to be successful the attacker does need to have some control over your local network's IP addressing and/or DNS servers/records. The way Android implements VPN networking, that particular operating system is not vulnerable to these specific attacks. But other operating systems are.

This affects not only OpenVPN, but other VPN protocols and VPN clients as well, as it is an inherent property of how routing works.

More details are available in this wiki article published by the OpenVPN community, and the linked security report:


OpenVPN does support the block-local flag to the --redirect-gateway and --redirect-private options to mitigate the problem by routing the local network IPs into the VPN tunnel. In its current implementation it is however not completely effective in protecting against all possible LocalNet attacks.

We are therefore working together with the OpenVPN community to create solutions on the various operating systems and clients. By necessity these will be different solutions per operating system. In future releases of OpenVPN community edition and OpenVPN Connect these solutions will be introduced to address TunnelCrack.