From 92b399f5a77544089863716a45b4e872472aaf69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=96=E7=95=8C?=
Date: Tue, 7 May 2024 21:44:31 +0800
Subject: [PATCH] documentation: Add manuel for mitigating tunnelvision attacks

---
 docs/manual/misc/tunnelvision.md | 38 ++++++
 docs/manual/proxy-protocol/tuic.md | 208 -----------------------------
 mkdocs.yml | 3 +-
 3 files changed, 40 insertions(+), 209 deletions(-)
 create mode 100644 docs/manual/misc/tunnelvision.md
 delete mode 100644 docs/manual/proxy-protocol/tuic.md

diff --git a/docs/manual/misc/tunnelvision.md b/docs/manual/misc/tunnelvision.md
new file mode 100644
index 00000000..0d6caf76
--- /dev/null
+++ b/docs/manual/misc/tunnelvision.md
@@ -0,0 +1,38 @@
+---
+icon: material/book-lock-open
+---
+
+# TunnelVision
+
+TunnelVision is an attack that uses DHCP option 121 to set higher priority routes
+so that traffic does not go through the VPN.
+
+Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3661
+
+## Status
+
+### Android
+
+Android does not handle DHCP option 121 and is not affected.
+
+### Apple platforms
+
+Update [sing-box graphical client](/clients/apple/#download) to `1.9.0-rc.16` or newer,
+then enable `includeAllNetworks` in `Settings` — `Packet Tunnel` and you will be unaffected.
+
+Note: when `includeAllNetworks` is enabled, the default TUN stack is changed to `gvisor`,
+and the `system` and `mixed` stacks are not available.
+
+### Linux
+
+Update sing-box to `1.9.0-rc.16` or newer, rules generated by `auto-route` are unaffected.
+
+### Windows
+
+No solution yet.
+
+## Workarounds
+
+* Don't connect to untrusted networks
+* Relay untrusted network through another device
+* Just ignore it
diff --git a/docs/manual/proxy-protocol/tuic.md b/docs/manual/proxy-protocol/tuic.md
deleted file mode 100644
index a2e01d88..00000000
--- a/docs/manual/proxy-protocol/tuic.md
+++ /dev/null
@@ -1,208 +0,0 @@
----
-icon: material/alpha-t-box
----
-
-# TUIC
-
-A recently popular Chinese-made simple protocol based on QUIC, the selling point is the BBR congestion control algorithm.
-
-!!! warning
-
- Even though GFW rarely blocks UDP-based proxies, such protocols actually have far more characteristics than TCP based proxies.
-
-| Specification | Binary Characteristics | Active Detect Hiddenness |
-|-----------------------------------------------------------|------------------------|--------------------------|
-| [GitHub](https://github.com/EAimTY/tuic/blob/dev/SPEC.md) | :material-alert: | :material-check: |
-
-## Password Generator
-
-| Generated UUID | Generated Password | Action |
-|------------------------|----------------------------|-----------------------------------------------------------------|
-| | | | - - - ## :material-server: Server Example
-
-=== ":material-harddisk: With local certificate"
-
- ```json
- {
- "inbounds": [
- {
- "type": "tuic",
- "listen": "::",
- "listen_port": 8080,
- "users": [
- {
- "name": "sekai",
- "uuid": "",
- "password": ""
- }
- ],
- "congestion_control": "bbr",
- "tls": {
- "enabled": true,
- "server_name": "example.org",
- "key_path": "/path/to/key.pem",
- "certificate_path": "/path/to/certificate.pem"
- }
- }
- ]
- }
- ```
-
-=== ":material-auto-fix: With ACME"
-
- ```json
- {
- "inbounds": [
- {
- "type": "tuic",
- "listen": "::",
- "listen_port": 8080,
- "users": [
- {
- "name": "sekai",
- "uuid": "",
- "password": ""
- }
- ],
- "congestion_control": "bbr",
- "tls": {
- "enabled": true,
- "server_name": "example.org",
- "acme": {
- "domain": "example.org",
- "email": "admin@example.org"
- }
- }
- }
- ]
- }
- ```
-
-=== ":material-cloud: With ACME and Cloudflare API"
-
- ```json
- {
- "inbounds": [
- {
- "type": "tuic",
- "listen": "::",
- "listen_port": 8080,
- "users": [
- {
- "name": "sekai",
- "uuid": "",
- "password": ""
- }
- ],
- "congestion_control": "bbr",
- "tls": {
- "enabled": true,
-
"server_name": "example.org", - "acme": { - "domain": "example.org", - "email": "admin@example.org", - "dns01_challenge": { - "provider": "cloudflare", - "api_token": "my_token" - } - } - } - } - ] - } - ``` - -## :material-cellphone-link: Client Example - -=== ":material-web-check: With valid certificate" - - ```json - { - "outbounds": [ - { - "type": "tuic", - "server": "127.0.0.1", - "server_port": 8080, - "uuid": "", - "password": "", - "congestion_control": "bbr", - "tls": { - "enabled": true, - "server_name": "example.org" - } - } - ] - } - ``` - -=== ":material-check: With self-sign certificate" - - !!! info "Tip" - - Use `sing-box merge` command to merge configuration and certificate into one file. - - ```json - { - "outbounds": [ - { - "type": "tuic", - "server": "127.0.0.1", - "server_port": 8080, - "uuid": "", - "password": "", - "congestion_control": "bbr", - "tls": { - "enabled": true, - "server_name": "example.org", - "certificate_path": "/path/to/certificate.pem" - } - } - ] - } - ``` - -=== ":material-alert: Ignore certificate verification" - - ```json - { - "outbounds": [ - { - "type": "tuic", - "server": "127.0.0.1", - "server_port": 8080, - "uuid": "", - "password": "", - "congestion_control": "bbr", - "tls": { - "enabled": true, - "server_name": "example.org", - "insecure": true - } - } - ] - } - ``` - diff --git a/mkdocs.yml b/mkdocs.yml index 877d73c4..d5218f4d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -66,8 +66,9 @@ nav: - Proxy Protocol: - Shadowsocks: manual/proxy-protocol/shadowsocks.md - Trojan: manual/proxy-protocol/trojan.md - - TUIC: manual/proxy-protocol/tuic.md - Hysteria 2: manual/proxy-protocol/hysteria2.md + - Misc: + - TunnelVision: manual/misc/tunnelvision.md - Configuration: - configuration/index.md - Log: