English

Client-side Vulnerabilities in Commercial VPNs

Cryptography and Security 2019-12-11 v1

Abstract

Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client's traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client's real IP address from online services, and they also shield the user's connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user's username and password. We suggest ways to mitigate each of the discovered vulnerabilities.

Cite

@article{arxiv.1912.04669,
  title  = {Client-side Vulnerabilities in Commercial VPNs},
  author = {Thanh Bui and Siddharth Prakash Rao and Markku Antikainen and Tuomas Aura},
  journal= {arXiv preprint arXiv:1912.04669},
  year   = {2019}
}

Comments

A refined version of this draft, with the same title, has been published in the 24th Nordic Conference on Secure IT Systems (NordSec 19). It is accessible here: https://link.springer.com/chapter/10.1007/978-3-030-35055-0_7

R2 v1 2026-06-23T12:41:22.416Z