Security Issues with Static Routes and VPN.

I'm working on an app that implements a custom VPN with NEPacketTunnelProvider. The app is used to connect to industrial facilities, so security is an important issue.

During an audit it was mentioned that while connected to the VPN, a user could create a static route (in the Terminal) and deviate traffic for a specific IP (inside the VPN's target network) to another interface outside the VPN.

I need a way to solve this issue. I can think of:

  1. Checking the routing tables before starting the VPN for a route that has one of my known IPs. If I find one, alert the user.
  2. Forcing all the traffic through the VPN. By default I was seeing this behavior, but apparently manually created routes take precedence.
  3. In macOS versions previous to Big Sur there was an option to set the network service order, but now apparently it doesn't apply to VPN interfaces. I was thinking of somehow forcing the VPN to be on top of all other interfaces.

I have done some research about how to do the first solution, but it would need to call sysctl() and inet_ntop(), which need to be executed as root, and I guess they are not App Store friendly.

I don't know how to implement the other two solutions in code, especially in a way that is compatible with iOS/iPadOS and macOS and App Store friendly.

I would appreciate any help, comments and suggestions on how to solve this issue. Thanks.

Answered by Systems Engineer in 677375022

During an audit it was mentioned that while connected to the VPN, a user could create a static route

Adding a route on macOS to the routing table requires admin access to do so. If you are allowing users to run commands from the Terminal that require sudo then you cannot stop them from doing this.

Having said that, if you are allowing this, then yes, you will have to do a few things around (1) to further validate your traffic. For example, I suspect you are already parsing your IP packets into something usable for tunnel transport. In doing so you could check the source address on the header of this packet, and then you could also check your actual network connection that runs your tunnel to make sure it is bound to the correct interface as well. Both of these checks may be redundant though if you have already validated the route your tunnel is claiming before it starts up.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
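The source-address check the answer describes, as an added example written in Python rather than the app's Swift (it is not code from this thread or from Apple): it parses the IPv4 header of a packet read from the tunnel and rejects anything whose source is not the address the tunnel assigned; the destination check against the VPN's target network is an extra step beyond what the answer suggests. The client address, target network and sample packets are constructed placeholders.

```python
import ipaddress
import struct

# Constructed assumptions: the address the tunnel assigned to this client and
# the remote networks the VPN is supposed to carry.
TUNNEL_CLIENT = ipaddress.ip_address("10.8.0.2")
TARGET_NETWORKS = [ipaddress.ip_network("192.168.100.0/24")]


def parse_ipv4_header(packet: bytes):
    """Return (src, dst, header_len) for an IPv4 packet, or None if malformed."""
    if len(packet) < 20:
        return None
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        return None
    ihl = (version_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len < ihl or total_len > len(packet):
        return None
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    return src, dst, ihl


def check_tunnel_packet(packet: bytes) -> str:
    """Classify a packet leaving the tunnel: ok, bad-source, bad-destination or malformed."""
    parsed = parse_ipv4_header(packet)
    if parsed is None:
        return "malformed"
    src, dst, _ = parsed
    # The source must be the address the tunnel handed out; anything else did
    # not originate from the interface the VPN configured.
    if src != TUNNEL_CLIENT:
        return "bad-source"
    # Extra step: the destination must lie inside the networks the VPN serves.
    if not any(dst in net for net in TARGET_NETWORKS):
        return "bad-destination"
    return "ok"


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 header (no options, zero checksum) for the constructed samples."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


# Constructed samples: one legitimate packet and one whose source is a LAN address.
GOOD = build_ipv4("10.8.0.2", "192.168.100.10", b"\x00" * 8)
SPOOFED = build_ipv4("192.168.1.5", "192.168.100.10", b"\x00" * 8)
```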