Protecting Against TunnelVision

TunnelVision is an attack in which someone on your local network uses a rogue DHCP server to trick your device into sending traffic outside the encrypted VPN tunnel. Your VPN appears to stay connected, but the attacker can see which websites you’re visiting and any unencrypted traffic.

This isn’t a flaw in any specific VPN protocol. It affects all VPN software.

Obscura’s Strict Leak Prevention uses Apple’s includeAllNetworks network property to force all traffic through the VPN tunnel at the OS level, which prevents the TunnelVision attack. Even if a malicious DHCP server tries to reroute your traffic, the OS will block it.

To enable it:

  1. Open the Obscura app

  2. Navigate to the Settings tab

  3. Enable Strict Leak Prevention

We recommend enabling Strict Leak Prevention when you’re on a shared or untrusted network (coffee shops, airports, hotels, coworking spaces, or any public Wi-Fi). On your home network, where you control who can connect, the risk of a TunnelVision attack is much lower.
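
On the device, the rerouting described at the top of this page appears as a route that is more specific than the VPN's default route and points at a non-tunnel interface. The following Python script is an added example, not Obscura's code: it applies longest-prefix matching to a constructed routing table and lists the routes that pull traffic off the tunnel. The interface names (utun4, en0), all addresses, and the function names are assumptions.

```python
import ipaddress

# Constructed routing table as (destination prefix, interface); not from a real host.
# Assumed names: utun4 is the VPN tunnel, en0 is the Wi-Fi interface.
CLEAN = [
    ("0.0.0.0/0", "utun4"),       # VPN default route
    ("192.168.1.0/24", "en0"),    # on-link LAN subnet
    ("203.0.113.10/32", "en0"),   # VPN server endpoint, must stay outside the tunnel
]
# The same table after a DHCP lease installed one extra static route.
TAMPERED = CLEAN + [("198.51.100.0/24", "en0")]

# Routes that are expected to leave via the physical interface.
ALLOWED = ["192.168.1.0/24", "203.0.113.10/32"]


def egress_interface(routes, dest):
    """Interface chosen by longest-prefix match, the rule a routing table applies."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def routes_bypassing_tunnel(routes, tunnel_if, allowed):
    """Non-tunnel routes that outrank the tunnel's default and are not expected."""
    allowed_nets = [ipaddress.ip_network(a) for a in allowed]
    flagged = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if iface == tunnel_if or net.prefixlen == 0:
            continue  # tunnel routes and plain default routes do not outrank the VPN
        if any(net.subnet_of(a) for a in allowed_nets):
            continue  # LAN subnet or VPN endpoint
        flagged.append((prefix, iface))
    return flagged


if __name__ == "__main__":
    for name, table in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, "198.51.100.7 ->", egress_interface(table, "198.51.100.7"),
              "| flagged:", routes_bypassing_tunnel(table, "utun4", ALLOWED))
```

A flagged route is a prompt for review rather than proof of an attack, since some networks legitimately hand out static routes over DHCP.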