Not This Exit: Analyzing the Impact of VPN Exit IPs on Network Alchemy

Virtual Private Networks (VPNs) are used in a wide range of applications, rangingfrom commercial applications like accessing resources remotely to security and pri- vacy for targeted users like journalists, Non-governmental organizations (NGOs), etc. However, VPNs were not inherently designed with security in mind. The interaction between the kernel processes and the connection tracking framework is uncoordi- nated. This leaves VPNs vulnerable to certain attacks due to their implementation. This work explores the extent to which these attacks are possible on certain imple- mentations of VPN servers which have a separate exit IP and entry IP on the VPN server. Further, this work also formally models the VPN connection tracking behavior between servers and clients. The formal models enables a deeper analysis to identify exactly at what point of the VPN process the vulnerabilities are introduced and if the instances of VPN which have separate entry and exit IPs are still vulnerable to the same attacks. Through simulations done in a virtual lab environment and testing on formal models, it is observed that having a separate exit and entry IP leaves may affect the practicality of certain attacks.