Correct! I have done this on managed switches decades ago. But I wonder if there are some similar solutions on nix-based systems? Something like this:
kind of: https://forum.archive.openwrt.org/viewtopic.php?id=44031
and how? so I need the package isc-dhcp-client-ipv4 and then what?
" > One of dhclient(8)'s more interesting features is its ability to reject bad DHCP servers. For example, some networks allow just about anyone to hook just about anything to them. If youâve ever gone to a security conference, youâve probably seen someone throw up a rogue DHCP server as a prank. If your system receives a lease from one of these servers, your connection may not work or you may be funneling all of your traffic through a packet sniffer. Nifty, no?
Ideally, you can just ask the network administrator for the correct IP address of the DHCP server. If you canât get that information, examine the leases you have received in /var/db/dhclient.leases. This file lists all the leases your system has ever received, including the bad one. Identifying a bad DHCP server is a matter of trial and error. Get the IP address of each DHCP server and then reject each server one at a time until you get a working configuration. To reject a DHCP server and refuse any further offers from it, list its IP with the ârejectâ keyword.
reject 192.168.1.84;"
That doesn't help anything. We need a config flag to reject specific DHCP types, reject 121 for example. But OpenWRT uses udhcpc? Does it have some config file?
"As far as I understand, OpenWRT uses a program called 'udhcpc' in order to obtain an IP address on the WAN.
When it starts the DHCP protocol, it broadcasts DHCPDISCOVER 'to every computer available' on the WAN, right?
For some reason, on my WAN two servers respond. One of them is good, and another is bad
(could even be a man in the middle)."
So maybe udhcpc is also that limited, that it doesn't support the 121 config by luck, so OpenWRT is not compromised?
Me too. And the ICS systems are covered by TSA security guidelines (ONG), NERC CIP standards (utilities), and others. Using a VPN from a coffee shop to access devices in Layers 0-2 of the Purdue model is laughably inexcusable. Actually, I will backtrack that: any devices covered by anything EXCEPT the business network, not just layers 0-2.
Plus, again, the traffic will never get to the VPN connected assets, again, because they cannot be accessed by the attacking hosts network. They are only going to be accessible via the VPN connected network. There is so much wrong with your example here.
I think I found an answer to what I asked myself and also as I see it, the solution to block this on OpenWRT:
Workaround:
Put 'option classlessroute 0' in section wan /etc/config/network
OR
Comment out line 39 in /lib/netifd/dhcp.script: '#[ -n "$staticroutes" ] && set_classless_routes $staticroutes'
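To make the effect of that workaround concrete, here is an added example (not code from this thread, GL.iNet or OpenWrt). udhcpc hands DHCP option 121 to /lib/netifd/dhcp.script as `$staticroutes`, a flat list of "dest/prefixlen gateway" pairs that the script's set_classless_routes walks two words at a time (the format is assumed from that script's handling). The script below walks the same list for a constructed rogue lease and reports, per destination, whether a pushed route (more specific than the tunnel's 0.0.0.0/0) or the VPN wins. Route metrics are ignored; it is a simplified model of the routing table, enough to show why an empty `$staticroutes` (classlessroute 0) keeps everything in the tunnel.

```shell
#!/bin/sh
# Added example, not code from this thread, GL.iNet or OpenWrt.
# Walks the "dest/prefixlen gateway" pairs udhcpc exports as $staticroutes
# (format assumed from dhcp.script's set_classless_routes) and answers, for
# a destination, which gateway a longest-prefix match picks: a DHCP-pushed
# route or the VPN's 0.0.0.0/0. Metrics are ignored (simplified model).

# Constructed rogue lease: two /1 routes cover all of IPv4, plus one /24.
ROGUE_STATICROUTES="0.0.0.0/1 192.168.1.1 128.0.0.0/1 192.168.1.1 203.0.113.0/24 192.168.1.254"

# dotted quad -> 32-bit integer
ip2int() {
    a=${1%%.*}; r=${1#*.}
    b=${r%%.*}; r=${r#*.}
    c=${r%%.*}; d=${r#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# prefix length -> 32-bit netmask as an integer
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# egress DST ROUTE... : longest-prefix match of DST against the pushed
# routes; prints the winning gateway, or "vpn" when the tunnel's /0 wins.
egress() {
    dst=$(ip2int "$1"); shift
    best_len=0; best_gw=vpn
    while [ -n "$1" ] && [ -n "$2" ]; do
        net=${1%%/*}; len=${1##*/}; gw=$2
        shift 2
        mask=$(prefix2mask "$len")
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] \
           && [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_gw=$gw
        fi
    done
    echo "$best_gw"
}

# Unquoted expansion on purpose: dhcp.script calls set_classless_routes
# $staticroutes the same way, so each pair becomes two positional args.
# With classlessroute 0 the variable is empty and nothing bypasses the tunnel.
for d in 10.8.0.9 203.0.113.5 8.8.8.8; do
    echo "classlessroute on:  $d -> $(egress "$d" $ROGUE_STATICROUTES)"
    echo "classlessroute off: $d -> $(egress "$d" "")"
done
```

With the rogue lease every destination resolves to one of the two LAN gateways, so the VPN never sees the packets; with `$staticroutes` empty all three stay on "vpn". On a real box the same check is `ip route` after the lease comes in: any route other than the tunnel's own entries that names the upstream gateway was pushed by option 121.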
I found this:
https://openwrt.org/docs/guide-user/network/ipv4/configuration
classlessroute (boolean, required: no, default: 1): Whether to request the 'classless route' option (DHCP option 121); available since LEDE r2001
As I see it, it should be default true though with no option set?
It does accept option 121. Have a look at my Spitz's udhcpc process:
# ps | grep udhcp
12014 root 1232 S udhcpc -p /var/run/udhcpc-rmnet_mhi0.pid -s /lib/netifd/dhcp.script -f -t 0 -i rmnet_mhi0 -x hostname:microwave -C -R -O 121
It's too late here…
Test it and let us know tomorrow whether it works.
I can't test it. I am confused that it seems to be ignored even with no option for it; the above wiki says default is on if you don't deactivate it with option classlessroute 0.
Hi, I am at risk because of my work as a journalist and would like to know if my setup is safe.
I use an iPhone without a SIM card (only on Wi-Fi) that exclusively connects to a Mudi E750 with Mullvad VPN running, connected by cellular network. My iPhone only has Signal to communicate and the DuckDuckGo app to browse installed. The iPhone is in lockdown mode.
I am worried and would appreciate it if someone can tell me if I'm at risk.
As long as you only connect to your router, all should be fine. Just make sure nobody else is connecting to your Mudi.
can't say it better
This is the one million question! How can you make sure? Security hardening, right? But let's assume an attacker exploited a vulnerability or cracked your Wi-Fi password to connect to your network; you're ruined? What we need to make sure is that even if an attacker is on the same LAN, a VPN user's traffic is still secure. This is called the worst-case scenario!
If someone hacks you, your device or network, you are fuck'd.
So… eh… that's normal I guess?
Not really! If a machine is hardened well enough even if you get a foothold into the network, you canât hack the machine or tamper with it.
There is a discussion already.
Anyway, it does not affect the VPN policies, where all the client devices go to the VPN only.
Thanks for sharing it. But I think we are discussing a different vulnerability/technique, which involves DHCP and MITM attacks to leak VPN traffic in clear text.
It's safe for LAN clients of the router, as long as the option 'Allow Access WAN' is off.
Leaking VPN traffic in clear text requires both the route table and the firewall permitting it. The latter is controlled by that option.
Consider installing blue-merle,
because if you are a journalist you can probably be traced by IMEI and MAC.
I would not trust them because of some scandals.
What if the attacker is on the LAN itself?! He still can perform this attack.
We could 'what if' this to death, and nearly have, I think.
Like I already said, you should add option classlessroute 0 to /etc/config/network for all DHCP devices. GL.iNet should also add this as a default setting or give an option for this in the web GUI. I don't know how to set this option for the WLAN repeater though; which of the devices in the network file are for it? I don't see any device for the Wi-Fi repeater which uses DHCP.
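Since the wiki's default for classlessroute is 1, an interface is exposed precisely when its section has `option proto 'dhcp'` and no `option classlessroute '0'`. The following added example (not code from this thread, GL.iNet or OpenWrt) audits a /etc/config/network for such sections; the embedded sample config and its interface names (lan, wan, wwan) are constructed so the script runs offline, and on a router you would pass the real file instead.

```shell
#!/bin/sh
# Added example, not code from this thread, GL.iNet or OpenWrt.
# Lists "config interface" sections of an OpenWrt /etc/config/network that
# are DHCP clients (option proto 'dhcp') and still request DHCP option 121,
# i.e. have no "option classlessroute '0'" (the documented default is 1).
# Usage: audit_classlessroute /etc/config/network

audit_classlessroute() {
    awk '
    function flush() {
        if (name != "" && proto == "dhcp" && classless != "0") print name
    }
    function unquote(s) { gsub(/['"'"'"]/, "", s); return s }
    # any new section ends the previous one; only interface sections are tracked
    /^config[ \t]/ {
        flush(); name = ""; proto = ""; classless = ""
        if ($2 == "interface") name = unquote($3)
    }
    /^[ \t]*option[ \t]+proto[ \t]/          { proto = unquote($3) }
    /^[ \t]*option[ \t]+classlessroute[ \t]/ { classless = unquote($3) }
    END { flush() }
    ' "$1"
}

# Constructed sample config (interface names are illustrative): lan is
# static, wan already carries the workaround, wwan is a DHCP client without it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
config interface 'lan'
    option proto 'static'
    option ipaddr '192.168.8.1'

config interface 'wan'
    option proto 'dhcp'
    option classlessroute '0'

config interface 'wwan'
    option proto 'dhcp'
EOF

echo "interfaces still accepting option 121:"
audit_classlessroute "$SAMPLE"
```

For each interface the audit prints, the UCI equivalent of the workaround is `uci set network.<name>.classlessroute='0'`, then `uci commit network` and `ifup <name>`. Editing /etc/config/network this way survives a sysupgrade, whereas the other workaround in the thread, commenting out the set_classless_routes line in /lib/netifd/dhcp.script, lives outside the preserved configuration and is lost on upgrade unless you add it to the backup list.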