...
For the LANCOM Advanced VPN Client for Windows, the LocalNet attack can be prevented by enabling the “Full Local Network Enclosure Mode” option. As a result, all network traffic will be sent through the tunnel.
Alternatively, the integrated Advanced VPN Client Firewall can be configured such that only VPN traffic is allowed outside the tunnel (using the “Permit IPsec protocol” firewall option), with dedicated exceptions for, e.g., the local network printer.
Info |
---|
Please be aware that those rules could lead to undetected blocking of important network traffic (CVE-2023-35838). You need to take separate countermeasures against this problem. |
1.2 Countermeasures against ServerIP attacks
...
For the LANCOM Advanced VPN Client for macOS, the LocalNet attack can only be partially prevented by enabling the “Full Local Network Enclosure Mode” option. Network traffic to and from the default gateway will not be routed into the VPN tunnel.
Alternatively, a third-party firewall can be configured such that only VPN traffic is allowed outside the tunnel, with dedicated exceptions for, e.g., the local network printer.
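The firewall policy described for both the Windows and the macOS client (only VPN traffic outside the tunnel, plus dedicated exceptions) can be modeled as follows. This is an added example, not LANCOM code: all addresses, interface names and the printer port are constructed assumptions. It shows that a more specific local route takes precedence over the tunnel's default route, and that the firewall rule turns such a flow into blocked traffic, which is the situation the info box above warns about.

```python
import ipaddress

# All addresses and interface names below are constructed for illustration.
VPN_GATEWAY = ipaddress.ip_address("203.0.113.10")      # hypothetical VPN server
IPSEC = {("udp", 500), ("udp", 4500), ("esp", None)}    # IKE, NAT-T, ESP
EXCEPTIONS = {(ipaddress.ip_address("192.168.1.50"), "tcp", 9100)}  # local printer

# Routing table while the tunnel is up and local network access is retained:
# (destination network, outgoing interface)
ROUTES = [
    ("0.0.0.0/0", "vpn0"),          # default route into the tunnel
    ("203.0.113.10/32", "eth0"),    # the VPN server itself must stay outside
    ("192.168.1.0/24", "eth0"),     # ordinary private local network
    ("198.51.100.0/24", "eth0"),    # "local" network announced with a non-private range
]

def route_for(dst, routes=ROUTES):
    """Longest-prefix match: the interface the OS would choose for dst."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), ifc) for n, ifc in routes]
    return max((m for m in nets if addr in m[0]), key=lambda m: m[0].prefixlen)[1]

def firewall_allows(dst, proto, port=None):
    """Outside the tunnel: only IPsec to the VPN server plus listed exceptions."""
    addr = ipaddress.ip_address(dst)
    if addr == VPN_GATEWAY and (proto, port) in IPSEC:
        return True
    return (addr, proto, port) in EXCEPTIONS

def verdict(dst, proto, port=None, firewall=True, tunnel_if="vpn0"):
    """Return 'tunnel', 'outside' or 'blocked' for one outgoing flow."""
    if route_for(dst) == tunnel_if:
        return "tunnel"
    if not firewall or firewall_allows(dst, proto, port):
        return "outside"
    return "blocked"

if __name__ == "__main__":
    # Print each flow's verdict without and with the firewall policy.
    for flow in [("192.0.2.80", "tcp", 443), ("198.51.100.7", "tcp", 443),
                 ("192.168.1.50", "tcp", 9100), ("203.0.113.10", "udp", 4500)]:
        print(flow, verdict(*flow, firewall=False), "->", verdict(*flow))
```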
...