On MacOS (but to my knowledge also on other platforms) Proton VPN provides an allow LAN connections option in the settings which enables the machine to access other devices on the local network (printers, smartphone, TV, etc.) even when the VPN connection is running.

My questions are as follows:

  • Does allowing LAN connections make the VPN connection less secure in any way?
  • If not, is there any reason as to why Proton VPN defaults to leaving this turned off?

I am aware that there is apparently an issue with the Kill Switch and the Allow LAN Connections options being mutually exclusive, but I was wondering whether there is more to it than that.

  • DahGangalang@infosec.pubEnglish
    7·
    10 days ago

    I think I’d depends on what you mean by secure.

    So to give you an idea of how that’d work (at least my understanding of it):

    • Your VPN will set up a virtual interface (naturally its associated with your physical network interface, but the virtual allows some cryptography magic) and sends all traffic out that “pipe”. That pipe leads to (in this case) a Proton server. That pipe is encrypted from your device to that server.
    • By default, ALL traffic is forced out that pipe.
    • When you allow LAN connections, it’ll basically setup a firewall rule that sends all traffic NOT bound for you local network (usually 192.168.0.0/24) through that encrypted pipe.
    • all traffic bound for the local network will go through usual routes.

    On the face of it and with a “normie” home network, this is probably okay.

    However, if you (as an example) run a local DNS server (like Pi-Hole) its possible that your DNS traffic gets send through normal (and potentially non - encrypted means) channels to the DNS server and then forwarded out to the wider internet. This could allow an ISP to get an idea of what you’re looking at with your VPN (since they’ll be able to see that you’re using a VPN, this is not a difficult thing to correlate)

    So really the answer is it depends. I’d minimize risks by leaving LAN connections off, unless you really need it, but that’s making a bunch of assumptions about your specific needs and threat model.

    • Siru@discuss.tchncs.deOPEnglish
      2·
      10 days ago

      Thank you for the detailed reply. I completely forgot about the situation like a Pi-Hole that would slip through the proverbial cracks as being a local device that also sends outbound requests on demand though.