Mathy Vanhoef
Soon to be professor at @KU_Leuven | Currently Postdoc @ NYUAD | Network Security & Applied Crypto | Dragonblood & https://t.co/j48uInhKyE | PGP 95A987F5
Aug 8, 2023 4 tweets 1 min read
New #TunnelCrack flaw can break a large majority of VPNs: we can trick a VPN into leaking traffic outside the protected VPN tunnel. Our tests indicate that this is a widespread design issue. For a demo, more details, and the USENIX Security paper, see tunnelcrack.mathyvanhoef.com

tl;dr:
1) VPNs allow direct access to local network. Abuse by assigning public IPs to local network, causing Internet traffic to leak.
2) VPNs add a rule not to (re-)encrypt traffic to VPN server itself. Abuse by spoofing IP of VPN server. Traffic to this IP is now leaked.
May 11, 2021 8 tweets 2 min read
I found some design and implementation flaws in Wi-Fi again. All Wi-Fi devices are affected. It was a long ~9-month embargo; over this time a lot of info has been collected, and that info is now available at fragattacks.com

The findings consist of three design flaws and several widespread implementation flaws. Some of the flaws have been part of Wi-Fi since 1997! Full details are in my paper: papers.mathyvanhoef.com/usenix2021.pdf