{"slug":"tunnelvision-vulnerability-and-tailscale","title":"TunnelVision vulnerability and Tailscale","tags":["tailscale"],"agent_summary":"Last validated: Oct 29, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# TunnelVision vulnerability and Tailscale\r\n\r\nLast validated: Oct 29, 2025\r\n\r\nTunnelVision is an attack that abuses legitimate network configuration tools that can potentially be exploited by malicious actors.\r\n\r\nIf the TunnelVision vulnerability is detected on a macOS device running the Tailscale client, the following pop-up notification will display:\r\n\r\n![Tailscale client warning that the TunnelVision vulnerability was detected](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftunnelvision-notice.85495edd.png&w=750&q=75)\r\n\r\nIf you receive this notification on macOS, a setting called DHCP option 121 was detected and is used on the network you connected to. Although the network might be using DHCP option 121 for non-malicious purposes, there's a possibility that someone might have tried to exploit it to perform this attack.\r\n\r\nOn macOS and iOS devices, Tailscale cannot override DHCP option 121. This issue is not known to impact tvOS.\r\n\r\n## [How the attack works](https://tailscale.com/docs/concepts/tunnel-vision\\#how-the-attack-works)\r\n\r\nMost computer networks use a service called Dynamic Host Configuration Protocol (DHCP). DHCP acts as a helpful guide on your local network by assigning addresses to devices as they join and ensuring they know where to send and receive information. Typically, DHCP is used solely to assign addresses, DNS name servers, and a single default route. However, it can also provide instructions (known as DHCP options) to devices when they join the network. These instructions may indicate to your device what services are available on the network, and how to use them automatically.\r\n\r\nA TunnelVision attack occurs when someone maliciously uses a network setting known as DHCP option 121 on your local network to instruct devices to send data to the attacker when it should have gone to your tailnet or a site on the internet instead.\r\n\r\n## [How to take action](https://tailscale.com/docs/concepts/tunnel-vision\\#how-to-take-action)\r\n\r\n### [Home networks](https://tailscale.com/docs/concepts/tunnel-vision\\#home-networks)\r\n\r\nIf you're using a home network, check your network configuration and ensure DHCP option 121 is not being used. Your internet provider might also have enabled DHCP option 121 for you. If that's the case, you can safely select **Keep Tailscale Running** and check **Don't warn me again** to hide these warning messages.\r\n\r\n### [Work networks](https://tailscale.com/docs/concepts/tunnel-vision\\#work-networks)\r\n\r\nIf you're using a work network and receive the pop-up notification, contact your network administrator and notify them that Tailscale has detected DHCP option 121 in use. Your administrator can determine whether the warning was a false positive. Your administrator may also disable the warnings using a [Tailscale system policy](https://tailscale.com/docs/features/tailscale-system-policies).\r\n\r\n### [Public networks](https://tailscale.com/docs/concepts/tunnel-vision\\#public-networks)\r\n\r\nIf you're using a public network such as one in a coffee shop or co-working space, and you receive the pop-up notification, we recommend that you select **Disconnect** and connect to a different network.\r\n\r\n## [Additional information](https://tailscale.com/docs/concepts/tunnel-vision\\#additional-information)\r\n\r\nFor more in-depth information, refer to our blog post [Tailscale and TunnelVision: our analysis](https://tailscale.com/blog/tunnelvision-analysis).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>TunnelVision vulnerability and Tailscale</h1>\n<p>Last validated: Oct 29, 2025</p>\n<p>TunnelVision is an attack that abuses legitimate network configuration tools that can potentially be exploited by malicious actors.</p>\n<p>If the TunnelVision vulnerability is detected on a macOS device running the Tailscale client, the following pop-up notification will display:</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Ftunnelvision-notice.85495edd.png&#x26;w=750&#x26;q=75\" alt=\"Tailscale client warning that the TunnelVision vulnerability was detected\"></p>\n<p>If you receive this notification on macOS, a setting called DHCP option 121 was detected and is used on the network you connected to. Although the network might be using DHCP option 121 for non-malicious purposes, there's a possibility that someone might have tried to exploit it to perform this attack.</p>\n<p>On macOS and iOS devices, Tailscale cannot override DHCP option 121. This issue is not known to impact tvOS.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/tunnel-vision#how-the-attack-works\">How the attack works</a></h2>\n<p>Most computer networks use a service called Dynamic Host Configuration Protocol (DHCP). DHCP acts as a helpful guide on your local network by assigning addresses to devices as they join and ensuring they know where to send and receive information. Typically, DHCP is used solely to assign addresses, DNS name servers, and a single default route. However, it can also provide instructions (known as DHCP options) to devices when they join the network. These instructions may indicate to your device what services are available on the network, and how to use them automatically.</p>\n<p>A TunnelVision attack occurs when someone maliciously uses a network setting known as DHCP option 121 on your local network to instruct devices to send data to the attacker when it should have gone to your tailnet or a site on the internet instead.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/tunnel-vision#how-to-take-action\">How to take action</a></h2>\n<h3><a href=\"https://tailscale.com/docs/concepts/tunnel-vision#home-networks\">Home networks</a></h3>\n<p>If you're using a home network, check your network configuration and ensure DHCP option 121 is not being used. Your internet provider might also have enabled DHCP option 121 for you. If that's the case, you can safely select <strong>Keep Tailscale Running</strong> and check <strong>Don't warn me again</strong> to hide these warning messages.</p>\n<h3><a href=\"https://tailscale.com/docs/concepts/tunnel-vision#work-networks\">Work networks</a></h3>\n<p>If you're using a work network and receive the pop-up notification, contact your network administrator and notify them that Tailscale has detected DHCP option 121 in use. Your administrator can determine whether the warning was a false positive. Your administrator may also disable the warnings using a <a href=\"https://tailscale.com/docs/features/tailscale-system-policies\">Tailscale system policy</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/concepts/tunnel-vision#public-networks\">Public networks</a></h3>\n<p>If you're using a public network such as one in a coffee shop or co-working space, and you receive the pop-up notification, we recommend that you select <strong>Disconnect</strong> and connect to a different network.</p>\n<h2><a href=\"https://tailscale.com/docs/concepts/tunnel-vision#additional-information\">Additional information</a></h2>\n<p>For more in-depth information, refer to our blog post <a href=\"https://tailscale.com/blog/tunnelvision-analysis\">Tailscale and TunnelVision: our analysis</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}