The core discovery by the researchers is that connection tracking features don’t always isolate processes from each other, especially with those VPNs that run on top of Linux and make use of Netfilter implementations, a typical internal connection tracking routine. Without this isolation, connections could be shared across other machine resources. “This approach can pose potential security risks to any applications dependent on these frameworks,” stated the paper. They found that if an attacker was using the same VPN server, they could de-anonymize a valid user’s connection, decrypt and snoop their network traffic, and scan a user’s ports to do more damage. Again, this points to a potential issue among corporate VPN users that are sharing the same VPN infrastructure.

Part of the problem is that Netfilter and other tools such as IPFW and IPfilter aren’t well documented for this particular use case. “The documentation doesn’t explicitly discuss the behavior when used by IP obfuscating VPNs,” wrote the authors, who list the various system details and use cases, and included a table (page 10 or 118) with the vulnerabilities found across all three VPN protocols and across two typical Linux-based OSes.

Not all public VPN providers are susceptible to port shadow, including three of the more popular ones: NordVPN, ExpressVPN, and Surfshark, all of which block port shadow. NordVPN confirmed to CSO that they aren’t vulnerable.