
VPN hijacking on Linux (and beyond) systems

Posted Dec 9, 2019 18:19 UTC (Mon) by hmh (subscriber, #3838)
In reply to: VPN hijacking on Linux (and beyond) systems by if.gnu.linux
Parent article: VPN hijacking on Linux (and beyond) systems

Well, unicast reverse path filtering (uRPF) is geared towards no-config filtering of *source address spoofing* based on routing information. It was designed for hardware routers with extremely fast routing engines and far less capable packet filters, and where you care far more about packets that are just passing through.

uRPF drops packets trying to come from an interface when the reverse path (the reply path, as defined by a destination route lookup on the *source* of the packet) would NOT go through that interface -- in strict mode. It costs one extra route lookup per packet.

It is *NOT* the correct tool to address the weak host model. It will leave chinks in the armor, related to tricks with the destination addresses, and the way L2 and L3 addressing are independent in IP over ethernet. It might even thwart this particular attack, but it will not in any way address the whole thing. You are strongly advised to fix the real problem, instead.

On Linux, right now, this requires iptables/nftables, since one cannot tell the kernel to configure itself for the strong host model with a single knob. BTW, uRPF for IPv6 is only available through iptables/nftables...

Oh, and one likely needs to configure the damn ARP response and filtering behavior too, to keep L2 and L3 consistent.

For a strong host model, you want the firewall to drop anything incoming from an interface (*other than lo*) that is destined to the local address of a different interface. Also, anything outgoing with a *local* source address that does not belong to that interface should be rejected (again, lo should be exempt if you don't want to go insane).

Forwarding is easier to get right, and most stuff already does so... provided no local addresses are involved (see above).

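As an added illustration (not code from the comment above or from LWN), here is one way to express the two strong-host rules it describes with nftables, plus the ARP sysctls it alludes to. The `fib` expression does the per-interface address lookup: `fib daddr . iif type local` holds only when the destination is a local address *on the arriving interface*. Assumptions: the table name, chain priorities and the choice of `reject` versus `drop` are mine, and the ruleset has not been exercised here against a live kernel, so print it, review it, and only then feed it to `nft -f -` as root.

```shell
#!/bin/sh
# Added example, not from the LWN comment: generate (and optionally apply)
# an nftables ruleset approximating the strong host model for IPv4 and
# IPv6 at once via the inet family. Assumption: untested on a real box.

strong_host_ruleset() {
cat <<'EOF'
table inet strong_host {
	chain input {
		type filter hook input priority 0; policy accept;
		# loopback is exempt, as the comment suggests
		iif "lo" accept
		# destination is one of our addresses, but not an address of
		# the interface the packet arrived on: strong host says drop
		fib daddr type local fib daddr . iif type != local counter drop
	}
	chain output {
		type filter hook output priority 0; policy accept;
		oif "lo" accept
		# locally generated packet whose local source address does not
		# belong to the egress interface: reject it
		fib saddr type local fib saddr . oif type != local counter reject
	}
}
EOF
}

# ARP side: keep L2 answers consistent with the per-interface L3 rules.
# These are the kernel's documented sysctl names; the values are my choice.
arp_sysctls() {
cat <<'EOF'
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
EOF
}

if [ "$1" = "apply" ]; then
	# requires root; review the printed output first
	strong_host_ruleset | nft -f -
	arp_sysctls | sed 's/ //g' | xargs -n1 sysctl -w
else
	strong_host_ruleset
	arp_sysctls
fi
```

Run without arguments to print both fragments; `apply` loads them. VMs or containers bridged through the host will need their own exemptions, which is the point raised in the reply that follows.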

VPN hijacking on Linux (and beyond) systems

Posted Dec 10, 2019 11:10 UTC (Tue) by nim-nim (subscriber, #34454)

But, wouldn’t that break horribly in presence of virtual things (vm or containers) on the same host?

All of those run firewalls.

NFV means dedicated firewall hardware will eventually too


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds