There is nothing novel in the attack, nor is it a security problem.
DHCP environment must be trusted.
We have had IP Source Guard and DHCP Snooping for decades to avoid scenarios from that link (and many others).
I have never heard anyone claim that VPNs only work if DHCP can be trusted. Note that that means trusting all devices on a network because any device can be a DHCP server.
This is a great find and a real security bug. I cannot believe how many people are downplaying this work.
It does expose a nuance in VPN configuration though. If we all as an industry perfectly implemented things to be 100% to the spec, and 100% understood all security considerations in the spec from the start, this would be a nothing burger.
From TFA it seems like NordVPN at minimum is affected by this, as per the user report. Lots of users assuming a lot of trust just got violated. I'm sure there are lots of devs at the VPN vendors and network admins in corporate settings looking around to ensure the hole is plugged.