6

IPv6 address is leaking with dualstack ISP + dualstack WLAN connection

asked 2018-12-12 20:57:06 +0300


updated 2018-12-13 16:39:22 +0300

Nekron

Dear all,

I am running a small VPS where I host my private OpenVPN service. The ipv4 vpn connection works just fine using the built-in VPN client. However, checking my connection with ipleak.net shows that the ISP ipv6 address is leaked.

The ISP is using an ipv4/ipv6 dualstack, my Xperia X is connecting via WLAN interface to router so that the device gets an ipv4 and ipv6 address assigned. The latter is leaked over the ipv6 default route.

What countermeasures can be taken without disabling ipv6 on the device to prevent leakage?

On the server-side I tried different things like pushing default ipv6 route to the client, but somehow the ipv6 routing does not change on the phone.

Any pointers just to disable ipv6 on an active vpn connection but not permanently would be helpful!

As a side note: The VPS offers me two ipv4 and one ipv6 address but no netblock and ipv6 NAT so things are limited to tunnel ipv6 over an ipv4 connection. At least I would be happy to route ipv6 to /dev/null, but not leak it!

Edit: Fixed typo in question title.


Comments

you may not have a netblock but a /64 (that is minimum). It still works to have a smaaall part of it for tunneling, like a /96 block or so... It is no doctrine but it works...

cy8aer ( 2018-12-13 09:16:06 +0300 )

@cy8aer I have only a /128, so the last resort for me would be ipv6 NAT, but the VPS has an old kernel and no ipv6 NAT enabled, so there is no chance to assign a private ipv6 address to the client and NAT it to the ipv6 /128 address. Alas, it would be helpful if Jolla allowed disabling ipv6 in the WLAN setup, just like for the data connection. One thing I am doing right now when I am connected to a dual stack WLAN is a simple "devel-su ip r del ::/0".

Nekron ( 2018-12-13 11:01:03 +0300 )

Could you please elaborate a bit, what do you exactly think is leaking????

If your provider grants you a globally reachable prefix then of course your ipv6 address is world-visible, that's the point of the whole thing. With ipv6 there is no intention to use NAT, and in my opinion that is a good thing; to have a beautiful flat network space again like in the good old days!

juiceme ( 2018-12-13 21:39:40 +0300 )

The problem is that you only route v4, not v6, so every site reachable by v6 will not be routed through the tunnel.

cy8aer ( 2018-12-13 22:08:58 +0300 )

1 Answer

1

answered 2018-12-13 09:13:01 +0300

cy8aer

Told you so: https://together.jolla.com/question/156391/brainstorm-vpn-security-and-design-issues-long-post/


Comments

Long live "devel-su ip r del ::/0" (temporarily delete all ipv6 routes when connected to VPN).

Nekron ( 2018-12-13 11:02:43 +0300 )

but you will have problems with dual stack dns answers...

cy8aer ( 2018-12-13 22:07:41 +0300 )
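
A check for the condition discussed in this thread, as an added example that is not part of the original posts: it reads `ip -6 route show` output and lists the interfaces that hold an IPv6 default route while the tunnel carries no covering IPv6 route. The interface name `tun0`, the function name `v6_leak_ifaces` and the route tables are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Lists interfaces that hold an IPv6
# default route while the VPN tunnel carries no covering IPv6 route.
# Input: `ip -6 route show` text on stdin. $1: tunnel interface name
# (assumed "tun0"). Simplification: only a default route or 2000::/3 on the
# tunnel counts as covering global IPv6 traffic; metrics are not compared.
v6_leak_ifaces() {
    awk -v tun="$1" '
        # Return the interface named after the "dev" keyword on this line.
        function devof(   i) {
            for (i = 2; i < NF; i++) if ($i == "dev") return $(i + 1)
            return ""
        }
        $1 == "default" || $1 == "::/0" {
            d = devof()
            if (d == tun) covered = 1
            else if (d != "") leak[d] = 1
        }
        $1 == "2000::/3" && devof() == tun { covered = 1 }
        END { if (!covered) for (d in leak) print d }
    ' | sort
}

# Constructed sample: dual-stack WLAN, IPv4-only tunnel (the case in the question).
SAMPLE_LEAKY='2001:db8:1::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 1024'

# Constructed sample: same WLAN, but the tunnel now carries 2000::/3.
SAMPLE_COVERED="$SAMPLE_LEAKY
2000::/3 dev tun0 metric 1024"

# Constructed sample: default route removed by hand, as in the comments.
SAMPLE_NO_DEFAULT='2001:db8:1::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256'

for s in "$SAMPLE_LEAKY" "$SAMPLE_COVERED" "$SAMPLE_NO_DEFAULT"; do
    out=$(printf '%s\n' "$s" | v6_leak_ifaces tun0)
    echo "bypassing interfaces: ${out:-none}"
done
# Live use: ip -6 route show | v6_leak_ifaces tun0
```

An empty result after the default route is deleted only shows that IPv6 traffic has nowhere to go; AAAA answers from DNS will still arrive, which is the dual stack DNS problem raised in the last comment.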