IPv6 address is leaking with dualstack ISP + dualstack WLAN connection
asked 2018-12-12 20:57:06 +0300
Dear all,
I am running a small VPS where I host my private OpenVPN service. The ipv4 vpn connection works just fine using the built-in VPN client. However, checking my connection with ipleak.net shows that the ISP ipv6 address is leaked.
The ISP is using an ipv4/ipv6 dualstack, my Xperia X is connecting via WLAN interface to router so that the device gets an ipv4 and ipv6 address assigned. The latter is leaked over the ipv6 default route.
What countermeasures can be taken without disabling ipv6 on the device to prevent leakage?
On the server-side I tried different things like pushing default ipv6 route to the client, but somehow the ipv6 routing does not change on the phone.
Any pointers just to disable ipv6 on an active vpn connection but not permanently would be helpful!
As a side note: The VPS offers me two ipv4 and one ipv6 address but no netblock and ipv6 NAT so things are limited to tunnel ipv6 over an ipv4 connection. At least I would be happy to route ipv6 to /dev/null, but not leak it!
Edit: Fixed typo in question title.
you may not have a netblock but a /64 (that is minimum). It still works to have a smaaall part of it for tunneling, like a /96 block or so... It is no doctrine but it works...
cy8aer ( 2018-12-13 09:16:06 +0300 )
@cyBaer I have only /128 so the last resort for me would be to ipv6 NAT, but VPS has old kernel and no ipv6 NAT enabled, so no chance to assign private ipv6 address to client and nat it to ipv6/128 address. Alas it would be helpful if Jolla just like for the data connection allows disabling ipv6 on WLAN setup. One thing I am doing right now if I am connected to dual stack WLAN is simple "devel-su ip r del ::/0".
Nekron ( 2018-12-13 11:01:03 +0300 )
Could you please elaborate a bit, what do you exactly think is leaking????
If your provider grants you a globally reachable prefix then of course your ipv6 address is world-visible, that's the point of the whole thing. With ipv6 there is no intention to use nat, and in my opinion that is a good thing; to have beautiful flat network space again like in the good old days!
juiceme ( 2018-12-13 21:39:40 +0300 )
The problem is that you only route v4 not v6, so every site reachable by v6 will not be routed through the tunnel.
cy8aer ( 2018-12-13 22:08:58 +0300 )
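Added example, not part of the thread: a shell check for the condition discussed above, an IPv6 default route on the WLAN interface while the VPN carries only IPv4. It reads `ip -6 route show` output; the interface names `tun0` and `wlan0`, the sample route tables, and treating a `2000::/3` route on the tunnel as covering global IPv6 traffic are assumptions.

```shell
#!/bin/sh
# Classify IPv6 egress from `ip -6 route show` output read on stdin.
# On a device: ip -6 route show | v6_egress_state tun0
#   leak        - a default route leaves via a non-tunnel interface and the
#                 tunnel has no more-specific 2000::/3 route to win over it
#   tunneled    - IPv6 goes through the tunnel interface
#   no-v6-route - no IPv6 default at all (state after deleting ::/0 by hand)
v6_egress_state() {
    awk -v tun="$1" '
    {
        dev = ""
        for (i = 2; i < NF; i++) if ($i == "dev") dev = $(i + 1)
        is_default = ($1 == "default" || $1 == "::/0")
        if (is_default && dev != "" && dev != tun) outside = 1
        if (is_default && dev == tun) tun_default = 1
        if ($1 == "2000::/3" && dev == tun) tun_global = 1
    }
    END {
        if (outside && !tun_global) print "leak"
        else if (tun_default || tun_global) print "tunneled"
        else print "no-v6-route"
    }'
}

# Constructed sample: dual-stack WLAN, IPv4-only VPN (the question's setup).
SAMPLE_LEAK='2001:db8:1::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256
default via fe80::1 dev wlan0 proto ra metric 1024 pref medium'

# Constructed sample: same table after the IPv6 default route was deleted.
SAMPLE_DELETED='2001:db8:1::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 256
fe80::/64 dev tun0 proto kernel metric 256'

# Constructed sample: server pushes global unicast space into the tunnel.
SAMPLE_TUNNELED='2001:db8:1::/64 dev wlan0 proto kernel metric 256
2000::/3 dev tun0 metric 1024
default via fe80::1 dev wlan0 proto ra metric 1024 pref medium'

for name in LEAK DELETED TUNNELED; do
    eval "table=\$SAMPLE_$name"
    printf '%-9s %s\n' "$name" "$(printf '%s\n' "$table" | v6_egress_state tun0)"
done
```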